NMAP syntax

Here are some NMAP commands I use often.

Enumerating the hosts on a couple of segments


nmap -sP -oA hostlist.active 192.168.1.0/24,172.16.20.0/24

This is a ping sweep only: host discovery without a port scan (-sP is the older spelling of -sn in current Nmap releases).
Adding -R makes it do a reverse DNS lookup for every address, whether a host is up or not.

A basic SYN scan of a slash 24


nmap -sS -T4 -vv -r -sV -O -n -F -oA test208 208.22.79.*

-F makes it faster by scanning a reduced list of the most common ports instead of the default set.
-r makes it scan the ports in sequential order instead of the default randomized order.
-sV probes open ports to detect service versions.
-O attempts to identify the operating system.
-n skips reverse DNS resolution, and -T4 selects the aggressive timing template.

A SYN scan to look for useless services on a bunch of segments


nmap -sS -PN -T4 -oA echochargentest -p T:7,19 -v -r 172.16.20,21,22,5,6,7,16.*
nmap -sS -PN -T4 -oA testsmallservices -p T:7,9,13,17,19,U:7,9,13,17,19 -v -r 192.168.1.*

-PN (spelled -Pn in current Nmap releases) tells it not to PING first; every address is treated as up and checked directly for the open ports.

Looking for web applications


nmap -PN -sT -A -p T:80,443,8080,8888,8088 -oA webapps -T4 192.168.1,2.*

Looking for certain specific services


nmap -sS -sV -PN -T4 -oA testsmtp -p T:25 -v -r 192.168.1.*
nmap -sU -sV -PN -T4 -oA tftptest -p U:69 -v -r 192.168.1.*
nmap -sSU -sV -PN -T4 -oA tftptest -p T:25,U:69 -v -r 192.168.1.*

-sS does a SYN scan; -sU does a UDP scan; -sSU does both in one run.
-sV does version detection on whatever ports it finds open.

Useful additional parameters

--dns-servers <server1>[,<server2>[,...]]
Specify your own DNS servers to use as resolvers for reverse queries.
-p U:53,111,137,T:21-25,80,139,8080
Specify a list of UDP and TCP ports to scan; a U: or T: prefix applies to every port that follows it until the next prefix.
--version-trace
Print out extensive debugging info about what version scanning is doing.
-oN <filespec>
Normal output.
-oG <filespec>
Grepable output. Each Host: line carries tab-separated fields drawn from: Host, Ports, Protocols, Ignored State, OS, Seq Index, IP ID, and Status.
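As an added example (not part of these notes), here is a short Python script that parses the grepable -oG output described above and reports which hosts expose the legacy "small services" (echo, discard, daytime, qotd, chargen) that the scans earlier on this page look for, so they can be disabled. The sample scan output embedded in the script is constructed, and the SMALL_SERVICES table is my own mapping of those port numbers to names.

```python
"""Parse Nmap grepable (-oG) output and list hosts exposing legacy small services."""

# Assumption: the legacy TCP/UDP "small services" ports the scans above target.
SMALL_SERVICES = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}

# Constructed sample of -oG output (not real scan data). Fields on a Host: line
# are tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sSU -PN -T4 -oG - -p T:7,9,13,17,19,U:7,9,13,17,19 192.168.1.*
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 7/open/tcp//echo///, 19/open/tcp//chargen///, 7/open|filtered/udp//echo///, 13/closed/tcp//daytime///\tIgnored State: closed (6)
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/\tIgnored State: closed (9)
Host: 192.168.1.12 ()\tStatus: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]} for hosts that are up."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner and footer lines
        # Split the line into "Key: value" fields on tabs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if fields.get("Status") == "Down":
            continue
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        results.setdefault(host, [])
        for entry in fields.get("Ports", "").split(","):
            entry = entry.strip()
            if not entry:
                continue
            # port/state/proto/owner/service/rpc_info/version/ (trailing slash)
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            results[host].append((int(port), proto, state, service, version))
    return results


def find_small_services(parsed, states=("open", "open|filtered")):
    """Map host -> ['proto/port name', ...] for small-service ports in a reportable state."""
    findings = {}
    for host, ports in parsed.items():
        hits = sorted(
            (proto, port)
            for port, proto, state, _service, _version in ports
            if port in SMALL_SERVICES and state in states
        )
        if hits:
            findings[host] = [f"{proto}/{port} {SMALL_SERVICES[port]}" for proto, port in hits]
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; point it at a real .gnmap file instead.
    for host, hits in find_small_services(parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"{host}: disable {', '.join(hits)}")
```

UDP ports reported as open|filtered are included on purpose: Nmap cannot distinguish an open UDP service from a filtered port without a reply, so they deserve a manual check rather than being dropped from the list.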