Window Scan, RPC Scan, List Scan [-sW, -sR, -sL]

The TCP Window scan is similar to the ACK scan but can sometimes detect open ports as well as filtered/unfiltered ports. This is due to anomalies in TCP Window size reporting by some operating systems (see the Nmap manual for a list, or the nmap-hackers mailing list for the full list of susceptible OS').

RPC Scans can be used in conjunction with other scan types to try to determine if an open TCP or UDP port is an RPC service, and if so, which program, and version numbers are running on it. Decoys are not supported with RPC scans (see section on Timing and Hiding Scans, below).

List scanning simply prints a list of IPs and names (DNS resolution will be used unless the -n option is passed to Nmap) without actually pinging or scanning the hosts.