Basic Scans
nmap TARGET
nmap -sV -sC -p- TARGET
nmap -A -T4 TARGET
Host Discovery
nmap -sn 10.10.10.0/24 # Ping sweep
nmap -Pn TARGET # Skip host discovery
nmap -PS22,80,443 TARGET # TCP SYN discovery
nmap -PA80 TARGET # TCP ACK discovery
nmap -PU TARGET # UDP discovery
Scan Types
nmap -sS TARGET # SYN scan (half-open "stealth" scan; the default when run as root)
nmap -sT TARGET # TCP connect scan
nmap -sU TARGET # UDP scan
nmap -sA TARGET # ACK scan (firewall detection)
nmap -sW TARGET # Window scan
nmap -sN TARGET # NULL scan
nmap -sF TARGET # FIN scan
nmap -sX TARGET # Xmas scan
| Scan | Flag | Use Case |
|---|---|---|
| SYN | -sS | Default stealth scan |
| Connect | -sT | No root required |
| UDP | -sU | UDP services |
| ACK | -sA | Map firewall rules |
Port Specification
nmap -p 80 TARGET # Single port
nmap -p 80,443,8080 TARGET # Multiple ports
nmap -p 1-1000 TARGET # Range
nmap -p- TARGET # All 65535 ports
nmap --top-ports 100 TARGET # Top 100 ports
nmap -sU -sS -p U:53,T:80 TARGET # UDP + TCP (U: ports are only scanned when -sU is given alongside a TCP scan type)
Service & Version Detection
nmap -sV TARGET # Version detection
nmap -sV --version-intensity 5 TARGET # Probe intensity 0-9 (default 7)
nmap -O TARGET # OS detection
nmap -A TARGET # OS + version + scripts + traceroute
NSE Scripts
nmap -sC TARGET # Default scripts
nmap --script=vuln TARGET # Vulnerability scripts
nmap --script=http-enum TARGET # Specific script
nmap --script "http-*" TARGET # Wildcard
Script Categories
nmap --script=auth TARGET
nmap --script=brute TARGET
nmap --script=discovery TARGET
nmap --script=exploit TARGET
nmap --script=vuln TARGET
nmap --script=safe TARGET
Script Args
nmap --script=http-brute --script-args http-brute.path=/admin TARGET
Find Scripts
ls /usr/share/nmap/scripts/ | grep smb
nmap --script-help=smb-vuln-ms17-010
Timing
nmap -T0 TARGET # Paranoid (IDS evasion)
nmap -T1 TARGET # Sneaky
nmap -T2 TARGET # Polite
nmap -T3 TARGET # Normal (default)
nmap -T4 TARGET # Aggressive
nmap -T5 TARGET # Insane
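nmap --min-rate 1000 TARGET # Send at least 1000 packets per second
nmap --max-retries 2 TARGET # Cap probe retransmissions per port
nmap --host-timeout 30m TARGET # Give up on a host after 30 minutes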
Evasion & Spoofing
nmap -f TARGET # Fragment packets
nmap -D RND:10 TARGET # Decoy scan
nmap -S SPOOFED_IP TARGET # Spoof source IP
nmap --source-port 53 TARGET # Spoof source port
nmap --data-length 25 TARGET # Append random data
nmap --randomize-hosts TARGET # Random host order
nmap --spoof-mac 0 TARGET # Random MAC
Output
nmap -oN scan.txt TARGET # Normal
nmap -oX scan.xml TARGET # XML
nmap -oG scan.gnmap TARGET # Grepable
nmap -oA scan TARGET # All formats
Parse Grepable
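grep "open" scan.gnmap # Lines mentioning open ports (also matches open|filtered)
grep "/open/" scan.gnmap | cut -d' ' -f2 # IPs of hosts with at least one open port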
Useful Combinations
Full TCP Scan
nmap -sV -sC -p- -oA full TARGET
Quick Recon
nmap -sV -sC --top-ports 20 -oA quick TARGET
UDP Top Ports
nmap -sU --top-ports 20 -sV TARGET
Vuln Scan
nmap -sV --script=vuln -oA vuln TARGET
Quick Reference
| Task | Command |
|---|---|
| Full scan | nmap -sV -sC -p- TARGET |
| Stealth | nmap -sS TARGET |
| UDP | nmap -sU --top-ports 20 TARGET |
| Scripts | nmap --script=vuln TARGET |
| Evasion | nmap -f -D RND:10 TARGET |
| All output | nmap -oA scan TARGET |