Nmap Cheat Sheet

Posted on 02 Jun 2022 by Ray Heffer

Yes, that’s right: the Nmap command in my header image is the same one Trinity used in The Matrix Reloaded (2003). But have you ever wondered what -sS does, or -O? I thought I’d share my cheat sheet, which may come in handy if you need a quick reference for TryHackMe or HackTheBox.

First, a quick breakdown of the command Trinity used: nmap -v -sS -O 10.2.2.2

-v - Verbose mode. Prints additional information, such as scan timing and the number of hosts and ports scanned.
-sS - The scan type. In this case a TCP SYN scan, also known as a stealth scan.
-O - Operating system detection. If you look closely at Trinity’s output, no OS was matched.

Types

-s Scan Types
-P Ping Types

Scans

-sA TCP ACK Scan
-sT TCP connect scan
-sF FIN scan
-sI IDLE scan
-sL List scan (reverse-DNS lookup of the targets only, no probes sent)
-sN NULL scan
-sO Protocol scan
-sP Ping scan
-sR RPC scan
-sS TCP SYN scan
-sW Window scan
-sX XMAS scan

Pings

-PP ICMP Timestamp Ping
-PS TCP SYN Ping
-PT TCP Ping
-P0 No ping (written -Pn in current Nmap versions)
-PI ICMP Ping

Firewall/IDS Evasion and Spoofing

-D Decoy scan. This makes the scan appear to come from another IP, such as the sysadmin’s host.
<IP> The IP address(es) you want to use as the decoy.
RND:# Number of random IP addresses to use.

nmap -D RND:10 [target]
nmap -D 10.0.3.24,10.0.3.25 [target]

Timing (how quickly it scans, to avoid detection)

-T0 Paranoid
-T1 Sneaky
-T2 Polite
-T3 Normal
-T4 Aggressive
-T5 Insane

Other

-F Scan fewer ports

Nmap Scripting Engine (NSE)

nmap --script - Specify a script
nmap -sC - Use default scripts. Same as --script=default

Stateful Firewalls

If an ACK scan shows some ports as filtered, a stateful firewall is likely in place.

Method:

nmap -sN 10.2.2.2 - Send a TCP segment with no flags set
nmap -sF 10.2.2.2 - Send the FIN bit
nmap -sX 10.2.2.2 - Send an XMAS scan (FIN, PSH, URG bits)

The first command sends a TCP segment with no flags set, the second sets the FIN bit, and the last sets the FIN, PSH, and URG bits. This can trick non-stateful firewalls into giving up information about a port’s state.
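From the defender’s side, the three probe types above are easy to spot because their flag combinations never occur in a legitimate TCP handshake. As an added example (not code from the original post), here is a small Python detector that reads constructed tcpdump-style lines, maps each flag combination to the NULL, FIN or XMAS probe it corresponds to, and reports any source that sends such probes to more than one port. The capture lines, the threshold and the flag-letter mapping are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): one source sending the
# three probe types from the post, and a second source doing a normal handshake.
SAMPLE_CAPTURE = """\
12:00:01.000101 IP 10.0.3.24.40001 > 10.2.2.2.22: Flags [none], win 1024, length 0
12:00:01.000202 IP 10.0.3.24.40002 > 10.2.2.2.80: Flags [none], win 1024, length 0
12:00:01.000303 IP 10.0.3.24.40003 > 10.2.2.2.443: Flags [F], seq 1, win 1024, length 0
12:00:01.000404 IP 10.0.3.24.40004 > 10.2.2.2.8080: Flags [FPU], seq 1, win 1024, length 0
12:00:02.000505 IP 10.0.3.25.51000 > 10.2.2.2.443: Flags [S], seq 100, win 64240, length 0
12:00:02.000606 IP 10.2.2.2.443 > 10.0.3.25.51000: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:02.000707 IP 10.0.3.25.51000 > 10.2.2.2.443: Flags [.], ack 201, win 502, length 0
"""

# Matches "IP src.sport > dst.dport: Flags [..]" as tcpdump prints TCP segments.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# tcpdump flag letters: S=SYN, F=FIN, P=PSH, U=URG, R=RST, .=ACK; "none" = no flags.
# These are the exact combinations the -sN, -sF and -sX scans send.
PROBE_TYPES = {
    frozenset(): "NULL",        # -sN: no flags set
    frozenset("F"): "FIN",      # -sF: FIN only
    frozenset("FPU"): "XMAS",   # -sX: FIN, PSH and URG
}


def parse_line(line):
    """Return (src, dst, dport, flagset) for a tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = m.group("flags")
    flags = frozenset() if raw == "none" else frozenset(raw)
    return m.group("src"), m.group("dst"), int(m.group("dport")), flags


def classify_probe(flags):
    """Name the probe type a flag combination corresponds to, or None for ordinary traffic."""
    return PROBE_TYPES.get(flags)


def find_probe_scans(capture_text, min_ports=2):
    """Group odd-flag probes by source and report sources that touched >= min_ports ports."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> probe type -> destination ports
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dst, dport, flags = parsed
        kind = classify_probe(flags)
        if kind:
            seen[src][kind].add(dport)
    report = {}
    for src, kinds in seen.items():
        ports = set().union(*kinds.values())
        if len(ports) >= min_ports:
            report[src] = {"types": sorted(kinds), "ports": sorted(ports)}
    return report


if __name__ == "__main__":
    for src, info in find_probe_scans(SAMPLE_CAPTURE).items():
        print(f"{src}: {', '.join(info['types'])} probes against ports {info['ports']}")
```

The handshake from 10.0.3.25 (SYN, SYN-ACK, ACK) never matches an entry in PROBE_TYPES, so only 10.0.3.24 is reported. The same grouping logic works on firewall logs once the flag field is parsed into the same set representation; the threshold is the knob to tune against the false positives a single stray FIN can produce.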

Detect the OS with This One Simple Trick!

Sorry for the clickbait, but you actually can (most of the time) detect a remote OS with one simple trick: the ping command. It’s all in the TTL (time-to-live) value, which indicates how many hops a packet can take before being dropped, hence ‘time-to-live’. The default TTL for Windows is 128, whereas Linux and macOS use 64. There are exceptions of course, so it’s not always accurate. Linux kernel 2.4 used a TTL of 255, or the sysadmin may have changed it in /proc/sys/net/ipv4/ip_default_ttl.

$ ping 10.2.2.2
PING 10.2.2.2 (10.2.2.2) 56(84) bytes of data.
64 bytes from 10.2.2.2: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 10.2.2.2: icmp_seq=2 ttl=64 time=0.069 ms
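The inference above is mechanical enough to script: each router on the path decrements the TTL by one, so the observed value is rounded up to the nearest default (64, 128 or 255) to recover both the likely OS family and the hop count. As an added example (not code from the original post), this Python helper parses ping output, picks the most common TTL across replies, and applies that rule. The sample outputs are constructed; the 203.0.113.10 host and its TTL of 115 are made-up values for the example.

```python
import re

# Default initial TTLs from the post, checked from smallest to largest: the guess is
# the smallest default that is >= the observed TTL, and the difference is the hop count.
INITIAL_TTLS = [
    (64, "Linux/macOS (default 64)"),
    (128, "Windows (default 128)"),
    (255, "255-default stack (e.g. Linux 2.4 kernel, as noted in the post)"),
]

# Linux ping prints "ttl=64"; Windows ping prints "TTL=64", hence IGNORECASE.
TTL_RE = re.compile(r"\bttl=(\d+)\b", re.IGNORECASE)


def extract_ttls(ping_output):
    """Return every TTL value found in ping output, in order."""
    return [int(v) for v in TTL_RE.findall(ping_output)]


def guess_os(observed_ttl):
    """Map an observed TTL to (os_guess, estimated_hops); (None, None) if out of range."""
    for initial, label in INITIAL_TTLS:
        if observed_ttl <= initial:
            return label, initial - observed_ttl
    return None, None


def guess_from_ping(ping_output):
    """Summarise ping output as {'ttl', 'guess', 'hops'}, or None if no TTL was seen."""
    ttls = extract_ttls(ping_output)
    if not ttls:
        return None
    ttl = max(set(ttls), key=ttls.count)  # most common TTL across the replies
    label, hops = guess_os(ttl)
    return {"ttl": ttl, "guess": label, "hops": hops}


# Constructed sample 1: the values from the post (a host on the local segment).
LOCAL_LINUX = """\
PING 10.2.2.2 (10.2.2.2) 56(84) bytes of data.
64 bytes from 10.2.2.2: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 10.2.2.2: icmp_seq=2 ttl=64 time=0.069 ms
"""

# Constructed sample 2: a Windows host 13 hops away, pinged from Linux.
REMOTE_WINDOWS = """\
PING 203.0.113.10 (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10: icmp_seq=1 ttl=115 time=23.4 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=115 time=22.9 ms
"""

# Constructed sample 3: the same kind of host seen from a Windows ping client.
WINDOWS_CLIENT = """\
Reply from 203.0.113.10: bytes=32 time=23ms TTL=115
Reply from 203.0.113.10: bytes=32 time=24ms TTL=115
"""

if __name__ == "__main__":
    for name, output in [("local", LOCAL_LINUX), ("remote", REMOTE_WINDOWS), ("win-client", WINDOWS_CLIENT)]:
        print(name, guess_from_ping(output))
```

The caveat the post gives applies directly: a host whose administrator changed ip_default_ttl, or a stack that starts from 255, shifts the observed value into the wrong band, and a TTL above 255 (or no reply at all) yields no guess rather than a wrong one. Treat the result as a hint to confirm with nmap -O, not a verdict.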

Another way to detect the operating system of a remote host is to use Nmap with the -O flag. Nmap detects the operating system by probing the TCP/IP stack: it sends up to 16 TCP, UDP, and ICMP probes and, depending on the responses, matches the OS ‘fingerprint’. The official Nmap documentation on OS detection has the full details.
