Security Tool Cheatsheet
James Calloway — Ethical Hacker & Trainer
What is Nmap?
Nmap (Network Mapper) is an open-source tool for network exploration and security auditing. Network administrators and penetration testers use it to discover hosts and the services they expose, building a ‘map’ of the network. Beyond security assessment, Nmap is commonly used for network inventory, monitoring host or service uptime, and planning service upgrade schedules.
Installation
Nmap can be easily installed on various operating systems. Below are installation steps for common platforms:
- Linux: Most distributions ship Nmap in their package repositories. On Debian/Ubuntu use apt (other distros use their own package manager, e.g. dnf or pacman):
sudo apt-get install nmap
- Windows: Download the installer from the Nmap official site and follow the instructions.
- macOS: Install using Homebrew:
brew install nmap
Basic Syntax
The basic syntax for Nmap is:
nmap [options] [target]
Here, [options] are the command flags and [target] is an IP address, hostname, CIDR range (192.168.1.0/24) or address range (192.168.1.1-50) you want to scan. Many scan types (SYN scan, OS detection, raw-packet host discovery) require root or administrator privileges because they craft raw packets.
Discovery
To discover hosts on a network, you can utilize the following Nmap commands:
nmap -sn 192.168.1.0/24 – Performs host discovery only (no port scan). On a directly attached LAN Nmap uses ARP requests, which most hosts answer even when they drop ICMP; across a router it falls back to ICMP echo plus TCP probes to ports 80 and 443 when run as root.
To enumerate a range without touching the targets, use:
nmap -sL 192.168.1.0/24 – List scan: prints every address in the range and performs reverse-DNS lookups on them, but sends no packets to the hosts themselves. Useful for confirming scope before a scan.
Scanning
When performing scans, various flags can enhance your results:
nmap -sS -p 1-65535 192.168.1.10 – Conducts a TCP SYN (‘half-open’) scan on all 65535 ports of a target. It never completes the handshake, so it is faster than a connect scan and less likely to be logged by the application, but it requires root and is still plainly visible to any IDS or firewall watching SYN traffic.
To scan for specific services:
nmap -sV -p 80,443 192.168.1.10 – Scans ports 80 and 443 and sends service probes to determine the product and version behind each open port. Version detection completes connections and exchanges application data, so it is considerably noisier than a bare SYN scan.
Exploitation
Though not an exploitation tool per se, Nmap can help identify vulnerable services through the Nmap Scripting Engine (NSE):
nmap -sV --script=vuln 192.168.1.10 – Runs the scripts in the ‘vuln’ category against the target. Most of these scripts need the service version to decide what to check, so pair them with -sV. Some scripts in this category are intrusive (they send exploit-like payloads), so only run them against systems you are authorised to test.
Analysis
Post-scan analysis can be streamlined by outputting results in various formats:
nmap -oN scan_results.txt 192.168.1.10– Writes scan results in a human-readable format to a file.
Evasion
To reduce the chance of tripping network detection systems, slow the scan down (for example -T1 or -T2, or --scan-delay) and consider decoys:
nmap -D RND:10 192.168.1.10 – Sends each probe from ten random decoy addresses in addition to your own, so the target’s logs show eleven apparent sources. Your real address is still among them, and decoys only apply to host discovery, port scanning and OS detection: version detection (-sV) and connect scans (-sT) always come from your real address.
Reporting
For thorough reporting, Nmap supports XML output, which can be reformatted or processed as needed:
nmap -oX scan_results.xml 192.168.1.10 – Outputs scan results in XML format for further analysis with tools (the XML can be converted to HTML with the stylesheet Nmap ships, e.g. xsltproc scan_results.xml -o scan_results.html). Use -oA basename to write normal, XML and grepable (-oG) output in one run.
Quick Reference Table
| Flag | Description |
|---|---|
| -sn | Host discovery only – no port scan |
| -sL | List scan – enumerate targets, no packets sent to them |
| -sS | TCP SYN (half-open) scan; requires root |
| -sV | Service version detection |
| --script=vuln | Run NSE scripts in the vuln category |
| -oN | Output results in normal (human-readable) format |
| -oX | Output results in XML format |
| -oA | Output normal, XML and grepable formats at once |
| -D | Decoy scan (-D decoy1,decoy2,ME or -D RND:n) |
Pro Tips
- Use `-p-` to scan all ports (1-65535); the default scan covers only the 1000 most common ports and will miss services on unusual ports.
- Try `--traceroute` to see the path packets take to reach the target, useful in diagnosing network issues.
- `-T4` speeds up scans and is reasonable on fast, reliable networks; on slow or congested links it can cause dropped probes and missed ports, so fall back to `-T3` (the default) or lower if results look incomplete.
- Chains of scripts: pass several scripts or categories at once, e.g. `--script=default,safe` or `--script=http-title,ssl-cert`, and supply script arguments with `--script-args`.
Real-World Examples
Often, analysts need to gather information quickly. Here are practical examples:
- To perform a fast full-port scan of a single host (note that a full-port scan at -T4 is loud, not stealthy; use the Evasion options above if detection matters):
nmap -sS -T4 -p 1-65535 192.168.1.10
- To enumerate service versions across a subnet and save every output format for later analysis:
nmap -sV -oA all_services 192.168.1.0/24
These commands illustrate Nmap’s versatility in rapid assessments, especially beneficial in time-sensitive penetration tests.