> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Nmap

> Nmap scanning techniques: host discovery, port scanning, service detection, scripts, evasion, and output formats.

## Basic Scans

```bash theme={"dark"}
nmap TARGET
nmap -sV -sC -p- TARGET
nmap -A -T4 TARGET
```

***

## Host Discovery

```bash theme={"dark"}
nmap -sn 10.10.10.0/24              # Ping sweep
nmap -Pn TARGET                      # Skip host discovery
nmap -PS22,80,443 TARGET             # TCP SYN discovery
nmap -PA80 TARGET                    # TCP ACK discovery
nmap -PU TARGET                      # UDP discovery
```

***

## Scan Types

```bash theme={"dark"}
nmap -sS TARGET                      # SYN scan (stealth, default root)
nmap -sT TARGET                      # TCP connect scan
nmap -sU TARGET                      # UDP scan
nmap -sA TARGET                      # ACK scan (firewall detection)
nmap -sW TARGET                      # Window scan
nmap -sN TARGET                      # NULL scan
nmap -sF TARGET                      # FIN scan
nmap -sX TARGET                      # Xmas scan
```

| Scan    | Flag  | Use Case             |
| ------- | ----- | -------------------- |
| SYN     | `-sS` | Default stealth scan |
| Connect | `-sT` | No root required     |
| UDP     | `-sU` | UDP services         |
| ACK     | `-sA` | Map firewall rules   |

***

## Port Specification

```bash theme={"dark"}
nmap -p 80 TARGET                    # Single port
nmap -p 80,443,8080 TARGET           # Multiple ports
nmap -p 1-1000 TARGET                # Range
nmap -p- TARGET                      # All 65535 ports
nmap --top-ports 100 TARGET          # Top 100 ports
nmap -p U:53,T:80 TARGET             # UDP + TCP
```

***

## Service & Version Detection

```bash theme={"dark"}
nmap -sV TARGET                      # Version detection
nmap -sV --version-intensity 5 TARGET
nmap -O TARGET                       # OS detection
nmap -A TARGET                       # OS + version + scripts + traceroute
```

***

## NSE Scripts

```bash theme={"dark"}
nmap -sC TARGET                      # Default scripts
nmap --script=vuln TARGET            # Vulnerability scripts
nmap --script=http-enum TARGET       # Specific script
nmap --script "http-*" TARGET        # Wildcard
```

### Script Categories

```bash theme={"dark"}
nmap --script=auth TARGET
nmap --script=brute TARGET
nmap --script=discovery TARGET
nmap --script=exploit TARGET
nmap --script=vuln TARGET
nmap --script=safe TARGET
```

### Script Args

```bash theme={"dark"}
nmap --script=http-brute --script-args http-brute.path=/admin TARGET
```

### Find Scripts

```bash theme={"dark"}
ls /usr/share/nmap/scripts/ | grep smb
nmap --script-help=smb-vuln-ms17-010
```

***

## Timing & Performance

```bash theme={"dark"}
nmap -T0 TARGET                      # Paranoid (IDS evasion)
nmap -T1 TARGET                      # Sneaky
nmap -T2 TARGET                      # Polite
nmap -T3 TARGET                      # Normal (default)
nmap -T4 TARGET                      # Aggressive
nmap -T5 TARGET                      # Insane
```

```bash theme={"dark"}
nmap --min-rate 1000 TARGET
nmap --max-retries 2 TARGET
nmap --host-timeout 30m TARGET
```

***

## Evasion & Spoofing

```bash theme={"dark"}
nmap -f TARGET                       # Fragment packets
nmap -D RND:10 TARGET                # Decoy scan
nmap -S SPOOFED_IP TARGET            # Spoof source IP
nmap --source-port 53 TARGET         # Spoof source port
nmap --data-length 25 TARGET         # Append random data
nmap --randomize-hosts TARGET        # Random host order
nmap --spoof-mac 0 TARGET            # Random MAC
```

***

## Output Formats

```bash theme={"dark"}
nmap -oN scan.txt TARGET             # Normal
nmap -oX scan.xml TARGET             # XML
nmap -oG scan.gnmap TARGET           # Grepable
nmap -oA scan TARGET                 # All formats
```

### Parse Grepable

```bash theme={"dark"}
grep "open" scan.gnmap
grep "/open/" scan.gnmap | cut -d' ' -f2
```

***

## Useful Combinations

### Full TCP Scan

```bash theme={"dark"}
nmap -sV -sC -p- -oA full TARGET
```

### Quick Recon

```bash theme={"dark"}
nmap -sV -sC --top-ports 20 -oA quick TARGET
```

### UDP Top Ports

```bash theme={"dark"}
nmap -sU --top-ports 20 -sV TARGET
```

### Vuln Scan

```bash theme={"dark"}
nmap -sV --script=vuln -oA vuln TARGET
```

***

## Quick Reference

| Task       | Command                          |
| ---------- | -------------------------------- |
| Full scan  | `nmap -sV -sC -p- TARGET`        |
| Stealth    | `nmap -sS TARGET`                |
| UDP        | `nmap -sU --top-ports 20 TARGET` |
| Scripts    | `nmap --script=vuln TARGET`      |
| Evasion    | `nmap -f -D RND:10 TARGET`       |
| All output | `nmap -oA scan TARGET`           |
