From 06dbb484565bf825dfdf4602289433a62d61be0c Mon Sep 17 00:00:00 2001 From: Omar Santos Date: Wed, 26 Dec 2018 21:46:02 -0500 Subject: [PATCH] Updating the NMAP cheat sheet --- cheat_sheets/NMAP_cheat_sheet.md | 41 ++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/cheat_sheets/NMAP_cheat_sheet.md b/cheat_sheets/NMAP_cheat_sheet.md index 426e8d1..adaf472 100644 --- a/cheat_sheets/NMAP_cheat_sheet.md +++ b/cheat_sheets/NMAP_cheat_sheet.md @@ -27,6 +27,16 @@ If no port range is specified, Nmap scans the 1,000 most popular ports. - Open/Filtered: This indicates that the port was filtered or open but Nmap couldn’t establish the state. - Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn’t establish the state. +## Scan Types + +-`-sn`: Probe only (host discovery, not port scan) +-`-sS`: SYN Scan +-`-sT`: TCP Connect Scan +-`-sU`: UDP Scan +-`-sV`: Version Scan +-`-O`: Used for OS Detection/fingerprinting +-`--scanflags`: Sets custom list of TCP using `URG ACK PSH RST SYN FIN` in any order + ## Probing Options - `-Pn`: Don't probe (assume all hosts are up) @@ -36,6 +46,25 @@ If no port range is specified, Nmap scans the 1,000 most popular ports. - `-PP`: Using ICMP Timestamp Request - `-PM`: Using ICMP Netmask Request +## Timing Options +`-T0` (Paranoid): Very slow, used for IDS evasion +`-T1` (Sneaky): Quite slow, used for IDS evasion +`-T2` (Polite): Slows down to consume less bandwidth, runs ~10 times slower than default +`-T3` (Normal): Default, a dynamic timing model based on target responsiveness +`-T4` (Aggressive): Assumes a fast and reliable network and may overwhelm targets +`-T5` (Insane): Very aggressive; will likely overwhelm targets or miss open ports + +## Fine-Grained Timing Options + +`--min-hostgroup/max-hostgroup `: Parallel host scan group sizes +`--min-parallelism/max-parallelism `: Probes parallelization +`--min-rtt-timeout/max-rtttimeout/initial-rtt-timeout