All the -P* options affect the method by which Nmap does host discovery. In particular, -PS means "send a SYN packet." If the target gives any reply (SYN/ACK or RST, usually) then it is marked as "up" and is subject to whatever port scan options have been selected (default is a TCP scan of the 1000 most common ports). For this and -PA (ACK packet), Nmap will intelligently change it to a TCP connect() call if you don't have the root privileges necessary to send raw packets and sniff the reply. This is why there's not a special "TCP connect host discovery" option. The -PT option that you might expect is actually an old, deprecated alias for -PA.
All the -s* options select what kind of port scan to do. The -sS option is a TCP half-open SYN scan. This scan requires root privilege. The non-privileged version, -sT, uses a TCP connect() call for each scanned port. If you don't specify any -s* option, Nmap defaults to -sS if you have root, or -sT if you don't. Because there are explicit options for each of these, it is a fatal error to select -sS if you don't have the requisite privilege.