Nmap typically is used as a networking tool to find open ports. It has quite the suite of capabilities installed with it that give a incredible amount of reconissance power and push its pentest lifecycle use out of the reconissance phase into vulnerability scanning and detection.
This wget one liner exploits shellshock through cgi by injecting commands into the user agent.
Mutillae has a great SQLMAP target on it. I have been using owasp’s bwa vm to work on more web apps.