If any ports are found to be open, Nmap may be able to determine what server software is running on the remote system. It does this by sending a variety of probes to the open ports and matching any responses against a database of thousands of more than 6,500 known service signatures.
-sV : Probe open ports to determine service/version info
--version-intensity <level> Set from 0 (light) to 9 (try all probes)
--version-light Limit to most likely probes (intensity 2)
--version-all Try every single probe (intensity 9)
--version-trace Show detailed version scan activity (for debugging)
-O Enable OS detection
If requested with the -O option, Nmap proceeds to OS detection. Different operating systems implement network standards in subtly different ways. By measuring these differences it is often possible to determine the operating system running on a remote host. Nmap matches responses to a standard set of probes against a database of more than a thousand known operating system responses
--osscan-limit Limit OS detection to promising targets
--osscan-guess Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T[0-5] Set timing template (higher is faster)
--min-hostgroup/max-hostgroup<size> Parallel host scan group sizes
--min-parallelism/max-parallelism <time> Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time> Specifies probe round trip time.
--max-retries <tries> Caps number of port scan probe retransmissions.
--host-timeout <time> Give up on target after this long
--scan-delay/--max-scan-delay <time> Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu<val> fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...> Cloak a scan with decoys
-S <IP_Address> Spoof source address
-e <iface> :Use specified interface
-g/--source-port <portnum> : Use given port number
--data-length <num> Append random data to sent packets
--ttl<val> : Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name> :Spoof your MAC address
--badsum :Send packets with a bogus TCP/UDP checksum
Finally, Nmap collects all the information it has gathered and writes it to the screen or to a file. Nmap can write output in several formats. Its default, human-readable format (interactive format) is usually presented in this book. Nmap also offers an XML-based output format, among others.
-oN/-oX/-oS/-oG<file> Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
-oA<basename> Output in the three major formats at once
-v Increase verbosity level (use twice for more effect)
-d[level] Set or increase debugging level (Up to 9 is meaningful)
--packet-trace Show all packets sent and received
--iflist Print host interfaces and routes (for debugging)
--log-errors Log errors/warnings to the normal-format output file
--append-output Append to rather than clobber specified output files
--resume <filename> :Resume an aborted scan
--stylesheet<path/URL> :XSL stylesheet to transform XML output to HTML
--webxml :Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet Prevent associating of XSL stylesheet w/XML output
-6 Enable IPv6 scanning
-A Enables OS detection and Version detection
--datadir<dirname> Specify custom Nmap data file location
--send-eth/--send-ip Send using raw ethernet frames or IP packets
--privileged Assume that the user is fully privileged
-V Print version number