diff --git a/cheat_sheets/NMAP_cheat_sheet.md b/cheat_sheets/NMAP_cheat_sheet.md new file mode 100644 index 0000000..f84a3be --- /dev/null +++ b/cheat_sheets/NMAP_cheat_sheet.md 
@@ -0,0 +1,62 @@ +# NMAP Cheat Sheet + +Base nmap Syntax: + +``` +nmap [ScanType] [Options] {targets} +``` +If no port range is specified, Nmap scans the 1,000 most popular ports. + +``` +-F Scan 100 most popular ports +-p - Port range +-p ,,... Port List +-pU:53,U:110,T20-445 Mix TCP and UDP +-r Scan linearly (do not randomize ports) +--top-ports Scan n most popular ports +-p-65535 Leaving off initial port in range makes Nmap scan start at port 1 +-p0- Leaving off end port in range makes Nmap scan through p +``` + +## Nmap Scripting Engine + +The full list of Nmap Scripting Engine scripts: http://nmap.org/nsedoc/ + +Some particularly useful scripts include: + +- dns-zone-transfer: Attempts to pull a zone file (AXFR) from a DNS server. +``` +$ nmap --script dns-zonetransfer.nse --script-args dns-zonetransfer.domain= -p53 +``` + +- http-robots.txt: Harvests robots.txt files from discovered web servers. +``` +$ nmap --script http-robots.txt +``` + +- smb-brute: Attempts to determine valid username and password combinations via automated guessing. +``` +$ nmap --script smb-brute.nse -p445 +``` + +- smb-psexec: Attempts to run a series of programs on the target machine, using credentials provided as scriptargs. +``` +$ nmap --script smb-psexec.nse –script-args=smbuser=,smbpass=[,config=] -p445 +``` + +### Nmap Scripting Engine Categories +The most common Nmap scripting engine categories: +- auth: Utilize credentials or bypass authentication on target hosts. +- broadcast: Discover hosts not included on command line by broadcasting on local network. +- brute: Attempt to guess passwords on target systems, for a variety of protocols, including http, SNMP, IAX, MySQL, VNC, etc. +- default: Scripts run automatically when -sC or -A are used. +- discovery: Try to learn more information about target hosts through public sources of information, SNMP, directory services, and more. +- dos: May cause denial of service conditions in target hosts. 
+- exploit: Attempt to exploit target systems. +- external: Interact with third-party systems not included in target list. +- fuzzer: Send unexpected input in network protocol fields. +- intrusive: May crash target, consume excessive resources, or otherwise impact target machines in a malicious fashion. +- malware: Look for signs of malware infection on the target hosts. +- safe: Designed not to impact target in a negative fashion. +- version: Measure the version of software or protocols on the target hosts. +- vul: Measure whether target systems have a known vulnerability.
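Review bot: several of the command examples in this hunk will not run as written, and the options table has lost its placeholders. The dns-zone-transfer bullet names the script `dns-zone-transfer` but the command invokes `--script dns-zonetransfer.nse --script-args dns-zonetransfer.domain=`; the script name and its argument prefix should match the bullet. The smb-psexec example uses an en dash in `–script-args=smbuser=,smbpass=[,config=]`, which the shell will pass through as a positional argument instead of the option; it should be `--script-args`. In `-pU:53,U:110,T20-445` the TCP range lacks the `T:` prefix that the UDP entries use. The `-p -`, `-p ,,...`, `dns-zonetransfer.domain=`, `smbuser=`, `smbpass=` and `config=` entries, and the target-less commands such as `$ nmap --script http-robots.txt`, read as though angle-bracketed placeholders were stripped when the markdown was rendered; put them in backticks or escape them so they survive. The `-p0-` description ends mid-word ("scan through p") and needs completing. Minor: `scriptargs` should read `script-args`, and the NSE category is spelled `vuln`, not `vul`.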