My Nmap Cheatsheet
NMAP is the holy grail of network reconnaissance and cybersecurity auditing. It started as a port scanner and has evolved into a family of rock-star networking tools featuring headliners like Ncrack, Ncat, Nping, Zenmap, NSE, etc.
Important considerations:
- Firewalls, routers, proxy servers, and other security devices can influence Nmap scan results. Scanning remote hosts outside your local network may yield misleading information because of these devices
- Certain scanning options (raw-packet scans such as SYN scans and OS detection) require elevated privileges on Unix and Linux systems. You might need to log in as the root user or run nmap with the sudo command
Warnings:
- Avoid scanning sensitive sites like the FBI or Secret Service websites unless you want legal trouble
- Aggressively scanning certain systems may induce crashes, resulting in undesirable outcomes such as system downtime and data loss
- Exercise caution when scanning mission-critical systems
- Approach each scan with the awareness of potential consequences
Use Nmap for Network Reconnaissance
NETWORK / TARGET DISCOVERY
ipcalc [IP address] --> shortcut for checking the entire subnet range:
- ipcalc prints the network an address belongs to; for 172.17.0.1 the subnet range is 172.17.0.0/24
- Use the subnet range with Nmap to ensure you scan everything!
- nmap 172.17.0.0/24 --> scan every possible IP address within this subnet range (254 hosts in this case)
- arp-scan -l --> alternative host discovery for the local network segment (uses ARP, so it is not affected by host firewalls)
TARGET CLASSIFICATION
This part drills down to find the open ports and software versions on each host. For that, Nmap offers different scan types:
Normal scan
nmap 10.100.100.12
Ping scan
nmap -sP 10.100.100.12 (host discovery only, no port scan; -sP is the old name for -sn. Works on an entire network as well, e.g. 172.17.0.0/24)
Fast scan
nmap -F 172.17.0.0/24 --> fast mode: scan only the 100 most common ports instead of the default 1000
OS enumeration
nmap -O 10.100.100.12
Scan the service version
nmap -sV 10.100.100.12
Port scanning (via TCP protocol)
nmap -sT -p 80 10.100.100.12
nmap -p http 10.100.100.12
Stealthy scan
nmap -sS -p 80 10.100.100.12 (SYN scan: sends a SYN, reads the SYN-ACK and never completes the handshake, so many services never log the connection)
nmap -sS [IP address] | grep open >> results.txt (keep only the lines for open ports and append them to a results file)
Scan all flags
nmap -A 10.100.100.12 --> aggressive mode: combines OS detection, version detection, default script scanning and traceroute
Use nmap scripts
nmap --script vuln 10.100.100.12 (vuln is a prebuilt script category in Nmap; every script in that category runs)
Decoy/obfuscation scan
nmap -sS -D <fake ip> <target ip>
nmap -sS -D 10.7.1.80 10.7.1.226
nmap -O 192.168.0.1 -D 10.0.0.1,10.0.0.2,10.0.0.4 --> deceptive scan (decoy addresses are comma-separated, no spaces; -O is a capital letter O, not zero)
nmap -O 192.168.0.1 -D 10.0.0.1,10.0.0.2,10.0.0.4 --spoof-mac 0 --> same scan with a spoofed source MAC address (0 means a random one)
Other useful variants
nmap -sL -iL IPs.txt --> list scan: read targets from a file and list them (with reverse DNS) without sending any probes to the targets, which is why it is so fast
nmap -sS -sU -Pn [IP address] --> TCP SYN plus UDP scan, skipping host discovery (-PN is the older spelling of -Pn)
Use Nmap Scripts for Network Vulnerabilities
Nmap Scripts empower you to discover vulnerabilities on your hosts that you can exploit.
nmap --script vuln 10.0.2.13
nmap -p80,443 --script vuln 10.0.2.13 --> narrow the scan down to ports 80 and 443
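The `grep open >> results.txt` trick above loses the host and version information. Nmap's grepable output (`-oG -`) keeps it on one line per host, and this added helper (example code, not part of the original cheatsheet) turns that into a clean open-port inventory. The scan output below is a constructed sample in the -oG format, so the parser runs without nmap or network access.

```shell
#!/bin/sh
# Constructed sample of nmap grepable output, as written by:
#   nmap -sS -sV -oG - 10.100.100.0/24
# (hosts, ports and versions are made up for the example)
SAMPLE_GNMAP=$(printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -oG - 10.100.100.0/24
Host: 10.100.100.12 ()\tStatus: Up
Host: 10.100.100.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.100.100.13 ()\tStatus: Up
Host: 10.100.100.13 ()\tPorts: 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: closed (999)
# Nmap done at ... -- 256 IP addresses (2 hosts up) scanned in 42.00 seconds')

# open_ports: read -oG output on stdin, print "host port/proto service version"
# for open ports only. Each entry in the Ports: field is
# port/state/protocol/owner/service/rpcinfo/version/
open_ports() {
  awk '
    /^Host: / && /Ports: / {
      host = $2
      s = $0
      sub(/^.*Ports: /, "", s)                  # keep only the port list
      sub(/[ \t]*Ignored State:.*$/, "", s)     # drop the trailing summary
      n = split(s, entries, /, /)
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open")
          printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
      }
    }'
}

# scan_open_ports: run the real SYN + version scan (needs root) through the
# parser, e.g.  scan_open_ports 10.100.100.0/24
scan_open_ports() {
  sudo nmap -sS -sV -oG - "$@" | open_ports
}

# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
```

Redirect the output to a file instead of results.txt to keep a per-scan inventory you can diff against the previous run to spot newly exposed services.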
Nmap Scripts are truly powerful. This is just a short introduction. Check out my other article, where I dive a little more into Nmap Scripts.
That's a wrap!
Remember to check the NMAP manual (man nmap) for more info on all the available switches. Also, have a look at https://nmap.org/ for more details.
Use WireShark to see the traffic that you're generating when doing NMAP scans.