Nmap Flags

Question 1

Flag

Answer 1

Description

Question 2

-sn

Answer 2

Host discovery scan (ping sweep). Skips port scan, just checks which hosts are alive.

Question 3

-sL

Answer 3

List scan. Lists targets and resolves hostnames without sending packets to them.

Question 4

-PS <port></port>

Answer 4

TCP SYN ping. Sends SYN packets to check if a port responds, indicating host is up.

Question 5

-PA <port></port>

Answer 5

TCP ACK ping. Sends ACK packets to check if ports respond, useful to bypass some filters.

Question 6

-PU <port></port>

Answer 6

UDP ping. Sends UDP packets to detect active hosts on specific ports like DNS or SNMP.

Question 7

-sY

Answer 7

SCTP INIT ping. Uses Stream Control Transmission Protocol to probe hosts.

Question 8

-Pn

Answer 8

Treat all hosts as up. Skips host discovery stage, useful when ICMP is blocked.

Question 9

-sS

Answer 9

TCP SYN (half-open) scan. Sends SYN packets without completing handshake; stealthier than full connect.

Question 10

-sT

Answer 10

TCP connect scan. Completes full 3-way handshake; easier to detect but works without raw socket access.

Question 11

-sN

Answer 11

Null scan. Sends packets with no flags set; relies on RFC behavior for closed ports.

Question 12

-sF

Answer 12

FIN scan. Sends FIN flag only; some systems reveal closed ports by responding with RST.

Question 13

-sX

Answer 13

Xmas scan. Sends FIN+PSH+URG flags; closed ports respond with RST, open ports ignore.

Question 14

-sU

Answer 14

UDP scan. Sends UDP packets to detect open/closed ports; slower, prone to false negatives.

Question 15

-sI

Answer 15

Idle (zombie) scan. Uses a third-party idle host to scan target, hiding tester’s IP.

Question 16

-p

Answer 16

Port specification. Allows scanning specific ports or ranges (e.g., -p 80,443 or -p 1-1000).

Question 17

-f / –mtu

Answer 17

Fragment packets into smaller pieces to evade firewalls/IDS; may bypass simple filtering rules.

Question 18

–scan-delay <time></time>

Answer 18

Adds delay between probes; reduces detection by IDS but makes scan slower.

Question 19

-T<0–5>

Answer 19

Timing template. Controls speed/aggressiveness (0=paranoid for stealth, 5=insane/fast for speed).

Question 20

-sV

Answer 20

Version detection. Probes services to determine exact software and version running.

Question 21

-A

Answer 21

Aggressive scan. Enables OS detection, version detection, NSE scripts, and traceroute in one command.

Question 22

-O

Answer 22

OS detection. Attempts to identify the target’s operating system from TCP/IP fingerprinting.

Question 23

-oN

Answer 23

Normal output. Saves scan results in human-readable text format.

Question 24

-oX

Answer 24

XML output. Saves scan results in XML format for parsing or reporting.

Question 25

-oG

Answer 25

Grepable output. Saves scan results in a simplified format for easy search/grep usage.