# Nmap Cheat Sheet

## Introduction

This cheat sheet provides a quick reference for Nmap, including syntax, common flags, output formats, and advanced scripts for SMB and SSH enumeration.
## 1. Basic Syntax

```bash
# Standard scan
nmap <target IP>

# SYN ("stealth") scan with verbose output and no ping
sudo nmap -sS -Pn -v 10.10.10.10

# Aggressive scan (OS detection, version detection, default scripts, traceroute) over a SYN scan
sudo nmap -A -sS -Pn 10.10.10.10

# Full port scan with service versions, OS detection and the vulners script
sudo nmap -sV -sT -O -p- -vv --script vulners 10.10.10.10
```
## 2. Common Flags

| Flag | Description |
|---|---|
| `-p <PORT>` | Scan specific port(s) |
| `-p-` | Scan all ports (1-65535) |
| `-sT` | TCP connect scan |
| `-sU` | UDP scan |
| `-sV` | Detect services and versions |
| `-Pn` | Disable host discovery (no ping; treat all hosts as up) |
| `-sS` | SYN "stealth" scan (needs raw socket privileges, hence `sudo`) |
| `-oA` | Output in all formats |
| `-sn` | Host discovery only (no port scan) |
| `-A` | Aggressive scan: OS detection, version detection, default scripts and traceroute |
| `-O` | OS detection |
| `-v`, `-vv`, `-vvv` | Verbose output (increasing levels) |
| `--script=vuln` | Run all scripts in the `vuln` category |
| `--script=vulners` | Look up detected service versions in the Vulners database (requires `-sV`) |
| `--script=http-enum` | Enumerate common web server paths |
## 3. Output Formats

| Flag | Description |
|---|---|
| `-oN` | Normal text output |
| `-oX` | XML output |
| `-oG` | Greppable output |
| `-oA` | Output in all three formats (`.nmap`, `.xml`, `.gnmap`) |

Example:

```bash
# Writes scan_results.nmap, scan_results.xml and scan_results.gnmap
sudo nmap -sS -p- -oA scan_results 10.10.10.10
```
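The XML format is the one to feed into tooling. As an added example (not part of the original cheat sheet), the script below parses the `-oX`/`-oA` XML into an open-port inventory and reports any exposed service that is not on an expected-exposure allowlist, which is the usual defensive use of a recurring `-p-` scan. The XML document is a constructed sample in the shape Nmap writes; the address, hostname and allowlist are assumptions.

```python
"""Turn Nmap XML output into a port inventory and flag unexpected exposures.

Added example, not code from the cheat sheet or the Nmap project. SAMPLE_XML is a
constructed document in the shape Nmap writes with -oX; values are assumptions."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p- -oA scan_results 10.10.10.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.10.10.10" addrtype="ipv4"/>
    <hostnames><hostname name="host.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return (addr, proto, port, service, product, version) for every open port.

    Filtered/closed ports are skipped; product/version are empty when -sV gave nothing."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            results.append((
                addr,
                port.get("protocol"),
                int(port.get("portid")),
                svc.get("name", "") if svc is not None else "",
                svc.get("product", "") if svc is not None else "",
                svc.get("version", "") if svc is not None else "",
            ))
    return results


def unexpected_exposures(xml_text, allowlist):
    """Return open ports absent from allowlist, shaped {addr: {(proto, port), ...}}."""
    return [row for row in parse_open_ports(xml_text)
            if (row[1], row[2]) not in allowlist.get(row[0], set())]


if __name__ == "__main__":
    # Assumed policy: only SSH and HTTP are meant to be reachable on this host.
    allow = {"10.10.10.10": {("tcp", 22), ("tcp", 80)}}
    for row in unexpected_exposures(SAMPLE_XML, allow):
        print("UNEXPECTED:", row)
```

Run it against a real `scan_results.xml` by reading the file into `parse_open_ports`; the filtered port 8080 in the sample is deliberately ignored, so only ports that actually answered count as exposure.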
## 4. SMB Enumeration

### Security Mode

```bash
nmap -p445 --script smb-security-mode 192.168.1.1
```

### Enumerate Sessions

```bash
nmap -p445 --script smb-enum-sessions 192.168.1.1
nmap -p445 --script smb-enum-sessions --script-args smbusername=admin,smbpassword=pass 192.168.1.1
```

### Enumerate Shares

```bash
nmap -p445 --script smb-enum-shares 192.168.1.1
nmap -p445 --script smb-enum-shares --script-args smbusername=admin,smbpassword=pass 192.168.1.1
```

### List Share Contents

```bash
nmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=admin,smbpassword=pass 192.168.1.1
```

### Enumerate Users

```bash
nmap -p445 --script smb-enum-users --script-args smbusername=admin,smbpassword=pass 192.168.1.1
```

### Server Statistics

```bash
# The NSE script is named smb-server-stats (there is no smb-enum-stats)
nmap -p445 --script smb-server-stats --script-args smbusername=admin,smbpassword=pass 192.168.1.1
```

### Enumerate Domains

```bash
nmap -p445 --script smb-enum-domains --script-args smbusername=admin,smbpassword=pass 192.168.1.1
```

### Enumerate Groups

```bash
nmap -p445 --script smb-enum-groups --script-args smbusername=admin,smbpassword=pass 192.168.1.1
```
## 5. SSH Enumeration

### Enumerate Algorithms

```bash
nmap -p22 --script ssh2-enum-algos 192.168.1.1
```
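`ssh2-enum-algos` only lists what the server offers; deciding which offers are a problem is left to the reader. As an added example (not part of the cheat sheet or of Nmap), the script below reads the structured NSE table output that `ssh2-enum-algos` writes into the XML (`-oX`/`-oA`) and flags deprecated key exchange, host key, cipher and MAC algorithms for hardening. The XML fragment is a constructed sample in the shape Nmap writes for NSE tables, and the weak-algorithm lists are an illustrative assumption, not an authoritative policy.

```python
"""Audit ssh2-enum-algos results from Nmap XML and flag weak SSH algorithms.

Added example, not code from the cheat sheet or the Nmap project. SAMPLE_XML is a
constructed document; WEAK_* sets and the predicates are assumed policy choices."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p22 --script ssh2-enum-algos -oX ssh.xml 192.168.1.1">
  <host>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh"/>
        <script id="ssh2-enum-algos" output="(text output omitted)">
          <table key="kex_algorithms">
            <elem>curve25519-sha256</elem>
            <elem>diffie-hellman-group14-sha1</elem>
            <elem>diffie-hellman-group1-sha1</elem>
          </table>
          <table key="server_host_key_algorithms">
            <elem>ssh-ed25519</elem>
            <elem>ssh-rsa</elem>
          </table>
          <table key="encryption_algorithms">
            <elem>chacha20-poly1305@openssh.com</elem>
            <elem>aes128-cbc</elem>
            <elem>3des-cbc</elem>
          </table>
          <table key="mac_algorithms">
            <elem>hmac-sha2-256</elem>
            <elem>hmac-md5</elem>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed policy: SHA-1 based key exchange, SHA-1/DSA host key signatures,
# CBC/RC4/3DES ciphers and MD5/SHA-1/truncated MACs are treated as weak.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
WEAK_HOSTKEY = {"ssh-rsa", "ssh-dss"}  # "ssh-rsa" here is RSA with SHA-1 signatures


def weak_cipher(name):
    return name.endswith("-cbc") or name.startswith("arcfour") or name.startswith("3des")


def weak_mac(name):
    return "md5" in name or name.endswith("-96") or name == "hmac-sha1"


CHECKS = {
    "kex_algorithms": lambda a: a in WEAK_KEX,
    "server_host_key_algorithms": lambda a: a in WEAK_HOSTKEY,
    "encryption_algorithms": weak_cipher,
    "mac_algorithms": weak_mac,
}


def enum_algos(xml_text):
    """Return {addr: {table_key: [algorithms...]}} for every ssh2-enum-algos result."""
    root = ET.fromstring(xml_text)
    out = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for script in host.findall("ports/port/script[@id='ssh2-enum-algos']"):
            tables = {}
            for table in script.findall("table"):
                tables[table.get("key")] = [e.text.strip() for e in table.findall("elem") if e.text]
            out[addr] = tables
    return out


def audit(xml_text):
    """Return sorted (addr, family, algorithm) findings for every weak offer."""
    findings = []
    for addr, tables in enum_algos(xml_text).items():
        for family, check in CHECKS.items():
            for alg in tables.get(family, []):
                if check(alg):
                    findings.append((addr, family, alg))
    return sorted(findings)


if __name__ == "__main__":
    for addr, family, alg in audit(SAMPLE_XML):
        print(f"{addr}: weak {family}: {alg}")
```

Each finding maps directly to an `sshd_config` keyword on the server side (`KexAlgorithms`, `HostKeyAlgorithms`, `Ciphers`, `MACs`), so the output doubles as a hardening checklist.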
### Enumerate Host Keys

```bash
nmap -p22 --script ssh-hostkey --script-args ssh_hostkey=full 192.168.1.1
```

### Authentication Methods for a User

```bash
nmap -p22 --script ssh-auth-methods --script-args="ssh.user=admin" 192.168.1.1
```

### Brute-Force SSH Login

```bash
hydra -l 'user' -P 'passwords_list.txt' 192.168.1.1 ssh
```
## 6. Advanced Nmap Commands

### Vulnerability Scan

```bash
nmap -sV --script vuln 192.168.1.1
```

### Firewall Detection

```bash
# ACK scan: distinguishes filtered from unfiltered ports to map firewall rules
sudo nmap -sA 192.168.1.1
```

### Website Enumeration

```bash
nmap --script=http-enum 192.168.1.1
```

### Detect Backdoors

```bash
# "backdoor" is not an NSE category; match the *-backdoor scripts by wildcard instead
nmap -p- --script "*backdoor*" 192.168.1.1
```
### Scan Timing Options

| Flag | Timing Profile |
|---|---|
| `-T0` | Paranoid (slowest) |
| `-T1` | Sneaky |
| `-T2` | Polite |
| `-T3` | Normal (default) |
| `-T4` | Aggressive |
| `-T5` | Insane (fastest) |

Example:

```bash
sudo nmap -sS -T4 192.168.1.1
```
## 7. Performance Optimization

- Scan multiple targets from a file: `nmap -iL targets.txt`
- Exclude targets: `nmap 192.168.1.0/24 --exclude 192.168.1.5`
- Rate-limit scans (packets per second): `nmap --max-rate 100 192.168.1.1`
## 8. Useful References

- Nmap Scripting Engine (NSE): Nmap NSE Scripts
- Nmap Documentation: Nmap Docs
## Quick Examples Recap

- Aggressive scan: `sudo nmap -A 10.10.10.10`
- Service version detection: `sudo nmap -sV 192.168.1.1`
- Full vulnerability scan: `sudo nmap --script=vuln 192.168.1.1`