Updating the NMAP cheat sheet

Omar Santos 2018-12-26 21:46:02 -05:00 committed by GitHub
parent 9d52fb87b9
commit 06dbb48456
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -27,6 +27,16 @@ If no port range is specified, Nmap scans the 1,000 most popular ports.
- Open/Filtered: This indicates that the port was filtered or open but Nmap couldnt establish the state. - Open/Filtered: This indicates that the port was filtered or open but Nmap couldnt establish the state.
- Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldnt establish the state. - Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldnt establish the state.
## Scan Types
-`-sn`: Probe only (host discovery, not port scan)
-`-sS`: SYN Scan
-`-sT`: TCP Connect Scan
-`-sU`: UDP Scan
-`-sV`: Version Scan
-`-O`: Used for OS Detection/fingerprinting
-`--scanflags`: Sets custom list of TCP using `URG ACK PSH RST SYN FIN` in any order
## Probing Options ## Probing Options
- `-Pn`: Don't probe (assume all hosts are up) - `-Pn`: Don't probe (assume all hosts are up)
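Review bot: the `--scanflags` entry is missing a word; "Sets custom list of TCP using `URG ACK PSH RST SYN FIN` in any order" should read "Sets a custom list of TCP flags using `URG ACK PSH RST SYN FIN` in any order". The new Scan Types bullets also omit the space after the dash (`-`-sn``, `-`-sS``, ...), whereas the existing Probing Options entries below use "- `-Pn`"; add the space so the list style matches the rest of the file. A short caveat would help readers choosing between the two TCP scans: `-sS` needs raw-packet privileges (root or equivalent), and Nmap falls back to `-sT` when it does not have them, which is why both are listed. While here, "couldnt" in the two Open/Filtered and Closed/Filtered context lines above is missing its apostrophe.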
@ -36,6 +46,25 @@ If no port range is specified, Nmap scans the 1,000 most popular ports.
- `-PP`: Using ICMP Timestamp Request - `-PP`: Using ICMP Timestamp Request
- `-PM`: Using ICMP Netmask Request - `-PM`: Using ICMP Netmask Request
## Timing Options
`-T0` (Paranoid): Very slow, used for IDS evasion
`-T1` (Sneaky): Quite slow, used for IDS evasion
`-T2` (Polite): Slows down to consume less bandwidth, runs ~10 times slower than default
`-T3` (Normal): Default, a dynamic timing model based on target responsiveness
`-T4` (Aggressive): Assumes a fast and reliable network and may overwhelm targets
`-T5` (Insane): Very aggressive; will likely overwhelm targets or miss open ports
## Fine-Grained Timing Options
`--min-hostgroup/max-hostgroup <size> `: Parallel host scan group sizes
`--min-parallelism/max-parallelism <numprobes>`: Probes parallelization
`--min-rtt-timeout/max-rtttimeout/initial-rtt-timeout <time>`: Specifies probe round trip time.
`--max-retries <tries>`: Caps number of port scan probe retransmissions.
`--host-timeout <time>`: Gives up on target after this long
`--scan-delay/--max-scan-delay <time>`: Adjusts delay between probes
`--min-rate <number>`: Send packets no slower than `<number>` per second
`--max-rate <number>`: Send packets no faster than `<number>` per second
## Nmap Scripting Engine ## Nmap Scripting Engine
The full list of Nmap Scripting Engine scripts: http://nmap.org/nsedoc/ The full list of Nmap Scripting Engine scripts: http://nmap.org/nsedoc/
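Review bot: `--max-rtttimeout` in the round-trip-time entry is misspelled; the Nmap option is `--max-rtt-timeout` (hyphen between rtt and timeout), and a reader copying the line as written will get an unrecognized-option error. There is also a stray trailing space inside the backticks in `` `--min-hostgroup/max-hostgroup <size> ` ``. Formatting: the Timing Options and Fine-Grained Timing Options entries carry no "- " list marker, unlike every other section of this file, so Markdown will fold each run of consecutive lines into a single paragraph; prefix each entry with "- " as the Probing Options lines above do. Minor wording: "Specifies probe round trip time." describes a timeout, not the RTT itself; "Bounds the probe round-trip timeout" is closer to what the three options do.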
@ -91,4 +120,16 @@ The most common Nmap scripting engine categories:
- version: Measure the version of software or protocols on the target hosts. - version: Measure the version of software or protocols on the target hosts.
- vul: Measure whether target systems have a known vulnerability. - vul: Measure whether target systems have a known vulnerability.
## Output Options
`-oN`: Standard Nmap output
`-oG`: Greppable format
`-oX`: XML format
`-oA`: <basename> Generate Nmap, Greppable, and XML output files using basename for files
## Additional Options
`-n`: Disables reverse IP address lookups
`-6`: Uses IPv6 only
`-A`: Uses several features, including OS Detection, Version Detection, Script Scanning (default), and traceroute
`--reason`: Displays the reason Nmap thinks that the port is open, closed, or filtered
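Review bot: the `-oA` entry has its argument on the wrong side of the backticks (`` `-oA`: <basename> Generate ... ``); it should be `` `-oA <basename>` ``. As written the bare `<basename>` sits outside code formatting, and GitHub-flavoured Markdown treats it as an HTML tag and drops it from the rendered page. The same applies to `-oN`, `-oG` and `-oX`, which all take a filename; show them as `` `-oN <file>` `` and so on so the four output options read consistently. The Output Options and Additional Options entries also lack the "- " list marker used elsewhere in the file, so consecutive lines will render as one paragraph. For `-A`, "Script Scanning (default)" is ambiguous; "default script scan (`-sC`)" says what is meant. Drive-by on the context line above: the NSE category is spelled `vuln`, not `vul`.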