Skip to main content

Nmap cheatsheet with explanations

Always apply the best nmap scanning strategy for all size networks

Scan Network Range

 nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
 nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
 nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20| grep for | cut -d" " -f5
 nmap -sn -oA tnet 10.129.2.18-20| grep for | cut -d" " -f5
 
-sn    Disables port scanning.
-oA tnet    Stores the results in all formats starting with the name 'tnet'.
-iL    Performs defined scans against targets in provided 'hosts.lst' list.

If we disable port scan (-sn), Nmap automatically ping scan with ICMP Echo Requests (-PE). Once such a request is sent, we usually expect an ICMP reply if the pinging host is alive. The more interesting fact is that our previous scans did not do that because before Nmap could send an ICMP echo request, it would send an ARP ping resulting in an ARP reply. We can confirm this with the "--packet-trace" option. To ensure that ICMP echo requests are sent, we also define the option (-PE) for this.

nmap 10.129.2.18 -sn -oA host -PE --packet-trace 

-PE    Performs the ping scan by using 'ICMP Echo requests' against the target.
--packet-trace    Shows all packets sent and received

Another way to determine why Nmap has our target marked as "alive" is with the "--reason" option.

nmap 10.129.2.18 -sn -oA host -PE --reason 

--reason    Displays the reason for specific result.

Nmap does indeed detect whether the host is alive or not through the ARP request and ARP reply alone. To disable ARP requests and scan our target with the desired ICMP echo requests, we can disable ARP pings by setting the "--disable-arp-ping" option. Then we can scan our target again and look at the packets sent and received.

nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping 

 Nmap scans the top 1000 TCP ports with the SYN scan (-sS). This SYN scan is set only to default when we run it as root because of the socket permissions required to create raw TCP packets. Otherwise, the TCP scan (-sT) is performed by default. This means that if we do not define ports and scanning methods, these parameters are set automatically. We can define the ports one by one (-p 22,25,80,139,445), by range (-p 22-445), by top ports (--top-ports=10) from the Nmap database that have been signed as most frequent, by scanning all ports (-p-) but also by defining a fast port scan, which contains top 100 ports (-F)

nmap 10.129.2.28 --top-ports=10

--top-ports=10    Scans the specified top ports that have been defined as most frequent.

 If we trace the packets Nmap sends, we will see the RST flag on TCP port 21 that our target sends back to us. To have a clear view of the SYN scan, we disable the ICMP echo requests (-Pn), DNS resolution (-n), and ARP ping scan (--disable-arp-ping).

nmap 10.129.2.28 -p 21 --packet-trace -Pn -n --disable-arp-ping

-n    Disables DNS resolution.

-Pn    Disables ICMP Echo requests.

Connect Scan

Nmap's TCP Connect Scan (-sT) involves:

Utilizing the TCP three-way handshake, sending an SYN packet to a port, and analyzing the response.

An SYN-ACK response indicates an open port, while an RST response signals a closed port.

This scan is highly accurate and stealthy, minimizing detection risk by IDS/IPS due to no leftover connections or packets.

Ideal for network mapping with minimal service disruption, being a "polite" scan method.

Effective against personal firewalls that block incoming but allow outgoing packets.

Drawbacks include slower performance due to the wait for responses, potentially delaying results on busy or non-responsive targets.

nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT

-Pn    Disables ICMP Echo requests.

Filtered Ports

Filtered Port Indicators: A port is marked as "filtered" when Nmap can't determine if it's open or closed due to packet filtering. This is usually the firewall's intervention.

Packet Handling by Firewalls: Firewalls may drop (silently discard) or reject (send a response indicating the packet won't be processed) incoming packets. A dropped packet leads to no response, making it difficult for Nmap to ascertain the port's status.

Nmap's Retry Mechanism: By default, Nmap's -max-retries is set to 1. This means if Nmap doesn't receive a response to its initial packet, it will attempt once more, considering the packet could have been lost or mishandled.

Example Scenario: Imagine trying to scan TCP port 139, already identified as filtered. To closely monitor how the sent packets are treated without interference from other processes, you might modify the scan as follows:

nmap -p 139 -Pn -n --disable-arp-ping --max-retries 1 <target>

Host discovery, generate a list of surviving hosts

 nmap -sn -T4 -oG Discovery.gnmap 192.168.1.1/24
 grep "Status: Up" Discovery.gnmap | cut -f 2 -d ' ' > LiveHosts.txt

#http://nmap.org/presentations/BHDC08/bhdc08-slides-fyodor.pdf

 nmap -sS -T4 -Pn -oG TopTCP -iL LiveHosts.txt
 nmap -sU -T4 -Pn -oN TopUDP -iL LiveHosts.txt

Port found, found all the ports, but UDP port scanning will be very slow

 nmap -sS -T4 -Pn –top-ports 3674 -oG 3674 -iL LiveHosts.txt
 nmap -sS -T4 -Pn -p 0-65535 -oN FullTCP -iL LiveHosts.txt
 nmap -sU -T4 -Pn -p 0-65535 -oN FullUDP -iL LiveHosts.txt
 nmap 10.129.2.28 -F -sU
 
 -F    Scans top 100 ports.

Displays the TCP / UDP port

 grep “open” FullTCP|cut -f 1 -d ‘ ‘ | sort -nu | cut -f 1 -d ‘/’ |xargs | sed ‘s/ /,/g’|awk ‘{print “T:”$0}’
 grep “open” FullUDP|cut -f 1 -d ‘ ‘ | sort -nu | cut -f 1 -d ‘/’ |xargs | sed ‘s/ /,/g’|awk ‘{print “U:”$0}’

Detect the service version

 nmap -sV -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt
 nmap -O -T4 -Pn -oG OSDetect -iL LiveHosts.txt
 nmap -O -sV -T4 -Pn -p U:53,111,137,T:21-25,80,139,8080 -oG OS_Service_Detect -iL LiveHosts.txt

Another option (--stats-every=5s) that we can use is defining how periods of time the status should be shown. Here we can specify the number of seconds (s) or minutes (m), after which we want to get the status.

nmap 10.129.2.28 -p- -sV --stats-every=5s

-p-    Scans all ports.
-sV    Performs service version detection on specified ports.
--stats-every=5s    Shows the progress of the scan every 5 seconds.

We can also increase the verbosity level (-v / -vv), which will show us the open ports directly when Nmap detects them.

nmap 10.129.2.28 -p- -sV -v 

-v    Increases the verbosity of the scan, which displays more detailed information.
**Modify the default MTU size, but it must be a multiple of 8 (8, 16, 24, 32, etc.)**

Nmap Scripting Engine

Nmap Scripting Engine (NSE) is another handy feature of Nmap. It provides us with the possibility to create scripts in Lua for interaction with certain services. There are a total of 14 categories into which these scripts can be divided:

auth Determination of authentication credentials.
broadcast Scripts, which are used for host discovery by broadcasting and the discovered hosts, can be automatically added to the remaining scans.
brute Executes scripts that try to log in to the respective service by brute-forcing with credentials.
default Default scripts executed by using the -sC option.
discovery Evaluation of accessible services.
dos These scripts are used to check services for denial of service vulnerabilities and are used less as it harms the services.
exploit This category of scripts tries to exploit known vulnerabilities for the scanned port.
external Scripts that use external services for further processing.
fuzzer This uses scripts to identify vulnerabilities and unexpected packet handling by sending different fields, which can take much time.
intrusive Intrusive scripts that could negatively affect the target system.
malware Checks if some malware infects the target system.
safe Defensive scripts that do not perform intrusive and destructive access.
version Extension for service detection.
vuln Identification of specific vulnerabilities.

Default Scripts

 nmap <target> -sC

Specifying Scripts

nmap 10.129.2.28 -p 25 --script banner,smtp-commands

Aggressive Scan

nmap 10.129.2.28 -p 80 -A

-A    Performs service detection, OS detection, traceroute and uses defaults scripts to scan the target.

 Vuln Category

nmap 10.129.2.28 -p 80 -sV --script vuln

--script vuln    Uses all related scripts from specified category.

cd /usr/share/nmap/scripts/
wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz
nmap -sS -sV –script=vulscan/vulscan.nse target
nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target
nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target
nmap -PN -sS -sV –script=vulscan –script-args vulscancorrelation=1 -p80 target
nmap -sV –script=vuln target
nmap -PN -sS -sV –script=all –script-args vulscancorrelation=1 target

Performance

Scanning performance plays a significant role when we need to scan an extensive network or are dealing with low network bandwidth. We can use options to tell Nmap how fast (-T <0-5>), with which frequency (--min-parallelism <number>), which timeouts (--max-rtt-timeout <time>) the test packets should have, how many packets should be sent simultaneously (--min-rate <number>), and with the number of retries (--max-retries <number>) for the scanned ports the targets should be scanned.

Timeouts

When Nmap sends a packet, it takes some time (Round-Trip-Time - RTT) to receive a response from the scanned port. Generally, Nmap starts with a high timeout (--min-RTT-timeout) of 100ms. 

Default Scan

nmap 10.129.2.0/24 -F

Optimized RTT

nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms

-F    Scans top 100 ports.
--initial-rtt-timeout 50ms    Sets the specified time value as initial RTT timeout.
--max-rtt-timeout 100ms    Sets the specified time value as maximum RTT timeout.

Max Retries

Another way to increase the scans' speed is to specify the retry rate of the sent packets (--max-retries). The default value for the retry rate is 10, so if Nmap does not receive a response for a port, it will not send any more packets to the port and will be skipped.

Default Scan

nmap 10.129.2.0/24 -F | grep "/tcp" | wc -l

Reduced Retries

nmap 10.129.2.0/24 -F --max-retries 0

--max-retries 0    Sets the number of retries that will be performed during the scan.

Rates

During a white-box penetration test, we may get whitelisted for the security systems to check the systems in the network for vulnerabilities and not only test the protection measures. If we know the network bandwidth, we can work with the rate of packets sent, which significantly speeds up our scans with Nmap. When setting the minimum rate (--min-rate <number>) for sending packets, we tell Nmap to simultaneously send the specified number of packets. It will attempt to maintain the rate accordingly.

Default Scan

nmap 10.129.2.0/24 -F -oN tnet.default

Optimized Scan

nmap 10.129.2.0/24 -F -oN tnet.minrate300 --min-rate 300

-oN tnet.minrate300    Saves the results in normal formats, starting the specified file name.
--min-rate 300    Sets the minimum number of packets to be sent per second.

Timing

Because such settings cannot always be optimized manually, as in a black-box penetration test, Nmap offers six different timing templates (-T <0-5>) for us to use. These values (0-5) determine the aggressiveness of our scans. This can also have negative effects if the scan is too aggressive, and security systems may block us due to the produced network traffic. The default timing template used when we have defined nothing else is the normal (-T 3).

-T 0 / -T paranoid-T 1 / -T sneaky

-T 2 / -T polite

-T 3 / -T normal

-T 4 / -T aggressive

-T 5 / -T insane

Firewall and IDS/IPS Evasion

Nmap's TCP ACK scan (-sA) method is much harder to filter for firewalls and IDS/IPS systems than regular SYN (-sS) or Connect scans (sT) because they only send a TCP packet with only the ACK flag. When a port is closed or open, the host must respond with an RST flag. Unlike outgoing connections, all connection attempts (with the SYN flag) from external networks are usually blocked by firewalls. However, the packets with the ACK flag are often passed by the firewall because the firewall cannot determine whether the connection was first established from the external network or the internal network.

nmap 10.129.2.28 -p 21,22,25 -sS -Pn -n --disable-arp-ping --packet-trace
nmap 10.129.2.28 -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace

-sS    Performs SYN scan on specified ports.
-sA    Performs ACK scan on specified ports.
-Pn    Disables ICMP Echo requests.
-n    Disables DNS resolution.
--disable-arp-ping    Disables ARP ping.
--packet-trace    Shows all packets sent and received.

Decoys

There are cases in which administrators block specific subnets from different regions in principle. This prevents any access to the target network. Another example is when IPS should block us. For this reason, the Decoy scanning method (-D) is the right choice. With this method, Nmap generates various random IP addresses inserted into the IP header to disguise the origin of the packet sent. With this method, we can generate random (RND) a specific number (for example: 5) of IP addresses separated by a colon (:). Our real IP address is then randomly placed between the generated IP addresses. Another critical point is that the decoys must be alive. Otherwise, the service on the target may be unreachable due to SYN-flooding security mechanisms.

nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

-D RND:5    Generates five random IP addresses that indicates the source IP the connection comes from.

Testing Firewall Rule

sudo nmap 10.129.2.28 -n -Pn -p445 -O

-O    Performs operation system detection scan.

Scan by Using Different Source IP

nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

-S    Scans the target by using different source IP address.

-e tun0    Sends all requests through the specified interface.

DNS Proxying

Nmap's DNS Resolution Process and Techniques:

Default Behavior: Nmap automatically performs reverse DNS resolution to gather additional information about targets, typically via UDP port 53.

DNS Queries and Protocols: Traditionally, TCP port 53 was reserved for DNS zone transfers and handling data transfers exceeding 512 bytes. However, the advent of IPv6 and DNSSEC has led to an increase in DNS requests over TCP port 53.

Custom DNS Server Specification: Nmap allows specifying custom DNS servers with the -dns-servers <ns>,<ns> option, which can be crucial in controlled environments like a DMZ. Using internal, trusted DNS servers can facilitate interactions with internal network hosts more securely and reliably.

Exploiting TCP Port 53 for Scans:

Utilizing TCP port 53 as a source port with the -source-port option can exploit firewall configurations that trust or poorly filter traffic through this port, potentially evading detection by IDS/IPS systems.

Practical Applications and Considerations:

Security Context: In secure or sensitive environments, leveraging internal DNS servers for Nmap scans can reduce the risk of exposing internal network activities to external monitoring and potential adversaries.

Evasion Techniques: Using TCP port 53 as a source port for scans can serve as an evasion technique, exploiting firewall and IDS/IPS configurations that may not scrutinize traffic on this port as closely, allowing reconnaissance and scanning activities to proceed undetected.

SYN-Scan of a Filtered Port From DNS Port

nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

--source-port 53    Performs the scans from specified source port.

Modify the default MTU size, but it must be a multiple of 8 (8, 16, 24, 32, etc.)

nmap –mtu 24

Botnet scanning, first need to find the botnet IP

nmap -sI [Zombie IP] [Target IP]

Add a random number of data after each scan

nmap –data-length 25 IP

MAC address spoofing, you can generate different host MAC address

nmap –spoof-mac Dell/Apple/3Com IP