| Flag | What Does it Do? | Purpose | Notes |
|---|---|---|---|
Service Versioning | Host Discovery | ||
Service and OS Versioning | Host Discovery | ||
Add Verbosity | Quality of Life | You ‘can’ add extra verbosity with -vv but I find that to be useless | |
Specify Port(s) | Host Discovery | ||
Read Targets from List | Quality of Life | ||
Output Results to a File (.txt, .xml) | Quality of Life | I always output to .xml so you can upload to Zenmap or Legion | |
Only Display Open ports | Quality of Life | ||
Load an NSE script | Host DiscoveryQuality of LifeVulnerability Analysis | ||
Specify a UDP Port Scan | Host Discovery | ||
Enable IPv6 scanning | Host Discovery | ||
Set Speed | Obfuscation | Likely you do not need to go slower than T2, and should never go faster than T4. | |
Fragment the Packets — The idea is to split the TCP packet up over several tiny fragmented packets | Obfuscation | Does not work with Windows, NSE scripts, or service versioning | |
Scan the Target Range in a Random Order | Obfuscation | No good reason not to use this one | |
Append Bytes of Random Data on Each Packet | Obfuscation | A typical TCP packet is 40 Bytes, I find appending 5 (12.5%) variance is a good amount | |
Disable ICMP ping | Obfuscation | A lot of networks block ICMP | |
Disable ARP Ping | Obfuscation | ||
Ignore RST responses from the host | Obfuscation | ||
Specifies a Time for The Scan to Move On | Obfuscation | ||
Specifies How Many Times a Host Should Be Attempted Before Moving On | Obfuscation | ||
Adds a Delay Between Hosts Scanned | Obfuscation | 1075ms seems to work well and be plenty of a delay | |
Excludes Specific Port(s) From the Scan | Obfuscation |