1. [root@dtd143 ~]# nmap -sP 9.186.96.0/24 | grep -v    ## Check which hosts were up.
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2007-07-16 09:19 EDT
Host 9.186.96.0 seems to be a subnet broadcast address (returned 11 extra pings).
Host 9.186.96.7 appears to be up.
Host 9.186.96.20 appears to be up.
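The ping sweep above is the first step of an asset inventory, and the interesting result for a defender is the host that answers but is not on the authorised list. The following added example (not part of the original page or of nmap itself) parses nmap 3.x `-sP` output of the shape shown above, drops the broadcast-address line that the page filters with `grep -v`, and diffs the live hosts against a hypothetical authorised inventory. The sample output and the `AUTHORISED` set are constructed; the third "up" host is invented to stand in for an unexpected device.

```python
import ipaddress
import re

# Constructed sample of nmap 3.x "-sP" output, modelled on the sweep above.
# 9.186.96.250 is added here to play the role of an unknown device.
SAMPLE_SWEEP = """\
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2007-07-16 09:19 EDT
Host 9.186.96.0 seems to be a subnet broadcast address (returned 11 extra pings).
Host 9.186.96.7 appears to be up.
Host 9.186.96.20 appears to be up.
Host 9.186.96.250 appears to be up.
Nmap run completed -- 256 IP addresses (3 hosts up) scanned in 4.512 seconds
"""

# Hypothetical authorised-asset list for the subnet (constructed).
AUTHORISED = {"9.186.96.7", "9.186.96.20"}

UP_RE = re.compile(r"^Host (\S+) appears to be up\.$")
BROADCAST_RE = re.compile(r"^Host (\S+) seems to be a subnet broadcast address")


def parse_ping_sweep(text: str) -> dict:
    """Return {'up': [...], 'broadcast': [...]} from nmap -sP output.

    Only the two host-status line shapes are recognised; the banner and the
    summary line are ignored, so a stray line never becomes a phantom host.
    Addresses are validated with ipaddress so a garbled token is rejected.
    """
    up, broadcast = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = UP_RE.match(line)
        if m:
            up.append(str(ipaddress.ip_address(m.group(1))))
            continue
        m = BROADCAST_RE.match(line)
        if m:
            broadcast.append(str(ipaddress.ip_address(m.group(1))))
    return {"up": sorted(up, key=ipaddress.ip_address), "broadcast": broadcast}


def unexpected_hosts(text: str, authorised: set) -> list:
    """Live addresses from the sweep that are not in the authorised inventory."""
    return [ip for ip in parse_ping_sweep(text)["up"] if ip not in authorised]


if __name__ == "__main__":
    result = parse_ping_sweep(SAMPLE_SWEEP)
    print("up:", result["up"])
    print("broadcast (excluded):", result["broadcast"])
    print("unexpected:", unexpected_hosts(SAMPLE_SWEEP, AUTHORISED))
```

Matching the exact line shape rather than grepping for "up" keeps the summary line ("3 hosts up") and any future banner text out of the inventory.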
2. # nmap -v target.example.com
This option scans all reserved TCP ports on the machine target.example.com.
The -v means turn on verbose mode.
3. # nmap -sS -O target.example.com/24
Launches a stealth SYN scan against each machine that is up
out of the 255 machines on class "C" where target.example.com resides. It
also tries to determine what operating system is running on each host that
is up and running. This requires root privileges because of the SYN scan
and the OS detection.
4. # nmap -sX -p 22,53,110,143,4564 198.116.*.1-127
Sends an Xmas tree scan to the first half of each of the 255
possible 8-bit subnets in the 198.116 class "B" address space. We are
testing whether the systems run sshd, DNS, pop3d, imapd, or something on
port 4564. Note that the Xmas scan doesn't work on Microsoft boxes because
of their non-compliant TCP stack. The same goes for CISCO, IRIX, HP/UX,
and BSDI boxes.
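From the receiving side, an Xmas probe is easy to recognise: FIN, PSH and URG set together never occur in a normal TCP exchange, and the probe is sent regardless of whether the target's stack answers it "correctly", so the stacks the page lists as immune to the scan still see the telltale packets. The following added example (written for this page, not taken from it or from nmap) classifies TCP flag bytes and flags any source that sends Xmas probes to several distinct ports. The packet records and addresses are constructed; the port list reuses item 4.

```python
from collections import defaultdict

# The six classic TCP flag bits (RFC 793), low bits of the flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CLASSIC_MASK = FIN | SYN | RST | PSH | ACK | URG  # ignore ECN bits above these

XMAS = FIN | PSH | URG   # 0x29: the flag set an nmap -sX probe carries


def classify_flags(flags: int) -> str:
    """Name the segment type implied by a TCP flag byte.

    A legitimate connection attempt starts with SYN alone. A segment with
    exactly FIN+PSH+URG ("Xmas") or with no flags at all ("NULL") is never
    produced by a real TCP state machine, so either is a scan indicator
    whatever the target replies with.
    """
    flags &= CLASSIC_MASK
    if flags == XMAS:
        return "xmas"
    if flags == 0:
        return "null"
    if flags == SYN:
        return "syn"
    if flags == SYN | ACK:
        return "syn-ack"
    if flags & RST:
        return "rst"
    return "other"


# Constructed sample of (src, dst, dst_port, flags) records, as a sensor or
# packet logger might export them. 10.0.0.5 probes the five ports from item 4
# with Xmas flags; the rest is an ordinary handshake plus data.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 22,   XMAS),
    ("10.0.0.5", "10.0.0.9", 53,   XMAS),
    ("10.0.0.5", "10.0.0.9", 110,  XMAS),
    ("10.0.0.5", "10.0.0.9", 143,  XMAS),
    ("10.0.0.5", "10.0.0.9", 4564, XMAS),
    ("10.0.0.7", "10.0.0.9", 443,  SYN),
    ("10.0.0.9", "10.0.0.7", 443,  SYN | ACK),
    ("10.0.0.7", "10.0.0.9", 443,  ACK | PSH),
]


def xmas_scan_sources(packets, min_ports: int = 3) -> dict:
    """Map each source that sent Xmas probes to at least min_ports distinct
    destination ports onto the sorted list of ports it touched.

    The threshold keeps a single malformed packet from raising an alert;
    a scan of several ports from one source is what we want to see.
    """
    touched = defaultdict(set)
    for src, _dst, port, flags in packets:
        if classify_flags(flags) == "xmas":
            touched[src].add(port)
    return {src: sorted(ports) for src, ports in touched.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in xmas_scan_sources(SAMPLE_PACKETS).items():
        print(f"Xmas scan from {src}: ports {ports}")
```

The same `classify_flags` call also picks out NULL scans, which is why the function names that case even though the page's example uses `-sX`.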
5. # nmap -v --randomize_hosts -p 80 *.*.2.3-5
Rather than focus on a specific IP range, it is sometimes
interesting to slice up the entire Internet and scan a small sample from
each slice. This command finds all web servers on machines with IP
addresses ending in .2.3, .2.4, or .2.5. You will find more interesting
machines starting at 127, so you might want to use "127-222" instead of
the first asterisk because that section has a greater density of
interesting machines (IMHO).
6. # host -l company.com | cut -d ' ' -f 4 | ./nmap -v -iL -
Do a DNS zone transfer to find the hosts in company.com and
then feed the IP addresses to nmap. The above commands are for my
GNU/Linux box. You may need different commands/options on other operating
systems.
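Taking the fourth space-separated field of every `host -l` line is fragile: the NS and MX lines of a zone have a different shape, so `cut -d ' ' -f 4` hands nmap tokens such as "handled" or "address" alongside the real addresses. The following added example (not from the page or from nmap) shows the naive field extraction next to a parser that keeps only valid addresses from "has address" lines. The zone listing, company.com and the 192.0.2.0/24 and 2001:db8:: addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample of "host -l company.com" output (host(1) line shapes).
SAMPLE_ZONE = """\
company.com name server ns1.company.com.
company.com name server ns2.company.com.
company.com mail is handled by 10 mail.company.com.
ns1.company.com has address 192.0.2.2
ns2.company.com has address 192.0.2.3
mail.company.com has address 192.0.2.25
www.company.com has address 192.0.2.80
www.company.com has IPv6 address 2001:db8::80
"""


def naive_fourth_field(text: str) -> list:
    """What `cut -d ' ' -f 4` produces: the fourth token of each line, whatever it is."""
    out = []
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) >= 4:
            out.append(fields[3])
    return out


def zone_targets(text: str, want_v6: bool = False) -> list:
    """Unique addresses from 'has address' lines (and 'has IPv6 address' lines
    when want_v6 is set), in zone order. Lines of any other shape, and tokens
    that do not parse as an IP address, are skipped rather than passed on."""
    seen, targets = set(), []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["has", "address"]:
            candidate = parts[3]
        elif want_v6 and len(parts) == 5 and parts[1:4] == ["has", "IPv6", "address"]:
            candidate = parts[4]
        else:
            continue
        try:
            ip = str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # malformed token: do not feed it to the scanner
        if ip not in seen:
            seen.add(ip)
            targets.append(ip)
    return targets


if __name__ == "__main__":
    print("cut -f 4 would yield:", naive_fourth_field(SAMPLE_ZONE))
    print("validated targets:   ", zone_targets(SAMPLE_ZONE))
```

Writing `zone_targets(...)` one address per line to a file and passing that with `-iL` gives nmap the same input the pipeline intends, minus the junk tokens.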