The Essential Nmap Cheat Sheet for Quick Reference

Nmap (Network Mapper) is an open-source tool for network exploration and security auditing. Widely used by network administrators, it’s crucial for vulnerability scanning and network inventory. This cheat sheet provides a quick reference to the most commonly used Nmap commands and options, ideal for both beginners and experienced users.

Basic Scanning Techniques

  1. Basic Network Scan: Command: nmap [target] - Scans the most common 1000 TCP ports of a single host.
  2. Scan Multiple IPs or Subnets: Command: nmap [target1] [target2] ... - Targets are separated by spaces; hostnames, IP ranges and CIDR blocks are all accepted.
  3. Ping Scan (No Port Scan): Command: nmap -sn [target] - Only determines which hosts are up.

Advanced Scanning Options

  1. TCP SYN Scan (Stealth Scan): Command: nmap -sS [target] - Never completes the TCP handshake, so it is less intrusive and stealthier than a connect scan. Requires raw-socket privileges.
  2. UDP Scan: Command: nmap -sU [target] - For scanning UDP ports. It's slower but essential for a complete security audit.
  3. Aggressive Scan: Command: nmap -A [target] - Provides a more comprehensive output, including OS detection, version detection, script scanning, and traceroute.
  4. Version Detection: Command: nmap -sV [target] - Detects the service and version running on each open port.

Output Options

  1. Saving Output in a Specific Format: Command: nmap -oX [output.xml] [target] (XML format) - Other formats are -oN for normal, -oG for grepable, and -oA [basename] to write all three at once.
  2. Verbose Output: Command: nmap -v [target] - Provides more detailed output.

Scripts

Nmap’s scripting engine (NSE) is one of its most powerful and flexible features. It allows users to write (or use existing) scripts to automate a wide variety of networking tasks. This cheat sheet covers some of the most useful Nmap scripts for network discovery, vulnerability detection, and more.

Understanding Nmap Script Types:

  1. Default Scripts: - The set Nmap runs for common tasks when script scanning is requested without a script list. - Example: nmap -sC [target] (runs the default scripts; -A includes them as well)
  2. Safe Scripts: - Designed not to disrupt the target network. - Example: nmap --script safe [target]
  3. Intrusive Scripts: - Potentially disruptive, so they should be used with caution and only against systems you are authorized to test. - Example: nmap --script intrusive [target]

Popular Script Categories

  1. Discovery: - Scripts for network and service discovery. - Example: nmap --script discovery [target]
  2. Vulnerability: - Identifies known vulnerabilities. - Example: nmap --script vuln [target]
  3. Authentication: - Tests for authentication mechanisms and weaknesses. - Example: nmap --script auth [target]
  4. Database: - There is no dedicated database category, so database scripts are selected by name pattern and combined with a category. - Example: nmap --script "mysql-* and safe" [target]
  5. Malware: - Checks for signs of infection or backdoors. - Example: nmap --script malware [target]

Using Script Arguments

Some scripts accept arguments, passed with --script-args, for more specific control over what they probe.

Combining Scripts and Scan Techniques

Scripts can be combined with any of the standard Nmap scan techniques above; the scan type determines which ports are found open, and the scripts then run against those ports.

Output and Debugging

Use the verbose (-v) and debugging (-d) options for detailed script output when a script returns nothing or behaves unexpectedly.