nmap(1) -sT -PN -n -sV --version-intensity 3 --script ssh-hostkey,banner,http-title --script-args http.useragent="USERAGENT",ssh_hostkey=all --top-ports 20
Network exploration tool and security / port scanner
-sT (TCP connect scan)
    TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a
    user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets
    as most other scan types do, Nmap asks the underlying operating system to establish a connection with
    the target machine and port by issuing the connect system call. This is the same high-level system
    call that web browsers, P2P clients, and most other network-enabled applications use to establish a
    connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read
    raw packet responses off the wire, Nmap uses this API to obtain status information on each connection
    attempt.

    When SYN scan is available, it is usually a better choice. Nmap has less control over the high level
    connect call than with raw packets, making it less efficient. The system call completes connections
    to open target ports rather than performing the half-open reset that SYN scan does. Not only does
    this take longer and require more packets to obtain the same information, but target machines are
    more likely to log the connection. A decent IDS will catch either, but most machines have no such
    alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a
    cryptic error message, when Nmap connects and then closes the connection without sending data. Truly
    pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch
    of connection attempts in her logs from a single system should know that she has been connect
    scanned.
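
The log signature described above (one source touching many ports on a host in a short time) can be checked mechanically. This is an added example, not part of the Nmap manual; the record format, addresses, thresholds and the function name find_connect_sweeps are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, oldest first: "ISO-timestamp src_ip dst_ip dst_port".
# 203.0.113.5 sweeps 20 ports in 20 seconds; 198.51.100.7 is an ordinary HTTPS client.
PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139,
         143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080]
SAMPLE = [f"2024-05-01T10:00:{i:02d} 203.0.113.5 192.0.2.10 {p}" for i, p in enumerate(PORTS)]
SAMPLE += [f"2024-05-01T10:0{m}:00 198.51.100.7 192.0.2.10 443" for m in range(1, 6)]


def find_connect_sweeps(lines, min_ports=10, window=timedelta(seconds=60)):
    """Map (src, dst) to the most distinct ports seen inside one window, if >= min_ports."""
    recent = defaultdict(deque)  # (src, dst) -> (time, port) events still inside the window
    flagged = {}
    for line in lines:
        parts = line.split()
        try:
            ts, src, dst, port = datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except (IndexError, ValueError):
            continue  # skip records that do not match the assumed format
        events = recent[(src, dst)]
        events.append((ts, port))
        while ts - events[0][0] > window:
            events.popleft()  # expire events older than the window
        distinct = len({p for _, p in events})
        if distinct >= min_ports:
            flagged[(src, dst)] = max(distinct, flagged.get((src, dst), 0))
    return flagged


if __name__ == "__main__":
    for (src, dst), count in find_connect_sweeps(SAMPLE).items():
        print(f"{src} -> {dst}: {count} distinct ports within 60s")
```

A sweep paced more slowly than the window stays under the threshold, so the window and min_ports values need tuning against real traffic.
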
-PN (No ping)
    This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine
    active machines for heavier scanning. By default, Nmap only performs heavy probing such as port
    scans, version detection, or OS detection against hosts that are found to be up. Disabling host
    discovery with -PN causes Nmap to attempt the requested scanning functions against every target IP
    address specified. So if a class B sized target address space (/16) is specified on the command line,
    all 65,536 IP addresses are scanned. Proper host discovery is skipped as with the list scan, but
    instead of stopping and printing the target list, Nmap continues to perform requested functions as if
    each target IP is active. To skip ping scan and port scan, while still allowing NSE to run, use the
    two options -PN -sP together.

    For machines on a local ethernet network, ARP scanning will still be performed (unless --send-ip is
    specified) because Nmap needs MAC addresses to further scan target hosts. This option flag used to be
    P0 (uses zero), but was renamed to avoid confusion with protocol ping's PO (uses the letter O) flag.
-n (No DNS resolution)
    Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be
    slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.
-sV (Version detection)
    Enables version detection, as discussed above. Alternatively, you can use -A, which enables version
    detection among other things.
--version-intensity intensity (Set version scan intensity)
    When performing a version scan (-sV), Nmap sends a series of probes, each of which is assigned a
    rarity value between one and nine. The lower-numbered probes are effective against a wide variety of
    common services, while the higher numbered ones are rarely useful. The intensity level specifies
    which probes should be applied. The higher the number, the more likely it is the service will be
    correctly identified. However, high intensity scans take longer. The intensity must be between 0 and
    9.  The default is 7.  When a probe is registered to the target port via the nmap-service-probes
    ports directive, that probe is tried regardless of intensity level. This ensures that the DNS probes
    will always be attempted against any open port 53, the SSL probe will be done against 443, etc.
--script filename|category|directory|expression|all[,...]
    Runs a script scan using the comma-separated list of filenames, script categories, and directories.
    Each element in the list may also be a Boolean expression describing a more complex set of scripts.
    Each element is interpreted first as an expression, then as a category, and finally as a file or
    directory name. The special argument all makes every script in Nmap's script database eligible to
    run. The all argument should be used with caution as NSE may contain dangerous scripts including
    exploits, brute force authentication crackers, and denial of service attacks.

    File and directory names may be relative or absolute. Absolute names are used directly. Relative
    paths are looked for in the following places until found:
        --datadir
        $NMAPDIR
        ~/.nmap (not searched on Windows)
        NMAPDATADIR
        the current directory
    A scripts subdirectory is also tried in each of these.

    When a directory name is given, Nmap loads every file in the directory whose name ends with .nse. All
    other files are ignored and directories are not searched recursively. When a filename is given, it
    does not have to have the .nse extension; it will be added automatically if necessary.  Nmap scripts
    are stored in a scripts subdirectory of the Nmap data directory by default (see
    http://nmap.org/book/data-files.html).

    For efficiency, scripts are indexed in a database stored in scripts/script.db, which lists the
    category or categories in which each script belongs.  When referring to scripts from script.db by
    name, you can use a shell-style ‘*’ wildcard.

    nmap --script "http-*"
        Loads all scripts whose name starts with http-, such as http-auth.nse and http-open-proxy.nse.
        The argument to --script had to be in quotes to protect the wildcard from the shell.

    More complicated script selection can be done using the and, or, and not operators to build Boolean
    expressions. The operators have the same precedence[12] as in Lua: not is the highest, followed by
    and and then or. You can alter precedence by using parentheses. Because expressions contain space
    characters it is necessary to quote them.

    nmap --script "not intrusive"
        Loads every script except for those in the intrusive category.

    nmap --script "default or safe"
        This is functionally equivalent to nmap --script "default,safe". It loads all scripts that are in
        the default category or the safe category or both.

    nmap --script "default and safe"
        Loads those scripts that are in both the default and safe categories.

    nmap --script "(default or safe or intrusive) and not http-*"
        Loads scripts in the default, safe, or intrusive categories, except for those whose names start
        with http-.
--script-args name1=value1,name2={name3=value3},name4={value4,value5}
    Lets you provide arguments to NSE scripts. Arguments are a comma-separated list of name=value pairs.
    Names and values may be strings not containing whitespace or the characters ‘{’, ‘}’, ‘=’, or ‘,’. To
    include one of these characters in a string, enclose the string in single or double quotes. Within a
    quoted string, ‘\’ escapes a quote. A backslash is only used to escape quotation marks in this
    special case; in all other cases a backslash is interpreted literally. Values may also be tables
    enclosed in {}, just as in Lua. A table may contain simple string values or more name-value pairs,
    including nested tables. An example of script arguments: --script-args
    auth={user=foo,pass=',{}=bar'},userdb=C:\Path\To\File. The online NSE Documentation Portal at
    http://nmap.org/nsedoc/ lists the arguments that each script accepts.
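
The quoting and nesting rules above are easy to get wrong when a scan command is assembled by a script, so it helps to check what an argument string actually parses to. This is an added example, not Nmap's own parser: parse_script_args is a hypothetical helper implementing a simplified reading of the grammar described here, and it represents bare table values with Lua-style positional keys 1, 2, ...

```python
def parse_script_args(text):
    """Parse a --script-args string into nested dicts (simplified reading of the grammar above)."""
    pos, n = 0, len(text)
    def peek():
        return text[pos] if pos < n else ""
    def token():  # a quoted string, or a bare run of characters up to the next delimiter
        nonlocal pos
        start = pos
        if peek() not in ("'", '"'):
            while pos < n and text[pos] not in "{}=,":
                pos += 1
            return text[start:pos].strip()
        quote, out, pos = text[pos], [], pos + 1
        while peek() not in (quote, ""):
            if text[pos] == "\\" and text[pos + 1:pos + 2] in ("'", '"'):
                pos += 1  # a backslash only escapes a quotation mark; otherwise it is literal
            out.append(text[pos])
            pos += 1
        if pos >= n:
            raise ValueError("unterminated quoted string")
        pos += 1  # consume the closing quote
        return "".join(out)

    def value():  # a {...} table or a single string
        nonlocal pos
        if peek() != "{":
            return token()
        pos += 1
        table = items("}")
        if peek() != "}":
            raise ValueError("unterminated table")
        pos += 1
        return table

    def items(end):  # comma-separated entries, stopping at `end` or end of input
        nonlocal pos
        table, index = {}, 1
        while pos < n and text[pos] != end:
            item = value()
            if peek() == "=" and isinstance(item, str):
                pos += 1
                table[item] = value()
            else:
                table[index], index = item, index + 1
            if peek() == ",":
                pos += 1
            elif peek() not in (end, ""):
                raise ValueError(f"unexpected {text[pos]!r} at offset {pos}")
        return table
    return items("")
```

Given the example string above, the result has an auth table holding user foo and pass ,{}=bar, plus a userdb string with its backslashes kept literally.
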
--top-ports <integer of 1 or greater>
    Scans the N highest-ratio ports found in the nmap-services file.
source manpages: nmap