Scan types:
-sS TCP SYN scan (half-open; the default when run as root, otherwise -sT is used)
-sT TCP connect scan
-sF FIN scan
-sX Xmas tree scan
-sN NULL scan
-sP Ping scan (host discovery only, no port scan; -sn in current versions)
-sU UDP scan
-sO IP protocol scan
-sI <zombie host[:probeport]> Idle scan
-sA ACK scan (used to map out firewall rulesets)
-sW Window scan (advanced ACK scan)
-sL List scan (only lists the targets, with reverse DNS lookup; no packets are sent to them)
-sV version detection
-O OS identification (TCP/IP stack fingerprinting)
Ping:
-P0 no ping (skip host discovery and scan every target; -Pn in current versions)
-PA [portlist] TCP ACK ping
-PS [portlist] TCP SYN ping
-PP ICMP timestamp request
-PB TCP ACK and ICMP echo ping (the default in older nmap releases)
Other:
-oN <logfilename> normal output to file
-oA <basefilename> output in all formats (.nmap, .gnmap and .xml)
-f fragmentation (split probes into small IP fragments to get past simple packet filters)
-A enables additional advanced and aggressive options (-O and -sV; in current versions also -sC and --traceroute)
-T timing template (0-5):
0 Paranoid   5 min between probes
1 Sneaky     15 sec between probes
2 Polite     0.4 sec between probes
3 Normal     default; no deliberate delay, without overloading the network or missing hosts/ports
4 Aggressive assumes a fast, reliable network; SYN scans against heavily filtered hosts are much faster
5 Insane     waits < 0.3 sec for a probe response; only for very fast networks, may lose results
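The .xml file written by -oA (or -oX) is the format worth parsing when the scan is part of a larger workflow. The parser below is an added example, not part of the original cheat sheet or of nmap itself; the embedded XML is a constructed sample of what an -sS -sV scan writes (the hosts, ports and banners are made up), and the functions parse_nmap_xml and open_services are assumed names. It keeps the per-port reason field and distinguishes a banner that -sV actually probed (method="probed") from a service name merely guessed from the port table.

```python
import xml.etree.ElementTree as ET

# Constructed sample of <base>.xml from "nmap -sS -sV -oA base 10.0.0.5 10.0.0.6".
# Not real scan output; addresses, banners and versions are invented for illustration.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oA base 10.0.0.5 10.0.0.6">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web.lab.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.22.1" method="probed"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https" method="table"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {addr: {"hostname": str|None, "up": bool, "ports": [port dicts]}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        # Prefer the IPv4 address; a host element can also carry a MAC address.
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr")
        status = host.find("status")
        up = status is not None and status.get("state") == "up"
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),      # open / closed / filtered / open|filtered ...
                "reason": state.get("reason"),    # syn-ack, reset, no-response, ...
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # "probed" means -sV got a real banner; "table" is a guess from the port number.
                "probed": svc is not None and svc.get("method") == "probed",
            })
        hosts[addr] = {"hostname": hostname, "up": up, "ports": ports}
    return hosts


def open_services(hosts):
    """Flat list of (addr, proto/port, banner) for open ports only."""
    out = []
    for addr, h in hosts.items():
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            if p["probed"]:
                banner = " ".join(x for x in (p["product"], p["version"]) if x)
            else:
                banner = "%s (guessed from port table)" % p["service"]
            out.append((addr, "%s/%d" % (p["proto"], p["port"]), banner))
    return out


if __name__ == "__main__":
    for addr, port, banner in open_services(parse_nmap_xml(SAMPLE_XML)):
        print(addr, port, banner)
```

Replace SAMPLE_XML with open("base.xml").read() to run it over a real -oA result; filtered ports are kept in the parsed structure (with their reason) so an ACK-scan or firewall-mapping run can be post-processed the same way.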
Masking:
-b <username:password@server:port> FTP bounce scan (scan through an FTP server that allows PORT connections to third-party hosts)
-D <decoy1[,decoy2][,ME],...> decoy scan; the probes appear to come from several source IPs at once, ME marks where your own address goes in the sequence
-S <IP_Address> set the source IP address (replies go to that address, so you will not see results unless you can sniff them)
--randomize_hosts shuffle the order in which the target hosts are scanned (--randomize-hosts in current versions)