Nmap Switches
Summarized list of Nmap switches for Nmap commands
Common switches:
-sS
TCP SYN scan (Stealth scan)
-sU
UDP scan
-sP
Ping scan
-sT
TCP Connect scan
-sN
Null scan
-sF
FIN scan
-sX
XMAS scan
-sI
Idle scan
-S
Spoof source address
-D
Using decoys
-PR
ARP ping/host discovery scan
-PE
ICMP ping scan
-PU
UDP ping scan
-PS
TCP SYN ping scan
-sn
ping scan that only lists live hosts (host discovery, no port scan)
-p
scans specified ports
-p-
scans all ports (1-65535)
--top-ports
scans specified number of top ports
-O
OS detection
-sV
version and services detection
-A
aggressive scan (OS detection, version detection, script scanning and traceroute)
-T0 to -T5
scans with timing templates
-iL
scans the targets listed in the provided file
-v
Verbose result
--reason
shows the reason why Nmap concluded that the system is up or a particular port is open
-d
debug details
-vv
very verbose result
-dd
more details for debugging
-F
scan faster with only top 100 ports for quick overview
--max-rate 50
rate <= 50 packets/sec
--min-rate 15
rate >= 15 packets/sec
--min-parallelism 100
at least 100 probes in parallel
Switches for firewall evasion
-Pn
skips host discovery and treats every target as online; useful against hosts such as Windows machines whose default firewall blocks all ICMP packets
-f
fragments (splits) the packets, making the scan harder for a firewall or IDS to detect
--mtu
sets the maximum transmission unit size to use for the fragmented packets sent (must be a multiple of 8)
--scan-delay
adds a delay between the packets sent (for example, in ms); useful on an unstable network (can be used to evade time-based firewall/IDS)
--badsum
sends packets with an invalid checksum
--data-length
appends the specified number of bytes of random data to each packet