nmap(1) --script=smb-enum* --script-args=unsafe=1 -T5 -oX nmap_smb-enum 10.10.10.27
Network exploration tool and security / port scanner
--script filename|category|directory|expression|all[,...]
    Runs a script scan using the comma-separated list of filenames, script categories, and directories.
    Each element in the list may also be a Boolean expression describing a more complex set of scripts.
    Each element is interpreted first as an expression, then as a category, and finally as a file or
    directory name. The special argument all makes every script in Nmap's script database eligible to
    run. The all argument should be used with caution as NSE may contain dangerous scripts including
    exploits, brute force authentication crackers, and denial of service attacks.

    File and directory names may be relative or absolute. Absolute names are used directly. Relative
    paths are looked for in the following places until found:
        --datadir
        $NMAPDIR
        ~/.nmap (not searched on Windows)
        NMAPDATADIR
        the current directory
    A scripts subdirectory is also tried in each of these.

    When a directory name is given, Nmap loads every file in the directory whose name ends with .nse. All
    other files are ignored and directories are not searched recursively. When a filename is given, it
    does not have to have the .nse extension; it will be added automatically if necessary.  Nmap scripts
    are stored in a scripts subdirectory of the Nmap data directory by default (see
    http://nmap.org/book/data-files.html).

    For efficiency, scripts are indexed in a database stored in scripts/script.db, which lists the
    category or categories in which each script belongs.  When referring to scripts from script.db by
    name, you can use a shell-style ‘*’ wildcard.

    nmap --script "http-*"
        Loads all scripts whose name starts with http-, such as http-auth.nse and http-open-proxy.nse.
        The argument to --script had to be in quotes to protect the wildcard from the shell.

    More complicated script selection can be done using the and, or, and not operators to build Boolean
    expressions. The operators have the same precedence[12] as in Lua: not is the highest, followed by
    and and then or. You can alter precedence by using parentheses. Because expressions contain space
    characters it is necessary to quote them.

    nmap --script "not intrusive"
        Loads every script except for those in the intrusive category.

    nmap --script "default or safe"
        This is functionally equivalent to nmap --script "default,safe". It loads all scripts that are in
        the default category or the safe category or both.

    nmap --script "default and safe"
        Loads those scripts that are in both the default and safe categories.

    nmap --script "(default or safe or intrusive) and not http-*"
        Loads scripts in the default, safe, or intrusive categories, except for those whose names start
        with http-.
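
An added example (not part of the Nmap manual page): a small Python model of the selection rules above, useful for previewing which scripts an expression would load before a scan is run. The script database is a constructed sample, the function names are hypothetical, and file or directory elements are not modelled.

```python
import re
from fnmatch import fnmatchcase
# Constructed sample database: script name -> categories (illustrative only).
SCRIPT_DB = {
    "http-auth": {"default", "auth", "safe"},
    "http-open-proxy": {"default", "discovery", "external", "safe"},
    "smb-enum-shares": {"discovery", "intrusive"},
    "smb-enum-users": {"auth", "intrusive"},
    "smb-os-discovery": {"default", "discovery", "safe"},
}

def _not(toks, i, name, cats):
    """Highest precedence: 'not', parentheses, or a single term."""
    if i >= len(toks):
        raise ValueError("unexpected end of expression")
    if toks[i] == "not":
        val, i = _not(toks, i + 1, name, cats)
        return not val, i
    if toks[i] == "(":
        val, i = _or(toks, i + 1, name, cats)
        if i >= len(toks) or toks[i] != ")":
            raise ValueError("missing ')'")
        return val, i + 1
    # A term is the keyword "all", a category, or a script name with '*' wildcards.
    return toks[i] == "all" or toks[i] in cats or fnmatchcase(name, toks[i]), i + 1

def _binary(op, sub):
    """Build a left-associative parser for 'and' or 'or' over a tighter level."""
    def parse(toks, i, name, cats):
        val, i = sub(toks, i, name, cats)
        while i < len(toks) and toks[i] == op:
            rhs, i = sub(toks, i + 1, name, cats)
            val = (val and rhs) if op == "and" else (val or rhs)
        return val, i
    return parse

_and = _binary("and", _not)   # 'and' binds tighter than 'or'
_or = _binary("or", _and)

def select(expr, db=SCRIPT_DB):
    """Return the sorted script names that a --script argument would load."""
    chosen = set()
    for element in expr.split(","):       # comma-separated elements are unioned
        toks = re.findall(r"[()]|[^\s()]+", element)
        for name, cats in db.items():
            val, end = _or(toks, 0, name, cats)
            if end != len(toks):
                raise ValueError("unexpected token " + toks[end])
            if val:
                chosen.add(name)
    return sorted(chosen)
```

Against this sample, `select("smb-enum*")` returns only scripts tagged intrusive, which `select("not intrusive")` would have excluded.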
--script-args name1=value1,name2={name3=value3},name4={value4,value5}
    Lets you provide arguments to NSE scripts. Arguments are a comma-separated list of name=value pairs.
    Names and values may be strings not containing whitespace or the characters ‘{’, ‘}’, ‘=’, or ‘,’. To
    include one of these characters in a string, enclose the string in single or double quotes. Within a
    quoted string, ‘\’ escapes a quote. A backslash is only used to escape quotation marks in this
    special case; in all other cases a backslash is interpreted literally. Values may also be tables
    enclosed in {}, just as in Lua. A table may contain simple string values or more name-value pairs,
    including nested tables. An example of script arguments: --script-args
    auth={user=foo,pass=',{}=bar'},userdb=C:\Path\To\File. The online NSE Documentation Portal at
    http://nmap.org/nsedoc/ lists the arguments that each script accepts.
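
An added example (not Nmap's own parser): a Python parser for the argument grammar described above, for inspecting what a --script-args string such as unsafe=1 actually sets. Function names are hypothetical; tables are modelled as dicts with positional values indexed from 1, and a backslash is assumed to escape only the enclosing quote character.

```python
def _string(s, i):
    """Parse a quoted or bare string starting at offset i."""
    if i < len(s) and s[i] in "'\"":
        quote, out, i = s[i], [], i + 1
        while i < len(s) and s[i] != quote:
            # A backslash is special only directly before the enclosing quote
            # character (assumption); everywhere else it is kept literally.
            if s[i] == "\\" and s[i + 1:i + 2] == quote:
                i += 1
            out.append(s[i])
            i += 1
        if i >= len(s):
            raise ValueError("unterminated quoted string")
        return "".join(out), i + 1
    j = i
    while j < len(s) and s[j] not in "{}=, \t":
        j += 1
    return s[i:j], j

def _value(s, i):
    if i < len(s) and s[i] == "{":        # a nested table
        table, i = _table(s, i + 1)
        if i >= len(s):
            raise ValueError("missing '}'")
        return table, i + 1
    return _string(s, i)

def _table(s, i):
    """Parse comma-separated entries up to '}' or the end of the input."""
    table, index = {}, 1
    while i < len(s) and s[i] != "}":
        item, i = _value(s, i)
        if i < len(s) and s[i] == "=" and isinstance(item, str):
            table[item], i = _value(s, i + 1)
        else:
            table[index] = item           # positional value, indexed from 1 as in Lua
            index += 1
        if i < len(s) and s[i] == ",":
            i += 1
        elif i < len(s) and s[i] != "}":
            raise ValueError(f"unexpected {s[i]!r} at offset {i}")
    return table, i

def parse_script_args(text):
    """Parse a --script-args string into nested dicts modelling Lua tables."""
    table, i = _table(text, 0)
    if i != len(text):
        raise ValueError(f"unexpected {text[i]!r} at offset {i}")
    return table
```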
-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)
    While the fine-grained timing controls discussed in the previous section are powerful and effective,
    some people find them confusing. Moreover, choosing the appropriate values can sometimes take more
    time than the scan you are trying to optimize. So Nmap offers a simpler approach, with six timing
    templates. You can specify them with the -T option and their number (0–5) or their name. The template
    names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first
    two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine
    resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by
    making the assumption that you are on a reasonably fast and reliable network. Finally, insane mode
    assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for
    speed.

    These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick
    the exact timing values. The templates also make some minor speed adjustments for which fine-grained
    control options do not currently exist. For example, -T4 prohibits the dynamic scan delay from
    exceeding 10 ms for TCP ports and -T5 caps that value at 5 ms. Templates can be used in combination
    with fine-grained controls, and the fine-grained controls you specify will take precedence over
    the timing template default for that parameter. I recommend using -T4 when scanning reasonably modern
    and reliable networks. Keep that option even when you add fine-grained controls so that you benefit
    from those extra minor optimizations that it enables.

    If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some
    people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because they
    think it is less likely to crash hosts or because they consider themselves to be polite in general.
    They often don't realize just how slow -T polite really is. Their scan may take ten times longer
    than a default scan. Machine crashes and bandwidth problems are rare with the default timing options
    (-T3) and so I normally recommend that for cautious scanners. Omitting version detection is far more
    effective than playing with timing values at reducing these problems.

    While -T0 and -T1 may be useful for avoiding IDS alerts, they will take an extraordinarily long
    time to scan thousands of machines or ports. For such a long scan, you may prefer to set the exact
    timing values you need rather than rely on the canned -T0 and -T1 values.

    The main effects of T0 are serializing the scan so only one port is scanned at a time, and waiting
    five minutes between sending each probe.  T1 and T2 are similar but they only wait 15 seconds and 0.4
    seconds, respectively, between probes.  T3 is Nmap's default behavior, which includes
    parallelization.  -T4 does the equivalent of --max-rtt-timeout 1250 --initial-rtt-timeout 500
    --max-retries 6 and sets the maximum TCP scan delay to 10 milliseconds.  T5 does the equivalent of
    --max-rtt-timeout 300 --min-rtt-timeout 50 --initial-rtt-timeout 250 --max-retries 2 --host-timeout
    15m as well as setting the maximum TCP scan delay to 5 ms.
-oX filespec (XML output)
    Requests that XML output be directed to the given filename. Nmap includes a document type definition
    (DTD) which allows XML parsers to validate Nmap XML output. While it is primarily intended for
    programmatic use, it can also help humans interpret Nmap XML output. The DTD defines the legal
    elements of the format, and often enumerates the attributes and values they can take on. The latest
    version is always available from http://nmap.org/data/nmap.dtd.

    XML offers a stable format that is easily parsed by software. Free XML parsers are available for all
    major computer languages, including C/C++, Perl, Python, and Java. People have even written bindings
    for most of these languages to handle Nmap output and execution specifically. Examples are
    Nmap::Scanner[15] and Nmap::Parser[16] in Perl CPAN. In almost all cases that a non-trivial
    application interfaces with Nmap, XML is the preferred format.

    The XML output references an XSL stylesheet which can be used to format the results as HTML. The
    easiest way to use this is simply to load the XML output in a web browser such as Firefox or IE. By
    default, this will only work on the machine you ran Nmap on (or a similarly configured one) due to
    the hard-coded nmap.xsl filesystem path. Use the --webxml or --stylesheet options to create portable
    XML files that render as HTML on any web-connected machine.
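
An added example (not from the manual page): reading a file written with -oX using Python's standard xml.etree.ElementTree, to list open ports and script results per host. The XML is a constructed sample in the shape of Nmap's output, and summarize is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap XML output (not real scan data).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script=smb-enum* -oX nmap_smb-enum 10.10.10.27">
  <host>
    <status state="up"/>
    <address addr="10.10.10.27" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="closed"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-enum-shares" output="constructed placeholder output"/>
    </hostscript>
  </host>
</nmaprun>"""

def summarize(xml_text):
    """Return one dict per host: address, open ports, and script results."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        open_ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                svc = port.find("service")   # absent when no service was identified
                open_ports.append((port.get("protocol"), int(port.get("portid")),
                                   svc.get("name") if svc is not None else None))
        # Script results appear under individual ports and under <hostscript>.
        scripts = {s.get("id"): s.get("output") for s in host.iter("script")}
        hosts.append({"addr": addr, "open_ports": open_ports, "scripts": scripts})
    return hosts
```

Script output in these files contains strings supplied by the scanned host, so treat the values as untrusted data when displaying or storing them.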
nmap [Scan Type...] [Options] {target specification}
source manpages: nmap