nmap Cheat Sheet All in One

Posted by Riino Site on November 25, 2021 Cheet-Sheet nmap

nmap

nmap offical reference guide: https://nmap.org/book/man.html

Offical Doc : https://nmap.org/book/man.html Offical Doc CN : https://nmap.org/man/zh/index.html Offical Doc JP : https://nmap.org/man/ja/

Cheat Sheet by Nathan House https://www.stationx.net/nmap-cheat-sheet/

Macros (WIP)

#Stay low (IDS Evasion command)
nmap -f -t 0 -n -Pn –data-length 200 -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
#Get target OS and ports
nmap -sS -P0 -sV -O <target>
#Find every host under a LAN MASK
nmap -sP 192.168.0.*
#Batch Ping 
nmap -sP 192.168.1.100-254
#Count Win/Linux devices
sudo nmap -F -O 192.168.0.1-255 | grep “Running: ” > /tmp/os; echo “$(cat /tmp/os | grep Linux \
| wc -l) Linux device(s)”; echo “$(cat /tmp/os | grep Windows | wc -l) Window(s) device”
#Find unused IPs
nmap -T4 -sP 192.168.2.0/24 && egrep “00:00:00:00:00:00″ /proc/net/arp

Cheat Sheat

flowchart LR

id(nmap 192.168.1.1\nnmap 192.168.1-254 \n nmap 192.168.1.1 riino.site)
id --modifyIP?--> TS(Yes)
id --SCAN NOTHING!-->sl
TS --enable ipv6--> -6
TS --random 100--> -TS1(iR 100)
TS --from file--> -TS2(iL list.txt)
TS --exclude--> -TS3( --exclude)
id --discover any?--> d(YES)
id --discover any?--> dn(No)
dn--No ping-->-Pn
d --TCP SYN ping-->-PS
d --TCP ACK ping-->-PA
d --UDP ping-->-PU
d --ARP ping-->-PR
d --SCTP INIT ping-->-PY
d --ICMP ping-->ICMP( -PE \n -PP \n -PM)
d --IP P ping--> -P0
id --scan port?--> ST(Yes)
id --scan port?--> IPonly(No)
IPonly -->-sn
ST --is TCP?-->TCP(Yes)
TCP--TCP-->-sT
TCP --TCP SYN-->-sS
TCP--TCP ACK-->-sA
TCP--TCP Window-->-sW
TCP--TCP maimon-->-sM
ST --is UDP?-->-sU
ST --> wp(which port?)
wp --> p( -p 21 \n -p 21-100 \n -p U:53,T:21-25,80 \n -p http,https \n --top-ports 2000 \n -F  \n -p-65535 \n -p0- )
ST --Check Service Version?-->CS(Yes)
CS -->s( -sV \n -sV --version-all \n -A) 
id --guess OS?-->-O
id --Be gentle?-->Sure
Sure --Paranoid	for IDS-->-T0
Sure --Sneaky for IDS-->-T1
Sure --Polite-->-T2
Sure --Normal-->-T3
Sure --Aggressive-->-T4
Sure --Insane-->-T5
Sure --Custom--> -T( --host-timeout 30s \n  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout 100s \n --min-hostgroup/max-hostgroup 1024 \n --min-parallelism/max-parallelism 10 \n --scan-delay/--max-scan-delay 2s \n --max-retries 3  \n --min-rate 100 \n --max-rate 100)
id --trickery-->TRI(YES)
TRI --split package--> -f
-f --custom offset--> MTU( -mtu 32)
TRI --spoofed IP--> D( -D 192.168.1.101,192.168.1.102 )
TRI --spoofed MAC--> SM( --spoof-mac apple \n --spoof-mac 0 \n --spoof-mac 01:02:03:04:05:06 \n --spoof-mac 0020F2)
TRI --spoofed Port --> SP( -g 53 )
TRI --fake origin IP--> S( -S scanner.example.com)
TRI --random scan sequence--> RH( --randomize-hosts)
id --I WANT EVERYTHING--> -A
id --save file-->file(YES)
file-- xml--> xml( -oX output.xml )
file--normal--> on( -oN output.txt )