-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a
user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets
as most other scan types do, Nmap asks the underlying operating system to establish a connection with
the target machine and port by issuing the connect system call. This is the same high-level system
call that web browsers, P2P clients, and most other network-enabled applications use to establish a
connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read
raw packet responses off the wire, Nmap uses this API to obtain status information on each connection
attempt.
When SYN scan is available, it is usually a better choice. Nmap has less control over the high-level
connect call than with raw packets, making it less efficient. The system call completes connections
to open target ports rather than performing the half-open reset that SYN scan does. Not only does
this take longer and require more packets to obtain the same information, but target machines are
more likely to log the connection. A decent IDS will catch either, but most machines have no such
alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a
cryptic error message, when Nmap connects and then closes the connection without sending data. Truly
pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch
of connection attempts in her logs from a single system should know that she has been connect
scanned.
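The log pattern described above, as an added example that is neither Nmap code nor part of the man page: a detector that groups syslog-style "connection closed without data" lines by source address and flags any source that completed connections to many distinct ports within a short window, while a client that merely retries one port is left alone. The line format, the sample log lines, the year and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines in a hypothetical "connection ... closed without data"
# format; they are sample input for this example, not output of any real daemon.
SAMPLE_LOG = """\
Mar 03 10:15:01 srv1 inetd[412]: connection from 192.0.2.10 to port 21 closed without data
Mar 03 10:15:01 srv1 inetd[412]: connection from 192.0.2.10 to port 23 closed without data
Mar 03 10:15:02 srv1 inetd[412]: connection from 192.0.2.10 to port 25 closed without data
Mar 03 10:15:02 srv1 inetd[412]: connection from 192.0.2.10 to port 79 closed without data
Mar 03 10:15:03 srv1 inetd[412]: connection from 192.0.2.10 to port 110 closed without data
Mar 03 10:15:10 srv1 inetd[412]: connection from 198.51.100.7 to port 110 closed without data
Mar 03 10:15:11 srv1 inetd[412]: connection from 198.51.100.7 to port 110 closed without data
Mar 03 10:15:12 srv1 inetd[412]: connection from 198.51.100.7 to port 110 closed without data
Mar 03 11:40:00 srv1 inetd[412]: connection from 203.0.113.5 to port 21 closed without data
Mar 03 11:40:00 srv1 inetd[412]: connection from 203.0.113.5 to port 22 closed without data
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+: connection from "
    r"(?P<src>[\d.]+) to port (?P<port>\d+) closed without data$"
)

def parse(log_text, year=2024):
    """Yield (timestamp, source_ip, port) for each line in the assumed format.
    Syslog lines carry no year, so one is supplied by the caller (assumed here)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], int(m["port"])

def find_connect_scanners(log_text, window=timedelta(seconds=60), min_ports=5):
    """Return {source_ip: sorted distinct ports} for every source that completed
    connections to at least `min_ports` distinct ports inside one `window`.
    A client retrying a single port is not flagged, however many lines it logs."""
    hits_by_src = defaultdict(list)
    for ts, src, port in parse(log_text):
        hits_by_src[src].append((ts, port))
    flagged = {}
    for src, hits in hits_by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):        # slide the window start over each hit
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

Tune `window` and `min_ports` to the host's normal traffic; a low threshold will also flag a legitimate multi-service client, so the output is a lead for review rather than a verdict.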
-PN (No ping)
This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine
active machines for heavier scanning. By default, Nmap only performs heavy probing such as port
scans, version detection, or OS detection against hosts that are found to be up. Disabling host
discovery with -PN causes Nmap to attempt the requested scanning functions against every target IP
address specified. So if a class B-sized target address space (/16) is specified on the command line,
all 65,536 IP addresses are scanned. Proper host discovery is skipped as with the list scan, but
instead of stopping and printing the target list, Nmap continues to perform requested functions as if
each target IP is active. To skip ping scan and port scan, while still allowing NSE to run, use the
two options -PN -sP together.
For machines on a local Ethernet network, ARP scanning will still be performed (unless --send-ip is
specified) because Nmap needs MAC addresses to further scan target hosts. This option flag used to be
P0 (uses zero), but was renamed to avoid confusion with protocol ping's PO (uses the letter O) flag.