Scan Methodology
Scanning when pings are allowed:
1- Discover online hosts
nmap -v -iL [file with scope] -sn -n -oG live_hosts.txt.gnmap
cat live_hosts.txt.gnmap | grep Up | cut -d' ' -f2 > live_hosts.txt
2- Port discovery of online hosts
nmap -v -sS --top-ports 2000 -n -oA top2000.online -iL live_hosts.txt
3- OS and version detection, default scripts on the discovered hosts (noisy)
nmap -A -oA [output] -iL live_hosts.txt
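The three steps above wrapped as POSIX shell functions, as an added example that is not part of the original cheatsheet. The function names, the `full_enum` output prefix and the sample greppable (-oG) output are my own constructions; the parser only keeps "Host:" lines whose status is "Up", so the nmap header and footer comment lines can never leak into the target list.

```shell
#!/bin/sh
# Added example, not from the original page. Wraps the three-step methodology
# and replaces the grep/cut one-liner with a parser that only accepts
# "Host:" records reported as Up in greppable (-oG) output.

# Extract the IPs of hosts nmap reported "Up" from -oG output ($1).
# Comment lines (# Nmap ...) and Down hosts are skipped; output is deduplicated.
extract_live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1" | sort -u
}

# Step 1: ping sweep without DNS resolution on the in-scope file ($1).
# Step 2: SYN scan of the top 2000 ports on the live hosts only.
# Step 3: noisy -A run (version detection, default scripts, OS detection).
run_methodology() {
    scope="$1"
    nmap -v -iL "$scope" -sn -n -oG live_hosts.txt.gnmap
    extract_live_hosts live_hosts.txt.gnmap > live_hosts.txt
    nmap -v -sS --top-ports 2000 -n -oA top2000.online -iL live_hosts.txt
    nmap -A -oA full_enum -iL live_hosts.txt   # full_enum is an assumed prefix
}

# Constructed sample of greppable output (addresses from the TEST-NET-1 range)
# so the parser can be exercised offline without running nmap.
SAMPLE_GNMAP=$(mktemp)
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -v -iL scope.txt -sn -n -oG live_hosts.txt.gnmap
Host: 192.0.2.10 ()   Status: Up
Host: 192.0.2.11 ()   Status: Down
Host: 192.0.2.12 ()   Status: Up
Host: 192.0.2.12 ()   Status: Up
# Nmap done -- 3 IP addresses (2 hosts up) scanned in 5.00 seconds
EOF

# Usage on the sample: prints 192.0.2.10 and 192.0.2.12, one per line.
extract_live_hosts "$SAMPLE_GNMAP"
```

Call `run_methodology scope.txt` for the real workflow; it needs root for -sS and -A, exactly like the commands above.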

General flags
-sS   SYN scan, used to test if ports are open/filtered
-sT   TCP connect scan (default when run without root)
-sA   ACK scan, used to test firewall settings
-sU   UDP scan
-A    Performs -sV and -sC (scripts, version detection, etc.)
-Pn   Do not ping the host; just scan it
-O    OS detection (not scripts)
      Most noisy scan, maximum bandwidth.
-n    Never do DNS resolution

Speedy flags
-T4 or -T5
  T5 results in the fastest possible scanning (may overload the target)
--max-rtt-timeout X
  Per-port timeout: X is the time allowed to get a result. X is in seconds; for milliseconds use "Xms"
--host-timeout X
  Per-host timeout: X is the time allowed to get all results from a host, in seconds

Script flags
-sC
  Use default NSE scripts
--script dns-brute
  Guess common subdomains

Nmap + msfconsole host database
If you do not have the database running yet, follow the Kali guide for setting it up.
Stealth scan on an IP, no ping, with version detection, saving the information in the msfconsole database:
msf6 > db_nmap -sS -Pn -A [ip]

More Resources
MySQL enumeration (courtesy of HackTricks)
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
SMB enumeration (courtesy of codecentric)
nmap -sV --script=smb-enum-shares -p445 $ip
note to self: if you get this far and you do not have the machine in your hosts file, you're going to miss subdomains.
