Nmap, the Network Mapper, is an open-source tool that is indispensable for network discovery and security auditing. It is a powerful tool used by network administrators, security professionals, and enthusiasts alike to discover devices running on their networks, detect open ports, and determine what services are running on those devices. Here are some handy commands to help you navigate the most common Nmap options and understand what they do.
Target Specification:
nmap 192.168.1.1: Scan a single IP.
nmap 192.168.1.1 192.168.2.1: Scan specific IPs.
nmap 192.168.1.1-254: Scan a range of IPs.
nmap scanme.nmap.org: Scan a domain.
nmap 192.168.1.0/24: Scan using CIDR notation.
nmap -iL targets.txt: Scan targets from a file.
nmap -iR 100: Scan 100 random hosts.
nmap --exclude 192.168.1.1: Exclude listed hosts from the scan.
Scan Techniques:
-sS: TCP SYN port scan (Default).
-sT: TCP connect port scan (Default without root privilege).
-sU: UDP port scan.
-sA: TCP ACK port scan.
-sW: TCP Window port scan.
-sM: TCP Maimon port scan.
Host Discovery:
-sL: List targets only, without scanning.
-sn: Disable port scanning; host discovery only.
-Pn: Disable host discovery; port scan only.
-PS: TCP SYN discovery on specified ports.
-PA: TCP ACK discovery on specified ports.
-PU: UDP discovery on specified ports.
-PR: ARP discovery on local network.
-n: Never do DNS resolution during the scan.
Port Specification:
-p 21: Port scan for port 21.
-p 21-100: Scan a range of ports.
-p U:53,T:21-25,80: Scan multiple TCP and UDP ports.
-p-: Scan all 65535 ports.
-p http,https: Scan ports by service name.
-F: Fast port scan (scans the 100 most common ports).
--top-ports 2000: Scan the top 2000 most common ports.
Service and Version Detection:
-sV: Attempts to determine the version of the service running on each open port.
-sV --version-intensity: Intensity level 0 to 9. A higher number increases the chance of a correct identification.
-sV --version-light: Enable light mode. Lower chance of correctness, but faster.
-sV --version-all: Enable intensity level 9. Higher chance of correctness, but slower.
-A: Enables OS detection, version detection, script scanning, and traceroute.
OS Detection:
-O: Remote OS detection using TCP/IP stack fingerprinting.
-O --osscan-limit: If at least one open and one closed TCP port are not found, Nmap will not try OS detection against the host.
-O --osscan-guess: Makes Nmap guess more aggressively.
-O --max-os-tries: Set the maximum number of OS detection tries against a target.
-A: Enables OS detection, version detection, script scanning, and traceroute.
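The service/version detection and OS detection sections above describe what Nmap reports; what a practitioner usually wants next is that data in a form that can be diffed and searched, for example to find every host still exposing telnet or an old SSH build. The script below is an added example, not part of the original cheat sheet: it parses the grepable output of a `-sV -O -oG -` scan into a CSV inventory. Grepable output holds one tab-separated record per host; its `Ports:` field lists entries as `port/state/protocol/owner/service/rpc info/version/` separated by `, `, and the `OS:` field carries the fingerprint match when `-O` was used. The scan output is a constructed sample, and `open_services` and `hosts_running` are helper names introduced here.

```shell
#!/bin/sh
# Added example: turn `nmap -sV -O -oG -` output into a CSV service inventory.
# SAMPLE_SCAN is a constructed stand-in for real grepable output (tabs between fields).
SAMPLE_SCAN=$({
  printf '# Nmap 7.94 scan initiated as: nmap -sV -O -oG - 192.168.1.10 192.168.1.57\n'
  printf 'Host: 192.168.1.10 (web.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3/, '
  printf '80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\t'
  printf 'Ignored State: closed (997)\tOS: Linux 5.4 - 5.10\tSeq Index: 258\n'
  printf 'Host: 192.168.1.57 ()\tPorts: 23/open/tcp//telnet//Busybox telnetd/, '
  printf '80/filtered/tcp//http///\tIgnored State: closed (998)\n'
})

# open_services: read -oG text on stdin, write CSV rows host,port,proto,service,version,os
# for every port in state "open". Filtered/closed entries are dropped.
open_services() {
    printf 'host,port,proto,service,version,os\n'
    awk -F'\t' '
    /^Host:/ {
        host = $1
        sub(/^Host: /, "", host)   # strip the "Host: " prefix
        sub(/ .*/, "", host)       # drop the "(hostname)" part
        os = ""
        for (i = 2; i <= NF; i++)  # OS: comes after Ports:, so collect it first
            if ($i ~ /^OS: /) os = substr($i, 5)
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            n = split(substr($i, 8), entries, ", ")
            for (j = 1; j <= n; j++) {
                # f[1]=port f[2]=state f[3]=protocol f[5]=service f[7]=version
                split(entries[j], f, "/")
                if (f[2] == "open")
                    printf "%s,%s,%s,%s,%s,%s\n", host, f[1], f[3], f[5], f[7], os
            }
        }
    }'
}

# hosts_running SERVICE: read -oG text on stdin, print host:port for each open port
# whose detected service name equals SERVICE (e.g. telnet, ftp, ssh).
hosts_running() {
    open_services | awk -F',' -v svc="$1" '$4 == svc { print $1 ":" $2 }'
}

# Offline demo on the constructed sample. Against real targets the pipeline would be:
#   nmap -sV -O -oG - -iL targets.txt | open_services > inventory.csv
printf '%s\n' "$SAMPLE_SCAN" | open_services
printf '%s\n' "$SAMPLE_SCAN" | hosts_running telnet
```

Keeping the `-oG` file from each run and diffing successive CSVs is a cheap way to notice a new listening service on a host; the version column is where `--version-intensity` pays off, since a low-intensity scan often leaves it blank.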
Timing and Performance:
-T0: Paranoid (0): Intrusion Detection System evasion.
-T1: Sneaky (1): Intrusion Detection System evasion.
-T2: Polite (2): slows down the scan to use less bandwidth and fewer target machine resources.
-T3: Normal (3): the default speed.
-T4: Aggressive (4): speeds up scans; assumes you are on a reasonably fast and reliable network.
-T5: Insane (5): speeds up scans; assumes you are on an extraordinarily fast network.
Timing and Performance Switches:
--host-timeout <time>: Give up on a target after this long.
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>: Specify probe round-trip time.
--min-hostgroup/--max-hostgroup <size>: Parallel host scan group sizes.
--min-parallelism/--max-parallelism <num>: Probe parallelization.
--max-retries <tries>: Specify the maximum number of port scan probe retransmissions.
--min-rate <number>: Send packets no slower than <number> per second.
--max-rate <number>: Send packets no faster than <number> per second.
NSE Scripts:
-sC: nmap 192.168.1.1 -sC: Scan with default NSE scripts. Considered useful for discovery and safe.
--script default: nmap 192.168.1.1 --script default: Scan with default NSE scripts. Considered useful for discovery and safe.
--script: nmap 192.168.1.1 --script=banner: Scan with a single script. Example: banner.
--script: nmap 192.168.1.1 --script="http*": Scan with a wildcard (quoted so the shell does not expand it). Example: http.
--script: nmap 192.168.1.1 --script=http,banner: Scan with two scripts. Example: http and banner.
--script: nmap 192.168.1.1 --script "not intrusive": Scan default, but remove intrusive scripts.
--script-args: nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1: NSE script with arguments.
Firewall / IDS Evasion and Spoofing:
-f: Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters.
--mtu: Set your own offset size.
-D: Send scans from spoofed (decoy) IPs.
-S: Spoof the source IP address (e.g. scan Facebook appearing to come from Microsoft; -e eth0 -Pn may be required).
-g: Use the given source port number.
--proxies: Relay connections through HTTP/SOCKS4 proxies.
--data-length: Appends random data to sent packets.
These commands are just the tip of the iceberg when it comes to the capabilities of Nmap. With its robust set of features, Nmap can be tailored to perform a wide variety of network tasks. Whether you’re conducting a simple network inventory, managing service upgrade schedules, or monitoring host or service uptime, Nmap’s flexible command options have you covered.
Always ensure you have permission to scan the network and devices you’re targeting with Nmap. Unauthorized scanning can be considered illegal or intrusive by network owners. Use Nmap wisely and ethically to enhance your network’s security posture. Happy scanning!