What's the difference between -sS and -PS in nmap?


I was learning how to use nmap and I have gone through many pieces of documentation and tutorials, but nowhere am I getting clear information about what -sS and -PS are for. In general, what are the differences between all the -s options and the -P options? Both are for scanning, right?

sudo nmap -sS 192.168.0.50
sudo nmap -PS 192.168.0.50

What's the difference between the two?

Thanks in advance.


There are 2 answers

Piotr Praszmo (best answer)

This is well described in documentation.

Before doing a port scan, nmap pings the host to check whether it is online. The -P options are used to select different ping methods. When -PS is selected, nmap checks whether hosts are online by sending a single SYN packet. -Pn skips this phase and jumps right to the port scan.

The -s* options select the method of detecting open ports (for hosts which were determined to be online). With -sS this is done by sending a single SYN packet to each port.

It makes sense to combine those options: nmap -sS -PS 192.168.0.50 will cause nmap to use SYN packets both for the ping and to discover open ports.

SnakeDoc

http://nmap.org/book/man-briefoptions.html

One is for host discovery, the other is for scanning techniques (in case a firewall/host blocks the default techniques or you have a reason to use something other than the defaults).

-PS: TCP SYN/ACK, UDP or SCTP discovery to given ports

-sS: TCP SYN/Connect scans

As a sidenote - you don't need any cmd line flags to do a scan, just nmap <your_host> will work.

I usually use the -A flag which does OS detection, version detection, script scanning, and traceroute.

When a host doesn't respond but I know it's online, I add the -Pn flag which skips the initial host discovery part and starts scanning services, etc.

Like: nmap -A 8.8.8.8 or nmap -Pn -A 8.8.8.8
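Both answers above describe the same two-phase model: a host discovery phase (the -P options, skipped by -Pn) followed by a port scan phase (the -s options). The script below is an added example that is not code from either answer or from nmap itself; it reproduces that model in Python so the distinction can be run and observed. It uses full TCP connect() probes (what nmap calls -sT) instead of raw SYN packets, so it needs no root and does not reproduce -sS's half-open behaviour, but the decision logic is the part that matters: during discovery, a RST (connection refused) is an answer and therefore proves the host is up, which is exactly why -PS against a closed port still finds the host. The loopback listener and the helper names (probe, host_is_up, scan, start_listener, free_port) are constructed for the demo.

```python
"""Two-phase scan model: host discovery (-P*) then port scan (-s*).

Constructed demo for this thread; it uses full TCP connect() probes
(nmap's -sT) rather than raw SYN packets, so it runs without root.
"""
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

OPEN, CLOSED, NO_RESPONSE = "open", "closed", "no-response"


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """One probe of host:port, classified the way nmap classifies a SYN probe."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN                    # SYN/ACK came back: port open, host up
    except ConnectionRefusedError:
        return CLOSED                  # RST came back: port closed, but host up
    except OSError:
        return NO_RESPONSE             # timeout / unreachable: filtered or host down
    finally:
        sock.close()


def host_is_up(host: str, ping_ports: Iterable[int]) -> bool:
    """-PS analogue: any answer (SYN/ACK or RST) on any ping port means the host is up."""
    return any(probe(host, p) != NO_RESPONSE for p in ping_ports)


def scan(host: str, ports: Iterable[int], ping_ports: Iterable[int] = (80,),
         skip_discovery: bool = False) -> Optional[Dict[int, str]]:
    """Port scan over the given ports, gated by discovery unless skip_discovery (-Pn)."""
    if not skip_discovery and not host_is_up(host, ping_ports):
        return None                    # nmap would report the host as down and scan nothing
    return {p: probe(host, p) for p in ports}


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Constructed target: a loopback listener that accepts and immediately closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host: str = "127.0.0.1") -> int:
    """A port that is (almost certainly) closed right now, to exercise the RST case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    target = "127.0.0.1"
    srv, open_port = start_listener(target)
    closed_port = free_port(target)
    # Pinging a closed port still discovers the host: the RST is an answer.
    print("host up via closed port:", host_is_up(target, [closed_port]))
    print("scan:", scan(target, [open_port, closed_port], ping_ports=[closed_port]))
    print("-Pn style:", scan(target, [open_port], skip_discovery=True))
    srv.close()
```

Running it shows the point of the thread: discovery against only a closed port still reports the host as up, after which the scan phase labels each port individually. Replace the ping ports with ones a firewall silently drops and discovery returns no answer at all, which is the situation where -Pn is needed.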