NMAP Deep-Diving - Scanning, Brute Forcing, Exploiting
NMAP Flags
-sL List Scan (List Targets to Scan)
-sn Ping Scan (Disable Port Scan)
-sS SYN Scan
-sT TCP Connect Scan
-sP Ping Scan (Older Alias of -sn)
-sU UDP Scan
-sO IP Protocol Scan
-b <FTP relay host> FTP Bounce Scan
-sN TCP Null Scan
-sF FIN Scan
-sX XMAS Scan
-sA ACK Scan
-sW TCP Window Scan
-sR RPC Scan (Legacy; Now Part of -sV)
-sI <zombie host[:probeport]>: Idle scan
-sY SCTP INIT Scan
-sZ SCTP COOKIE ECHO Scan
-sV Probe Open Ports to Determine Service/Version Info
-sC Default Script Scan (Equivalent to --script=default)
-A Enable OS Detection, Version Detection, Script Scanning, and TraceRoute
-Pn Treat All Hosts as Online (Skip Host Discovery)
-PN Older Spelling of -Pn (Skips Host Discovery, So No ICMP Echo Probe Is Sent)
-PS/-PA/-PU/-PY[portlist] TCP SYN/ACK, UDP or SCTP Discovery to Given Ports
-PE/-PP/-PM ICMP Echo, Timestamp, and Netmask Request Discovery Probes
-n / -R Never do DNS Resolution / Always Resolve [Default: Sometimes]
--dns-servers <serv1[,serv2],...> Specify Custom DNS Servers
--system-dns Use OS's DNS Resolver
--traceroute Trace Hop Path to Each Host
-F Fast Mode (Scan Fewer Ports Than the Default)
-p <Port-Range> Only Scan Specified Ports
-O OS Detection
-T<0-5> Timing Template (Higher is Faster)
FIREWALL/IDS EVASION and SPOOFING:
-f; --mtu <val> Fragment Packets (Optionally with specified MTU)
-D <decoy1,decoy2[,ME],...> Cloak a Scan with Decoys
-S <IP_Address> Spoof Source Address
-e <iface> Use Specified Network Interface
-g / --source-port <portnum> Use Given Source Port Number
--data-length <num> Append Random Data to Sent Packets
--ip-options <options> Send Packets with Specified IP Options
--ttl <val> Set IP Time-To-Live Field
--spoof-mac <MAC Address/Prefix/Vendor Name> Spoof your MAC address
--badsum Send Packets with a Bogus TCP/UDP/SCTP Checksum