
Table Of Contents

  • Nmap
    • Scan Types
    • Scan Options
    • Output/Input Options
    • Firewall Evasion
    • Misc Flags

Nmap

Scan Types

  • -sn | Ping (host discovery) scan: finds live hosts, no port scan
  • -sS | TCP SYN (half-open) scan: the default when run as root, never completes the handshake
  • -sT | TCP connect scan: full handshake, needs no raw-socket privilege, more visible in target logs
  • -sU | UDP scan (slow; can be combined with -sS to cover both in one run)
  • -sO | IP protocol scan: which IP protocols (TCP, UDP, ICMP, ...) the host answers

Scan Options

  • -p <PORT_RANGES> | Ports (e.g. -p 22,80,443 or -p 1-1024; -p- for all 65535)
  • -T[0-5] | Timing templates: 0 paranoid (slowest) to 5 insane (fastest); -T4 is usual on reliable networks, -T0/-T1 when trying to stay under IDS thresholds
  • -n | No DNS resolution (faster and avoids leaking the target list to a resolver)
  • -O | OS detection
  • -A | Aggressive scan: enables -O, -sV, the default script set (-sC) and --traceroute
  • -sV | Service/version detection
  • -Pn | Skip host discovery and treat every target as up (use when ICMP/ping is filtered)
  • -6 | IPv6 scan
  • --randomize-hosts | Randomizes target order (will not scan each host in sequence)
  • --traceroute | Run traceroute against host
  • --ttl <TTL_VALUE> | Set IP TTL on sent packets
  • --script <SCRIPT_NAME> | Run NSE scripts by name, category (e.g. default, vuln) or comma-separated list
  • --script-args <ARGUMENTS> | Set script arguments

Output/Input Options

  • -oX <FILE_PATH> | Write to XML file (the format most tools parse)
  • -oG <FILE_PATH> | Write to grepable file (one line per host; use - for stdout)
  • -oA <FILE_PATH> | Save all three formats, using the path as basename: .nmap (normal), .xml, .gnmap (grepable)
  • -iL <FILE_PATH> | Read hosts/IPs from file (one per line; - for stdin)
  • --excludefile <FILE_PATH> | Exclude hosts listed in file

Firewall Evasion

  • -f | Fragment packets into 8-byte (or smaller) pieces after the IP header; -ff for 16 bytes. Defeats only filters that inspect individual fragments; reassembling firewalls and hosts see the whole header
  • -S <IP_ADDRESS> | Spoof source IP. Replies go to the spoofed address, so pair it with -e <INTERFACE> and -Pn; useful for noise, not for reading results
  • -g <PORT> | Use a fixed source port (e.g. 53 or 20) to pass filters that trust DNS or FTP-data traffic
  • -D <IP_ADDRESS>,<IP_ADDRESS>,ME | Scan with decoys (ME marks your own position; RND:<N> generates random ones)
  • --mtu <MTU> | Set fragment size explicitly; must be a multiple of 8 (alternative to -f)
  • --spoof-mac <MAC> | Spoof MAC address (0 for random, or a vendor name/prefix); only meaningful on the local segment
  • --data-length <SIZE> | Append random data to sent packets so they no longer match default probe sizes
  • --scan-delay <TIME> | Minimum delay between probes (e.g. 1s) to stay under rate-based detection
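The reason -f and --mtu matter is where the TCP header fields land once the packet is split. The following model, added here as an illustration and not nmap's own code, computes the fragment layout nmap would produce for a given fragment size (it sends nothing). The 20-byte SYN header is constructed for the demo; the field offsets are the standard TCP header layout.

```python
"""Model of how nmap -f / --mtu split a TCP header across IP fragments.
Added illustration, not nmap's code: it only computes the byte layout that
fragmentation would produce and sends nothing."""
import struct

# Byte offsets of the standard TCP header fields (RFC 793 layout).
TCP_FIELD_OFFSETS = {
    "src_port": 0, "dst_port": 2, "seq": 4, "ack": 8,
    "data_offset": 12, "flags": 13, "window": 14, "checksum": 16, "urgent": 18,
}
SYN = 0x02


def build_syn(src_port: int, dst_port: int, seq: int = 0) -> bytes:
    """Constructed 20-byte TCP SYN header (checksum left zero for the demo)."""
    data_offset = 5 << 4          # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                       data_offset, SYN, 64240, 0, 0)


def fragment(payload: bytes, size: int) -> list:
    """Split the IP payload into fragments of `size` bytes, as -f (8), -ff (16)
    or --mtu N would. Returns (offset in 8-byte units, more-fragments flag, data)."""
    if size <= 0 or size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for start in range(0, len(payload), size):
        chunk = payload[start:start + size]
        more = start + size < len(payload)
        frags.append((start // 8, more, chunk))
    return frags


def fragment_holding(field: str, size: int) -> int:
    """Index of the fragment that carries the first byte of a TCP header field."""
    return TCP_FIELD_OFFSETS[field] // size


def reassemble(frags) -> bytes:
    """What a reassembling firewall, or the target's IP stack, ends up inspecting."""
    return b"".join(chunk for _, _, chunk in sorted(frags, key=lambda f: f[0]))


def stateless_filter_sees_syn(frags) -> bool:
    """A filter that only inspects the first fragment (offset 0) can match on the
    TCP flags only if byte 13 of the header is inside that fragment."""
    first = next(chunk for off, _, chunk in frags if off == 0)
    flags_at = TCP_FIELD_OFFSETS["flags"]
    return len(first) > flags_at and (first[flags_at] & SYN) != 0


if __name__ == "__main__":
    hdr = build_syn(40000, 22)
    for size in (8, 16, 24):
        frags = fragment(hdr, size)
        print(f"fragment size {size}: {len(frags)} fragment(s); "
              f"dst_port in #{fragment_holding('dst_port', size)}, "
              f"flags in #{fragment_holding('flags', size)}; "
              f"first-fragment-only filter sees SYN: {stateless_filter_sees_syn(frags)}")
```

With -f (8-byte fragments) the destination port sits in the first fragment but the flags byte is in the second, so a rule such as "drop SYN to 22" that only looks at fragment 0 never matches; with -ff (16 bytes) the flags are back in the first fragment. Anything that reassembles before filtering sees the original header either way, which is why this flag is a test of the filter's design rather than a reliable bypass.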

Misc Flags

Convert Nmap XML file to HTML

xsltproc <INPUT_NMAP_XML>.xml -o <OUTPUT_PATH>.html

xsltproc follows the nmap.xsl stylesheet referenced in the XML's xml-stylesheet header. If that path does not exist on the machine doing the conversion, name the stylesheet explicitly (xsltproc <PATH_TO>/nmap.xsl <INPUT_NMAP_XML>.xml -o <OUTPUT_PATH>.html), or run the scan with --webxml so the XML references the copy hosted on nmap.org.

Generate live host file

nmap -sn -n -oX out.xml -oG - <IP_CIDR> | awk '/Status: Up/ {print $2}' > <OUTPUT_PATH>.txt

-sP is the deprecated spelling of -sn. Filtering the grepable "Host:" lines for "Status: Up" avoids the original grep "Nmap" pitfall, which also matched the "Starting Nmap ..." and "Nmap done: ..." banner lines and wrote their fifth word into the host file. The XML copy is still written to out.xml alongside.

Compare Nmap results

ndiff <FILE_PATH1>.xml <FILE_PATH2>.xml
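For the Output/Input Options, the live host file and the ndiff comparison above, the following parser, added here as an example and not nmap's or ndiff's own code, reads the XML that -oX writes with the standard library only: it lists hosts that are up, extracts open ports, and reports the differences between two scans the way a triager wants them (new hosts, vanished hosts, newly opened and newly closed ports). The two scan documents are constructed samples, trimmed to the elements the code uses.

```python
"""Parse nmap -oX output and compare two scans.
Added example, not nmap's or ndiff's code: stdlib only, reads the XML that -oX
writes; the two sample scans below are constructed for the demo."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of an -oX result (trimmed to the elements used here).
SCAN_OLD = """<nmaprun scanner="nmap" args="nmap -sS -sV -n -oX old.xml 10.0.0.0/30">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
  </host>
</nmaprun>"""

# Same targets later: 10.0.0.2 came up and 10.0.0.1 swapped HTTP for RDP (constructed).
SCAN_NEW = """<nmaprun scanner="nmap" args="nmap -sS -sV -n -oX new.xml 10.0.0.0/30">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_scan(xml_text: str) -> dict:
    """Map each host that is up to {(proto, port): (state, service name)}."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                       # down hosts carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")    # -6 scans only carry an ipv6 address
        ports = {}
        for port in host.iter("port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state = port.find("state").get("state")
            svc = port.find("service")
            ports[key] = (state, None if svc is None else svc.get("name"))
        hosts[addr.get("addr")] = ports
    return hosts


def live_hosts(xml_text: str) -> list:
    """The 'generate live host file' list, taken from the XML instead of grep/cut."""
    return sorted(parse_scan(xml_text))


def open_ports(xml_text: str) -> dict:
    """{ip: [(proto, port), ...]} restricted to ports reported open."""
    return {ip: sorted(k for k, (state, _) in ports.items() if state == "open")
            for ip, ports in parse_scan(xml_text).items()}


def diff_scans(old_xml: str, new_xml: str) -> dict:
    """What ndiff reports, reduced to the facts a triager acts on."""
    old, new = parse_scan(old_xml), parse_scan(new_xml)
    opened, closed = [], []
    for ip in sorted(set(old) & set(new)):
        was = {k for k, (s, _) in old[ip].items() if s == "open"}
        now = {k for k, (s, _) in new[ip].items() if s == "open"}
        opened += [(ip, proto, port) for proto, port in sorted(now - was)]
        closed += [(ip, proto, port) for proto, port in sorted(was - now)]
    return {"new_hosts": sorted(set(new) - set(old)),
            "gone_hosts": sorted(set(old) - set(new)),
            "opened": opened, "closed": closed}


if __name__ == "__main__":
    if len(sys.argv) == 3:                 # python3 nmap_diff.py old.xml new.xml
        old_xml, new_xml = (open(p).read() for p in sys.argv[1:])
    else:
        old_xml, new_xml = SCAN_OLD, SCAN_NEW
    print("live:", live_hosts(new_xml))
    for key, value in diff_scans(old_xml, new_xml).items():
        print(f"{key}: {value}")
```

Only "open" is treated as a change worth reporting; "filtered" flapping to "closed" between runs is common and would otherwise drown the diff. Prefer the XML over the grepable format for anything that feeds another tool: it is the format Nmap keeps stable, and it carries the service and reason fields the grepable output drops.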

DNS reverse lookup on IP range

nmap -sL --dns-servers <DNS_SERVER_IP> <IP_CIDR>

The option is --dns-servers (two dashes, plural). A list scan (-sL) already resolves every target in reverse without sending any probes to them, so -R is not needed here; pointing it at the target's own resolver is what makes internal hostnames show up.