@tin-z
Last active November 10, 2023 23:51
nmapazzo.md

ping my host:

Don't Ping                        -PN     do the port scan without first checking whether the host is up (no ICMP/ping probes)
Perform a Ping Only Scan          -sP     do the ping (host discovery) without a port scan
TCP SYN Ping                      -PS     (a) you can also specify ports "-PS[port1,port2,..]", default port 80
TCP ACK Ping                      -PA     // (a)
UDP Ping                          -PU     // (a)
SCTP INIT Ping                    -PY     // (a)
ICMP Echo Ping                    -PE     (b) do ping without port scan
ICMP Timestamp Ping               -PP     // (b)
ICMP Address Mask Ping            -PM     // (b)

IP Protocol Ping                  -PO     sends packets with the specified protocol to the target.
                                          you can specify protocols "-PO[proto1,proto2,..]"
                                          if no arg then the default protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP) are used

ARP Ping                          -PR     Available only if the target is on the same LAN

Traceroute                        --traceroute
Force Reverse DNS Resolution      -R
Disable Reverse DNS Resolution    -n
Alternative DNS Lookup            --system-dns    Use host system’s DNS resolver
Manually Specify DNS Server(s)    --dns-servers   you can specify DNS servers as "--dns-servers [server1,server2,..]"
Create a Host List                -sL

scan this then scan that:

TCP SYN Scan                -sS           default scan type for root
TCP Connect Scan            -sT           default scan type for non-root users
UDP Scan                    -sU
TCP NULL Scan               -sN
TCP FIN Scan                -sF
Xmas Scan                   -sX
TCP ACK Scan                -sA
Custom TCP Scan             --scanflags   custom scan by manually specifying TCP flags "--scanflags [flags, ..]"
IP Protocol Scan            -sO
Send Raw Ethernet Packets   --send-eth    automatically implied by Nmap when needed
Send IP Packets             --send-ip     automatically implied by Nmap when needed
RPC scan                    -sR           displays information about RPC services, if any, running on the target system


TCP scan flags:

SYN           Synchronize
ACK           Acknowledgment
PSH           Push
URG           Urgent
RST           Reset
FIN           Finished
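As an added example (not part of the gist), a small defender-side Python helper that turns a --scanflags argument into the TCP flag bitmask and classifies a captured TCP header against the flag combinations that nmap's NULL, FIN, Xmas, SYN and ACK scan probes carry (taken from the nmap reference guide). The sample header bytes are constructed inline.

```python
import struct

# TCP flag bits (low byte of the header's flags field), as listed in the cheat sheet.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag combinations nmap's TCP scan probes carry, per the nmap reference guide.
SCAN_SIGNATURES = {
    0: "NULL scan (-sN)",
    TCP_FLAGS["FIN"]: "FIN scan (-sF)",
    TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"]: "Xmas scan (-sX)",
    TCP_FLAGS["SYN"]: "SYN scan (-sS) or ordinary connection attempt",
    TCP_FLAGS["ACK"]: "ACK scan (-sA)",
}

def parse_scanflags(arg):
    """Convert a --scanflags argument into a flag bitmask: nmap accepts a number
    (e.g. "9" = PSH+FIN) or flag names run together in any order ("SYNFIN")."""
    arg = arg.strip()
    if arg.isdigit():
        return int(arg) & 0x3F
    mask, rest = 0, arg.upper()
    while rest:
        for name, bit in TCP_FLAGS.items():
            if rest.startswith(name):
                mask |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError("unknown TCP flag name in %r" % arg)
    return mask

def flags_of(tcp_header):
    """Extract the six classic flag bits from a raw TCP header (bytes 12-13)."""
    offset_and_flags = struct.unpack("!H", tcp_header[12:14])[0]
    return offset_and_flags & 0x3F

def flag_names(mask):
    """Names of the flags set in a bitmask, in the cheat sheet's bit order."""
    return [name for name, bit in TCP_FLAGS.items() if mask & bit]

def classify(tcp_header):
    """Name the nmap scan type whose probe matches this header's flags, if any."""
    return SCAN_SIGNATURES.get(flags_of(tcp_header), "no known scan signature")

def build_header(sport, dport, flags):
    """Constructed sample input: a minimal 20-byte TCP header with the given flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
```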


Tweak a scan:

Perform a Fast Scan               -F                              scan the 100 most commonly used ports
Scan Specific Ports               -p [port]
Scan Ports by Name                -p [name]                       select ports by their port name, e.g. smtp, http.
                                                                  regex is also supported, e.g. "http*"

Scan TCP Ports                    -p T:[ports]                    ports without a prefix are TCP by default
Scan UDP Ports                    -p U:[ports]                    can be combined, e.g. -p U:53,T:21-25,80
Scan All Ports                    -p "*"
Scan Top Ports                    --top-ports [number]            number := [100,500,1000,5000,..]
Perform a Sequential Port Scan    -r                              default scanning algorithm randomizes the port scan order

Fingerprint services and OSs:

OS Detection                      -O [--osscan-guess]             if nmap cannot match the OS, the optional flag makes it guess more aggressively
Service Version Detection         -sV [--version-trace]           the optional flag prints detail on the version-detection probes

Just take your time:

A time argument without a unit is interpreted as milliseconds; append s, m or h for (s)econds, (m)inutes or (h)ours, e.g. 100s

Timing Templates                    -T[0-5]
     0    paranoid:   Extremely slow
     1    sneaky:     Trying to avoid being monitored
     2    polite:     Less sneaky 
     3    normal:     default option
     4    aggressive: Aggressive and maybe fast scan 
     5    insane:     Very aggressive and maybe fast scan


Minimum # of Parallel scans/pings    --min-parallelism
Maximum # of Parallel scans/pings    --max-parallelism
Minimum Host Group Size              --min-hostgroup
Maximum Host Group Size              --max-hostgroup
Maximum RTT Timeout                  --max-rtt-timeout
Initial RTT Timeout                  --initial-rtt-timeout
Minimum Scan Delay                   --scan-delay
Maximum Scan Delay                   --max-scan-delay
Minimum Packet Rate                  --min-rate
Maximum Packet Rate                  --max-rate

Maximum Retries                      --max-retries
Set the Packet TTL                   --ttl
Host Timeout                         --host-timeout
Defeat Reset Rate Limits             --defeat-rst-ratelimit


My firewall is better than yours:

Fragment Packets                -f                  splits probe packets into 8-byte IP fragments
Specify a Specific MTU          --mtu               fragment size to use instead of 8 (must be a multiple of 8)
Use a Decoy                     -D                  spoof traffic by having other addresses appear to scan your target
                                                    the arguments can be [address1,address2,..] OR [RND:number] to randomly generate decoy IP addresses
Idle Zombie Scan                -sI
Manually Specify a Source Port  --source-port
Append Random Data              --data-length       append random data to probe packets.
Randomize Target Scan Order     --randomize-hosts
Spoof MAC Address               --spoof-mac
Send Bad Checksums              --badsum


Here we get choosy:

Verbose Output                            -v
Debugging output                          -d
Display Port State Reason                 --reason
Only Display Open Ports                   --open
Trace Packets                             --packet-trace
Display Host Networking                   --iflist
Tell nmap which network interface to use  -e


Nmap Scripting Engine (NSE):

Execute Scripts by path and/or category     --script [filepath.nse|filepath*|category,..]
Append script arguments                     --script-args [key=value,...]
Troubleshoot Scripts                        --script-trace
Update the Script Database                  --script-updatedb

Script Categories := [all,auth,default,discovery,external,intrusive,malware,safe,vuln]
