
Nmap

This is an nmap cheatsheet for active information gathering.

Full commands examples

# Ping scan
nmap -sP 192.168.0.0/24

# Quick scan
nmap -T4 -F 192.168.1.1 -vvv

# Quick scan plus (more info but more aggressive; -O needs root)
nmap -sV -T4 -O -F --version-light 192.168.1.1 -vvv

# TCP SYN and UDP scan on selected ports, skipping host discovery (requires root)
nmap -sS -sU -Pn -p T:80,T:445,U:161 192.168.1.1

# Soft nmap
nmap -v -Pn -n -T4 -sT -sV --version-intensity=5 --reason 192.168.1.1

# Full nmap
nmap -v -Pn -n -T4 -sT -p- --reason 192.168.1.1

# Dedicated nmap
nmap -v -Pn -n -T4 -sV --version-intensity=5 -sT -p T:ports_found --reason <IP>

Extract Live IPs

nmap -n -sn 192.0.2.0/24 -oG - | awk '/Up$/{print $2}'

Extracting Live IPs with services

nmap 10.1.1.1 --open -oG scan-results; grep "/open" scan-results | cut -d " " -f 2 > exposed-services-ips
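The two one-liners above pull live IPs and exposed services out of grepable (-oG) output with awk, grep and cut. As an added example that is not part of the original cheatsheet, this Python parser does the same over a constructed -oG sample (TEST-NET addresses in 192.0.2.0/28, not real scan data) and shows why "open|filtered" UDP ports should not be counted as exposed.

```python
import re

# Constructed sample of `nmap -sV --open -oG -` output; not real scan data.
# Fields are tab-separated; each Ports entry is
# "port/state/proto/owner/service/rpc/version/" and entries are joined by ", ".
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV --open -oG - 192.0.2.0/28   (constructed sample)
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (998)
Host: 192.0.2.7 (db.example.test)\tStatus: Up
Host: 192.0.2.7 (db.example.test)\tPorts: 3306/open/tcp//mysql//MySQL 8.0.32/, 161/open|filtered/udp//snmp///\tIgnored State: filtered (997)
Host: 192.0.2.9 ()\tStatus: Down
# Nmap done -- 16 IP addresses (2 hosts up) scanned in 4.21 seconds
"""

HOST_RE = re.compile(r"Host: (\S+) \((.*)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname", "up", "ports": [(port, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip banner/footer comments
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.groups()
        rec = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["up"] = value == "Up"
            elif key == "Ports":
                for entry in value.split(", "):
                    port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                    # "open|filtered" (typical for UDP) is not a confirmed open port
                    if state == "open":
                        rec["up"] = True
                        rec["ports"].append((int(port), proto, service, version))
    return hosts


def live_ips(hosts):
    """Same result as the awk one-liner above: hosts reported as Up."""
    return sorted(ip for ip, rec in hosts.items() if rec["up"])


def exposed_services(hosts):
    """(ip, port, proto, service, version) for every confirmed-open port."""
    return sorted((ip, *p) for ip, rec in hosts.items() for p in rec["ports"])
```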

Target specification

nmap 192.168.1.1
nmap 192.168.1.1-10
nmap 192.168.1.0/24
nmap google.com
nmap 192.168.1.0/24 --exclude 192.168.1.1
nmap -iL targets.txt

Scan techniques

# TCP SYN port scan (default, root needed)
nmap -sS 192.168.1.1

# TCP CONNECT port scan (default without root privileges)
# Completes the full three-way handshake, so it is slower and noisier
nmap -sT 192.168.1.1

# UDP port scan
nmap -sU 192.168.1.1

# TCP ACK scan (maps firewall rules: filtered vs. unfiltered, not open/closed)
nmap -sA 192.168.1.1
# TCP Window scan (like ACK, but uses the window size to tell open from closed)
nmap -sW 192.168.1.1
# TCP Null scan (no flags set)
nmap -sN 192.168.1.1

# Ping scan
nmap -sP 192.168.0.0/24

Host discovery

# No scan, only list targets (get hostnames)
nmap -sL 192.168.1.1

# Disable port scanning, only host discovery
nmap -sn 192.168.1.1

# Disable host discovery, only port scanning; useful if a firewall drops ping probes
nmap -Pn 192.168.1.1

# Disable DNS resolution
nmap 192.168.1.1 -n

Services, ports and OS (fingerprinting)

nmap -p 20 192.168.1.1
nmap -p 20-100 192.168.1.1
nmap -p U:53,T:25-100 192.168.1.1
nmap -p http,https 192.168.1.1

# All ports
nmap -p- 192.168.1.1

# Fast port scan (100 most common ports)
nmap 192.168.1.1 -F

# Top X ports
nmap 192.168.1.1 --top-ports 2000

# Try to get service version
nmap 192.168.1.1 -sV

# Version detection intensity, 0 (light) to 9 (try every probe)
nmap 192.168.1.1 -sV --version-intensity 3

# Light mode but faster
nmap 192.168.1.1 -sV --version-light

# Equivalent to --version-intensity 9; most thorough but slowest
nmap 192.168.1.1 -sV --version-all

# Aggressive mode (OS Detection, version, script, traceroute)
nmap 192.168.1.1 -A

# OS Detection using TCP/IP
nmap 192.168.1.1 -O 

# Only attempt OS detection on hosts with at least one open and one closed port
nmap 192.168.1.1 -O --osscan-limit

# OS Scan guess more aggressive
nmap 192.168.1.1 -O --osscan-guess

# Set the maximum number of OS detection tries against a target
nmap 192.168.1.1 -O --max-os-tries 2

NSE Scripts

# Default script scanning, considered safe
nmap 192.168.1.1 -sC
nmap 192.168.1.1 --script default

# Run a specific script, optionally with script arguments
nmap 192.168.1.1 --script=<script-name>
nmap 192.168.1.1 --script=<script-name> --script-args <arg>=<value>

# Scan default, but remove intrusive scripts
nmap 192.168.1.1 --script "not intrusive"

MISC

# Scan speed (timing template)
# T0-T1 : Slow (useful for Intrusion Detection System evasion)
# T2-T3 : Normal (T3 is the default)
# T4-T5 : Aggressive (needs a reliable, fast network)
nmap 192.168.1.1 -T0

nmap 192.168.1.1 --host-timeout 10s

# Delay between probes
nmap 192.168.1.1 --scan-delay 1s
nmap 192.168.1.1 --max-scan-delay 2s

nmap 192.168.1.1 --max-retries 3

# Send no slower than 100 packets/second (--min-rate) or no faster than 100 packets/second (--max-rate)
nmap 192.168.1.1 --min-rate 100
nmap 192.168.1.1 --max-rate 100

# If you need to scan a large network in a short period of time,
# you can set a per-host timeout so slow hosts are given up on
# https://nmap.org/book/ncat-man-timing-options.html
nmap 192.168.0.0/16 --host-timeout <time>

Evading IDS

# Tiny fragmented packets
nmap 192.168.1.1 -f

# Set your own fragment size (must be a multiple of 8)
nmap 192.168.1.1 --mtu 32

# Cloak the scan with decoy source addresses (your real address is still among them)
nmap 192.168.1.1 -D 192.168.1.2

# Spoof the source IP address (replies go to the spoofed host, so no results come back; usually needs -e <iface> and -Pn)
nmap -S <spoofed-source-ip> <target>

# Use a specific source port
nmap 192.168.1.1 -g 53

# Proxy
nmap 192.168.1.1 --proxies http://X.X.X.X:8080

# Append random data to sent packets
nmap 192.168.1.1 --data-length 200

Output

# Save result (oN=normal oX=xml oG=grepable oA=all)
nmap 192.168.1.1 -oN scanResult.file

# Verbosity level (one v or more) and debugging level
nmap 192.168.1.1 -vvvvvv
nmap 192.168.1.1 -ddd

# Show the reason for each port state (enabled automatically by -d)
nmap 192.168.1.1 --reason

# Show only open ports
nmap 192.168.1.1 --open

# Show all packets sent and received
nmap 192.168.1.1 --packet-trace

# Show the host interface and routes
nmap 192.168.1.1 --iflist

# Resume an aborted scan from its normal (-oN) or grepable (-oG) output file
nmap --resume scan.file