Ethical Hacking is becoming a very popular and important field. In the coming years, cybercrime might become the greatest threat to every person, place, and thing in the world. The best defense is to be prepared.
Still not convinced it’s really worth it to learn these skills? If these stats from Cybint don’t convince you, I don’t know what will:
- There is a hacker attack every 39 seconds
- 64% of companies have experienced web-based attacks
- Since COVID-19, the US FBI reported a 300% increase in reported cybercrimes
- Total spending on cybersecurity will reach over $172 billion by the end of 2022
- Companies are desperate for cybersecurity workers and more than 700K positions need to be filled
There are a lot of Nmap commands that you can use that are very detailed and advanced. But the chances of ever needing to use them for the majority of users/students are quite low so I’ve kept this Nmap Cheat Sheet focusing on the most important commands that you need to know and will use most often.
Nmap overview: What is Nmap? Why is Nmap useful?
Nmap is an essential open-source tool for Ethical Hackers and Penetration testers. It was initially created by Gordon Lyon (aka Fyodor). The Nmap project itself does a great job describing the tool (see below) and what it does, so why reinvent the wheel?
Nmap (“Network Mapper”) is a free and open-source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
We can use `nmap -h` to display an extended help menu of Nmap. In this extended help menu, you can find an overview of all possible options, and which arguments some of them require in order to work. Note that you can also use `man nmap` to read an in-depth manual about Nmap.
Nmap is an interesting tool that can be used in various ways. You can scan one single target or multiple targets. Here is a list of examples, showing the ways you can target something:

| Command | Description |
|---|---|
| `nmap 192.168.1.1` | Scanning a single IP |
| `nmap example.com` | Scanning a hostname |
| `nmap 192.168.1.1-20` | Scanning an IP range |
| `nmap 192.168.1.0/24` | Scanning a subnet |
| `nmap -iL <_list.txt>` | Scanning from a predefined list of targets (one per line) |
Nmap scan types
Besides the basic `nmap <_target>`, we can also use various scan types in Nmap. Each of them has its own unique capabilities, but often also comes with the downside that one is noisier than another. Let us see which types we have:

| Scan type | Description | Root/Sudo required | Noise level |
|---|---|---|---|
| `-sS` | This is a TCP SYN scan, also known as a stealth scan. This scan only sends a SYN packet and awaits a SYN/ACK response. When Nmap receives a SYN/ACK on a specific probed port, it means the port exists on the machine and is open. This is a fast and pretty accurate scan, which you will use most of the time. | Required | Very Low |
| `-sT` | The -sT scan is more accurate than a -sS scan, but the downside is that it is slower, makes more noise, and is easily detected by well-configured firewalls. This is because it makes a full three-way handshake (or better said, a full TCP connection) with the host. | Not Required | Medium |
| `-sU` | This scan is used to scan for UDP ports. This is typically a slower and more difficult scan. Though most services use TCP, there are also services that use UDP, such as DNS, SNMP, and DHCP. So this scan is still useful, as there are still exploitable UDP services. Don't make the mistake of skipping this scan, you might find something! | Required | Medium |
| `-sn` | This is a simple and fast ping scan to see which hosts reply to ICMP ping packets. This is useful if you are on the same (sub)network as the IP range you are scanning and if you only want to know which devices are live. You can also get the same result by using -Pn. | Not Required | Very Low |
| `-sV` | This is a service version scan. In order to know what exploits will work, it is very helpful to know the service version behind an open port. It might be that a certain exploit only works in one specific version of a certain service, as it might be patched in a newer version. | Not Required | Medium |
| `-O` | This is a remote OS detection scan. We use this scan to learn what OS the target runs. This is very useful as it gives an idea of what kind of exploits might work on the target, and which exploits won't. Note that this scan only works if there is at least 1 open port and 1 closed port. | Required | Medium |
| `-A` | This is an aggressive scan. It performs OS detection, version detection, script scanning, and traceroute. Though it returns a lot of information, you will be alerting the target, as this is probably the noisiest scan. | Required | Very High |
Nmap port scanning
Sometimes you want to know if a certain port is open on a target, or perhaps you want to know ALL open ports on the target. Luckily, Nmap provides its users with ways to specify this:
| Option | Description |
|---|---|
| `-p <_port>` | Use -p <_port> to scan for one specific port on the target. |
| `-p <_start>-<_end>` | You can also use -p to scan for a range of ports; `-p 1-20 <_target>` would scan ports 1 to 20 on the target. |
| `-p <_port1>,<_port2>` | There is also the possibility to specify multiple specific ports by separating them with a comma. |
| `-p U:<_udp_port>,T:<_tcp_port>` | If you want to scan for both UDP and TCP ports, you can use U:<_udp_port> and T:<_tcp_port>, separated by a comma. |
| `-F` | The -F option tells Nmap to scan the 100 most common ports that can be open on a target. |
| `--top-ports <_#>` | With this option, you scan the top # ports, depending on what amount you provide. |
| `-p-` | This option tells Nmap to scan the target for all the known ports there are in the world... there are 65,535 ports in total. This will clearly make the scan take longer to finish. |
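The U:/T: prefixes described above apply to every port listed after them until the next prefix, and a bare `-` stands for the full 1-65535 range. This added example (not part of the original cheat sheet) expands such a port specification into one `proto/port` line per port so you can see exactly what a given `-p` argument covers before you run it:

```shell
#!/bin/sh
# Added example: expand an Nmap-style -p port specification such as
# "U:53,T:22,80-82" into one "proto/port" per line. Ports without a
# U:/T: prefix default to TCP, as Nmap does; "-" alone means 1-65535.
expand_portspec() {
  spec=$1
  proto=tcp                       # default protocol when no prefix is given
  old_ifs=$IFS; IFS=','
  for item in $spec; do
    case $item in
      U:*) proto=udp; item=${item#U:} ;;   # prefix is sticky for later items
      T:*) proto=tcp; item=${item#T:} ;;
    esac
    case $item in
      -)   lo=1; hi=65535 ;;               # "-p-" full range
      *-*) lo=${item%-*}; hi=${item#*-} ;; # explicit "lo-hi" range
      *)   lo=$item; hi=$item ;;           # single port
    esac
    # Reject anything outside the valid TCP/UDP port space instead of
    # silently passing it through.
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
      IFS=$old_ifs
      echo "invalid port spec item: $item" >&2
      return 1
    fi
    i=$lo
    while [ "$i" -le "$hi" ]; do
      echo "$proto/$i"
      i=$((i + 1))
    done
  done
  IFS=$old_ifs
}
```

Run `expand_portspec "U:53,T:22,80-82" | wc -l` to count how many probes a specification implies; a UDP list in particular grows your scan time quickly.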
Nmap timing options
Nmap allows for the use of “timing templates”, which allows the user to specify how aggressive they wish to be with their scans, while leaving Nmap to pick the exact timing values. There are 6 timing templates:
| Option | Description |
|---|---|
| `-T0` | T0 is the slowest scan, also referred to as the "Paranoid" template. This option is good for IDS evasion. |
| `-T1` | T1 is faster than T0, but is still referred to as the "Sneaky" template. This timing option is also a good choice for IDS evasion. |
| `-T2` | The T2 option is for a timely scan and is also known as the "Polite" timing option. This one slows the scan down, which results in less bandwidth usage and fewer target machine resources. |
| `-T3` | T3 is also known as the default scan timer. Using this template would be the same as not using it at all. This is what Nmap uses by default when no template is selected. |
| `-T4` | T4 is an option to speed up scans by assuming that you are on a reasonably fast and reliable network. This timing template is also referred to as the "Aggressive" template. |
| `-T5` | T5 is an insanely fast mode, assuming that you are on an extraordinarily fast network... or that you are willing to sacrifice some accuracy for speed. That is why it is also referred to as the "Insane" mode. |
Last but not least… Nmap provides us with scripts. These scripts come in categories:
- default
- discovery
We run a script in the following way: `nmap --script <_script/_script_group> <_target>`
Some scripts are very noisy, some not at all. Therefore, it is important to read what each script does and if it is easily detectable by the target or not.
Do note that you need to run `--script` scans as root/sudo.
Extras & Additional Resources
When you are doing a pentest, it is useful to use the -oN option to output your scan to a text file. This way, you can copy-paste it later into your pentest report. Here is how to do it: `nmap -oN <_filename.txt> <_target>`
You can also use multiple options in one scan. For example, this is probably the most common scan you will perform: `sudo nmap -sS <_target> -oN <_filename.txt>`
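Once the -oN file exists, you usually want only the open ports per host for the report rather than the whole transcript. This added example (not from the original cheat sheet) builds a constructed -oN file in the normal-output layout Nmap writes and pulls out the open ports with awk; the hosts, ports and timestamps in it are made up:

```shell
#!/bin/sh
# Added example: summarise the open ports recorded in an Nmap -oN (normal
# output) file. The scan file below is constructed for the example.
scan_file=$(mktemp)
cat >"$scan_file" <<'EOF'
# Nmap 7.93 scan initiated Tue Jan 10 10:00:00 2023 as: nmap -sS -oN scan.txt 192.168.1.10
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
443/tcp filtered https
Nmap scan report for web.example.test (192.168.1.11)
Host is up (0.0020s latency).
PORT   STATE SERVICE
53/udp open  domain
# Nmap done at Tue Jan 10 10:00:05 2023 -- 2 IP addresses (2 hosts up) scanned in 5.00 seconds
EOF

# Print "host port/proto service" for every port whose STATE is "open".
# The host is remembered from the preceding "Nmap scan report for" line,
# so the output stays correct for multi-host scans.
open_ports() {
  awk '
    /^Nmap scan report for/ { host = $5 }
    $2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print host, $1, $3 }
  ' "$1"
}

# Count open ports per host: a quick sanity check before writing up.
count_open() {
  open_ports "$1" | awk '{ n[$1]++ } END { for (h in n) print h, n[h] }' | sort
}

open_ports "$scan_file"
count_open "$scan_file"
```

Filtered ports (such as 443/tcp above) are deliberately left out; if you need them, change the `$2 == "open"` condition.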