SERVICE/VERSION DETECTION:
If any ports are found to be open, Nmap may be able to determine what server software is running on the remote system. It does this by sending a variety of probes to the open ports and matching any responses against a database of more than 6,500 known service signatures (nmap-service-probes). Because these probes actually talk to the service, a version scan is noisier and slower than a plain port scan and is more likely to show up in application logs.
-sV Probe open ports to determine service/version info
--version-intensity <level> Set from 0 (light) to 9 (try all probes)
--version-light Limit to most likely probes (intensity 2)
--version-all Try every single probe (intensity 9)
--version-trace Show detailed version scan activity (for debugging)
OS DETECTION:
-O Enable OS detection
If requested with the -O option, Nmap proceeds to OS detection. Different operating systems implement network standards in subtly different ways. By measuring these differences it is often possible to determine the operating system running on a remote host. Nmap matches responses to a standard set of probes against a database of more than a thousand known operating system responses. OS detection requires raw packet privileges (root or Administrator), and fingerprints are most reliable when the target has at least one open and one closed TCP port.
--osscan-limit Limit OS detection to promising targets
--osscan-guess Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T[0-5] Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size> Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes> Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time> Adjust the probe round-trip timeouts
--max-retries <tries> Caps number of port scan probe retransmissions.
--host-timeout <time> Give up on target after this long
--scan-delay/--max-scan-delay <time> Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val> Fragment packets (optionally with the given MTU, which must be a multiple of 8)
-D <decoy1,decoy2[,ME],...> Cloak a scan with decoys (the target sees the scan coming from every listed address; ME marks your real position in the list)
-S <IP_Address> Spoof source address (replies go to the spoofed address, so you normally see no results; usually combined with -e and -Pn)
-e <iface> Use specified interface
-g/--source-port <portnum> Use given source port number (useful against filters that blindly trust traffic from ports such as 53 or 20)
--data-length <num> Append random data to sent packets
--ttl <val> Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name> Spoof your MAC address (0 picks a random one)
--badsum Send packets with a bogus TCP/UDP checksum (real hosts drop these, so any response points to a firewall or IDS that does not verify checksums)
OUTPUT:
Finally, Nmap collects all the information it has gathered and writes it to the screen or to a file. Nmap can write output in several formats. Its default, human-readable format (interactive format) is usually presented in this book. Nmap also offers an XML-based output format, among others.
-oN/-oX/-oS/-oG <file> Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
-oA <basename> Output in the three major formats at once
-v Increase verbosity level (use twice for more effect)
-d[level] Set or increase debugging level (Up to 9 is meaningful)
--packet-trace Show all packets sent and received
--iflist Print host interfaces and routes (for debugging)
--log-errors Log errors/warnings to the normal-format output file
--append-output Append to rather than clobber specified output files
--resume <filename> :Resume an aborted scan
--stylesheet <path/URL> XSL stylesheet to transform XML output to HTML
--webxml Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet Prevent associating of XSL stylesheet w/XML output
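The grepable (-oG) format is the one most often post-processed with shell tools, because each host's results sit on a single tab-separated line and every port entry follows the fixed layout port/state/protocol/owner/service/rpcinfo/version/. The following script is an added example, not part of the original page or of Nmap itself: it embeds a constructed -oG sample (the sample_gnmap function) so it runs without a live scan, and open_services pulls out the host, port, service and version fields for every port in a chosen state. The function names and the sample hosts/versions are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of Nmap grepable (-oG) output; not from a real scan.
# Fields on a host line are separated by tabs, port entries by ", ".
sample_gnmap() {
  printf '# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.0.2.0/29\n'
  printf '%s\t%s\n' 'Host: 192.0.2.10 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 192.0.2.10 ()' \
    'Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///' \
    'Ignored State: filtered (997)'
  printf '%s\t%s\n' 'Host: 192.0.2.11 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 192.0.2.11 ()' \
    'Ports: 3306/open/tcp//mysql//MySQL 5.7.42/' \
    'Ignored State: closed (999)'
  printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 5.00 seconds\n'
}

# open_services [state]  (reads -oG data on stdin; state defaults to "open")
# Prints one line per matching port: host<TAB>port/proto<TAB>service<TAB>version
# Note: Nmap writes any "/" inside a version string as "|" in -oG output,
# so splitting on "/" is safe.
open_services() {
  awk -F'\t' -v want="${1:-open}" '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host)
      sub(/ .*/, "", host)                 # keep the address, drop "(hostname)"
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i
        sub(/^Ports: /, "", ports)
        n = split(ports, entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")          # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
          if (f[2] == want)
            printf "%s\t%s/%s\t%s\t%s\n", host, f[1], f[3], f[5], f[7]
        }
      }
    }'
}

# Stand-alone demonstration; with a real scan use:
#   nmap -sV -oG scan.gnmap 192.0.2.0/29 && open_services < scan.gnmap
sample_gnmap | open_services
```

The same function can list closed or filtered entries by passing the state (open_services closed), which is a quick way to spot the "Ignored State" exceptions that a firewall lets through.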
MISC:
-6 Enable IPv6 scanning
-A Enable OS detection, version detection, default script scanning (-sC) and traceroute in one option (the noisiest combination, so use it deliberately)
--datadir <dirname> Specify custom Nmap data file location
--send-eth/--send-ip Send using raw ethernet frames or IP packets
--privileged Assume that the user is fully privileged
-V Print version number