--- name: nmap description: Canonical Nmap CLI syntax, two-pass scanning workflow, and sandbox-safe bounded scan patterns. --- # Nmap CLI Playbook Official docs: - https://nmap.org/book/man-briefoptions.html - https://nmap.org/book/man.html - https://nmap.org/book/man-performance.html Canonical syntax: `nmap [Scan Type(s)] [Options] {target specification}` High-signal flags: - `-n` skip DNS resolution - `-Pn` skip host discovery when ICMP/ping is filtered - `-sS` SYN scan (root/privileged) - `-sT` TCP connect scan (no raw-socket privilege) - `-sV` detect service versions - `-sC` run default NSE scripts - `-p ` explicit ports (`-p-` for all TCP ports) - `--top-ports ` quick common-port sweep - `--open` show only hosts with open ports - `-T<0-5>` timing template (`-T4` common) - `--max-retries ` cap retransmissions - `--host-timeout