| Scan | Command | Purpose |
|---|
| Ping Scan | nmap -sn <target> | Check if host is up. |
| SYN Scan | nmap -sS <target> | Stealthy fast TCP scan. |
| Service Version Scan | nmap -sV <target> | Scan service version of open ports. |
| Connect Scan | nmap -sT <target> | Full TCP handshake; accurate but noisy. |
| UDP Scan | nmap -sU <target> | Scan UDP ports (slow). |
| Version Scan | nmap -sV <target> | Identify service versions. |
| OS Detection | nmap -O <target> | Guess OS. |
| Aggressive Scan | nmap -A <target> | OS, version, scripts, traceroute. |
| Option | Meaning |
|---|
-p 22 | Scan one port |
-p 22,80,443 | Scan list |
-p 1-65535 | Scan range |
-p- | Scan all ports |
--top-ports=10 | Scan most common ports |
-F | Fast scan (top 100) |
| Flag | Description |
|---|
-Pn | No host discovery; treat host as up |
-n | No DNS resolution |
--disable-arp-ping | Disable ARP ping |
--packet-trace | Show all sent/received packets |
--reason | Explain port states |
-T4 | Faster timing template |
--stats-every=5s | Show stats every 5 seconds |
| State | Meaning |
|---|
| open | Accepts connections |
| closed | Responds with RST |
| filtered | Blocked by firewall |
| unfiltered | Reachable, state unknown |
| open|filtered | No response |
| closed|filtered | Idle scan ambiguity |
nmap --top-ports=10 <target>
nmap -sS -sU -sV -O <target>
nmap -p 21 --packet-trace -Pn -n --disable-arp-ping <target>
nmap -sV -p <port> <target>