Nmap’s default scan is, in my view, fairly inadequate for a port scan. My primary concerns are that it won’t attempt OS detection and it doesn’t scan UDP at all. If you’re scanning multiple hosts it will also scan as many of them in parallel as your connection allows (starting at five and climbing until it hits a wall), which is a bit too conspicuous.
-v increases the verbosity of nmap’s output. With it, you’ll see periodic updates on scan progress and reports of any speed adjustments nmap makes.
-O enables OS detection. It’s rarely terribly reliable, but it can be very valuable when you encounter something you don’t recognize from the open ports alone.
-Pn prevents nmap from attempting to determine whether or not a host is up before it begins its scan. Nmap goes through a number of checks before declaring a host offline, but it gives false readings often enough that I think it’s worth disabling.
-sS enables the (default) TCP SYN scan (this is the only switch here that nmap would have used by default anyway).
-sU enables UDP scanning (not default).
-sV enables attempting version detection on any services nmap finds on the host.
-oA [basename] outputs the scan results in all three formats (normal, XML and grepable).
--max-retries lets you reduce the number of times nmap retries a port probe. The default is 10, which is a little too high for me.
--script "default and not intrusive" enables script scanning, but only with scripts from the default set that aren’t also classified as “intrusive”.
--max-hostgroup 1 limits the number of hosts scanned in parallel to one. You can omit or raise it if you don’t care how much noise you make.
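The switches above add up to one command line the post never shows assembled, so here it is as an added example (not code from the original post): a shell function that builds that command for a target, plus a parser for the grepable .gnmap file that -oA writes, so the "open" results can be pulled out for triage. The target 192.0.2.10, the basename scan1, the retry count of 3 and the sample .gnmap line are all constructed placeholders; the Ports-field layout (port/state/proto/owner/service/rpcinfo/version/) is nmap's documented grepable format.

```shell
#!/bin/sh
# Added example, not code from the original post. Assembles the scan the
# post describes and parses the grepable (.gnmap) file that -oA writes.
# The target, output basename, retry count and sample .gnmap line are all
# constructed placeholders.

# Print the full nmap command line for one target.
# $1 = target, $2 = -oA basename, $3 = --max-retries (assumed 3 if omitted;
# the post only says the default of 10 is too high).
build_scan_cmd() {
    target="$1"
    base="$2"
    retries="${3:-3}"
    printf 'nmap -v -O -Pn -sS -sU -sV --max-retries %s --max-hostgroup 1 --script "default and not intrusive" -oA %s %s' \
        "$retries" "$base" "$target"
}

# Read grepable output on stdin and print one line per port whose state is
# exactly "open", as proto/port/service. Each entry in the Ports: field is
# port/state/proto/owner/service/rpcinfo/version/, entries are separated by
# ", ", and the field ends at the tab before "Ignored State:".
open_ports_from_gnmap() {
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    n = split(substr($i, 8), entries, ", ")
                    for (j = 1; j <= n; j++) {
                        split(entries[j], f, "/")
                        if (f[2] == "open") printf "%s/%s/%s\n", f[3], f[1], f[5]
                    }
                }
            }
        }'
}

# Constructed sample .gnmap line. The UDP entry is open|filtered, not open,
# so the parser skips it; only the two TCP ports are listed.
SAMPLE_GNMAP=$(printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 123/open|filtered/udp//ntp///\tIgnored State: closed (998)')

# Demonstration: show the assembled command, then the parsed ports.
# Nothing here runs nmap itself.
build_scan_cmd 192.0.2.10 scan1
echo
printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap
```

The parser matches the state field exactly, so open|filtered results (which UDP scans produce in quantity) are excluded; relax that comparison if you want the same "maybe open" set that --open reports.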
Other useful switches:
-6 enables IPv6 scanning.
--resume [filename] will resume a partially-complete scan if you’ve been logging the output to a file (only works for normal and grepable output).
-sC enables script scanning with the entire default set, even the intrusive ones.
--open limits nmap’s reporting to ports that are open or possibly open (open|filtered); closed and filtered ports are not reported at all.
Like any other nmap scan, this will not check all 65K ports, only the top 1K (according to nmap-services) for each protocol. Use -p [range] to scan a specific set.
Including UDP in your scan will significantly increase the runtime.
The scan type switches can be combined (-sSUV); they are separate here just to better illustrate each switch.
For a further speed increase, you can use --max-rtt-timeout and calibrate it based on a generously padded round trip time to the host from a ping or similar.
Nmap has dozens more switches than are discussed here; read the man page to learn more.