
The Ultimate Nmap Cheat Sheet: A Guide to Network Scanning

Updated: May 1, 2023



Nmap is a powerful tool for network exploration, management, and security auditing. It allows you to discover hosts and services on a computer network, as well as create a map of the network topology. With its flexibility and broad range of features, Nmap can be used for a variety of tasks such as network inventory, vulnerability assessment, and penetration testing.

In this blog post, we will provide a complete Nmap cheat sheet to help you get started with this tool. Whether you are a beginner or an experienced user, this cheat sheet will provide you with the essential Nmap commands, options, and techniques to make the most of your Nmap scans.


Basic Nmap Commands:-

  • Scan a Single Host: nmap <host>

This command will scan a single host and report basic information about it such as open ports and the services listening on them (operating system detection is a separate option, -O, and is not part of the default scan).


  • Scan a Range of IP Addresses: nmap <start-ip>-<end-octet>

This command will scan a range of IP addresses, for example, nmap 192.168.1.1-10, to scan the IP addresses from 192.168.1.1 to 192.168.1.10.


  • Scan a Subnet: nmap <subnet>

This command will scan an entire subnet, for example, nmap 192.168.1.0/24, to scan all the IP addresses in the subnet 192.168.1.0 with a netmask of 255.255.255.0.


  • Scan Multiple Hosts: nmap <host1> <host2> <host3>

This command will scan multiple hosts, for example, nmap 192.168.1.1 192.168.1.2 192.168.1.3, to scan three hosts.


  • Scan Hosts from a File: nmap -iL <file>

This command will scan hosts from a file, for example, nmap -iL hosts.txt, to scan hosts listed in the file hosts.txt.


Nmap Options:-


1. Scan Types

Nmap supports several scan types, which determine the way the scan is conducted. The most commonly used scan types are:

  • TCP SYN scan (-sS): This is the default scan type when Nmap runs with raw-packet privileges (for example as root). It sends a SYN packet to each port and classifies the port as open, closed, or filtered from the reply without completing the TCP handshake.

  • TCP connect scan (-sT): This scan type establishes a full TCP connection with the target host to determine if the port is open.

  • UDP scan (-sU): This scan type sends UDP packets to each port to determine if it is open or closed. Because many UDP services do not answer an empty probe, ports that give no reply are reported as open|filtered rather than open.


2. Port Scanning Options

Nmap provides several options to specify the ports to scan. The most commonly used options are:

  • Scan all ports (-p-): This option will scan all 65,535 ports.

  • Scan specific ports (-p <port>): This option will scan a specific port, for example, nmap -p 80 <host> will scan port 80 on the host.

  • Scan a range of ports (-p <start-port>-<end-port>): This option will scan a range of ports, for example, nmap -p 1-100 <host> will scan ports 1 to 100 on the host.

  • Scan the most common ports (-F): This option will scan the 100 most common ports.


3. Timing Options

Nmap provides several timing options that control the speed and aggressiveness of the scan. The most commonly used timing options are:

  • Paranoid and sneaky modes (-T0, -T1): These options slow the scan down sharply, sending one probe at a time with long waits between probes, to avoid detection by intrusion detection systems.

  • Polite mode (-T2): This option will slow down the scan to reduce bandwidth use and network congestion.

  • Normal mode (-T3): This is the default mode, which balances speed and accuracy.

  • Aggressive and insane modes (-T4, -T5): These options will speed up the scan to get results quickly; -T4 assumes a fast and reliable network, and -T5 may sacrifice accuracy for speed.

4. Output Options

Nmap provides several output options to save the results of the scan. The most commonly used output options are:

  • Save results to a file (-oN <file>): This option will save the results to a file in a normal format.

  • Save results in XML format (-oX <file>): This option will save the results in XML format, which can be easily parsed by other tools.

  • Save results in grepable format (-oG <file>): This option will save the results in a format that can be easily searched and filtered using grep.

  • Save results in all formats (-oA <basename>): This option will write all three formats at once, using <basename> as the filename prefix: <basename>.nmap (normal), <basename>.xml (XML), and <basename>.gnmap (grepable).
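The XML output is the format to use when scan results feed another tool, for instance when comparing what is actually listening against an inventory of approved services. The Python example below is added here and is not part of the original post or of Nmap; it parses the -oX structure (nmaprun, host, status, address, ports/port/state/service) with the standard library, keeps only hosts that were up, and reports open ports that are missing from a baseline allowlist. The XML document and the baseline are constructed for the demo, and the allowlist format {ip: {(protocol, port), ...}} is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

PortRecord = Tuple[str, int, str, str]          # (protocol, port, state, service)

# Constructed sample in the layout nmap -oX produces; not real scan output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 1-1024 -oX scan.xml 192.168.1.0/24" version="7.93">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:11:22" addrtype="mac"/>
    <hostnames><hostname name="web01.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
  <runstats><finished elapsed="60.0"/><hosts up="2" down="1" total="3"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> Dict[str, List[PortRecord]]:
    """Return {ip: [(protocol, port, state, service), ...]} for each host that was up."""
    root = ET.fromstring(xml_text)
    results: Dict[str, List[PortRecord]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                        # skip hosts that did not respond
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
                break
        if ip is None:
            continue
        records: List[PortRecord] = []
        for port in host.iter("port"):
            state = port.find("state").get("state")
            service = port.find("service")
            records.append((port.get("protocol"), int(port.get("portid")), state,
                            service.get("name", "") if service is not None else ""))
        results[ip] = records
    return results


def open_ports(results: Dict[str, List[PortRecord]]) -> Set[Tuple[str, str, int]]:
    """(ip, protocol, port) for every port nmap confirmed open.
    open|filtered (typical for UDP) is excluded because it is unconfirmed."""
    return {(ip, proto, port)
            for ip, records in results.items()
            for proto, port, state, _svc in records
            if state == "open"}


def unexpected_services(results: Dict[str, List[PortRecord]],
                        baseline: Dict[str, Set[Tuple[str, int]]]) -> List[Tuple[str, str, int]]:
    """Open ports that are not in the per-host allowlist; an unlisted host has an empty allowlist."""
    return sorted((ip, proto, port)
                  for ip, proto, port in open_ports(results)
                  if (proto, port) not in baseline.get(ip, set()))


if __name__ == "__main__":
    # Constructed allowlist: web01 is approved for SSH and HTTP only.
    approved = {"192.168.1.10": {("tcp", 22), ("tcp", 80)}}
    for ip, proto, port in unexpected_services(parse_nmap_xml(SAMPLE_XML), approved):
        print(f"unexpected open port: {ip} {proto}/{port}")
```

On the sample document this flags tcp/3306 on 192.168.1.10, the kind of finding that should trigger a look at why a database is reachable from the scanned network. Hosts that nmap reported down do not appear in the results at all, so a host missing from the output is a different question (host discovery, -sn) from a host with no open ports.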

5. Other Options

Nmap provides several other options that can be useful in certain situations. Some of these options include:

  • Perform a ping sweep (-sn): This option will only perform a ping sweep to determine if the host is up or down, without scanning any ports.

  • Disable DNS resolution (-n): This option will disable DNS resolution, which can speed up the scan.

  • Perform a traceroute (--traceroute): This option adds a traceroute to each target host. Nmap runs it after the port scan so it can use the port and protocol most likely to get a reply, and the resulting hop list helps identify the network path and any bottlenecks.

Conclusion

Nmap is a powerful tool that can be used for a variety of purposes, including network mapping, vulnerability scanning, and penetration testing. By understanding the basic commands and options of Nmap, you can perform a wide range of scans to gather information about your network and identify any potential security risks. This Nmap cheat sheet provides a quick reference guide to the most commonly used commands and options, but there is much more to explore in Nmap. With practice and experimentation, you can become an expert in using Nmap to secure your network.
