https://www.stationx.net/nmap-cheat-sheet/
Nmap Cheat Sheet - CLI Commands
=================================
--- Target specification ---
nmap 192.168.1.1
nmap 10.0.0.1,2,5-10
nmap 192.168.1.0/24
nmap -iL targets.txt # read targets from file
nmap 192.168.1.0/24 --exclude 192.168.1.10 # scan the range but exclude one host (--exclude needs a target spec alongside it)
--- Host discovery ---
nmap -sn 10.0.0.0/24 # ping sweep
nmap -Pn 192.168.1.1 # skip host discovery
nmap -PS22,80 192.168.1.1 # TCP SYN ping on 22 & 80
nmap -n 192.168.1.1 # no DNS resolution
--- Port scanning techniques ---
nmap -sS 192.168.1.1 # SYN scan
nmap -sT 192.168.1.1 # TCP connect scan
nmap -sU 192.168.1.1 # UDP scan
nmap -sA 192.168.1.1 # ACK scan
--- Port range & selection ---
nmap -p- 192.168.1.1 # all 65535 ports
nmap -p 1-1000 192.168.1.1
nmap --top-ports 100 192.168.1.1
--- Service & version detection ---
nmap -sV 192.168.1.1
nmap -sV --version-intensity 9 192.168.1.1
--- OS detection & advanced scan ---
nmap -O 192.168.1.1
nmap -A 192.168.1.1 # OS, version, scripts, traceroute
--- NSE scripts ---
nmap --script default 192.168.1.1
nmap --script vuln 192.168.1.1
nmap --script "http-*,ftp-*" 192.168.1.1 # wildcard match on script names; keep the quotes so the shell does not expand *
nmap -p 445 --script smb-vuln-ms17-010 192.168.1.1
nmap --script-args http-enum.basepath=/test --script http-enum 192.168.1.1
--- Timing & performance ---
nmap -T4 192.168.1.1
nmap --min-rate 1000 -T5 192.168.1.1 # -T5 trades accuracy for speed; expect missed ports on slow or lossy links
--- Output formats ---
nmap -oN scan.txt 192.168.1.1
nmap -oX scan.xml 192.168.1.1
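nmap -oJ scan.json 192.168.1.1 # NOTE: -oJ is not an option in stock Nmap (formats are -oN, -oX, -oG, -oS, and -oA for all major formats); for JSON, convert the -oX output with an external tool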
nmap -oG scan.gnmap 192.168.1.1
--- Firewall / IDS evasion ---
nmap -f 192.168.1.1 # fragment packets
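nmap --source-port 53 192.168.1.1 # send probes from source port 53; only passes filters that trust traffic by source port, which stateful filtering does not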
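nmap --data-length 50 192.168.1.1 # append 50 random bytes to each probe; detection rules keyed to default probe sizes will not match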
--- Miscellaneous ---
nmap --script-help smb-vuln-ms17-010
nmap -6 2001:db8::1 # IPv6 target