1. Scan Types
    1. -sA ACK Scan
    2. -sF FIN Scan
    3. -sI Idel Scan
    4. -sL List/DNS Scan
    5. -sM Maimon Scan FIN/ACK
    6. -sN Null Scan
    7. -sO Protocol Scan
    8. -sP Ping Scan
    9. -sR RPC Scan
    10. -sS SYN Scan
    11. -sT TCP Connect(default)
    12. -sU UDP Scan
    13. -sW Window Scan
    14. -sX XMAS Scan
    15. -b<ftp relay host>: FTP bounce Scan
  2. Scan Options
    1. -p <port range>
    2. --scanflags <TCP flags>
    3. -g/--source-port <port number>
    4. --spoof_mac <MAC/prefix/vendor>
    5. -F Fast Scan
    6. -r Ports Consecutively
    7. --randomize_hosts
    8. -S Spoof Source IP
    9. -D decoy1[,decoy2][,ME][,...]
    10. -e <interface>
    11. --interactive
    12. --send_eth/--send_ip
  3. Ping Options
    1. -PN/-PO No Ping
    2. -PS [port list] TCP SYN ping
    3. -PA [port list] TCP ACK ping
    4. -PU [port list] UDP ping
    5. -PE echo request ping
    6. -PP ICMP timestamp ping
    7. -PM ICMP Netmask request ping
  4. MISC
    1. --datadir custom NMAP data dir
    2. -6 Enable IPv6
    3. -V Print version number
    4. --privilieged User is full privilieged(root/admin)
    5. -f Use fragmented IP packages
    6. --mtu <val> using the specified MTU
    7. --data-length <val> Append random data to sent packets
    8. --ttl <val> Set IPv4 TTL field in send packets
    9. -R DNS resolution for all targets
    10. -n No DNS resolution
    11. -h Help
  5. Timing
    1. -T
      1. -T0 Paranoid, serial 300 sec wait (Avoiding IDS alerts)
      2. -T1 Sneaky serial 15 sec wait (Avoiding IDS alerts)
      3. -T2 Polite (serial 0.4 sec wait)
      4. -T3 Parallel scan
      5. -T4 Aggressive 300 sec timeout, 1.25sec/probe
      6. -T5 Insane(Parallel, 75 sec timeout and 0.3 sec/probe)
      7. --scan-delay <msec> Adjust delay between probes (evade IDS/IPS)
      8. --max-scan-delay <msec> Ajust delay between probes (evade IDS/IPS)
    2. --initial_rtt_timeout (6000 msec default)
    3. --min_rtt_timeout (6000 msec default)
    4. --max_rtt_timeout (9000 msec default)
    5. --host-timeout <time> Give up on target after this long
  6. Input Options
    1. --execludefile <filename>
    2. --execlude <host1 [,host2]...>
    3. -iR <num hosts> Choose random targets
    4. -iL [filename] Input from list
  7. OS detection
    1. -A OS version Detection
    2. -O OS scan
    3. --osscan-guess
    4. --osscan-limit
  8. Service/Version Detection
    1. -sV Version/Service Info Scanning
    2. --version-intensity <level> set from 0(light) to 9(try all probes)
    3. --version-light Limit to most likely probes (intensity 2)
    4. --version_all Try every single probe (intensity 9)
    5. --version_trace Show detailed version scan activity (for debugging)
  9. Output Options
    1. -oN Normal
    2. -oX XML
    3. -oG Grepable
    4. -oS Script kiddies
    5. -oA On three major formats
    6. --stylesheet <path URL>
    7. -d debug 1-9
    8. --packet_trace
    9. --iflist interface list
    10. --append_output
    11. --resume