🛠Security Tool Cheatsheet
Alex Morgan — Senior Penetration Tester
What is Nmap?
Nmap (Network Mapper) is a free and open-source tool used for network discovery and security auditing. It is widely utilized by security professionals for tasks ranging from network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Installation
Nmap can be installed on various platforms. Below are the common installation methods:
- On Kali Linux: Nmap comes pre-installed. If you need to update, use
sudo apt update && sudo apt install nmap. - On macOS: You can install it using Homebrew with the command
brew install nmap. - On Windows: Download the installer from nmap.org and follow the installation instructions.
Basic Syntax
The basic syntax for Nmap is:
nmap [options] [target]
Discovery
Use Nmap to discover hosts and services on a network.
Ping Scan
nmap -sn 192.168.1.0/24
This command performs a ping scan on the specified subnet to see which hosts are up.
Service Version Detection
nmap -sV 192.168.1.5
This detects the version of services running on open ports.
Scanning
Perform deeper scans to identify vulnerabilities.
TCP Connect Scan
nmap -sT 192.168.1.5
This scans with a full TCP connection, useful for simple detection.
Stealth Scan
nmap -sS 192.168.1.5
This SYN scan is stealthier than a TCP connect scan.
Exploitation
Using Nmap scripts for exploitation.
Running Nmap Scripting Engine (NSE)
nmap --script http-vuln* -p 80 192.168.1.5
This command checks for common HTTP vulnerabilities on port 80.
Analysis
Analyzing scan results effectively.
Output to XML
nmap -oX scan_results.xml 192.168.1.5
Saves the scan results in XML format for later analysis.
Evasion
Avoid detection by IDS/IPS systems.
Fragmented Packets
nmap -f 192.168.1.5
This sends fragmented packets to evade detection.
Decoy Scan
nmap -D RND:10 192.168.1.5
This uses decoy addresses to stealthily scan.
Reporting
Generating human-readable reports.
Output to HTML
nmap -oH report.html 192.168.1.5
Generates an HTML report for easy viewing.
Quick Reference Table
| Flag | Description |
|---|---|
| -sT | TCP Connect Scan |
| -sS | SYN Scan (Stealth) |
| -sn | Ping Scan (discovery only) |
| -sV | Service version detection |
| -oX | Output results as XML |
| -f | Fragment packets |
| -D | Decoy scanning |
Pro Tips
- Use verbose mode: Add
-vfor more details on what Nmap is doing. - Scan multiple targets: You can specify a comma-separated list of IPs or use CIDR notation.
- Timing options: Use
-T4for faster execution; use-T0for stealth.
Real-World Examples
General Scan
nmap -sS -p 1-65535 -T4 192.168.1.5
A full TCP SYN scan of all ports on a single host with a faster timing template.
Service Detection with Scripts
nmap -sV --script=vuln 192.168.1.5
Service version detection combined with vulnerability checks in one command.