Previously, I noted some basic scan techniques, which are great for understanding the tool and getting a basic overview.
These are some advanced scanning techniques for Nmap to run and try out. By default, Nmap performs a basic TCP scan on each target system.

You must have root (sudo) privileges to run these commands.


TCP SYN Scan

nmap -sS [target] | nmap -sS

The default TCP SYN scan attempts to identify the 1000 most commonly used TCP ports by sending a SYN packet to each port on the target and listening for the response. This type of scan is said to be stealthy because it does not attempt to open a full-fledged connection to the remote host, which prevents many systems from logging a connection attempt from your scan.

TCP Connect Scan

nmap -sT [target] | nmap -sT

The TCP Connect scan is a simple probe that attempts to connect directly to the remote system, completing the full TCP connection, without using any stealth.
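The contrast between the two scans above is exactly what a packet-level monitor sees: a SYN scan tears its half-open connections down with a RST before the handshake completes, while a Connect scan (or any real client) finishes the handshake. As an added example, not code from the original post or from the Nmap project, here is a small Python classifier that replays constructed packet records of both kinds and flags the source that probes many ports; the IP addresses, ports, record layout and the three-port threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed packet records: (src_ip, src_port, dst_ip, dst_port, flags).
# Flags are the TCP flags on the segment joined by '|'. The addresses and
# ports are invented for this example.
SAMPLE_RECORDS = [
    # 10.0.0.5 SYN-scans 10.0.0.9: open ports answer SYN/ACK and get a RST back,
    # a closed port answers RST, a filtered port never answers.
    ("10.0.0.5", 40001, "10.0.0.9", 22, "SYN"),
    ("10.0.0.9", 22, "10.0.0.5", 40001, "SYN|ACK"),
    ("10.0.0.5", 40001, "10.0.0.9", 22, "RST"),
    ("10.0.0.5", 40002, "10.0.0.9", 80, "SYN"),
    ("10.0.0.9", 80, "10.0.0.5", 40002, "SYN|ACK"),
    ("10.0.0.5", 40002, "10.0.0.9", 80, "RST"),
    ("10.0.0.5", 40003, "10.0.0.9", 443, "SYN"),
    ("10.0.0.9", 443, "10.0.0.5", 40003, "RST|ACK"),
    ("10.0.0.5", 40004, "10.0.0.9", 25, "SYN"),
    # 10.0.0.6 runs a connect scan: the handshake completes, then it tears down.
    ("10.0.0.6", 50001, "10.0.0.9", 22, "SYN"),
    ("10.0.0.9", 22, "10.0.0.6", 50001, "SYN|ACK"),
    ("10.0.0.6", 50001, "10.0.0.9", 22, "ACK"),
    ("10.0.0.6", 50001, "10.0.0.9", 22, "RST|ACK"),
    ("10.0.0.6", 50002, "10.0.0.9", 80, "SYN"),
    ("10.0.0.9", 80, "10.0.0.6", 50002, "SYN|ACK"),
    ("10.0.0.6", 50002, "10.0.0.9", 80, "ACK"),
    ("10.0.0.6", 50002, "10.0.0.9", 80, "RST|ACK"),
    # 10.0.0.7 is an ordinary SSH client that goes on to send data.
    ("10.0.0.7", 60001, "10.0.0.9", 22, "SYN"),
    ("10.0.0.9", 22, "10.0.0.7", 60001, "SYN|ACK"),
    ("10.0.0.7", 60001, "10.0.0.9", 22, "ACK"),
    ("10.0.0.7", 60001, "10.0.0.9", 22, "PSH|ACK"),
]


def _step(origin, client, flags):
    """Reduce one segment to (who sent it, what kind of segment it is)."""
    who = "client" if origin == client else "server"
    f = set(flags.split("|"))
    if "RST" in f:
        return who, "RST"
    if "SYN" in f:
        return who, "SYNACK" if "ACK" in f else "SYN"
    if "FIN" in f:
        return who, "FIN"
    return who, "ACK"  # plain ACK or a data-carrying PSH|ACK


def group_flows(records):
    """Bucket segments by endpoint pair, preserving order. Each entry is
    (sending endpoint, flags); the first sender is taken as the client."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in records:
        key = tuple(sorted([(src, sport), (dst, dport)]))
        flows[key].append(((src, sport), flags))
    return flows


def classify_flow(packets):
    """Name the handshake pattern of one flow:
    'full-connect'  SYN -> SYN/ACK -> ACK   (-sT, or any real client)
    'half-open'     SYN -> SYN/ACK -> RST   (-sS hitting an open port)
    'closed-probe'  SYN -> RST              (either scan hitting a closed port)
    'unanswered'    a lone SYN              (filtered, or simply not answered)
    'other'         anything else"""
    client = packets[0][0]
    steps = [_step(origin, client, flags) for origin, flags in packets]
    if steps[0] != ("client", "SYN"):
        return "other"
    if len(steps) == 1:
        return "unanswered"
    if steps[1] == ("server", "RST"):
        return "closed-probe"
    if steps[1] == ("server", "SYNACK") and len(steps) > 2:
        if steps[2] == ("client", "ACK"):
            return "full-connect"
        if steps[2] == ("client", "RST"):
            return "half-open"
    return "other"


def summarize(records):
    """Per source IP: distinct server ports touched and a count of flows
    per handshake pattern."""
    summary = defaultdict(lambda: {"ports": set()})
    for key, packets in group_flows(records).items():
        client = packets[0][0]
        server = key[1] if key[0] == client else key[0]
        entry = summary[client[0]]
        entry["ports"].add(server[1])
        kind = classify_flow(packets)
        entry[kind] = entry.get(kind, 0) + 1
    return {ip: {**e, "ports": len(e["ports"])} for ip, e in summary.items()}


def find_scanners(records, min_ports=3):
    """Sources that touched at least min_ports distinct server ports;
    the threshold is an assumed value for illustration."""
    return sorted(ip for ip, e in summarize(records).items() if e["ports"] >= min_ports)


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_RECORDS).items():
        print(ip, entry)
    print("likely scanners:", find_scanners(SAMPLE_RECORDS))
```

The breakdown is the point: the SYN scanner shows up only as half-open and closed-probe flows, which a listening application never sees, so it is visible in packet captures, firewall logs or a NIDS but not in application logs; the Connect scanner completes every handshake and therefore appears in both.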

UDP Scan

nmap -sU [target] | nmap -sU

While TCP is the most commonly used protocol, many network services (like DNS, DHCP, and SNMP) still use UDP. When performing a network audit, it’s always a good idea to check for both TCP and UDP services to get a more complete picture of the target host/network.

NULL Scan

nmap -sN [target] | nmap -sN

This scan causes Nmap to send packets with no TCP flags set at all. Sending such NULL packets to a target is a method of tricking a firewalled system into generating a response, but not all systems respond.

FIN Scan

nmap -sF [target] | nmap -sF

This is another method of sending unexpected packets (here, packets with only the FIN flag set) to a target in an attempt to produce results from a system protected by a firewall.

Xmas Scan

nmap -sX [target] | nmap -sX

This scan sends packets with the URG, FIN, and PSH flags set. This has the effect of “lighting the packet up like a Christmas tree” and can occasionally solicit a response from a firewalled system.

Custom TCP Scan

nmap --scanflags [flag(s)] [target] | nmap --scanflags SYNURG | nmap --scanflags FINACK

TCP ACK Scan

nmap -sA [target] | nmap -sA

The -sA option can be used to determine if the target system is protected by a firewall. When performing a TCP ACK scan, Nmap probes the target and looks for RST responses. If no response is received, the port is considered to be filtered. If the system does return an RST packet, the port is labeled as unfiltered. The ACK scan never reports a port as open or closed; its only purpose is to determine whether or not the system is filtering ports.
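As an added example (not code from the original post or from Nmap itself), the following Python decodes --scanflags-style flag strings into the bits that the NULL, FIN, Xmas and custom probes above put on the wire, and applies the reply-to-state rules that the Nmap reference guide documents for the SYN, NULL/FIN/Xmas and ACK scans. The function names and the reply encoding ('RST', 'SYNACK', 'ICMP_UNREACH', None) are assumptions of this example.

```python
# TCP flag bits in header order; the names are the ones --scanflags accepts.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# The named probes from the post, expressed as flag masks.
NAMED_PROBES = {
    "null": 0,
    "fin": TCP_FLAGS["FIN"],
    "xmas": TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"],
}


def parse_scanflags(spec):
    """Turn a --scanflags argument such as 'SYNURG' or 'FINACK' (flag names
    run together, in any order) or a plain number into a flag bitmask."""
    spec = spec.strip().upper()
    if spec.isdigit():
        return int(spec)
    mask = 0
    while spec:
        for name, bit in TCP_FLAGS.items():
            if spec.startswith(name):
                mask |= bit
                spec = spec[len(name):]
                break
        else:
            raise ValueError("unknown TCP flag in %r" % spec)
    return mask


def flag_names(mask):
    """Inverse of parse_scanflags: the names of the flags set in a mask."""
    return [name for name, bit in TCP_FLAGS.items() if mask & bit]


def probe_kind(mask):
    """'null', 'fin' or 'xmas' when the mask matches one of the named probes,
    otherwise 'custom' (the case --scanflags exists for)."""
    for kind, bits in NAMED_PROBES.items():
        if mask == bits:
            return kind
    return "custom"


def classify_port(scan, reply):
    """Port state Nmap reports for a probe and its reply, following the
    response tables in the Nmap reference guide. scan is 'syn', 'ack',
    'null', 'fin' or 'xmas'; reply is the flag string of the answer
    ('SYNACK', 'RST', ...), 'ICMP_UNREACH' for an ICMP unreachable error,
    or None when nothing came back after retransmissions."""
    if reply == "ICMP_UNREACH":
        return "filtered"  # every scan type reads this as filtered
    if reply is None:
        # Silence is ambiguous for the flag-tricking probes (an open port is
        # expected to ignore them) but means filtered for SYN and ACK scans.
        return "open|filtered" if scan in NAMED_PROBES else "filtered"
    mask = parse_scanflags(reply)
    if mask & TCP_FLAGS["RST"]:
        # A RST proves a TCP stack is reachable. An ACK scan learns only that
        # much ('unfiltered'); the other scans mark the port closed.
        return "unfiltered" if scan == "ack" else "closed"
    synack = TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]
    if scan == "syn" and (mask & synack) == synack:
        return "open"
    return "unexpected"  # a reply the scan's decision table does not cover


if __name__ == "__main__":
    for spec in ("SYNURG", "FINACK", "URGPSHFIN", "0"):
        mask = parse_scanflags(spec)
        print("%-10s mask=0x%02x flags=%-12s probe=%s"
              % (spec, mask, "+".join(flag_names(mask)), probe_kind(mask)))
    for scan, reply in (("syn", "SYNACK"), ("syn", None), ("fin", None),
                        ("xmas", "RST"), ("ack", "RST"), ("ack", None)):
        print("%-4s reply=%-10s -> %s" % (scan, reply, classify_port(scan, reply)))
```

The table makes the trade-off of the flag-tricking scans explicit: a RST is the only answer that tells NULL, FIN and Xmas probes anything definite, so silence is reported as open|filtered rather than open. For a custom --scanflags probe, Nmap interprets replies according to the base scan type passed alongside it, and the reference guide states that SYN scan is assumed when none is given.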

IP Protocol Scan

nmap -sO [target] | nmap -sO

The IP protocol scan displays the IP protocols that are supported on the target system.


Send Raw Ethernet Packets

nmap --send-eth [target] | nmap --send-eth

Enabling this option instructs Nmap to bypass the IP layer on your system and send raw Ethernet frames at the data link layer. This can be used to overcome problems with your system’s IP stack.

Send IP Packets

nmap --send-ip [target] | nmap --send-ip

The --send-ip option instructs Nmap to use IP packets while scanning. Enabling this option forces Nmap to scan using the local system’s IP stack instead of generating raw Ethernet frames.

I have referred heavily to the Nmap book for the explanations because they are the simplest.