Nmap Cheat Sheet
The Nmap command in my header image is the same one Trinity used in The Matrix Reloaded (2003). But have you wondered what -sS or -O actually does? I thought I’d share my cheat sheet, which may come in handy as a quick reference for TryHackMe or HackTheBox.
First, a quick breakdown of the command Trinity used: nmap -v -sS -O 10.2.2.2
-v - Verbose mode. Prints additional information while scanning, such as scan timing and the number of hosts and ports scanned.
-sS - The scan type. In this case a TCP SYN scan, also known as a stealth scan (a half-open scan that never completes the TCP handshake).
-O - Operating system detection. If you look closely at Trinity’s output, no OS was matched.
Types
-s Scan Types
-P Ping Types
Scans
-sA TCP ACK Scan
-sT TCP scan
-sF FIN scan
-sI Idle scan
-sL List scan (reverse-DNS lookups only; no probes are sent to the targets)
-sN NULL scan
-sO Protocol scan
-sP Ping scan (legacy spelling; now -sn)
-sR RPC scan (now an alias for -sV version detection)
-sS TCP SYN scan
-sW Window scan
-sX XMAS scan
Pings
-PP ICMP Timestamp Ping
-PS TCP SYN Ping
-PT TCP Ping (older releases; -PA in current Nmap)
-P0 No Ping (older releases; -Pn in current Nmap)
-PI ICMP Echo Ping (older releases; -PE in current Nmap)
Firewall/IDS Evasion and Spoofing
-D Decoy scan. Makes the scan appear to come from additional IP addresses (the decoys) as well, such as the sysadmin’s host.
<IP> The IP address(es) you want to use as decoys.
RND:# Use this many randomly generated IP addresses as decoys.
nmap -D RND:10 [target]
nmap -D 10.0.3.24,10.0.3.25 [target]
Timing (how quickly it scans; slower templates are less likely to trigger detection)
-T0 Paranoid
-T1 Sneaky
-T2 Polite
-T3 Normal
-T4 Aggressive
-T5 Insane
Other
-F Fast mode: scan fewer ports (the 100 most common instead of the default 1000)
Nmap Scripting Engine (NSE)
nmap --script=<name> - Run the specified script(s) or script category
nmap -sC - Use the default scripts. Same as --script=default
Stateful Firewalls
If an ACK scan (-sA) shows some ports as filtered, a stateful firewall is likely in place.
Method: nmap -sN 10.2.2.2 - Send a TCP packet with no flags set
nmap -sF 10.2.2.2 - Send a packet with only the FIN bit set
nmap -sX 10.2.2.2 - Send an XMAS packet (FIN, PSH and URG bits set)
The first command sends a TCP packet with no flags, the second sets only the FIN bit, and the last sets the FIN, PSH, and URG bits. This can trick non-stateful firewalls into giving up information about a port’s state.
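The three scans above differ only in which TCP flag bits the probe carries, and that is exactly what lets a defender recognise them on the wire. The following Python script is an added example, not code from the original post or from the Nmap project: it maps each packet’s TCP flags byte to a NULL, FIN or XMAS probe and tallies the probes per source address over a small constructed log. The log format, the function names (classify_flags, find_probe_sources) and the alert threshold are assumptions made for this example.

```python
"""Added example: classify TCP flag combinations to spot NULL, FIN and XMAS probes."""
from collections import Counter, defaultdict

# TCP flag bit values in the flags byte (RFC 793).
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


def classify_flags(flags: int) -> str:
    """Map a TCP flags byte to the nmap probe type it matches.

    NULL  -> no flags set              (nmap -sN)
    FIN   -> only FIN set              (nmap -sF)
    XMAS  -> exactly FIN+PSH+URG set   (nmap -sX)
    Everything else is labelled "normal". The check is stateless, so it does
    not try to recognise SYN scans, which look like ordinary connection
    attempts when viewed one packet at a time.
    """
    relevant = flags & ALL_FLAGS
    if relevant == 0:
        return "NULL"
    if relevant == FIN:
        return "FIN"
    if relevant == (FIN | PSH | URG):
        return "XMAS"
    return "normal"


def parse_record(line: str):
    """Parse one constructed log record: '<src> <dst> <dport> <flags-hex>'."""
    src, dst, dport, flags_hex = line.split()
    return src, dst, int(dport), int(flags_hex, 16)


def find_probe_sources(lines, threshold: int = 3) -> dict:
    """Count NULL/FIN/XMAS probes per source address.

    Returns {src: {probe_type: count}} for every source whose total number
    of such probes reaches `threshold` (an assumed value); a single stray
    FIN-only segment is not enough to raise an alert.
    """
    per_source = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, _dst, _dport, flags = parse_record(line)
        probe = classify_flags(flags)
        if probe != "normal":
            per_source[src][probe] += 1
    return {
        src: dict(counts)
        for src, counts in per_source.items()
        if sum(counts.values()) >= threshold
    }


# Constructed sample records (not real traffic): src dst dport flags(hex).
SAMPLE_LOG = """
# 10.0.3.24 sends three NULL probes, one FIN probe and one XMAS probe
10.0.3.24 10.2.2.2 22   00
10.0.3.24 10.2.2.2 80   00
10.0.3.24 10.2.2.2 443  00
10.0.3.24 10.2.2.2 8080 01
10.0.3.24 10.2.2.2 3306 29
# 10.0.3.25 is a normal client: SYN, then PSH+ACK carrying data
10.0.3.25 10.2.2.2 443  02
10.0.3.25 10.2.2.2 443  18
# 10.0.3.26 sends a single FIN-only segment, below the alert threshold
10.0.3.26 10.2.2.2 22   01
"""

if __name__ == "__main__":
    for src, counts in find_probe_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {counts}")
```

Running the script reports only 10.0.3.24, with its three NULL, one FIN and one XMAS probe; the normal client and the single FIN-only segment stay below the threshold. The tally is deliberately keyed on the probe packets themselves rather than on replies, because an open port on an RFC-compliant stack sends nothing back to these probes, so the inbound flag pattern is the only reliable signal. A production IDS would add a time window and per-destination-port counting on top of this.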