🖥️nmap
➡️This is a command-line reference manual for commands and command combinations that you don’t use often enough to remember it. This cheatsheet explains the nmap command with important options and switches using examples.
12 minute read
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ███╗ ██╗███╗ ███╗ █████╗ ██████╗
# ████╗ ██║████╗ ████║██╔══██╗██╔══██╗
# ██╔██╗ ██║██╔████╔██║███████║██████╔╝
# ██║╚██╗██║██║╚██╔╝██║██╔══██║██╔═══╝
# ██║ ╚████║██║ ╚═╝ ██║██║ ██║██║
# ╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝
# NMAP is an essential tool in any hacker's arsenal. Originally written by Gordon Lyon aka Fydor, it's used to locate hosts and services and create a map of the network. NMAP has always been an incredibly powerful tool, but with it's newest release, they've really out done themselves. NMAP now comes equipped with a ton of new scripts you can use to do everything from DoSing targets to exploiting them (with written permission, of course). The scripts cover the following categories
# Auth: Use to test whether you can bypass authentication mechanism
# Broadcast: Use to find other hosts on the network and automatically add them to scanning que.
# Brute: Use for brute password guessing.
# Discovery: Use to discover more about the network.
# Dos: Use to test whether a target is vulnerable to DoS
# Exploit: Use to actively exploit a vulnerability
# Fuzzer: Use to test how server responds to unexpected or randomized fields in packets and determine other potential vulnerabilities
# Intrusive: Use to perform more intense scans that pose a much higher risk of being detected by admins.
# Malware: Use to test target for presence of malware
# Safe: Use to perform general network security scan that's less likely to alarm remote administrators
# Vuln: Use to find vulnerabilities on the target
# For this tutorial, I will show you how to scan a target for vulnerabilities, actively try and exploit any vulnerabilities, test whether the target is vulnerable to DoS, and then finally launch a DoS attack.
## Download NMAP ##
# Download nmap from https://nmap.org/download.html and follow the installation instructions for your particular Operating System. NMAP works easily on both Windows and Linux. After installing you will have NMAP and ZENMAP on your computer.
# ZENMAP and NMAP are the same thing except ZENMAP provides you with a graphical user interface. For the rest of this tutorial you can chose to either run NMAP from your command line, or launch ZENMAP and enter the commands in the GUI.
# Run NMAP ##
# Now that we've got NMAP installed, it's time to scan our target for vulnerabilities. As mentioned there is an entire category of scripts dedicated to finding vulnerabilities on a target. Invoking the following command will run all of the scripts against your target.
nmap -Pn --script vuln <target.com or ip> <enter>
# *I always throw a -Pn in there just in case the target blocks ping probes, although it's optional. After your scan completes, review NMAPs output to determine what vulnerabilities were found. It will list it's findings along with applicable CVEs and links to any exploits that exist in Offensive Security's Exploit Database.
# Use NMAP to Actively Exploit Detected Vulnerabilities ##
# As mentioned, you can also use NMAP's exploit script category to have NMAP actively exploit detected vulnerabilities by issuing the following command:
nmap --script exploit -Pn <target.com or ip> <enter>
# Use NMAP to Brute Force Passwords ##
# Nmap contains scripts for brute forcing dozens of protocols, including http-brute, oracle-brute, snmp-brute, etc. Use the following command to perform brute force attacks to guess authentication credentials of a remote server.
nmap --script brute -Pn <target.com or ip> <enter>
# Use NMAP to Test if Target Is Vulnerable to Dos ##
# Use the following command to check whether the target is vulnerable to DoS:
nmap --script dos -Pn <target.com or ip> <enter>
# This will tell you whether the target is vulnerable without actually launching a dos attack.
# Use NMAP to Perform DOS Attack
# Use the following command to perform an active DoS attack against a target for an indefinite period of time:
nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
# Nmap verbose scan, runs syn stealth, T4 timing (should be ok on LAN), OS and service version info, traceroute and scripts against services
nmap -v -sS -A -T4 target
# As above but scans all TCP ports (takes a lot longer)
nmap -v -sS -p- -A -T4 target
# As above but scans all TCP ports and UDP scan (takes even longer)
nmap -v -sU -sS -p- -A -T4 target
# Search nmap scripts for keywords
ls /usr/share/nmap/scripts/* | grep ftp
# Single target scan:
nmap [target]
# Scan from a list of targets:
nmap -iL [list.txt]
# iPv6:
nmap -6 [target]
# OS detection:
nmap -O --osscan_guess [target]
# Save output to text file:
nmap -oN [output.txt] [target]
# Save output to xml file:
nmap -oX [output.xml] [target]
# Scan a specific port:
nmap -source-port [port] [target]
# Do an aggressive scan:
nmap -A [target]
# Speedup your scan:
# -n => disable ReverseDNS
# --min-rate=X => min X packets / sec
nmap -T5 --min-parallelism=50 -n --min-rate=300 [target]
# Traceroute:
nmap -traceroute [target]
# Ping scan only: -sP
# Don't ping: -PN <- Use full if a host don't reply to a ping.
# TCP SYN ping: -PS
# TCP ACK ping: -PA
# UDP ping: -PU
# ARP ping: -PR
# Example: Ping scan all machines on a class C network
nmap -sP 192.168.0.0/24
# Force TCP scan: -sT
# Force UDP scan: -sU
# Nmap script to scan for vulnerable SMB servers - WARNING: unsafe=1 may cause knockover
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 target
# Scan port for all available A records (useful when multiple A records are returned by the DNS server)
nmap --script resolveall --script-args newtargets,resolveall.hosts=[target] -p [port]
# Use some script:
nmap --script default,safe
# Loads the script in the default category, the banner script, and all .nse files in the directory /home/user/customscripts.
nmap --script default,banner,/home/user/customscripts
# Loads all scripts whose name starts with http-, such as http-auth and http-open-proxy.
nmap --script 'http-*'
# Loads every script except for those in the intrusive category.
nmap --script "not intrusive"
# Loads those scripts that are in both the default and safe categories.
nmap --script "default and safe"
# Loads scripts in the default, safe, or intrusive categories, except for those whose names start with http-.
nmap --script "(default or safe or intrusive) and not http-*"
# Discovert DHCP information on an interface
nmap --script broadcast-dhcp-discover -e eth0
# Scan for the heartbleed
# -pT:443 => Scan only port 443 with TCP (T:)
nmap -T5 --min-parallelism=50 -n --script "ssl-heartbleed" -pT:443 127.0.0.1
# Show all informations (debug mode)
nmap -d ...
#==============================#
# CMD nmap
#==============================##==============================#
nmap -iR 20 -sL -n|awk '{print $2}'|grep '^[0-9]'|uniq
# Random IP addresses
nmap -p22 -oG - $(ip addr | awk '/inet .*global/ {print $2}' | tr '\n' ' ') | awk '/22\/open/ {print $2}' | uniq
# Find all SSH Hosts - If you want to find all SSH enabled hosts in all subnets to which your computer is connected, you can use this oneliner
nmap --open -p T:22 192.168.1.0/24
# Scan your internal network for hosts listening on TCP port 22 (SSH protocol).
nmap -sP 192.168.1.0/24; arp-scan --localnet | grep "192.168.1.[0-9]* *ether"
# find all active IP addresses in a network I just added the args [arp-scan --localnet] which works for Debian users, because the package 'arp' has name 'arp-scan', and it doesn't works with the argument 'arp'.
# Scan a single IP address When firewall OFF/ON on target PC -> Syntax – nmap IP address/hostname
nmap 192.168.75.131
nmap google.com
# Boost up Your nmap Scan – using this command u can decrease scan time -> Syntax – nmap –F IP address
nmap –F google.com
# Scan multiple IP address or subnet A. scan a range of IP address -> Syntax – nmap IP address range
nmap 192.168.75.1-131
# Scan a range of IP address using a wildcard
nmap 192.168.75.*
# Scan an entire subnet
nmap 192.168.75.1/24
# scan turn on OS and version detection
nmap –O 192.168.75.131
# Scan all TCP port in target IP
nmap –sT 192.168.75.131
# Scan a firewall for security weakness -> Null scan – TCP Null Scan to fool a firewall to generate a response
nmap –sN 192.168.75.131
# Fin scan – TCP Fin scan to check firewall
nmap –sF 192.168.75.131
# TCP Xmas scan to check firewall
nmap –sX 192.168.75.131
# UDP Scan – Scan a host for UDP services. This scan is used to view open UDP port.
nmap –sU 192.168.75.131
# Scan for IP protocol – This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.
nmap –sO 192.168.75.131
# detect remote services (server / daemon) version numbers
nmap –sV 192.168.75.131
# Find out the most commonly used TCP ports using TCP SYN Scan -> Stealthy scan
nmap –sS 192.168.75.131
# Find out the most commonly used TCP ports using TCP connect scan
nmap –sT 192.168.75.131
# Find out the most commonly used TCP ports using TCP ACK scan
nmap –sA 192.168.75.131
# Find out the most commonly used TCP ports using TCP Window scan
nmap –sW 192.168.75.131
# Find out the most commonly used TCP ports using TCP Maimon scan
nmap – sM 192.168.75.131
# List Scan – this command is used tolist target to scan
nmap –sL 192.168.75.131
# Host Discovery or Ping Scan – Scan a network and find out which servers and devices are up and running
nmap –sP 192.168.75.0/24
# Scan a host when protected by the firewall
nmap –PN 192.168.75.1
# Ping sweep for network:
nmap -sn -PE <IP ADDRESS OR RANGE>
# Scan and show open ports:
nmap --open <IP ADDRESS OR RANGE>
# Determine open services:
nmap -sV <IP ADDRESS>
# Scan two common TCP ports, HTTP an HTTPS:
nmap -p 80,443 <IP ADRESS OR RANGE>
# Scan common UDP port, DNS:
nmap -SU -p 53 <IP ADDRESS OR RANGE>
# Scan UDP and TCP together, be verbose on a single host and include optional skip ping:
nmap -v -Pn -sU -sT -p U:53,111,137,T:21-25,80,139,8080 <IP ADDRESS>
# How can I write a linux bash script that tells me which computers are ON in my LAN ?
nmap -sn 192.168.1.60-70
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-09 20:13 BST
Host machine1.home (192.168.1.64) appears to be up.
Host machine2.home (192.168.1.65) appears to be up.
Nmap finished: 11 IP addresses (2 hosts up) scanned in 0.235 seconds
That said, if you want to write it yourself (which is fair enough), this is how I would do it:
nmap --open -p T:22 192.168.1.0/24
# Scan your internal network for hosts listening on TCP port 22 (SSH protocol).
nmap -sS www.example\.com
# Do a stealthy like port scan of your website http://www.example.com to see what ports are exposed.
# Nmap scan every interface that is assigned an IP
ifconfig -a | grep -Po '\b(?!255)(?:\d{1,3}\.){3}(?!255)\d{1,3}\b' | xargs nmap -A -p0-
# Explanation:
# ifconfig -a to output all interfaces, | grep -Po '\b(?!255)(?:\d{1,3}\.){3}(?!255)\d{1,3}\b' will search for 4 octets with up to three digits each, ignoring any leading or trailing 255. For my personal, and likely most local networks, this will exclude broadcast and netmask addresses without affecting host IPs. At this point, stdout holds any IP assigned to an interface, and will finally pipe to xargs, which supplies the IPs as arguments for nmap. Nmap then performs an OS detection, version detection, script, and traceroute scan on all 65536 ports of each assigned IP.
# Note: When using grep, -P is requrired to be able to interpret negative lookahead (?!) and non-capturing group (?:) brackets.
# Limitations:
# The regex epression will find both valid and non-valid IP addresses, e.g. 999.999.999.999, however invalid IPs are not an expected result of ifconfig -a. It is possible to correct this with a much longer regex expression, but not necessary in this case.
nmap -sP "$(ip -4 -o route get 1 | cut -d ' ' -f 7)"/24 | grep report | cut -d ' ' -f 5-
# Display live hosts on the network Displays live hosts on the same network as the local machine with their hostnames and IP addresses. This command is IPv6 and multiple network adapter safe and does not rely on awk or sed, however it requires the "nmap" package installed. Might not work on OSX. Example alias for shell startup file: alias livehosts='nmap -sP "$(ip -4 -o route get 1 | cut -d " " -f 7)"/24 | grep report | cut -d " " -f 5-' Show Sample Output:
# gateway.url (192.168.2.1)
# host1.mynetwork (192.168.2.123)
# host2.mynetwork (192.168.2.140)
# 192.168.2.147
# host3.mynetwork (192.168.2.148)
# 192.168.2.187
# 192.168.2.190
# host4.mynetwork (192.168.2.194)
nmap -p0-65535 192.168.1.254 -T5
# nmap fast scan all ports target
# Dump top 10 ports tcp/udp from nmap - To be used with other port scanners and or for help with iptables --dport 1000:2000 style expansion
nmap -oA derp --top-ports 10 localhost>/dev/null;grep 'services\=' derp.xml | sed -r 's/.*services\=\"(.*)(\"\/>)/\1/g'
# Sample output
# 7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157
# nmap get all active online ips from specific network - scan whole specific network for active online ips
nmap -n -sn 192.168.1.0/24 -oG - | awk '/Up$/{print $2}'
# Sample output
# 192.168.1.79
# 192.168.1.82
# ...
# 192.168.1.119
# 192.168.1.120
#==============================##==============================#
# CMD NMAP #
#==============================##==============================#
Cheatsheets are an excellent complement to other information sources like Linux man-pages, Linux help, or How-To’s and tutorials, as they provide compact and easily accessible information. While man-pages and detailed tutorials often contain comprehensive explanations and extensive guides, cheatsheets summarize the most important options forthe command nmap in a clear format. This allows users to quickly access the needed information for nmap without having to sift through lengthy texts. Especially in stressful situations or for recurring tasks, cheatsheets for nmap are a valuable resource to work efficiently and purposefully.
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.