Pentesting with Nmap Cheat Sheet

Best Boutique Pentesting Companies - Top Rated Pen Test Companies

Pentesting with Nmap

Pentesting (or penetration testing) is a type of cybersecurity test that identifies vulnerabilities, threats, and risks in networks, systems, and applications. While vulnerability scanning attempts to identify known vulnerabilities, a penetration test (or pen test) is intended to exploit the weaknesses to gain full situational awareness when it comes to cybersecurity including organizational risk, threats, vulnerabilities, and potential business impact.

Nmap is just one of many tools that a penetration tester may use during a pentest.

Why Do I Need A Pentest?

Pentesting is one of the best security practices that you can take.

Pentesting can evaluate your security controls and provide you with recommendations to enhance your overall security posture. Penetration testing can include real-world security tests using advanced hacking methods to help you identify your weaknesses and improve your security posture. Advanced penetration tests can also simulate attacks on your network using similar techniques as malicious attackers to see if you can identify active attacks!


Nmap Overview


Nmap

Nmap ("Network Mapper") is a free and open source utility for network discovery, security testing, and pentesting. Nmap can be used to map a network, scan for live hosts, discover open ports, enumerate services, identify operating systems, and so much more!

Nmap Default Scan Settings

  • Scans the 1,000 most common ports
  • Randomizes the scanned port order
  • Normal scan timing (-T3)
  • Standard user - TCP Connect() (-sT)
  • Root user - TCP SYN (-sS)

Port Statuses

  • open - An application is actively accepting connections
  • closed - A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it
  • filtered - Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall
  • unfiltered - The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only used for the ACK scan, which is used to map firewalls
  • open|filtered - Nmap is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response
  • closed|filtered - This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan

Print Version Number

Print the version number

nmap -V
nmap --version

Print Help Page

Print the help page

nmap -h
nmap --help

Scanning As Root

Certain Nmap scans must be run with root privileges.
You may receive an error: You requested a scan type which requires root privileges. QUITTING!
Add "sudo" to the command.

sudo nmap 

Canceling A Running Scan

You may need to cancel a scan if the scan is taking a long time or if you accidently started a scan.

Ctrl + c



Nmap: Discovery & DNS Resolution


List Scan

The list scan id a degenerate form of host discovery. It lists each host without sending any packets. This still performs reverse DNS resolution to learn the names of the hosts.

nmap -sL 192.168.1.0/24

Ping Scan / Do Not Port Scan

The Ping scan (disable port scan / no port scan) does not run a port scan after host discovery. This is one step more intrusive than the list scan.

nmap -sn 192.168.1.0/24

No Ping / Disable Ping

The No Ping scan (disable ping scan) skips the discovery stage altogether and forcefully scans every IP address.

nmap -Pn 192.168.1.0/24

No DNS Resolution

The No DNS Resolution scan does not perform DNS resolution. DNS can be slow and this type of scan may improve scanning times.

nmap -n 192.168.1.0/24

DNS Resolution For All Targets

The DNS Resolution scan performs DNS resolution for all targets. Normally DNS resolution is only performed against online hosts.

nmap -R 192.168.1.0/24



Nmap: Common Options


Scan A Single IP Address

Scan a single IP address using the default settings.

nmap 192.168.1.1

Scan Multiple IP Addresses

Scan multiple IP addresses by separating them with spaces.

nmap 192.168.1.1 192.168.1.2 192.168.1.3

Scan A Range Of IP Addresses

Scan a range of IP addresses.

nmap 192.168.1.50-100
nmap 192.168.1-20.50-100

Scan A CIDR Block

Scan a CIDR block.

nmap 192.168.1.0/24

Scan A Single Port

Scan a single port. The space is optional.

nmap -p 21 192.168.1.0/24
nmap -p21 192.168.1.0/24

Scan Multiple Individual Ports

Scan multiple ports by separating them with commas.

nmap -p 21,22,23 192.168.1.0/24
nmap -p21,22,23 192.168.1.0/24

Scan A Range Of Ports

Scan a range of ports using a dash.

nmap -p 21-23 192.168.1.0/24
nmap -p21,22,23,100-200 192.168.1.0/24
nmap -p21-23,100-200 192.168.1.0/24

Fast Limited Port Scan

The Fast port scan only scans the top 100 ports instead of the default top 1,000 ports

nmap -F 192.168.1.0/24

Scan Top Ports

Scan a specific number of top ports.

nmap --top-ports 10 192.168.1.0/24
nmap --top-ports 100 192.168.1.0/24
nmap --top-ports 1000 192.168.1.0/24

Scan (Almost) All Ports

Scan ports 1 - 65,535.

nmap -p- 192.168.1.0/24

Scan All Ports Including "0"

Scan ports 0 - 65,535. Port zero is invalid but nothing stops someone from specifying it in the header field. Some malicious trojan backdoors listen on port zero. This is a stealthy way to allow access without appearing on most port scans.

nmap -p 0-65535 192.168.1.0/24
nmap -p0-65535 192.168.1.0/24

Do Not Randomize Ports

Do not randomize the order of the ports. By default, the port order is randomized.

nmap -r 192.168.1.0/24

Only Show Open Ports

Only show the open ports.

nmap --open 192.168.1.0/24



Nmap: Not Just Port Scanning


Service Version Detection

Service version detection interrogates open ports to determine what is actually running. By default, Nmap only shows the status of the ports. Version detection will verify the service and display the version.

nmap -sV 192.168.1.0/24

Operating System Detection

Operating system detection uses TCP/IP stack fingerprinting. It sends a series TCP and UDP packets and examines every bit in the responses, performing dozens of tests.

nmap -O 192.168.1.0/24

OS, Service Version, Scripts, & Traceroute

Enable OS detection, servie version detection, script scanning, and traceroute.

nmap -A 192.168.1.0/24



Nmap: Exclusions


Exclude Hosts

Exclude specific IP addresses and networks from being scanned.

nmap --exclude 192.168.1.1,192.168.1.2 192.168.1.0/24

Exclude Ports

Exclude specific ports from being scanned.

nmap --exclude-ports 21,22,23 192.168.1.0/24

Do Not Exclude Any Ports

Do not exclude any ports. By default, some ports may be excluded including TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of HTTP GET requests, binary SSL session requests, etc.

nmap --allports 192.168.1.0/24



Nmap: Input & Output Files


Scan Hosts From A File

Scan IP addresses and networks listed in a file. There should be one IP address or CIDR per line.

nmap -iL targets.txt

Exclude Hosts From A File

Exclude IP addresses and networks listed in a file. There should be one IP address or CIDR per line.

nmap --excludefile exclude.txt 192.168.1.0/24

Save The Output In Normal Format

Save the output in normal format.

nmap -oN results.nmap 192.168.1.0/24

Save The Output In XML Format

Save the output in XML format.

nmap -oX results.xml 192.168.1.0/24

Save The Output In Grepable Format

Save the output in grepable format. This is deprecated.

nmap -oG results.gnmap 192.168.1.0/24

Save The Output In ScRipT Kidd|3 Format

Save the output in ScRipT Kidd|3 format.

nmap -oS results.txt 192.168.1.0/24

Save The Output In All Formats

Save the output in all formats excluding script kiddie format.

nmap -oA results 192.168.1.0/24



Nmap: Scan Types


TCP SYN Scan

The TCP SYN scan (stealth scan) is unobtrusive and stealthy because it never completes TCP connections. This is the default scan type for root users.

nmap -sS 192.168.1.0/24

TCP Connect Scan

The TCP Connect scan completes the connection. This take longer than the TCP SYN scan. The target network more likely to log TCP Connect scans than TCP SYN scans. This is the default scan type for normal users.

nmap -sT 192.168.1.0/24

UDP Scan

While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some penetration testers ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol.

nmap -sU 192.168.1.0/24

Nmap UDP Probes

Nmap interprets responses to UDP scan probes by:

  • open - Any UDP response from target port (unusual)
  • open|filtered - No response received (even after retransmissions)
  • closed - ICMP port unreachable error (type 3, code 3)
  • filtered - Other ICMP unreachable errors (type 3, code 1, 2, 9, 10, or 13)

ICMP Destination Unreachable Type 3 Code Values

Nmap only cares about codes 0–3, 9, 10, and 13, which are marked with an asterisk.

  • 0* - Network unreachable
  • 1* - Host unreachable
  • 2* - Protocol unreachable
  • 3* - Port unreachable
  • 4 - Fragmentation needed but don't-fragment bit set
  • 5 - Source route failed
  • 6 - Destination network unknown
  • 7 - Destination host unknown
  • 8 - Source host isolated (obsolete)
  • 9* - Destination network administratively prohibited
  • 10* - Destination host administratively prohibited
  • 11 - Network unreachable for type of service (TOS)
  • 12 - Host unreachable for TOS
  • 13* - Communication administratively prohibited by filtering
  • 14 - Host precedence violation
  • 15 - Precedence cutoff in effect

SCTP INIT Scan

SCTP is a relatively new alternative to TCP and UDP. SCTP combines characteristics of TCP and UDP while adding new features. The SCTP INIT scan is the SCTP equivalent of the TCP SYN scan.

nmap -sY 192.168.1.0/24

TCP ACK Scan

The TCP ACK scan never determines "open" or "open|filtered". It maps out firewall rulesets to determine if they are stateful or not, and which ports are filtered.

nmap -sA 192.168.1.0/24

TCP ACK Scan Probes

Nmap interprets responses to TCP ACK scan probes by:

  • unfiltered - TCP RST response
  • filtered - No response received (even after retransmissions)
  • filtered - ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)

TCP Window Scan

The TCP Window scan is the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when an RST is returned. It does this by examining the TCP Window value of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window.

nmap -sW 192.168.1.0/24

TCP Window Scan Probes

Nmap interprets responses to TCP Window scan probes by:

  • open - TCP RST response with non-zero window field
  • closed - TCP RST response with zero window field
  • filtered - No response received (even after retransmissions)
  • filtered - ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)

NULL, TCP FIN, and Xmas Scans

The NULL, TCP FIN, and Xmas scans are the same in behavior except for the TCP flags set in the probe packets. These scan types are a little stealthier than even a SYN scan. Most modern IDS products can be configured to detect them. The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Such firewalls try to prevent incoming TCP connections (while allowing outbound ones) by blocking any TCP packets with the SYN bit set and ACK cleared.

Null Scan

The Null scan does not set any bits (TCP flag header is 0).

nmap -sN 192.168.1.0/24

FIN Scan

The FIN scan only sets the TCP FIN bit.

nmap -sF 192.168.1.0/24

Xmas Scan

The Xmas scan sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

nmap -sX 192.168.1.0/24

Nmap NULL, FIN, Xmas Probes

Nmap interprets responses to NULL, FIN, and Xmas scan probes by:

  • open|filtered - No response received (even after retransmissions)
  • closed - TCP RST packet
  • filtered - ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)

ICMP Destination Unreachable Type 3 Code Values

Nmap only cares about codes 0–3, 9, 10, and 13, which are marked with an asterisk.

  • 0* - Network unreachable
  • 1* - Host unreachable
  • 2* - Protocol unreachable
  • 3* - Port unreachable
  • 4 - Fragmentation needed but don't-fragment bit set
  • 5 - Source route failed
  • 6 - Destination network unknown
  • 7 - Destination host unknown
  • 8 - Source host isolated (obsolete)
  • 9* - Destination network administratively prohibited
  • 10* - Destination host administratively prohibited
  • 11 - Network unreachable for type of service (TOS)
  • 12 - Host unreachable for TOS
  • 13* - Communication administratively prohibited by filtering
  • 14 - Host precedence violation
  • 15 - Precedence cutoff in effect

TCP Maimon Scan

The Maimon scan is named after its discoverer, Uriel Maimon. This technique is the same as NULL, FIN, and Xmas scan, except that the probe is FIN/ACK. According to RFC 793 (TCP), an RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open.

nmap -sM 192.168.1.0/24

TCP Maimon Scan Probes

Nmap interprets responses to TCP Maimon scan probes by:

  • open|filtered - No response received (even after retransmissions)
  • closed - TCP RST packet
  • filtered - ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)

TCP Idle Scan

The TCP Idle scan is the ultimate stealth scan. It takes far longer than most other scan types. A 15 second SYN scan could take 15+ minutes as a TCP Idle scan. Targets will be scanned without sending packets from the attacking IP address. A side-channel attack bounces the scan off of a dumb "zombie host".

nmap -sI 192.168.1.0/24

Finding An Idle Scan Zombie Host

The first step in a TCP Idle scan is to find a zombie host. The zombie host needs to assign IP ID packets incrementally on a global basis instead of a per-host basis. There are many suitable zombie hosts on the Internet but using one is illegal without permission.

Technique 1: Perform a port scan and OS identification (-O) on the zombie candidate network rather than just a ping scan to help in selecting a good zombie host. As long as verbose mode (-v) is enabled, OS detection will usually determine the IP ID Sequence Generation type of "Incremental" or "Broken little-endian incremental".

nmap -O -v 192.168.1.0/24

Technique 2: Run the ipidseq NSE script against the zombie candidate network.

nmap --script ipidseq --script-args probeport=80

IP Protocol Scan

The IP Protocol scan determines which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. Yet it still uses the "-p" option to select scanned protocol numbers, reports its results within the normal port table format, and even uses the same underlying scan engine as the true port scanning methods. So it is close enough to a port scan that it belongs here.

nmap -sO 192.168.1.0/24

IP Protocol Scan Probes

Nmap interprets responses to IP Protocol scan probes by:

  • open - Any response in any protocol from target host
  • closed - ICMP protocol unreachable error (type 3, code 2)
  • filtered - ICMP unreachable error (type 3, code 1, 3, 9, 10, or 13)
  • open|filtered - No response received (even after retransmissions)

TCP FTP Bounce Scan

The TCP FTP bounce scan uses FTP servers to port scan other hosts.

nmap -b ftp.domain.com 192.168.1.0/24



Nmap: Cloaking & Spoofing


Cloak A Scan With Decoys

The Decoy scan cloaks a scan with decoy IP addresses. This still includes your source IP. An IDS may report multiple port scans from unique IP addresses.

nmap -D [,] 192.168.1.0/24

Spoof The Source IP Address

Spoof the source IP address. You must include "-Pn" and "-e".

nmap -S  192.168.1.0/24
nmap -Pn -e [eth0/lo] -S  192.168.1.0/24



Nmap: Advanced Options


Timing Template

Nmap offers six timing templates to allow you to specify how aggressive you would like to scan.

  • 0 - paranoid
  • 1 - sneaky
  • 2 - polite
  • 3 - normal
  • 4 - aggressive
  • 5 - insane
nmap -T[0-5] 192.168.1.0/24

Host Timeout

The host timeout sets the maximum time to spend on each host.

nmap --host-timeout 1m 192.168.1.0/24

Fragment Packets

Fragment packets use tiny fragmented IP packets to split up the TCP header over several packets. This makes it harder for a packet filter or IDS to detect the activity.

nmap -f 192.168.1.0/24

Verbosity

There are 9 levels of verbosity (-4 to 4).

nmap -v 192.168.1.0/24
nmap -vv 192.168.1.0/24
nmap -vvv 192.168.1.0/24
nmap -v3 192.168.1.0/24
nmap -v-3 192.168.1.0/24

Debugging

There are 7 levels of debugging (0 to 6).

nmap -d 192.168.1.0/24
nmap -dd 192.168.1.0/24
nmap -d2 192.168.1.0/24
nmap -d6 192.168.1.0/24

Runtime Interaction

Increase / decrease the verbosity level.

v / V

Increase / decrease the debugging level.

d / D

Turn on / off packet tracing.

p / P

Print a runtime interaction help screen.

?

Print out a status message.

Any other key



Nmap: Scripting Engine


Nmap Scripting Engine

The Nmap Scripting Engine (NSE) runs simple scripts built in the Lua programming language. These scripts can help automate tasks.

Listing Nmap Scripts

List Nmap scripts.

ls -l /usr/share/nmap/scripts/

List "http-*" scripts (Notice the space in the command " http-").

ls -l /usr/share/nmap/scripts/ | grep " http-"

List "http-*" scripts, excluding "cve"

ls -l /usr/share/nmap/scripts/ | grep " http-" | grep -v cve

Scripting Engine Usage 1

NSE scripts

--script |||[,...]
--script=|||[,...]

Script arguments

--script-args =,={=},={,}

Scripting Engine Usage 2

Select a specific script.

nmap --script=http-headers

Select a specific script, specifying port and version detection.

nmap -p80,443 -sV --script=http-headers

Use the '*' wildcard to run all "http-*" scripts.

nmap --script "http-*"

Scripting Engine Categories

  • Auth
  • Broadcast
  • Default
  • Discovery
  • DoS
  • Exploit
  • External
  • Fuzzer
  • Intrusive
  • Malware
  • Safe
  • Version
  • Vuln

Scripting Engine Usage 3

Load scripts in the default category or the safe category or both.

nmap --script "default or safe"
nmap --script "default,safe"

Load scripts in both the default and safe categories.

nmap --script "default and safe"

Scripting Engine Usage 4

Load every script except for those in the intrusive category.

nmap --script "not intrusive"

Load scripts in the default or safe categories, except http

nmap --script "(default or safe) and not http-*"

Script Timeout

Set a script timeout.

nmap --script-timeout 5m 192.168.1.0/24



Nmap: Example Commands


Example Nmap Scans

No DNS resolution, fast scan, do not exclude any ports, version detection, OS detection, no external scripts.

sudo nmap -n -F -r --allports -A -sT -T5 --script "not external" 

Add decoy IP addresses and a spoofed IP.

sudo nmap -n -F -r --allports -A -sT -T5 -D  -S  --script "not external" 

Scan all ports.

sudo nmap -n -p- -r --allports -sV -O -sT -T5 -D  -S  --script "not external" 



Zenmap


Zenmap

Zenmap is the official Nmap Security Scanner GUI. It is multi-platform, free and open source, and easy for beginners to use.




Best Pen Test Companies

Central InfoSec was rated the "best boutique pentesting company" and the "best pentesting firm" by two independent third-party organizations that review many contributing factors.




Professional Security Services Offered by Central InfoSec

Central InfoSec offers a variety of professional security services including:

  • Red Teaming
    • Attack simulation to test, measure, and improve your detection and response
  • Penetration Testing
  • Password Audit
    • Detection of weak passwords to help you improve your password policies
  • C2 & Pivot Testing
    • Command and control (C2) communications, pivoting, and data exfiltration testing



Best Boutique Pentesting Company

Central InfoSec was named Best Boutique Pentesting Company in the Global 100 Awards.

Central InfoSec Best Boutique Pentesting Company


Best Pentesting Firm

Central InfoSec was also named Best Pentesting Firm in the Corporate Excellence Awards.

Central InfoSec Best Pentesting & Security Consulting Firm

"Central InfoSec helps organizations by discovering network and web application vulnerabilities before the hackers do!"


Central InfoSec is an award-winning cyber security company that offers professional security services including Red Teaming and Penetration testing.

The Central InfoSec team consists of skilled security professionals bringing decades of red teaming, penetration testing, web application, and exploitation experience. Central InfoSec team members have achieved industry leading professional certifications including CRTO, OSCP, OSWP, GXPN, GPEN, GCPN, GWAPT, GMOB, AWS-CSS, PNPT, PenTest+, CEH, CISSP, and more.

Contact Central InfoSec Today!

Don't wait for a data breach to invest into your cybersecurity.

Central InfoSec can uncover your vulnerabilities before the cyber criminals do!