Introduction

Nmap (Network Mapper) is an open-source tool for network exploration and security auditing. Used by network administrators and penetration testers alike, it performs host discovery, port scanning, service and OS fingerprinting, and script-driven vulnerability checks, which makes it a staple for network inventory and for auditing what a host actually exposes. This cheat sheet provides a quick reference to the most commonly used Nmap commands and options, ideal for both beginners and experienced users. All examples assume you are authorized to scan the target.

Basic Scanning Techniques

  1. Basic Network Scan: Command: nmap [target]
    • Scans the 1,000 most common TCP ports of an IP address or hostname. Run as root it defaults to a SYN scan (-sS); as an unprivileged user it falls back to a full connect scan (-sT).
  2. Scan Multiple IPs or Subnets: Command: nmap [target1] [target2] 10.0.0.0/24 192.168.1.1-50
    • Targets are separated by spaces, not commas. Accepted forms are hostnames, single IPs, CIDR blocks (10.0.0.0/24) and octet ranges or lists (192.168.0-255.1-254, 192.168.3-5,7.1). -iL [file] reads targets one per line, --exclude [target] skips hosts, and -sL lists exactly what would be scanned without sending a single probe; run it first to check a target expression.
  3. Ping Scan (No Port Scan): Command: nmap -sn [target]
    • Host discovery only: reports which hosts are up without port scanning. The opposite is -Pn, which skips host discovery and scans every target as if it were up; use it when ICMP and the default discovery probes are filtered and -sn reports hosts as down.
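Nmap's target grammar (CIDR, octet ranges and lists, exclusions) is easiest to understand by expanding it yourself. The following is an added example, not code from the cheat sheet or from the Nmap project: it expands target specifications into the address list that nmap -sL would print. Hostnames are passed through unresolved because resolution happens at scan time, and the constant names and sample targets are this example's own choices.

```python
# Added example (not part of the original cheat sheet or of Nmap): expand
# Nmap-style target specifications into individual addresses, the way
# `nmap -sL` would list them. Handles CIDR, octet ranges/lists and --exclude;
# hostnames are passed through unchanged because resolution needs the network.
import ipaddress
import re
from itertools import product

OCTET_RE = re.compile(r"[0-9,-]+")


def _expand_octet(spec: str) -> list[int]:
    """Expand one octet: '5', '3-5', '3-5,7', or '-' (meaning 0-255)."""
    values = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo, hi = int(lo) if lo else 0, int(hi) if hi else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"invalid octet range: {spec!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> list[str]:
    """Expand a single target spec into addresses (or [spec] for a hostname)."""
    if "/" in spec:
        # Nmap scans every address in the block, network and broadcast included.
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]
    octets = spec.split(".")
    if len(octets) == 4 and all(OCTET_RE.fullmatch(o) for o in octets):
        ranges = [_expand_octet(o) for o in octets]
        return [".".join(map(str, combo)) for combo in product(*ranges)]
    # Anything else (e.g. a hostname) is left for DNS to resolve at scan time.
    return [spec]


def expand_targets(specs: list[str], exclude: list[str] = ()) -> list[str]:
    """Expand all specs in order, dropping duplicates and excluded addresses."""
    excluded = {a for e in exclude for a in expand_target(e)}
    seen: set[str] = set()
    out: list[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


if __name__ == "__main__":
    # Equivalent of: nmap -sL 10.0.0.0/30 192.168.3-5,7.1 --exclude 10.0.0.3
    for addr in expand_targets(["10.0.0.0/30", "192.168.3-5,7.1"], exclude=["10.0.0.3"]):
        print(addr)
```

The /30 expands to four addresses rather than two usable hosts because Nmap includes the network and broadcast addresses in a CIDR target; if that is not what you want, exclude them explicitly.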

Advanced Scanning Options

  1. TCP SYN Scan (Half-open Scan): Command: nmap -sS [target] - Sends a SYN and never completes the handshake, so the listening application never sees a connection and is less likely to log one than with a connect scan (-sT). It requires raw-socket privileges (root), and "stealth" is historical: any modern IDS or firewall flags a SYN sweep.
  2. UDP Scan: Command: nmap -sU [target] - Scans UDP ports. Slow because closed ports answer with ICMP port-unreachable messages that most hosts rate-limit, and a probe with no answer at all is reported as open|filtered. Combine with -sV so Nmap sends protocol-specific payloads that coax open services into replying, and pair it with a TCP scan in the same run (nmap -sS -sU) for a complete audit: DNS, SNMP, NTP and similar services are UDP-only.
  3. Aggressive Scan: Command: nmap -A [target] - Enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute) in one option. Noisy and slow; use it on confirmed in-scope hosts, not for an initial sweep.
  4. Version Detection: Command: nmap -sV [target] - Probes open ports to identify the service and its product and version strings rather than guessing from the port number. --version-intensity 0-9 trades speed for thoroughness (default 7).

Output Options

  1. Saving Output in a Specific Format: Command: nmap -oX output.xml [target] (XML) - Other formats: -oN output.txt (normal, what you see on screen), -oG output.gnmap (grepable, one line per host) and -oA basename, which writes all three as basename.nmap, basename.xml and basename.gnmap. Use - as the filename (nmap -oX - [target]) to write to stdout when piping to another tool. XML is the format to feed to parsers and other tools; grepable output is convenient for one-liners but is officially deprecated and does not carry script results in a structured way.
  2. Verbose Output: Command: nmap -v [target] - Prints progress and open ports as they are found; -vv increases verbosity further. --reason adds why each port was classified as it was (syn-ack, reset, no-response, and so on), which is invaluable when a port shows as filtered.
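Grepable output is the format most people reach for in shell one-liners, but its port field has a fixed sub-structure that is easy to mis-split. The following is an added example, not code from the cheat sheet or from the Nmap project: a small parser for -oG output that builds per-host port records and filters open ports. The SAMPLE_GNMAP text is constructed to resemble the output of a -sV -oG scan of a lab range; it is not a real scan, and the host names and versions in it are invented.

```python
# Added example (not part of the original cheat sheet or of Nmap): parse
# Nmap grepable output (-oG) into per-host port records and filter open ports.
# SAMPLE_GNMAP is constructed to look like -oG output; it is not a real scan.
import re

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 192.168.56.0/28
Host: 192.168.56.10 (web01.lab)\tStatus: Up
Host: 192.168.56.10 (web01.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1 Debian 2+deb12u2/, 80/open/tcp//http//nginx 1.22.1/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.56.11 ()\tStatus: Up
Host: 192.168.56.11 ()\tPorts: 53/open|filtered/udp//domain///\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 10:00:12 2024 -- 16 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# "Host: <addr> (<hostname>)" opens every non-comment line.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text: str) -> dict[str, dict]:
    """Return {address: {"hostname": str, "status": str|None, "ports": [...]}}."""
    hosts: dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # "# Nmap ..." comment lines
        # Fields are tab-separated "Name: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        m = HOST_RE.match(line)
        addr, hostname = m.group(1), m.group(2)
        host = hosts.setdefault(addr, {"hostname": hostname, "status": None, "ports": []})
        if "Status" in fields:
            host["status"] = fields["Status"]
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            # port/state/protocol/owner/service/rpcinfo/version/ ; the version
            # text may itself contain '/', so split on the first six only.
            port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
            host["ports"].append({
                "port": int(port),
                "state": state,
                "proto": proto,
                "service": service,
                "version": version.rstrip("/"),
            })
    return hosts


def open_ports(hosts: dict[str, dict], include_unknown: bool = False) -> list[tuple]:
    """Open (address, port, proto, service) tuples.

    UDP probes with no answer come back as open|filtered; they are only
    included when include_unknown is set, so the caller makes that call."""
    wanted = {"open", "open|filtered"} if include_unknown else {"open"}
    return sorted(
        (addr, p["port"], p["proto"], p["service"])
        for addr, h in hosts.items()
        for p in h["ports"]
        if p["state"] in wanted
    )


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for addr, port, proto, service in open_ports(scan, include_unknown=True):
        print(f"{addr}\t{port}/{proto}\t{service}\t{scan[addr]['hostname']}")
```

Splitting each port entry on the first six slashes only is deliberate: the version field is free text from the service banner and can contain slashes, while the five fields before it never do.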

Scripts

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. Scripts are written in Lua and run against the hosts and ports whose state matches their rules, automating tasks from service discovery and banner enrichment to vulnerability checks and credential guessing. They ship in the scripts directory of the Nmap installation, and nmap --script-help [expression] prints the description and documentation URL of every script an expression would select. This cheat sheet covers the categories and options you will use most for network discovery, vulnerability detection, and more.

Understanding Nmap Script Types:

  1. Default Scripts: - The "default" category, run with -sC (or as part of -A). A plain nmap [target] runs no scripts at all. - Example: nmap -sC [target] (Runs default scripts)
  2. Safe Scripts: - Scripts judged unlikely to crash services, consume large amounts of bandwidth, or exploit anything. They still send traffic and leave log entries on the target. - Example: nmap --script safe [target]
  3. Intrusive Scripts: - May crash, lock out, or otherwise disrupt the target (brute forcing, exploit checks). Use only with explicit authorization and a way to reach the owner. - Example: nmap --script intrusive [target]
  4. Discovery: - Scripts that learn more about the network and its services (SNMP, SMB shares, directory listings, public registries). - Example: nmap --script discovery [target]
  5. Vulnerability: - Checks for specific known vulnerabilities. Most of these scripts only fire once the service has been identified, so pair them with -sV; a clean run means none of the checked issues was confirmed, not that the host is clean. - Example: nmap -sV --script vuln [target]
  6. Authentication: - Checks authentication on services, e.g. anonymous FTP, null SMB sessions, default credentials. Credential guessing lives in the separate brute category. - Example: nmap --script auth [target]
  7. Database: - There is no "database" category; database scripts are selected by name (mysql-*, ms-sql-*, mongodb-*, oracle-*, and so on). The example restricts the selection to safe ones. - Example: nmap --script "(mysql* or ms-sql* or mongodb*) and safe" [target]
  8. Malware: - Checks for signs of infection or backdoors. - Example: nmap --script malware [target]

A --script expression is a boolean combination of script names, categories and wildcards joined with and, or and not; quote it so the shell does not expand the asterisks.

Using Script Arguments

Some scripts accept arguments for more specific control. Arguments are passed as comma-separated key=value pairs; script-specific keys are usually prefixed with the script or library name (for example http.useragent, which every HTTP script honors), and the documentation page printed by nmap --script-help [script] lists the ones a script reads. Values that contain commas or spaces must be quoted.

  • Example: nmap --script [script-name] --script-args [arg]=[value],[arg2]=[value2] [target]
  • Example: nmap --script http-title --script-args http.useragent="Mozilla/5.0" [target]
  • Example: nmap --script [script-name] --script-args-file [file] [target] (reads the same key=value pairs from a file, useful for credentials you do not want in shell history)

Combining Scripts and Scan Techniques

Scripts can be combined with standard Nmap scan techniques. Version detection (-sV) is the most useful companion: many scripts only run when the service on a port has been identified, and -p [ports] keeps the script run focused on the ports you care about rather than the full default set.

  • Example: nmap -sV --script=default,vuln [target]
  • Example: nmap -sS -sV -p 80,443 --script "http-* and safe" [target]

Output and Debugging

Use verbose and debugging options for detailed script output.

  • Example: nmap --script [script] -d [target] (debugging mode; -d2 up to -d9 for progressively more detail)
  • Example: nmap --script [script] -v [target] (verbose mode)
  • Example: nmap --script [script] --script-trace [target] (logs every packet the scripts send and receive, the NSE equivalent of --packet-trace)
  • Example: nmap --script-updatedb (rebuilds the script database after you add or edit scripts in the scripts directory; new scripts are otherwise not selectable by category)
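The XML output (-oX, see Output Options above) is where script results survive in a structured form: each <port> carries <script> children with an output attribute and, for scripts that return structured data, key/value <elem> nodes, and host-level scripts sit under <hostscript>. The following is an added example, not code from the cheat sheet or from the Nmap project: a parser that turns that XML into plain Python structures and flattens every script result into one row, plus a wrapper that runs nmap with -oX - so the XML is read from stdout. SAMPLE_XML is constructed to resemble -sV -sC output for a single lab host; it is not a real scan, and the addresses, fingerprints and versions in it are invented. The run_nmap helper needs nmap on PATH and is not exercised by the sample.

```python
# Added example (not part of the original cheat sheet or of Nmap): parse Nmap
# XML output (-oX), including NSE script results, into plain Python
# structures, and run nmap with "-oX -" so the XML is read from stdout.
# SAMPLE_XML is constructed to resemble -sV -sC output; it is not a real scan.
import shutil
import subprocess
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX - 192.168.56.10" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.56.10" addrtype="ipv4"/>
<hostnames><hostname name="web01.lab" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="9.2p1" method="probed" conf="10"/>
<script id="ssh-hostkey" output="256 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (ED25519)">
<table><elem key="type">ssh-ed25519</elem><elem key="bits">256</elem>
<elem key="fingerprint">aabbccddeeff00112233445566778899</elem></table></script>
</port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.22.1" method="probed" conf="10"/>
<script id="http-title" output="Welcome to nginx!"><elem key="title">Welcome to nginx!</elem></script>
</port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https" method="table" conf="3"/></port>
</ports>
<hostscript><script id="clock-skew" output="mean: -1s, deviation: 0s, median: -1s"/></hostscript>
</host>
<runstats><finished elapsed="12.34" exit="success"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def _script_dict(script_el: ET.Element) -> dict:
    """Flatten one <script>: raw output text plus any keyed <elem> values."""
    elems = {e.get("key"): (e.text or "").strip() for e in script_el.iter("elem") if e.get("key")}
    return {"output": script_el.get("output", ""), "elems": elems}


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """Return one dict per <host> with its ports, services and script results."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        # Element truthiness depends on child count, so compare with None explicitly.
        addr_el = h.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = h.find("address")
        host = {
            "addr": addr_el.get("addr"),
            "state": h.find("status").get("state"),
            "hostnames": [hn.get("name") for hn in h.iter("hostname")],
            "ports": [],
            "hostscripts": {},
        }
        for p in h.iter("port"):
            svc = p.find("service")
            host["ports"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "scripts": {s.get("id"): _script_dict(s) for s in p.findall("script")},
            })
        hs = h.find("hostscript")
        if hs is not None:
            host["hostscripts"] = {s.get("id"): _script_dict(s) for s in hs.findall("script")}
        hosts.append(host)
    return hosts


def script_findings(hosts: list[dict]) -> list[tuple]:
    """Flatten every script result into (addr, port or None, script id, output) rows."""
    rows = []
    for h in hosts:
        for sid, res in h["hostscripts"].items():
            rows.append((h["addr"], None, sid, res["output"]))
        for p in h["ports"]:
            for sid, res in p["scripts"].items():
                rows.append((h["addr"], p["port"], sid, res["output"]))
    return rows


def run_nmap(args: list[str]) -> list[dict]:
    """Run nmap with the given arguments and parse its XML. Requires nmap on PATH.
    Arguments are passed as a list and no shell is involved, so a target or
    option taken from user input cannot smuggle in extra shell commands."""
    nmap = shutil.which("nmap")
    if nmap is None:
        raise FileNotFoundError("nmap not found on PATH")
    proc = subprocess.run([nmap, "-oX", "-", *args], capture_output=True, text=True, check=True)
    return parse_nmap_xml(proc.stdout)


if __name__ == "__main__":
    for row in script_findings(parse_nmap_xml(SAMPLE_XML)):
        print(row)
    # Live use, with nmap installed and authorization for the target:
    # hosts = run_nmap(["-sV", "-sC", "192.168.56.10"])
```

Reading the structured <elem> values instead of the output attribute is what makes results usable downstream: the ssh-hostkey fingerprint, for instance, can be compared against a known-good inventory without regex-scraping the human-readable text.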