Scanning for TCP ports
nmap -v TARGET_HOST
The -v flag enables verbose mode.
Stealth SYN scan
nmap -sS -O TARGET_HOST/24
Launches a stealth SYN scan against each machine that is up out of the 256 IPs on the class C sized network. It also tries to determine what operating system is running on each host that is up and running.
This requires root privileges because of the SYN scan and OS detection.
Testing for common ports & services
nmap -sV -p 22,53,110,143,4564 TARGET_HOST
Launches host enumeration and a TCP scan. In the source example the target is the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space.
This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.
Scanning for random web servers
nmap -v -iR 100000 -Pn -p 80
Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80).
Host enumeration is disabled with -Pn since first sending a couple of probes to determine whether a host is up is wasteful when you are only probing one port on each target host.
Scanning for web servers (without ping)
nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 220.127.116.11/20
This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.
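Reading the saved grepable (-oG) file back for an inventory of your own network, as an added example that is not part of the Nmap documentation. It generalizes to multi-port output and matches the port field exactly, because a plain grep for "80/open" also hits 8080/open. The sample text, addresses and function names are constructed for illustration.

```python
"""List hosts with a given TCP port open from Nmap grepable (-oG) output."""

# Constructed sample in -oG layout (tab-separated fields); addresses are
# documentation-range placeholders, not results from a real scan.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///\n"
    "Host: 192.0.2.11 (web.example.test)\tStatus: Up\n"
    "Host: 192.0.2.11 (web.example.test)\tPorts: 80/closed/tcp//http///\n"
    "Host: 192.0.2.12 ()\tPorts: 80/filtered/tcp//http///\n"
    "Host: 192.0.2.13 ()\tPorts: 8080/open/tcp//http-proxy///\n"
    "Host: 192.0.2.14 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\n"
    "# Nmap done (constructed sample)\n"
)


def parse_ports(field):
    """Yield (port, state, proto) for each entry of a 'Ports: ...' field."""
    for entry in field[len("Ports:"):].split(","):
        parts = entry.strip().split("/")
        if len(parts) >= 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2]


def hosts_with_open_port(gnmap_text, port, proto="tcp"):
    """Return addresses whose exact port/proto is in state 'open'."""
    found = []
    for line in gnmap_text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip '#' comment lines and blanks
        fields = line.split("\t")
        address = fields[0].split()[1]  # "Host: <addr> (<name>)"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # e.g. the "Status: Up" field
            for p, state, pr in parse_ports(field):
                # Compare whole fields so 8080 or "filtered" never match.
                if p == port and state == "open" and pr == proto:
                    found.append(address)
    return found


if __name__ == "__main__":
    for addr in hosts_with_open_port(SAMPLE_GNMAP, 80):
        print(addr)
```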
Source: Examples | Nmap Network Scanning