nmap(1) --script ftp-* -p21 -vv -oX nmap_ftp $IPHOST
Network exploration tool and security / port scanner
--script filename|category|directory|expression|all[,...]
    Runs a script scan using the comma-separated list of filenames, script categories, and directories.
    Each element in the list may also be a Boolean expression describing a more complex set of scripts.
    Each element is interpreted first as an expression, then as a category, and finally as a file or
    directory name. The special argument all makes every script in Nmap's script database eligible to
    run. The all argument should be used with caution as NSE may contain dangerous scripts including
    exploits, brute force authentication crackers, and denial of service attacks.

    File and directory names may be relative or absolute. Absolute names are used directly. Relative
    paths are looked for in the following places until found:
        --datadir
        $NMAPDIR
        ~/.nmap (not searched on Windows)
        NMAPDATADIR
        the current directory
    A scripts subdirectory is also tried in each of these.

    When a directory name is given, Nmap loads every file in the directory whose name ends with .nse. All
    other files are ignored and directories are not searched recursively. When a filename is given, it
    does not have to have the .nse extension; it will be added automatically if necessary.  Nmap scripts
    are stored in a scripts subdirectory of the Nmap data directory by default (see
    http://nmap.org/book/data-files.html).

    For efficiency, scripts are indexed in a database stored in scripts/script.db, which lists the
    category or categories in which each script belongs. When referring to scripts from script.db by
    name, you can use a shell-style ‘*’ wildcard.

    nmap --script "http-*"
        Loads all scripts whose name starts with http-, such as http-auth.nse and http-open-proxy.nse.
        The argument to --script had to be in quotes to protect the wildcard from the shell.

    More complicated script selection can be done using the and, or, and not operators to build Boolean
    expressions. The operators have the same precedence[12] as in Lua: not is the highest, followed by
    and and then or. You can alter precedence by using parentheses. Because expressions contain space
    characters it is necessary to quote them.

    nmap --script "not intrusive"
        Loads every script except for those in the intrusive category.

    nmap --script "default or safe"
        This is functionally equivalent to nmap --script "default,safe". It loads all scripts that are in
        the default category or the safe category or both.

    nmap --script "default and safe"
        Loads those scripts that are in both the default and safe categories.

    nmap --script "(default or safe or intrusive) and not http-*"
        Loads scripts in the default, safe, or intrusive categories, except for those whose names start
        with http-.
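
The selection rules above can be previewed offline before a scan, which matters for a name wildcard such as ftp-* because it matches scripts in every category, intrusive ones included. The following is an added example, not Nmap's own code: a simplified model of the Boolean expressions, and the script.db entries in it are a constructed sample whose category assignments are assumptions.

```python
import fnmatch
import re

# Constructed sample in the layout of scripts/script.db (categories are assumptions).
SCRIPT_DB = '''
Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ftp-syst.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-auth.nse", categories = { "auth", "default", "safe", } }
'''

def load_db(text):
    """Return {script name without .nse: set of categories}."""
    pat = r'filename = "([^"]+)\.nse", categories = \{([^}]*)\}'
    return {n: set(re.findall(r'"([^"]+)"', c)) for n, c in re.findall(pat, text)}

def matches(expr, name, cats):
    """Evaluate one --script Boolean expression against a single script."""
    toks = re.findall(r'[()]|[^\s()]+', expr) + [None]   # None marks the end
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def p_or():                      # lowest precedence
        val = p_and()
        while toks[pos] == "or":
            take()
            val = p_and() or val     # right side first so it is always parsed
        return val
    def p_and():
        val = p_not()
        while toks[pos] == "and":
            take()
            val = p_not() and val    # right side first so it is always parsed
        return val
    def p_not():                     # highest precedence
        tok = take()
        if tok == "not":
            return not p_not()
        if tok == "(":
            val = p_or()
            take()                   # consume ")"
            return val
        # A bare word is "all", a category, or a shell-style name pattern.
        return tok == "all" or tok in cats or fnmatch.fnmatchcase(name, tok)
    return p_or()

def select(expr, db):
    """Names of the scripts in db that the expression would load."""
    return sorted(n for n, c in db.items() if matches(expr, n, c))
```

With this sample, `select("ftp-*", load_db(SCRIPT_DB))` includes ftp-brute, while `"ftp-* and safe"` leaves it out.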
-p port ranges (Only scan specified ports)
    This option specifies which ports you want to scan and overrides the default. Individual port numbers
    are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a
    range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan
    ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP
    protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).

    When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port
    numbers by T: or U:. The qualifier lasts until you specify another qualifier. For example, the
    argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, as well as the
    listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP
    scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added
    to all protocol lists.  Ports can also be specified by name according to what the port is referred to
    in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP
    and all ports whose names begin with “http”, use -p ftp,http*. Be careful about shell expansions and
    quote the argument to -p if unsure.

    Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear
    in nmap-services. For example, the following will scan all ports in nmap-services equal to or below
    1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.
-v (Increase verbosity level)
    Increases the verbosity level, causing Nmap to print more information about the scan in progress.
    Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a
    scan will take more than a few minutes. Use it twice or more for even greater verbosity.

    Most changes only affect interactive output, and some also affect normal and script kiddie output.
    The other output types are meant to be processed by machines, so Nmap can give substantial detail by
    default in those formats without fatiguing a human user. However, there are a few changes in other
    modes where output size can be reduced substantially by omitting some detail. For example, a comment
    line in the grepable output that provides a list of all ports scanned is only printed in verbose mode
    because it can be quite long.
-oX filespec (XML output)
    Requests that XML output be directed to the given filename. Nmap includes a document type definition
    (DTD) which allows XML parsers to validate Nmap XML output. While it is primarily intended for
    programmatic use, it can also help humans interpret Nmap XML output. The DTD defines the legal
    elements of the format, and often enumerates the attributes and values they can take on. The latest
    version is always available from http://nmap.org/data/nmap.dtd.

    XML offers a stable format that is easily parsed by software. Free XML parsers are available for all
    major computer languages, including C/C++, Perl, Python, and Java. People have even written bindings
    for most of these languages to handle Nmap output and execution specifically. Examples are
    Nmap::Scanner[15] and Nmap::Parser[16] in Perl CPAN. In almost all cases that a non-trivial
    application interfaces with Nmap, XML is the preferred format.

    The XML output references an XSL stylesheet which can be used to format the results as HTML. The
    easiest way to use this is simply to load the XML output in a web browser such as Firefox or IE. By
    default, this will only work on the machine you ran Nmap on (or a similarly configured one) due to
    the hard-coded nmap.xsl filesystem path. Use the --webxml or --stylesheet options to create portable
    XML files that render as HTML on any web-connected machine.
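
As an added example (not part of the man page), this is one way to consume the XML file that -oX writes for an ftp-* scan of port 21, using only Python's standard library to list open ports with their script results and flag hosts where ftp-anon reported anonymous login. The XML below is a constructed sample with documentation-range addresses, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (addresses from 192.0.2.0/24);
# in practice, read the file given to -oX instead.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="21">
      <state state="open" reason="syn-ack"/>
      <service name="ftp"/>
      <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
    </port>
  </ports></host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="21">
      <state state="closed" reason="reset"/>
      <service name="ftp"/>
    </port>
  </ports></host>
</nmaprun>"""

def ftp_findings(xml_text):
    """Return one dict per open port with its service name and script results."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")   # first address element
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                           # skip closed/filtered ports
            svc = port.find("service")
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else None,
                "scripts": {s.get("id"): s.get("output", "").strip()
                            for s in port.iterfind("script")},
            })
    return findings

def anonymous_ftp_hosts(findings):
    """Hosts where the ftp-anon script reported that anonymous login is allowed."""
    return sorted({f["host"] for f in findings
                   if "login allowed" in f["scripts"].get("ftp-anon", "")})
```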
nmap [Scan Type...] [Options] {target specification}
source manpages: nmap