Nmap (Network Mapper) is an open source tool for network exploration and security auditing, and this is a comprehensive Nmap cheatsheet for analyzing our network.


Zuhri


Introduction #

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Cheatsheet #

Beginner #

If you’re totally new to Nmap, you’ll want to start with some basic commands to get comfortable with it.

  • Domain IP
    This command scans a specific IP or domain:
nmap example.com
nmap 192.168.1.1
  • Range IP
    This command scans a range of IPs:
nmap 192.168.1.1-99
  • Subnet IP
    This command scans a subnet, which means the full range of IPs in that network:
nmap 192.168.1.0/24
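The three target forms above (single address, octet range, CIDR subnet) differ a lot in how many hosts they cover, and a practitioner usually wants to confirm that before scanning that the expanded list stays inside the range they are authorized to test. The following Python example is added here and is not part of the original cheatsheet or of Nmap itself; it expands the same target specs Nmap accepts (single IPv4 address, `a.b.c.x-y` octet range, CIDR block) into individual addresses and checks them against an allowed scope. Hostnames are passed through unchanged because resolving them needs the network.

```python
import ipaddress
import re

# Nmap-style octet range such as 192.168.1.1-99 (last octet only).
_OCTET_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})$")


def expand_target(spec: str) -> list[str]:
    """Expand one Nmap-style target spec into the addresses it covers.

    Covers: a single IPv4 address, a last-octet range (192.168.1.1-99)
    and a CIDR block (192.168.1.0/24). Anything else is treated as a
    hostname and returned as-is for Nmap to resolve.
    """
    m = _OCTET_RANGE.match(spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"bad octet range: {spec}")
        return [f"{prefix}{i}" for i in range(lo, hi + 1)]
    if "/" in spec:
        # strict=False accepts host bits set, e.g. 192.168.1.1/24, like nmap does
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]
    try:
        return [str(ipaddress.ip_address(spec))]
    except ValueError:
        return [spec]


def out_of_scope(specs, allowed_cidrs) -> list[str]:
    """Return every expanded address that is not inside one of allowed_cidrs.

    Unresolved hostnames are reported too: without resolving them we
    cannot prove they are in scope.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    bad = []
    for spec in specs:
        for addr in expand_target(spec):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                bad.append(addr)
                continue
            if not any(ip in net for net in allowed):
                bad.append(addr)
    return bad


if __name__ == "__main__":
    # Constructed scope: only the first half of 192.168.1.0/24 is authorized.
    for spec in ("192.168.1.1", "192.168.1.1-99", "192.168.1.0/24", "example.com"):
        print(f"{spec:18} -> {len(expand_target(spec))} address(es)")
    print("outside scope:", out_of_scope(["192.168.1.100-130"], ["192.168.1.0/25"]))
```

A `/24` expands to 256 addresses (including the network and broadcast addresses, which Nmap also probes), so the subnet form is the one most worth checking against an authorization list before it is run.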

Advanced #

Once you’ve covered the basics, it’s time to explore advanced techniques. These are commands that help you dig deeper, identify specific services, versions, and possible vulnerabilities.

  • Services Version Detection
    This command scans a specific IP or domain and detects the versions of the services it finds:
nmap example.com -sV
nmap 192.168.1.1 -sV
  • OS Detection
    This command scans the target and attempts operating system detection:
nmap example.com -O
  • Aggressive Full Scan
    This command runs an aggressive scan that combines OS detection, version detection, script scanning, and traceroute:
nmap example.com -A
  • Scan with Vulnerability NSE Script
    This command runs the NSE vulnerability scripts against the services it finds:
nmap example.com --script vuln
  • Database Vulnerability Scans
    To detect known vulnerabilities in databases like MySQL or PostgreSQL, you can use specialized scripts:
nmap -p 3306 --script mysql-vuln-cve2022 example.com
  • Brute-forcing Logins
    Many NSE scripts can attempt brute-forcing common logins. For example:
nmap -p 21 --script ftp-brute example.com
  • TCP ACK Scan for Firewall Testing
    This is one of those “ninja” techniques used to probe whether a firewall is blocking specific ports. The ACK scan (-sA) sends TCP packets without expecting a response. Instead, you observe how the firewall responds.
nmap -sA -p 80,443 example.com

This can help you detect firewall rules and identify open ports indirectly. If a port shows up as “unfiltered,” it means it’s likely open but hidden behind a firewall.

  • Idle Scan (Zombie Scan)
    The Idle Scan (-sI) is an advanced stealth scan that involves using an idle host (a “zombie”) to send packets. This way, your IP address never shows up on the target’s logs, making it an effective way to remain anonymous.
nmap -sI zombie_host example.com

Note: Idle scans can be challenging to set up because they rely on finding a suitable “zombie” machine with predictable IP IDs.

  • Timing Optimization with Aggressive Timing (Fast Scan)
    Scanning large networks or remote targets can be slow. Using aggressive timing (-T4 or -T5) can speed up scans significantly, though it may raise flags.
nmap -T5 example.com

Be careful with this, as highly aggressive timing can flood the target with requests, potentially alerting intrusion detection systems (IDS) or firewalls.

  • OS Fingerprinting with TCP/IP Stack Analysis
    The TCP/IP stack behavior of a device often reveals the operating system it’s running. Use the -O option with verbose output to increase accuracy:
nmap -O --osscan-guess -v example.com

This is particularly useful for advanced bug hunting as it helps tailor exploit payloads and understand the network environment.

  • Exploiting Timing Gaps with Slow Scans
    Some firewalls and IDSs detect scans based on packet frequency. Slowing down your scan with (-T1 or -T0) can help evade these systems:
nmap -T1 example.com

Pro Tip: Use slow scans when working with well-protected targets, as they can reveal information over time without tripping alarms.
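The timing options above (-T4/-T5 versus -T1/-T0) matter mainly because of how scan detectors work: a fast scan touches many distinct ports from one source within seconds, while a slow scan spreads the same probes over minutes. The following Python example is added here and is not part of the original cheatsheet or of Nmap; it is a simple defender-side detector that parses constructed firewall log lines (the `timestamp ACTION src= dst= dport=` layout is an assumption made for the example, not a real product's format) and flags any source that hits at least N distinct destination ports within a sliding time window. Running it with a short and a long window shows why a slow scan slips past a 60 second window and what window it takes to catch it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log layout for this example only:
# 2024-05-01T10:00:00 DROP src=10.0.0.5 dst=192.168.1.10 dport=1000
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_scans(lines, window_seconds=60, distinct_ports=10):
    """Return {src: max distinct dports seen in any window} for sources at or over the threshold."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append((ev["ts"], ev["dport"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            best = max(best, len(ports))
        if best >= distinct_ports:
            flagged[src] = best
    return flagged


def make_sample_logs():
    """Constructed sample traffic: a fast scan, a slow scan, and a normal client."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # 10.0.0.5: 20 ports in two seconds (what an aggressive -T5 scan looks like).
    for i in range(20):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} DROP src=10.0.0.5 dst=192.168.1.10 dport={1000 + i}")
    # 10.0.0.9: one port every 30 seconds (what a -T1 style slow scan looks like).
    for i in range(20):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} DROP src=10.0.0.9 dst=192.168.1.10 dport={2000 + i}")
    # 10.0.0.7: ordinary client, same port over and over.
    for i in range(15):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} ACCEPT src=10.0.0.7 dst=192.168.1.10 dport=443")
    return lines


if __name__ == "__main__":
    logs = make_sample_logs()
    print("60s window :", detect_port_scans(logs, window_seconds=60, distinct_ports=10))
    print("600s window:", detect_port_scans(logs, window_seconds=600, distinct_ports=10))
```

With a 60 second window only the fast scanner is flagged; the slow scanner never has more than three distinct ports inside any 60 second span. Widening the window to 600 seconds catches both, at the cost of more state per source, which is the trade-off an IDS tuning decision has to make.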

  • MAC Address Spoofing
    Some systems whitelist certain MAC addresses. Spoofing a MAC address can sometimes bypass access restrictions.
nmap --spoof-mac 00:11:22:33:44:55 example.com
  • Using Decoys to Mask Your IP
    Decoy scanning adds a layer of obfuscation by making it appear that multiple IP addresses are scanning the target. This can confuse IDSs, making it harder for defenders to pinpoint the true source of the scan.
nmap -D decoy1,decoy2,ME example.com
  • Fragmenting Packets
    Fragmented packets may evade certain firewalls or IDSs by breaking down the scan into small, inconspicuous packets.
nmap -f example.com
  • Randomizing Target Order
    Scanning hosts in a predictable sequence is another thing that can alert IDSs. Randomizing the scan order helps evade detection, especially when scanning multiple IPs or ranges.
nmap --randomize-hosts example.com
  • IP Range Scanning with Subnet Mask
    When bug hunting across multiple devices, using CIDR notation lets you target a broader range efficiently.
nmap -sP 192.168.1.0/24
  • Discovering Hidden Services with All-Ports Scans
    Some vulnerable services are hosted on unusual ports. Scanning every port can reveal these hidden gems.
nmap -p- example.com
  • Scanning IPv6 Addresses
    Some targets may expose different services on IPv6 than IPv4, as many assume it’s less monitored.
nmap -6 example.com
  • Banner Grabbing for Application Fingerprinting
    Banner grabbing captures information from services running on open ports, useful for identifying software and potential vulnerabilities.
nmap -sV --script=banner example.com
  • Port Scan with Intensity Levels
    This scans all ports (-p-) with a moderate intensity level (-T4), allowing a faster scan.
nmap -T4 -p- example.com
  • Finding Open Ports Only
    Filters out closed ports and saves you time when looking for vulnerable services.
nmap --open example.com
  • Stealth Scan
    The stealth scan (or SYN scan) sends SYN packets to avoid detection, helping to stay under the radar in some cases.
nmap -sS example.com
  • Tips for Avoiding Detection: Best Practices
    While using Nmap, detection is sometimes unavoidable, but a few tactics can help reduce your chances of being flagged.
    • Randomize Your Scan Timings: Use different timing options like -T2 or -T3 to reduce scan speeds and avoid generating noticeable traffic spikes.
    • Fragment Your Packets:
      Fragmenting packets can sometimes evade firewalls: -f
nmap -T2 -f example.com
  • Spoofing and Decoy Hosts
    Spoofing is a bit advanced but can help anonymize your scan:
nmap -D RND:10 example.com
  • Pro Tips for Effective Bug Hunting with Nmap
    Now, here’s where the real magic happens. These pro tips can turn a basic scan into a targeted, sophisticated bug-hunting operation.

    • Automate with NSE Scripts: Nmap’s scripting engine can automate complex tasks. Try using script categories such as --script=exploit to search for known exploits.
    • Logging Your Scans for Review:
nmap --script=exploit -oN output.txt example.com

Keeping a log of your scans can save tons of time when you’re revisiting a target.

  • Custom Port Range Based on Common Vulnerabilities
    Focus on ports often associated with vulnerabilities to save time.
nmap -p 21,22,80,443 example.com
  • NMAP Scanning with Default Scripts
    This scan determines the versions of services, runs the default NSE scripts, and writes the result to a file.
nmap -sC -sV example.com -oN result.txt
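Saving results with -oN is handy for reading, but the XML output (-oX result.xml) is what you want when you revisit a target and need to compare "what was open last time" with "what is open now". The Python example below is added here and is not code from the original cheatsheet or from Nmap; it flattens an Nmap XML report into one record per port, filters to open ports (the same idea as --open), and diffs two saved reports to list newly opened services. The two XML documents are constructed for the example, using TEST-NET documentation addresses, and only use elements and attributes that Nmap's XML format really emits (host, address, ports/port, state, service).

```python
import xml.etree.ElementTree as ET

# Constructed report from an earlier -sC -sV -oX run (not real scan output).
SCAN_OLD = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -oX result.xml example.com">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="closed"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed report from a later run: 3306 is now reachable and open.
SCAN_NEW = SCAN_OLD.replace(
    '<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>',
    '<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="8.0.36"/></port>',
)


def parse_nmap_xml(xml_text):
    """Flatten an Nmap XML report into a list of per-port dicts."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            rows.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return rows


def open_ports(rows):
    """Keep only ports Nmap reported as open (what --open would show)."""
    return [r for r in rows if r["state"] == "open"]


def new_open_ports(old_rows, new_rows):
    """Ports open in the new report that were not open in the old one."""
    before = {(r["host"], r["proto"], r["port"]) for r in open_ports(old_rows)}
    return [r for r in open_ports(new_rows)
            if (r["host"], r["proto"], r["port"]) not in before]


if __name__ == "__main__":
    old, new = parse_nmap_xml(SCAN_OLD), parse_nmap_xml(SCAN_NEW)
    for r in open_ports(new):
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['service']} {r['product']} {r['version']}".rstrip())
    for r in new_open_ports(old, new):
        print(f"NEW since last scan: {r['port']}/{r['proto']} {r['service']}")
```

Keeping the XML alongside the -oN text file costs nothing extra on the command line, and a diff like this is the quickest way to notice a database port that was filtered last month and is exposed today.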

Conclusion #

Nmap is a Swiss Army Knife: it is extremely useful for auditing a network and gathering information about the devices on it. There are still many more complex combinations out there, but I hope this page is useful for you.

Thank you!