Scan Methodology

Scanning when pings are allowed:
1- Discover online hosts
nmap -v -iL [file with scope] -sn -n -oG live_hosts.txt.gnmap
cat live_hosts.txt.gnmap | grep Up | cut -d' ' -f2 > live_hosts.txt
2- Port discovery of online hosts
nmap -v -sS --top-ports 2000 -n -oA top2000.online -iL live_hosts.txt
3- OS and version detection, default scripts on the discovered hosts (noisy)
nmap -A -oA [output] -iL live_hosts.txt
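Added example for steps 1 and 2 above (not part of the original notes): a small POSIX shell script that turns the greppable (-oG) output of the ping sweep into a clean host list and builds the step 2 command from it. The sample .gnmap content is constructed here with documentation addresses; only the parsing runs offline, nmap itself is not invoked.

```shell
#!/bin/sh
# Added example, not from the original notes: step 1 of the methodology,
# parsing `nmap -sn -oG` output into a host list for step 2.
# Compared with `grep Up | cut -d' ' -f2` it skips the "# Nmap ..." header
# and footer lines, ignores hosts reported Down (shown when -v is used)
# and de-duplicates the result.
set -eu

# Print one IP per line for every host nmap reported as up.
# $1: path to a .gnmap file written by `nmap -sn -oG <file>`.
# Fields are whitespace separated: "Host: <ip> (<name>) Status: Up".
extract_live_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }' "$1" | sort -u
}

# Build the step 2 top-ports scan command (nothing is executed here).
# $1: host file, $2: number of top ports (the notes use 2000).
build_port_scan_cmd() {
    printf 'nmap -v -sS --top-ports %s -n -oA top%s.online -iL %s\n' \
        "$2" "$2" "$1"
}

# Constructed sample sweep output (RFC 5737 test addresses), in the
# layout nmap -v -sn -oG produces; one host is listed twice on purpose.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -v -iL scope.txt -sn -n -oG live_hosts.txt.gnmap
Host: 192.0.2.10 ()	Status: Up
Host: 192.0.2.11 ()	Status: Down
Host: 192.0.2.12 ()	Status: Up
Host: 192.0.2.10 ()	Status: Up
# Nmap done -- 4 IP addresses (3 hosts up) scanned in 5.00 seconds
EOF

# Stand-alone run: show the hosts that would go into live_hosts.txt and
# the command that step 2 would run against them.
extract_live_hosts "$SAMPLE_GNMAP"
build_port_scan_cmd live_hosts.txt 2000
```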

General flags

-sS
SYN scan, used to test whether ports are open/filtered (needs root)
-sT
TCP connect scan (the default when run without root)
-sA
ACK scan, used to map firewall rules (filtered vs. unfiltered)
-sU
UDP scan
-A
Performs -sV and -sC plus OS detection and traceroute (scripts, version detection, etc.)
-Pn
Do not ping the host; just scan it
-O
OS detection only (no scripts)
-T5
Most noisy scan, maximum bandwidth.
-n
Never do DNS resolution

Speedy flags

-T4 or -T5
T5 results in the fastest possible scanning (may overload the target)
--max-rtt-timeout X
Per-probe timeout: wait at most X for a probe response. X is in seconds by default; append a unit for others, e.g. "500ms"
--host-timeout X
Per-host timeout: give up on a host once X has elapsed without all results; X is in seconds by default, same unit suffixes as above

Script flags

-sC
Use the default NSE scripts
--script dns-brute
Guess common subdomains

Nmap + msfconsole host database

If you do not have the database running yet, follow this kali guide
SYN (stealth) scan of an IP with no ping and -A detection (OS, versions, default scripts), storing the results in the msfconsole database
msf6 > db_nmap -sS -Pn -A [ip]

MySQL Enumeration (courtesy of HackTricks)
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
SMB enumeration (courtesy of codecentric)
nmap -sV --script=smb-enum-shares -p445 $ip
note to self: if you get this far and you do not have the machine in your hosts file, you're going to miss subdomains.

More Resources