Usage:

nmap [Scan Type(s)] [Options] {target specification}
# need to run as root

Standard Go-To Examples:

#TCP Ports:
nmap -sS -T4 -p- -A [IP Address]

#UDP Ports: 
nmap -sU -T4 -A [IP Address]

The following is a list and description of the 30 most common basic commands in nmap (for beginners).

• Source: Top 30 Basic NMAP Commands for Beginners

* Can pass hostnames, IP addresses, networks, etc.

• Examples: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

-sU: UDP Scan -sN/sF/sX: TCP Null, FIN, and Xmas scans –scanflags <flags>: Customize TCP scan flags -sI <zombie host[:probeport]>: Idle scan -sY/sZ: SCTP INIT/COOKIE-ECHO scans -sO: IP protocol scan -b <FTP relay host>: FTP bounce scan

-p <port ranges>: Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 –exclude-ports <port ranges>: Exclude the specified ports from scanning -F: Fast mode - Scan fewer ports than the default scan -r: Scan ports consecutively - don't randomize –top-ports <number>: Scan <number> most common ports –port-ratio <ratio>: Scan ports more common than <ratio>

-sV: Probe open ports to determine service/version info –version-intensity <level>: Set from 0 (light) to 9 (try all probes) –version-light: Limit to most likely probes (intensity 2) –version-all: Try every single probe (intensity 9) –version-trace: Show detailed version scan activity (for debugging)

Examples.

-sC: equivalent to –script=default –script=<Lua scripts>: <Lua scripts> is a comma separated list of

  directories, script-files or script-categories

–script-args=<n1=v1,[n2=v2,…]>: provide arguments to scripts –script-args-file=filename: provide NSE script args in a file –script-trace: Show all data sent and received –script-updatedb: Update the script database. –script-help=<Lua scripts>: Show help about scripts.

  <Lua scripts> is a comma-separated list of script-files or
  script-categories.

-O: Enable OS detection –osscan-limit: Limit OS detection to promising targets –osscan-guess: Guess OS more aggressively

Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T<0-5>: Set timing template (higher is faster) –min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes –min-parallelism/max-parallelism <numprobes>: Probe parallelization –min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time. –max-retries <tries>: Caps number of port scan probe retransmissions. –host-timeout <time>: Give up on target after this long –scan-delay/–max-scan-delay <time>: Adjust delay between probes –min-rate <number>: Send packets no slower than <number> per second –max-rate <number>: Send packets no faster than <number> per second

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once -v: Increase verbosity level (use -vv or more for greater effect) -d: Increase debugging level (use -dd or more for greater effect) –reason: Display the reason a port is in a particular state –open: Only show open (or possibly open) ports –packet-trace: Show all packets sent and received –iflist: Print host interfaces and routes (for debugging) –append-output: Append to rather than clobber specified output files –resume <filename>: Resume an aborted scan –noninteractive: Disable runtime interactions via keyboard –stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML –webxml: Reference stylesheet from Nmap.Org for more portable XML –no-stylesheet: Prevent associating of XSL stylesheet w/XML output