# Nmap

* `-V` Prints version number
* `-A` Aggressive scan - a shortcut that turns on OS detection (`-O`), version detection (`-sV`), the default script scan (`-sC`) and `--traceroute`. Convenient, but noisy: it sends far more probes than a plain port scan
* `-v` verbose
* `-vv` double verbose
* `-oG <file>` output in greppable format. Saves the results as plain text with one `Host:` line per target, so they can be filtered with `grep`/`awk`; `-oA <basename>` writes normal, XML and greppable output at once
* `-p [port]` scans a specific port
* `-p-` Scan all 65,535 ports
* `-sV` service version detection - It attempts to **detect the version** of the services running on open ports of a target system.
* `-F` Fast scan - probes the 100 most common ports instead of the default 1,000
* `--open` only shows ports that are open (or `open|filtered`) in the output. It is a display filter: the same ports are still probed, so it does not make the scan faster
* `-sS` Performs a SYN ("half-open") scan - sends a SYN and never completes the handshake, so the target application never sees a connection and usually does not log it. Needs raw-packet privileges (root/Administrator) and is the default in that case. It is **not** undetectable: firewalls and IDS log SYN probes without difficulty
* `-sU` Scans UDP ports - slow, because open UDP services often stay silent, so many ports end up reported as `open|filtered`
* `-sC` Script scan - runs the NSE scripts in the `default` category (same as `--script=default`) to gather more information about discovered services
* `-O` OS detection
* `-sT` TCP connect scan - uses the operating system's `connect()` call, so it completes the full three-way handshake and then closes the connection. The default when raw-packet privileges are not available; more likely than `-sS` to show up in the target application's logs
* `-sn` (lowercase n) **"Ping Scan"** - tells Nmap **not to perform a port scan** and **only discover hosts** on the network. Do not confuse it with capital `-sN`, the TCP Null scan (a packet with no flags set). Neither is undetectable; discovery probes are visible to any network monitoring
* `-Pn` "No Ping" - tells Nmap to **skip host discovery** and **treat all targets as online**, even if they don’t respond to ping or discovery probes. Useful when ICMP is filtered, but every target, live or not, gets the full port scan
* `--max-retries 0` tells Nmap **not to retry** a probe that got no response the first time. Faster, but on a lossy network dropped probes are reported as `filtered`, so expect missed ports
* `-vvv` max verbosity (shows open ports as they are found and progress in real time)
* `-sA` ACK scan - never reports a port as open or closed, only as `filtered` or `unfiltered`, which makes it suitable for mapping firewall rule sets rather than for finding services
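
Why `-oG` matters in practice: the greppable format is built to be post-processed. The function below is an added example (not part of the original cheat sheet and not Nmap's own code) that pulls every open port out of a `.gnmap` file and prints `host port protocol service version`. The sample scan output embedded in the script is constructed by hand to look like `-sV -oG` output against a single host; the function name `open_ports` and the field layout comments are the author's assumptions about the format, not anything the cheat sheet states.

```shell
#!/bin/sh
# Parse Nmap greppable (-oG) output and list open ports per host.
#
# In -oG output each host with results gets a "Host:" line whose "Ports:"
# field holds comma-separated entries of the form
#   port/state/protocol/owner/service/rpcinfo/version/
# followed by an "Ignored State:" summary of the ports that were not listed.

# Constructed sample of -oG output (NOT a real scan result).
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -p- -oG scan.gnmap 10.0.0.5
Host: 10.0.0.5 ()	Status: Up
Host: 10.0.0.5 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///, 161/open|filtered/udp//snmp///	Ignored State: filtered (65531)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 1 IP address (1 host up) scanned in 5.02 seconds'

# open_ports FILE
# Prints one line per port whose state is exactly "open":
#   <host> <port> <protocol> <service> <version-or-dash>
# Ports reported as closed, filtered or open|filtered are skipped, which is
# the same set --open would leave visible minus the ambiguous UDP guesses.
open_ports() {
  awk '
    /^Host: / && /Ports: / {
      host = $2                                   # IP address follows "Host:"
      line = $0
      sub(/^.*Ports: /, "", line)                 # keep only the port list
      sub(/[[:space:]]+Ignored State:.*$/, "", line)  # drop trailing summary
      n = split(line, ports, /, /)                # one entry per port
      for (i = 1; i <= n; i++) {
        split(ports[i], f, "/")                   # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
        if (f[2] == "open")
          printf "%s %s %s %s %s\n", host, f[1], f[3], f[5], (f[7] == "" ? "-" : f[7])
      }
    }' "$1"
}

# Stand-alone run: write the constructed sample to a temp file and parse it.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_GNMAP" > "$SAMPLE_FILE"
open_ports "$SAMPLE_FILE"
```

Run against a real file produced with `nmap -sV -oG scan.gnmap <target>`, the same function gives a compact inventory that can be fed into follow-up tooling. Note that the filter keys on the literal state `open`, so UDP ports that Nmap could only classify as `open|filtered` are deliberately excluded; loosen the comparison if those are wanted.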
