Port scanning techniques (only one method at a time except UDP -sU)
-sS TCP SYN
-sT TCP connect (done when users have none root privilage or when using tor) Slow and greater detection risk
-sU (UDP scan) DNS SNMP DHCP ports 53 161/162 and 67/68 MORE EXPLOITABLE
use --host-timeout to speed up search
-sY (SCTP SS7/SIGTRAN
-sN , sF , -sX TCP null no flag header, FIN tcp fin bit, Xmas FIN PSH URC flags . These flags can get past some firewalls
-sA TCP ACK used to map out firewall rulesets
-sI <zombie host>[<probeport>] idle scan blind TCP port scan specify up-host that IDS sees packets coming from instead of own machine
-sO Ip protocol scan send ip packet headers
-b <ftp relay host> <username>:<password>@<server>:<port>. <Server>As with a normal URL, you may omit <username>:<password>, in which case anonymous login credentials (user: anonymous password:-wwwuser@) are used.
-p <port range> ex -p <100-10000>
Ip protcol scanning -sO (0-255)
sV (Version detection) Enables version detection, as discussed above. Alternatively, you can use -A, which enables version detection among other things.
-A version and OS
--allports scans all ports
--version-intensity <1-9>
--version-light
--version--all level 9 intensity
-O OS scan
--osscan-limit usfull when scannong many host wit -Pn
--osscan-guess; --fuzzy Guess os detection results
