
Thread: nmap -PS -PA -PU flags

  1. #1
    Junior Member imported_seven's Avatar
    Join Date
    May 2007

    nmap -PS -PA -PU flags

    I have a question. I bought Fyodor's book for NMAP and it's been great! I am really learning the internals and best practices. But one thing I'm confused with is the host discovery flags PS PA PU. Syntax should be P[A/S/U]<port list>
    Essentially, it should be probing for hosts by sending either SYN, ACK or UDP probes to the ports suggested. However, when I use it, it detects hosts that are up but on ports I didn't specify.
    E.G. @my house
    nmap -PS80,21,25 -PA80,21,25 -PU53 -v
    will yield results for my HTTP server, FTP, DNS but also scan ports up to 4444 and higher.
    Any reason this is happening? Am I using the flag wrong?

    Thank you.
    Lying is my life.

  2. #2
    Join Date
    Jan 2010
    The new forums


    Try separating the ports with -p.

    ex: nmap -PS -p 21,25,80 -v

  3. #3
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010


    You're doing it the right way. The thing is the scan isn't limited by those probes/ports. After doing PS/PA/PU it still does the normal run of the default popular 1000 (or 1287) ports. If you don't want nmap to do that then you have to limit the ports to scan with the -p as Lincoln suggested.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  4. #4
    Just burned his ISO
    Join Date
    Jan 2009


    The best choice is to use those discovery flags with the -sP parameter, so it won't start a SYN scan on active systems.
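
An added example, not part of the original thread: a small Python model of the two phases the replies describe, showing which ports are used for host discovery and which are port-scanned for each of the three command forms discussed. It covers only the options mentioned in the thread plus `-sn`, the current name for `-sP`; the helper names `parse_ports` and `explain` and the documentation address 192.0.2.10 are constructed for illustration, and every other option is ignored (assumption).

```python
import shlex

def parse_ports(spec):
    """Expand a port list such as '21,25,80' or '20-25' into sorted ints."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return sorted(ports)

def explain(cmdline):
    """Split an nmap command line into its discovery phase and its scan phase.

    Hypothetical helper: models only -PS/-PA/-PU (discovery probes),
    -p (ports to scan) and -sP/-sn (discovery only, no port scan).
    """
    discovery = {}          # probe type -> ports probed during host discovery
    scan_ports = "default"  # nmap's default popular-port list unless -p is given
    port_scan = True        # a port scan follows discovery unless -sP/-sn
    args = shlex.split(cmdline)[1:]
    i = 0
    while i < len(args):
        arg = args[i]
        if arg[:3] in ("-PS", "-PA", "-PU"):
            kind = {"S": "SYN", "A": "ACK", "U": "UDP"}[arg[2]]
            # No port list attached: nmap uses its built-in default probe port
            discovery[kind] = parse_ports(arg[3:]) or "default"
        elif arg in ("-sP", "-sn"):
            port_scan = False
        elif arg == "-p" and i + 1 < len(args):
            i += 1
            scan_ports = parse_ports(args[i])
        elif arg.startswith("-p") and arg[2:3].isdigit():
            scan_ports = parse_ports(arg[2:])
        i += 1
    return {"discovery": discovery, "port_scan": port_scan,
            "scan_ports": scan_ports if port_scan else []}

if __name__ == "__main__":
    # Constructed command lines mirroring posts #1, #2 and #4
    for cmd in ("nmap -PS80,21,25 -PA80,21,25 -PU53 -v 192.0.2.10",
                "nmap -PS -p 21,25,80 -v 192.0.2.10",
                "nmap -sP -PS80,21,25 -PA80,21,25 -PU53 192.0.2.10"):
        print(cmd, "->", explain(cmd))
```
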
