Target Specification
  -iL <inputfilename> (Input from list)
  -iR <num hosts> (Choose random targets)
  --exclude <host1>[,<host2>[,...]] (Exclude hosts/networks)
  --excludefile <exclude_file> (Exclude list from file)
  
  
  Host Discovery
  -sL (List Scan)
  -sn (No port scan)
  -Pn (No ping)
  -PS <port list> (TCP SYN Ping)
  -PA <port list> (TCP ACK Ping)
  -PU <port list> (UDP Ping)
  -PY <port list> (SCTP INIT Ping)
  -PE; -PP; -PM (ICMP Ping Types)
  -PO <protocol list> (IP Protocol Ping)
  -PR (ARP Ping)
  --disable-arp-ping (No ARP or ND Ping)
  --traceroute (Trace path to host)
  -n (No DNS resolution)
  -R (DNS resolution for all targets)
  --system-dns (Use system DNS resolver)
  --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)
  
  
  Port Scanning Basics
  port states: 
  open, 
  closed, 
  filtered, 
  unfiltered, 
  open|filtered 
  closed|filtered
  
  Port Scanning Techniques
  -sU (UDP scans)
  -sS (TCP SYN scan)
  -sT (TCP connect scan)
  -sY (SCTP INIT scan)
  -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)
  -sA (TCP ACK scan)
  -sW (TCP Window scan)
  -sM (TCP Maimon scan
  --scanflags (Custom TCP scan)
  -sZ (SCTP COOKIE ECHO scan)
  -sI <zombie host>[:<probeport>] (idle sca)
  -sO (IP protocol scan)
  -b <FTP relay host> (FTP bounce scan)
  
  Port Specification and Scan Order
  -p <port ranges> (Only scan specified ports)
  --exclude-ports <port ranges> (Exclude the specified ports from scanning)
  -F (Fast (limited port) scan)
  -r (Don't randomize ports
  --port-ratio <ratio><decimal number between 0 and 1>
  --top-ports <n>
  
  Service and Version Detection
  -sV (Version detection)
  --allports (Don't exclude any ports from version detection)
  --version-intensity <intensity> (Set version scan intensity)
  --version-light (Enable light mode)
  --version-all (Try every single probe)
  --version-trace (Trace version scan activity)
  
  OS Detection
  -O (Enable OS detection)
  --osscan-limit (Limit OS detection to promising targets)
  --osscan-guess; --fuzzy (Guess OS detection results)
  --max-os-tries (Set the maximum number of OS detection tries against a target)
  
  Nmap Scripting Engine (NSE)
  -sC  --Performs a script scan using the default set of scripts. It is equivalent to --script=default.
  --script <filename>|<category>|<directory>|<expression>[,...] --Runs a script scan using the comma-separated list of filenames, script 
                                                                                                              categories, and directories.
  --script-args <n1>=<v1>,<n2>={<n3>=<v3>},<n4>={<v4>,<v5>} --Lets you provide arguments to NSE scripts
  --script-args-file <filename> --Lets you load arguments to NSE scripts from a file.
  --script-help <filename>|<category>|<directory>|<expression>|all[,...] --Shows help about scripts. 
  --script-trace --This option does what --packet-trace does, just one ISO layer higher.
  --script-updatedb --This option updates the script database found in scripts/script.db which is used by Nmap to determine the available 
                                    default scripts and categories.
  
  Timing and Performance
  --min-hostgroup <numhosts>; --max-hostgroup <numhosts> (Adjust parallel scan group sizes)
  --min-parallelism <numprobes>; --max-parallelism <numprobes> (Adjust probe parallelization)
  --min-rtt-timeout <time>, --max-rtt-timeout <time>, --initial-rtt-timeout <time> (Adjust probe timeouts)
  --max-retries <numtries> (Specify the maximum number of port scan probe retransmissions)
  --host-timeout <time> (Give up on slow target hosts)
  --script-timeout <time>
  --scan-delay <time>; --max-scan-delay <time> (Adjust delay between probes)
  --min-rate <number>; --max-rate <number> (Directly control the scanning rate)
  --defeat-rst-ratelimit
  --defeat-icmp-ratelimit
  --nsock-engine epoll|kqueue|poll|select
  -T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)
  
  Firewall/IDS Evasion and Spoofing
  -f (fragment packets); --mtu (using the specified MTU)
  -D <decoy1>[,<decoy2>][,ME][,...] (Cloak a scan with decoys)
  -S <IP_Address> (Spoof source address)
  -e <interface> (Use specified interface)
  --source-port <portnumber>; -g <portnumber> (Spoof source port number)
  --data <hex string> (Append custom binary data to sent packets)
  --data-string <string> (Append custom string to sent packets)
  --data-length <number> (Append random data to sent packets)
  --ip-options <S|R [route]|L [route]|T|U ... >; --ip-options <hex string> (Send packets with specified ip options)
  --ttl <value> (Set IP time-to-live field)
  --randomize-hosts (Randomize target host order)
  --spoof-mac <MAC address, prefix, or vendor name> (Spoof MAC address)
  --proxies <Comma-separated list of proxy URLs> (Relay TCP connections through a chain of proxies)
  --badsum (Send packets with bogus TCP/UDP checksums)
  --adler32 (Use deprecated Adler32 instead of CRC32C for SCTP checksums)
  
  Output
  -oN <filespec> (normal output)
  -oX <filespec> (XML output)
  -oG <filespec> (grepable output)
  -oA <basename> (Output to all formats)
  Verbosity and debugging options
  -v (Increase verbosity level) , -v<level> (Set verbosity level)
  -d (Increase debugging level) , -d<level> (Set debugging level)
  --reason (Host and port state reasons)
  --stats-every <time> (Print periodic timing stats)
  --packet-trace (Trace packets and data sent and received)
  --open (Show only open (or possibly open) ports)
  --iflist (List interfaces and routes)
  Miscellaneous output options
  --append-output (Append to rather than clobber output files)
  --resume <filename> (Resume aborted scan)
  --stylesheet <path or URL> (Set XSL stylesheet to transform XML output)
  --webxml (Load stylesheet from Nmap.Org)
  --no-stylesheet (Omit XSL stylesheet declaration from XML)
  
  Miscellaneous Options
  -6 (Enable IPv6 scanning)
  -A (Aggressive scan options)
  --datadir <directoryname> (Specify custom Nmap data file location)
  --servicedb <services file> (Specify custom services file)
  --versiondb <service probes file> (Specify custom service probes file)
  --send-eth (Use raw ethernet sending)
  --send-ip (Send at raw IP level)
  --privileged (Assume that the user is fully privileged)
  --unprivileged (Assume that the user lacks raw socket privileges)
  --release-memory (Release memory before quitting)
  -V; --version (Print version number)
  -h; --help (Print help summary page)
  
  Runtime Interaction
  v / V
  Increase / decrease the verbosity level
  
  d / D
  Increase / decrease the debugging Level
  
  p / P
  Turn on / off packet tracing
  
  ?
  Print a runtime interaction help screen
  
  Examples
  nmap -v scanme.nmap.org
  nmap -sS -O scanme.nmap.org/24
  nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
  nmap -v -iR 100000 -Pn -p 80
  nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20
  
  https://nmap.org/book/toc.html
  
  
  
  nmap 172.16.60.208 /---top 1000 ports
  
  -n no resolution, -sP ping scan= icmp echo req, syn 443, ack 80, icmp timestmp req.
  nmap -sP 192.168.* or /24 or 1,2,3... -n
  
  nmap 172.16.65.91 -O /---per OS
  nmap -p80 172.16.60.208 /---specific tcp port
  nmap -p80-100 172.16.60.208 /---specific tcp port range
  nmap 172.16.60.1/24 -p- /--- -p- check all range ports
  nmap -sS -sV 172.16.1.172 -- -p5988 ### check specific port
  -sn: Ping Scan
  -Pn: Treat all hosts as online -- skip host discovery
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sV: Probe open ports to determine service/version info
  -sU: UDP Scan
  -sO: IP protocol scan
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  
  nmap -p445 --scripts smb-vuln-ms17-010 172.16.0.16 (tregon SMB vuln. infos