While many security practitioners use Nmap, few understand its full power. Nmap deserves part of the blame for being too helpful. A simple command such as "nmap scanme.insecure.org" leaves Nmap to choose the scan type, timing details, target ports, output format, source ports and addresses, and more. You can even specify -iR (random input) and let Nmap choose the targets! Hiding all of these details makes Nmap easy to use, but also easy to grow complacent with. Many people never explore the hundreds of available options and scan techniques for more powerful scanning. In this presentation, Nmap author Fyodor details advanced Nmap usage -- from clever hacks for teaching Nmap new tricks, to new and undocumented features for bypassing firewalls, optimizing scan performance, finding free porn, defeating intrusion detection systems, and more. A special Shmoo version of Nmap will be released with new features discussed in the presentation. Fyodor authored the popular Nmap Security Scanner, which was named security tool of the year by Linux Journal, Info World, and the Codetalker Digest. Chicks dig it too, as demonstrated by Trinity in "Matrix Reloaded". He also maintains the Insecure.Org and Seclists.Org security resource sites and has authored seminal papers detailing techniques for stealth port scanning, remote operating system detection via TCP/IP stack fingerprinting, version detection, and the IPID Idle Scan. He is a member of the Honeynet project and a co-author of the books "Know Your Enemy: Honeynets" and "Stealing the Network: How to Own a Continent". He hopes to finish a book on Nmap in time for ShmooCon.