Here are some nmap command examples:

Scan a single host or an IP address (IPv4)

Scan a single ip address

#nmap 192.168.1.1 

Scan a host name

#nmap fibrevillage.com 

Scan a host name with more info

# nmap -v fibrevillage.com

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-18 23:29 PDT
Initiating ARP Ping Scan at 23:29
Scanning fibrevillage.com (209.15.192.186) [1 port]
Completed ARP Ping Scan at 23:29, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:29
Scanning fibrevillage.com (209.15.192.186) [1000 ports]
Discovered open port 3306/tcp on 209.15.192.186
Discovered open port 22/tcp on 209.15.192.186
Discovered open port 111/tcp on 209.15.192.186
Discovered open port 8649/tcp on 209.15.192.186
Completed SYN Stealth Scan at 23:29, 0.03s elapsed (1000 total ports)
Nmap scan report for fibrevillage.com (209.15.192.186)
Host is up (0.00025s latency).
rDNS record for 209.15.192.186: fibrevillage.com
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
3306/tcp open  mysql
8649/tcp open  unknown
MAC Address: 00:14:4F:F2:87:84 (Oracle)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.044KB)

Scan multiple IP address or subnet (IPv4)

nmap 192.168.1.1 192.168.1.2 192.168.1.3

works with same subnet i.e. 192.168.1.0/24

nmap 192.168.1.1,2,3

You can scan a range of IP address too:

nmap 192.168.1.1-20

You can scan a range of IP address using a wildcard:

nmap 192.168.1.*

Finally, you scan an entire subnet:

nmap 192.168.1.0/24

Read list of hosts/networks from a file (IPv4)

The -iL option allows you to read the list of target systems using a text file. This is useful to scan a large number of hosts/networks. Create a text file as follows:
cat > /tmp/test.txt

Sample outputs:

server1.cyberciti.biz
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost
The syntax is:

nmap -iL /tmp/test.txt

 Excluding hosts/networks (IPv4)

When scanning a large number of hosts/networks you can exclude hosts from a scan:

nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

OR exclude list from a file called /tmp/exclude.txt

nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

Turn on OS and version detection scanning script (IPv4)

nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt

Find out if a host/network is protected by a firewall

nmap -sA 192.168.1.254
nmap -sA fibrevillage.com

Scan a host when protected by the firewall

nmap -PN 192.168.1.1
nmap -PN fibrevillage.com

Scan an IPv6 host/address

The -6 option enable IPv6 scanning. The syntax is:

nmap -6 IPv6-Address-Here
nmap -6 fibrevillage.com
nmap -6 2607:f0d0:1002:51::4
nmap -v A -6 2607:f0d0:1002:51::4

Scan a network and find out which servers and devices are up and running

This is known as host discovery or ping scan:

# nmap -sP 10.0.8.1/24

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-18 23:38 PDT
Nmap scan report for 10.0.8.1
Host is up (0.00024s latency).
...
Host is up (0.00056s latency).
Nmap done: 256 IP addresses (15 hosts up) scanned in 3.62 seconds

How do I perform a fast scan?

nmap -F 192.168.1.1

Display the reason a port is in a particular state

nmap --reason 192.168.1.1
nmap --reason fibrevillage.com

 Only show open (or possibly open) ports

nmap --open 192.168.1.1
nmap --open fibrevillage.com

Show all packets sent and received

nmap --packet-trace 192.168.1.1
nmap --packet-trace server1.cyberciti.biz

Show host interfaces and routes

This is useful for debugging (ip command or route command or netstat command like output using nmap)

# nmap --iflist

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-18 23:41 PDT
************************INTERFACES************************
DEV  (SHORT) IP/MASK         TYPE     UP   MTU   MAC
lo   (lo)    127.0.0.1/8     loopback up   65536
net0 (net0)  209.15.192.186/24 ethernet up   9000  00:15:C5:E3:80:6A
net1 (net1)  (null)/0        ethernet down 1500  00:15:C5:E3:80:6C
net2 (net2)  (null)/0        ethernet down 1500  00:14:22:FE:CA:50
net3 (net3)  (null)/0        ethernet down 1500  00:14:22:FE:CA:51

**************************ROUTES**************************
DST/MASK      DEV  METRIC GATEWAY
209.15.192.0/24 net0 0
0.0.0.0/0     net0 0      209.15.192.254

How do I scan specific ports?

## Scan port 80

nmap -p 80 192.168.1.1 

## Scan TCP port 80

nmap -p T:80 192.168.1.1 

## Scan UDP port 53

nmap -p U:53 192.168.1.1 

## Scan two ports ##

nmap -p 80,443 192.168.1.1 

## Scan port ranges ##

nmap -p 80-200 192.168.1.1 

## Combine all options ##

nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254

## Scan all ports with * wildcard ##

nmap -p "*" 192.168.1.1

## Scan top ports i.e. scan $number most common ports ##

# nmap --top-ports 5 abc.com    

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-18 23:46 PDT
Nmap scan report for fibrevillage.com (209.15.192.186)
Host is up (0.0011s latency).
rDNS record for 192.10.10.10: abc.com
PORT    STATE  SERVICE
21/tcp  closed ftp
22/tcp  open   ssh
23/tcp  closed telnet
80/tcp  open   http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

The fastest way to scan all your devices/computers for open ports ever

nmap -T5 192.168.1.0/24

How do I detect remote operating system?

You can identify a remote host apps and OS using the -O option:

nmap -O 192.168.1.1
nmap -O  --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1

Note: Some OS don't support this feature.

How do I detect remote services (server / daemon) version numbers?

nmap -sV 192.168.1.1

Scan a host using TCP ACK (PA) and TCP Syn (PS) ping

If firewall is blocking standard ICMP pings, try the following host discovery methods:

nmap -PS 192.168.1.1
nmap -PS 80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA 80,21,200-512 192.168.1.1

Scan a host using IP protocol ping

nmap -PO 192.168.1.1

Scan a host using UDP ping

This scan bypasses firewalls and filters that only screen TCP:

nmap -PU 192.168.1.1
nmap -PU 2000.2001 192.168.1.1

Find out the most commonly used TCP ports using TCP SYN Scan

### Stealthy scan ###

nmap -sS 192.168.1.1 

### Find out the most commonly used TCP ports using  TCP connect scan (warning: no stealth scan)
###  OS Fingerprinting ###

nmap -sT 192.168.1.1 

### Find out the most commonly used TCP ports using TCP ACK scan

nmap -sA 192.168.1.1 

### Find out the most commonly used TCP ports using TCP Window scan

nmap -sW 192.168.1.1 

### Find out the most commonly used TCP ports using TCP Maimon scan

nmap -sM 192.168.1.1

Scan a host for UDP services (UDP scan)

Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:

nmap -sU 192.168.1.1

Scan for IP protocol

This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:

nmap -sO 192.168.1.1

Scan a firewall for security weakness

The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:

## TCP Null Scan to fool a firewall to generate a response ##
## Does not set any bits (TCP flag header is 0) ##

nmap -sN 192.168.1.254 

## TCP Fin scan to check firewall ##
## Sets just the TCP FIN bit ##

nmap -sF 192.168.1.254 

## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##

nmap -sX 192.168.1.254

See how to block Xmas packkets, syn-floods and other conman attacks with iptables.

Scan a firewall for packets fragments

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over
several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.

nmap -f 192.168.1.1

## Set your own offset size with the --mtu option ##

nmap --mtu 32 192.168.1.1

Cloak a scan with decoys

The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys:

nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5

Scan a firewall for MAC address spoofing

### Spoof your MAC address ##

nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1 

### Add other options ###

nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1  

### Use a random MAC address ###
### The number 0, means nmap chooses a completely random MAC address ###

nmap -v -sT -PN --spoof-mac 0 192.168.1.1

How do I save output to a text file?

The syntax is:

nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1