The Essential Nmap Cheat Sheet for Quick Reference

Introduction

Nmap (Network Mapper) is an open-source tool for network exploration and security auditing. Widely used by network administrators, it’s crucial for vulnerability scanning and network inventory. This cheat sheet provides a quick reference to the most commonly used Nmap commands and options, ideal for both beginners and experienced users.

Basic Scanning Techniques

  1. Basic Network Scan: Command: nmap [target]
    • Use to quickly scan a target IP or domain.
  2. Scan Multiple IPs or Subnets: Command: nmap [target1] [target2] ... (targets are separated by spaces, not commas; CIDR ranges such as 192.0.2.0/24 are also accepted)
    • Handy for scanning multiple targets.
  3. Ping Scan (No Port Scan): Command: nmap -sn [target]
    • Useful for checking if the host is online without performing a port scan.

Advanced Scanning Options

  1. TCP SYN Scan (Stealth Scan): Command: nmap -sS [target] - Less intrusive and stealthier than a connect scan.
  2. UDP Scan: Command: nmap -sU [target] - For scanning UDP ports. It’s slower but essential for a complete security audit.
  3. Aggressive Scan: Command: nmap -A [target] - Provides a more comprehensive output including OS detection, version detection, script scanning, and traceroute.
  4. Version Detection: Command: nmap -sV [target] - Detects the service version on the open ports.

Output Options

  1. Saving Output in a Specific Format: Command: nmap -oX [output.xml] [target] (for XML format) - Other formats include -oN for normal, -oG for grepable, and -oA for all three at once (normal, XML and grepable, using the given name as the base filename).
  2. Verbose Output: Command: nmap -v [target] - Provides more detailed output.

Scripts

Nmap’s scripting engine (NSE) is one of its most powerful and flexible features. It allows users to write (or use existing) scripts to automate a wide variety of networking tasks. This cheat sheet covers some of the most useful Nmap scripts for network discovery, vulnerability detection, and more.

Understanding Nmap Script Types:

  1. Default Scripts:
    • Automatically used by Nmap for common tasks.
    • Example: nmap -sC [target] (runs default scripts)
  2. Safe Scripts:
    • Designed not to disrupt the target network.
    • Example: nmap --script safe [target]
  3. Intrusive Scripts:
    • Potentially disruptive; should be used with caution.
    • Example: nmap --script intrusive [target]
  4. Discovery:
    • Scripts for network and service discovery.
    • Example: nmap --script discovery [target]
  5. Vulnerability:
    • Identifies known vulnerabilities.
    • Example: nmap --script vuln [target]
  6. Authentication:
    • Tests for authentication mechanisms and weaknesses.
    • Example: nmap --script auth [target]
  7. Database:
    • Specific scripts for database servers.
    • Example: nmap --script "database* and safe" [target]
  8. Malware:
    • Checks for signs of infection or backdoors.
    • Example: nmap --script malware [target]

Using Script Arguments

  • Some scripts accept arguments for more specific control.
  • Example: nmap --script [script-name] --script-args=[arg]=[value] [target]

Combining Scripts and Scan Techniques

  • Scripts can be combined with standard Nmap scan techniques.
  • Example: nmap -sV --script=default,vuln [target]

Output and Debugging

  • Use verbose and debugging options for detailed script output.
  • Example: nmap --script [script] -d [target] (debugging mode)
  • Example: nmap --script [script] -v [target] (verbose mode)