📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Tool
  • Scope
  • Host discovery
  • Scan options
  • Version & OS
  • Ports
  • Evasion
  • Output
  • Templates
  1. Networking

Nmap

nmap cheatsheet

Tool

Scope

nmap <host list>
nmap -6 <host list>
nmap -iL <path to file>.txt
nmap <host list> --exclude <host list>

Host discovery

-sL    No Scan. List targets only
-sn    Disable port scanning. Host discovery only.
-Pn    Disable host discovery. Port scan only.
-PS    TCP SYN discovery on port x. Port 80 by default
-PA    TCP ACK discovery on port x. Port 80 by default
-PU    Port 40125 by default
-PR    ARP discovery on local network
-n     Never do DNS resolution

Scan options

-sS    TCP SYN port scan (Default)
-sT    TCP connect port scan (Default without root privilege)
-sU    UDP port scan (Can be combined with other scan options)
-sA    TCP ACK port scan
-sW    TCP Window port scan
-sM    TCP Maimon port scan
-sN    TCP NULL port scan
-sF    TCP FIN port scan
-sX    TCP Xmas port scan
-sY    SCTP INIT scan
-sZ    COOKIE-ECHO scan

Version & OS

-sV                    Attempts to determine the version of the service running on port
-sV --version-light    Enable light mode. Lower accuracy. Faster
-sV --version-all      Higher accuracy. Slower
-O		       Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit      If at least one open and one closed TCP port are not found it will not try OS detection
-O --osscan-guess      Makes Nmap guess more aggressively
-A                     Traceroute, version and OS scan

Ports

-p             Use port range, protocol or mixed i.e. T:443,U:1040
-p 1-65535     All ports
--top-ports    Most used ports
-F	       Top 100 ports

Evasion

-f              Requested scan (including ping scans) use tiny fragmented IP packets
--mtu           Set your own offset size
-D              Send scans from spoofed IPs
-S              Spoof host (-e eth0 -Pn may be required)
--spoof-mac     Spoof NMAP MAC address
--badsum        Send packets with a bogus TCP/UDP/SCTP checksum
-g	        Use given source port number
--proxies       Relay connections through HTTP/SOCKS4 proxies
--data-length	Appends random data to sent packets

Output

-oN			File.txt
-oX			File.xml
-oG			Grepable
-oA			Output in the three major formats at once

Templates

Common services slow

nmap -Pn -p 21,22,25,53,80,110,111,143,443,445,1433,1521,3306,5432,8080,8443 -T2 <ip> -A -vvv -oA ./nmap

Service detailed scan

nmap -Pn -p <port> <ip> -sV --version-all -sC -vvv -oA ./nmap

Full scan

nmap -Pn -p- <ip> -sV --version-all -A -vvv -oA ./nmap

Light scan

nmap -Pn --top-ports 500 <ip> -vvv -oA ./nmap

Machine discovery

nmap -PR -T2 --top-ports 100 <ip> -vvv -oA ./nmap

Machine discovery no scan

nmap -PR -T2 -sn <ip> -vvv -oA ./nmap
PreviousExpose ResourcesNextScan types

Last updated 2 years ago