Playbook - Quick Reference Cheatsheets for Offensive Security Practitioners

#Getting Started

Basic Usage :

Scan a single IP

nmap 192.168.10.1

Scan specific IPs

nmap 192.168.1.1 192.168.2.1

Scan a range

nmap 192.168.10.0/24

nmap 192.168.1.1-254

Scan targets from a file

nmap -iL targets.txt

Scan targets not included in list

nmap -exclude 192.168.1.1

Common usage

Scan while Assuming Target is live & Port version

nmap -Pn -sV 192.168.10.1

Scan a target for OS and Port Information

nmap -sV -O 192.168.10.1

Scan a target quickly for all ports w/Version and OS

nmap -T5 -p- -O 10.10.20.22

Output a scan to a xml file

nmap -sV -O 10.20.30.40 -oX xml.file

Run Service Detection & default scripts

nmap -sV -sC 192.168.13.37

#Common Switches

Port Options :

Options	Purpose
`-p #`	Scan a specific port
`-p 1-1023`	scan a range of ports
`-F`	Fast Scan of 100 most common ports
`-r`	scan ports in consecutive order
`-top-ports #`	Port scan the top x ports
`--max-rate 50`	rate <= 50 packets/sec
`--min-rate 15`	rate >= 15 packets/sec
`--min-parallelism 100`	at least 100 probes in parallel
`-p0-`	Leaving off end port in the range designation makes the scan go through to port 65535

Scan Techniques

SWITCH	DESCRIPTION
`-sS`	TCP SYN port scan (Default)
`-sT`	TCP connect port scan (Default without root privilege)
`-sU`	UDP port scan
`-sA`	TCP ACK port scan
`-sW`	TCP Window port scan
`-sM`	TCP Maimon port scan

See: Port Scanning

Host Discovery

SWITCH	DESCRIPTION
`-sL`	No Scan. List targets only
`-sn`	Disable port scanning. Host discovery only.
`-Pn`	Disable host discovery. Port scan only.
`-PS`	TCP SYN discovery on port x. Port 80 by default
`-PA`	TCP ACK discovery on port x. Port 80 by default
`-PU`	UDP discovery on port x. Port 40125 by default
`-PR`	ARP discovery on local network
`-n`	Never do DNS resolution

Port Specification

SWITCH	DESCRIPTION
`-p ##`	Port scan for port x
`-p #-#`	Port range
`-p U:#,T:#,#`	Port scan multiple TCP and UDP ports
`-p`	Port scan all ports
`-p http,https`	Port scan from service name
`-F`	Fast port scan (100 ports)
`-top-ports ###`	Port scan the top x ports
`-p-65535`	Leaving off initial port in range makes the scan start at port 1
`-p0-`	Leaving off end port in range makes the scan go through to port 65535

Service and Version Detection

SWITCH	DESCRIPTION
`-sV`	Attempts to determine the version of the service running on port
`-sV -version-intensity`	Intensity level 0 to 9. Higher number increases possibility of correctness
`-sV -version-light`	Enable light mode. Lower possibility of correctness. Faster
`-sV -version-all`	Enable intensity level 9. Higher possibility of correctness. Slower
`-A`	Enables OS detection, version detection, script scanning, and traceroute

See: Services and App Version Detection

Timing Switches

SWITCH	DESCRIPTION
`-T0`	Paranoid (0) Intrusion Detection System evasion
`-T1`	Sneaky (1) Intrusion Detection System evasion
`-T2`	Polite (2) slows down the scan to use less bandwidth and use less target machine resources
`-T3`	Normal (3) which is default speed
`-T4`	Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
`-T5`	Insane (5) speeds scan; assumes you are on an extraordinarily fast network

Details & Report

Option	Purpose
`--reason`	explains how Nmap made its conclusion
`-v`	verbose
`-vv`	very verbose
`-d`	debugging
`-dd`	more details for debugging
`-oN`	Normal output
`-oX`	XML output
`-oG`	`grep`-able output
`-oA`	Output in all major formats

OS Detection

SWITCH	DESCRIPTION
`-O`	Remote OS detection using TCP/IP stack fingerprinting
`-O -osscan-limit`	If at least one open and one closed TCP port are not found it will not try OS detection against host
`-O -osscan-guess`	Makes Nmap guess more aggressively
`-O -max-os-tries`	Set the maximum number x of OS detection tries against a target
`-A`	Enables OS detection, version detection, script scanning, and traceroute

See: Remote OS Detection

NSE Scripts

SWITCH DESCRIPTION

-sC Scan with default NSE scripts. Considered useful for discovery and safe

-script default Scan with default NSE scripts. Considered useful for discovery and safe

-script=
Playbook
EmulatedCriminals
Back to all cheatsheets
Nmap cheatsheet
A quick cheatsheet for common usage and examples of Network Mapper(NMap). Includes common switches, examples, and red team/penetration testing examples.
networkscanportpenetration testingred teaming
#Getting Started
Basic Usage :
Scan a single IP
nmap 192.168.10.1

Scan specific IPs
nmap 192.168.1.1 192.168.2.1

Scan a range
nmap 192.168.10.0/24

or
nmap 192.168.1.1-254


Scan targets from a file
nmap -iL targets.txt

Scan targets not included in list
nmap -exclude 192.168.1.1
Common usage
Scan while Assuming Target is live & Port version
nmap -Pn -sV 192.168.10.1


Scan a target for OS and Port Information
nmap -sV -O 192.168.10.1


Scan a target quickly for all ports w/Version and OS

nmap -T5 -p- -O 10.10.20.22


Output a scan to a xml file
nmap -sV -O 10.20.30.40 -oX xml.file


Run Service Detection & default scripts
nmap -sV -sC 192.168.13.37
#Common Switches
Port Options :
Options Purpose
-p # Scan a specific port
-p 1-1023 scan a range of ports
-F Fast Scan of 100 most common ports
-r scan ports in consecutive order
-top-ports # Port scan the top x ports
--max-rate 50 rate <= 50 packets/sec
--min-rate 15 rate >= 15 packets/sec
--min-parallelism 100 at least 100 probes in parallel
-p0- Leaving off end port in the range designation makes the scan go through to port 65535
Scan Techniques
SWITCH DESCRIPTION
-sS TCP SYN port scan (Default)
-sT TCP connect port scan (Default without root privilege)
-sU UDP port scan
-sA TCP ACK port scan
-sW TCP Window port scan
-sM TCP Maimon port scan
See: Port Scanning
Host Discovery
SWITCH DESCRIPTION
-sL No Scan. List targets only
-sn Disable port scanning. Host discovery only.
-Pn Disable host discovery. Port scan only.
-PS TCP SYN discovery on port x. Port 80 by default
-PA TCP ACK discovery on port x. Port 80 by default
-PU UDP discovery on port x. Port 40125 by default
-PR ARP discovery on local network
-n Never do DNS resolution
Port Specification
SWITCH DESCRIPTION
-p ## Port scan for port x
-p #-# Port range
-p U:#,T:#,# Port scan multiple TCP and UDP ports
-p Port scan all ports
-p http,https Port scan from service name
-F Fast port scan (100 ports)
-top-ports ### Port scan the top x ports
-p-65535 Leaving off initial port in range makes the scan start at port 1
-p0- Leaving off end port in range makes the scan go through to port 65535
Service and Version Detection
SWITCH DESCRIPTION
-sV Attempts to determine the version of the service running on port
-sV -version-intensity Intensity level 0 to 9. Higher number increases possibility of correctness
-sV -version-light Enable light mode. Lower possibility of correctness. Faster
-sV -version-all Enable intensity level 9. Higher possibility of correctness. Slower
-A Enables OS detection, version detection, script scanning, and traceroute
See: Services and App Version Detection
Timing Switches
SWITCH DESCRIPTION
-T0 Paranoid (0) Intrusion Detection System evasion
-T1 Sneaky (1) Intrusion Detection System evasion
-T2 Polite (2) slows down the scan to use less bandwidth and use less target machine resources
-T3 Normal (3) which is default speed
-T4 Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
-T5 Insane (5) speeds scan; assumes you are on an extraordinarily fast network
Details & Report
Option Purpose
--reason explains how Nmap made its conclusion
-v verbose
-vv very verbose
-d debugging
-dd more details for debugging
-oN Normal output
-oX XML output
-oG grep-able output
-oA Output in all major formats
OS Detection
SWITCH DESCRIPTION
-O Remote OS detection using TCP/IP stack fingerprinting
-O -osscan-limit If at least one open and one closed TCP port are not found it will not try OS detection against host
-O -osscan-guess Makes Nmap guess more aggressively
-O -max-os-tries Set the maximum number x of OS detection tries against a target
-A Enables OS detection, version detection, script scanning, and traceroute
See: Remote OS Detection
NSE Scripts
SWITCH DESCRIPTION
-sC Scan with default NSE scripts. Considered useful for discovery and safe
-script default Scan with default NSE scripts. Considered useful for discovery and safe
-script=