Nmap Quick Reference
====================

BASIC SCANS
  nmap target                    Default scan (top 1000 ports)
  nmap -p 80,443 target          Specific ports
  nmap -p 1-65535 target         All ports
  nmap -p- target                All ports (shorthand)
  nmap -F target                 Fast scan (top 100)

SCAN TYPES
  nmap -sT target                TCP connect scan
  nmap -sS target                SYN scan (stealth, needs root)
  nmap -sU target                UDP scan
  nmap -sV target                Version detection
  nmap -sC target                Default scripts
  nmap -A target                 Aggressive (OS + version + scripts)
  nmap -O target                 OS detection

SERVICE / VERSION
  nmap -sV target                Detect service versions
  nmap -sV --version-intensity 5 target   More aggressive

SCRIPTS
  nmap --script=default target   Default scripts
  nmap --script=vuln target      Vulnerability scripts
  nmap --script=http-enum target HTTP enumeration
  nmap --script=smb-vuln* target SMB vulnerabilities

OUTPUT
  nmap -oN output.txt target     Normal output
  nmap -oX output.xml target     XML output
  nmap -oG output.gnmap target   Grepable output
  nmap -oA basename target       All formats

HOST DISCOVERY
  nmap -sn 10.0.0.0/24          Ping sweep (no port scan)
  nmap -Pn target                Skip host discovery

TIMING
  nmap -T0 target                Paranoid (slowest)
  nmap -T3 target                Normal (default)
  nmap -T4 target                Aggressive
  nmap -T5 target                Insane (fastest)

COMMON CTF COMBOS
  # Full enumeration
  nmap -sC -sV -p- target

  # Quick overview
  nmap -sV -F target

  # UDP + TCP
  nmap -sS -sU -p 1-1000 target

  # Script scan for HTTP
  nmap --script=http-* -p 80,443,8080 target
