- [[UDP]] scan switch: -sU --- + SYN (half-open/stealth scan): -sS In relation to the [[TCP Three Way Handshake]], this scan type will send the initial TCP request with the SYN flag set followed by receiving the TCP response with the SYN & ACK flag set. Now the difference is instead of sending the received the TCP request with the ACK flag set, it will send the TCP request with the RST flag set as to not establish a connection. This makes SYN scan faster than a standard TCP Connect scan. SYN scans are often not logged by applications running on the scanned ports since they often require an established connection. SYN scans have the potential to take down unstable services. --- - TCP Connect scan: -sT --- - TCP Null Scan: -sN --- - TCP FIN Scan: -sF --- - TCP Xmas Scan: -sX --- - Identify which operating system is running: -O --- - Identify what versions of services are running on host: -sV --- - Set verbosity level 2: -vv --- - Save scan results in 3 major formats: -oA --- - Save scan in normal format: -oN --- - Save scan in grepable format: -oG --- - Enable Aggressive mode scanning: -A --- - Set timing of scan: -T4 (options range from 1 to 5 with 5 being noisier and more prone to errors) --- - Activating scripts: --script --- - Choosing scripts from a specific category: --script=directory/category Example of nmap scan for the top 100 ports and some other flags: ``` User@VM$ nmap -sV -A --top-ports 100 -T4 <Target IP> ```