# nmap Quick Reference

*Port scanning, host discovery, service detection, and NSE scripts*

> Source: Nmap Documentation (nmap.org/docs) · MIT

## Basic Scans

### Scan Targets

```
nmap 192.168.1.1              # single host
nmap 192.168.1.0/24           # entire subnet
nmap 192.168.1.1-50           # IP range
nmap -iL targets.txt          # hosts from file
```

### Target Specification

| Command | Description |
|---------|-------------|
| `192.168.1.1` | Single IP address |
| `192.168.1.0/24` | CIDR notation (256 hosts) |
| `192.168.1.1-254` | IP range |
| `example.com` | Hostname (resolved to IP) |
| `-iL file.txt` | Read targets from file |
| `--exclude 192.168.1.1` | Exclude specific hosts |
| `--excludefile skip.txt` | Exclude hosts from file |

## Port Scanning

### Scan Types

| Command | Description |
|---------|-------------|
| `-sS` | TCP SYN scan (default, stealthy, needs root) |
| `-sT` | TCP connect scan (full handshake, no root) |
| `-sU` | UDP scan (slow, often filtered) |
| `-sA` | TCP ACK scan (detect firewalls) |
| `-sN` | TCP NULL scan (no flags set) |
| `-sF` | TCP FIN scan (only FIN flag) |
| `-sX` | Xmas scan (FIN+PSH+URG flags) |

### Port Selection

```
nmap -p 80,443 target         # specific ports
nmap -p 1-1000 target         # port range
nmap -p- target               # all 65535 ports
nmap --top-ports 100 target   # most common 100 ports
```

### Port States

| Command | Description |
|---------|-------------|
| `open` | Application is accepting connections |
| `closed` | Port reachable but no service listening |
| `filtered` | Firewall blocking, can't determine state |
| `unfiltered` | Port accessible, open/closed unknown |
| `open\|filtered` | Can't determine if open or filtered |

## Host Discovery

### Discovery Methods

| Command | Description |
|---------|-------------|
| `-sn` | Ping scan only (no port scan) |
| `-Pn` | Skip host discovery (treat all as up) |
| `-PS 80,443` | TCP SYN discovery on ports |
| `-PA 80` | TCP ACK discovery |
| `-PU 53` | UDP discovery |
| `-PE` | ICMP echo request |
| `-PR` | ARP discovery (local network) |

### Network Sweep

```
nmap -sn 192.168.1.0/24       # ping sweep subnet
nmap -sn -n 10.0.0.0/24       # sweep, skip DNS
nmap -sn -PR 192.168.1.0/24   # ARP scan (fastest)
```

## Service Detection

### Version Detection

```
nmap -sV target               # detect service versions
nmap -sV --version-intensity 5 target  # deeper probing
nmap -sV --version-all target  # try every probe (slow)
nmap -A target                 # OS + version + scripts + traceroute
```

### Service Flags

| Command | Description |
|---------|-------------|
| `-sV` | Probe open ports for service/version |
| `--version-intensity 0-9` | Probe intensity (default 7) |
| `--version-light` | Light probing (intensity 2) |
| `--version-all` | Try every probe (intensity 9) |
| `-A` | Aggressive: -sV -O --script=default -traceroute |
| `-sC` | Run default NSE scripts |

## OS Detection

### OS Fingerprinting

```
nmap -O target                # OS detection (needs root)
nmap -O --osscan-limit target # only scan promising hosts
nmap -O --osscan-guess target # aggressive OS guessing
nmap -A target                # includes OS detection
```

### OS Detection Flags

| Command | Description |
|---------|-------------|
| `-O` | Enable OS detection |
| `--osscan-limit` | Skip hosts without open+closed TCP ports |
| `--osscan-guess` | Guess OS more aggressively |
| `--max-os-tries N` | Max OS detection attempts per host |

## Scripts (NSE)

### Script Usage

```
nmap --script=default target   # default category
nmap --script=vuln target      # vulnerability scripts
nmap --script=http-headers target
nmap --script="http-*" target  # wildcard match
```

### Script Categories

| Command | Description |
|---------|-------------|
| `default` | Safe, useful scripts (-sC shorthand) |
| `vuln` | Check for known vulnerabilities |
| `safe` | Non-intrusive scripts |
| `intrusive` | May crash targets or trigger IDS |
| `discovery` | Network & service discovery |
| `auth` | Authentication-related checks |
| `brute` | Brute-force credential testing |
| `exploit` | Active exploitation attempts |

### Useful Scripts

| Command | Description |
|---------|-------------|
| `http-title` | Grab web page titles |
| `ssl-cert` | Show SSL certificate details |
| `ssh-hostkey` | Show SSH host key fingerprints |
| `dns-brute` | Enumerate DNS subdomains |
| `smb-os-discovery` | Detect Windows OS via SMB |
| `vuln` | Run all vulnerability checks |

## Output Formats

### Output Options

```
nmap -oN scan.txt target      # normal text output
nmap -oX scan.xml target      # XML output
nmap -oG scan.gnmap target    # grepable output
nmap -oA scan_all target      # all formats at once
```

### Output Flags

| Command | Description |
|---------|-------------|
| `-oN file` | Normal output to file |
| `-oX file` | XML output (for tools/parsing) |
| `-oG file` | Grepable output (one host per line) |
| `-oA basename` | All three formats (basename.nmap/xml/gnmap) |
| `-v` | Increase verbosity (-vv for more) |
| `-d` | Debug output (-dd for more) |
| `--open` | Show only open ports |
| `--reason` | Show reason for port state |

## Timing & Performance

### Timing Templates

| Command | Description |
|---------|-------------|
| `-T0 (paranoid)` | Very slow, IDS evasion (5 min between probes) |
| `-T1 (sneaky)` | Slow, IDS evasion (15 sec between probes) |
| `-T2 (polite)` | Reduced speed, less bandwidth |
| `-T3 (normal)` | Default timing |
| `-T4 (aggressive)` | Fast, assumes reliable network |
| `-T5 (insane)` | Fastest, may miss results |

### Fine-Grained Tuning

| Command | Description |
|---------|-------------|
| `--min-rate 1000` | Send at least 1000 packets/sec |
| `--max-rate 500` | Cap at 500 packets/sec |
| `--max-retries 2` | Max probe retransmissions |
| `--host-timeout 30m` | Skip host if scan exceeds 30 min |
| `--scan-delay 1s` | Delay between probes |
| `--min-parallelism 10` | Min parallel probe groups |

## Firewall Evasion

### Evasion Techniques

| Command | Description |
|---------|-------------|
| `-f` | Fragment packets (8-byte chunks) |
| `-D RND:5` | Decoy scan with 5 random IPs |
| `-S spoof_ip` | Spoof source IP (needs raw packets) |
| `-e eth0` | Use specific network interface |
| `--source-port 53` | Use specific source port (e.g. DNS) |
| `--data-length 25` | Append random data to packets |
| `--spoof-mac 0` | Randomize MAC address |

### Evasion Examples

```
nmap -f -D RND:3 target        # fragments + decoys
nmap --source-port 53 target   # DNS port (often allowed)
nmap -T1 --scan-delay 5s target  # slow to evade IDS
```

## Common Patterns

### Quick Recon

```
nmap -T4 -F target             # fast common ports
nmap -T4 -A -v target          # OS + service detection
nmap -sV --top-ports 1000 target  # top 1000 + versions
```

### Comprehensive Scan

```
# Full TCP + service + OS + scripts
nmap -sS -sV -O -sC -p- -T4 -oA full target
# UDP scan on common ports
nmap -sU --top-ports 50 target
```

### Web Server Audit

```
nmap -p 80,443 --script=http-title,http-headers,\
ssl-cert,http-methods target
# Check for open proxies and vulns
nmap -p 80,443,8080 --script=http-open-proxy,vuln target
```

### Network Inventory

```
# Discover all live hosts with OS info
nmap -sn 192.168.1.0/24 -oG - | grep "Up"
# Service inventory for subnet
nmap -sV -T4 192.168.1.0/24 -oX inventory.xml
```