# NMAP Scan types explained

## Connect Scan

Flag: `-sT` ([TCP Connect Scan](https://nmap.org/book/scan-methods-connect-scan.html))

Uses the full TCP three-way handshake (the operating system's own `connect()` call) to determine whether a port on the target is open or closed. For each port the scanner sends a `SYN` packet and waits: a `SYN-ACK` reply means the port is open (nmap then completes the handshake and immediately tears the connection down again), an `RST` reply means it is closed.

The `Connect` scan is the most accurate way to determine the state of a port, because the operating system's TCP stack completes the connection for real, and it needs no raw-socket privileges, which is why it is the default scan type when nmap is not run as root. It is not the most stealthy option, however: the handshake is completed, so the listening service sees a full connection and will usually log it. The SYN scan (`-sS`) is the stealthier choice for exactly that reason, since it never completes the handshake. What the Connect scan does avoid is leaving half-open connections in the target's backlog, so it is sometimes considered the more polite method when the services behind the ports should be disturbed as little as possible.

Because it goes through the normal `connect()` call, it also works where raw packets cannot be sent at all, for example when scanning as an unprivileged user or through a SOCKS proxy. The trade-off is speed and noise: every port requires a complete handshake and teardown, and every connection shows up in the service's logs, so a Connect scan is slower and far more visible than a SYN scan, especially against a busy or unresponsive target.

### Filtered Ports

When a port is reported as `filtered`, the probe was either dropped or rejected. Running the scan with `--packet-trace -n --disable-arp-ping -Pn` shows which of the two happened:

* **Dropped**: the trace shows the `SENT` line for the probe repeated (nmap retransmits after a timeout, so typically two `SENT` lines) and no `RCVD` line at all.
* **Rejected**: the `SENT` line is followed by a `RCVD` ICMP packet, typically `type=3/code=3` (port unreachable), which tells nmap that a host or firewall rule actively refused the probe.

## UDP Scan

Flag: `-sU`

UDP has no handshake, so the scan relies on ICMP errors and timeouts and is usually much slower than a TCP scan: ports that never answer have to time out, and many operating systems rate-limit ICMP port unreachable messages (Linux to about one per second), which can stretch a full UDP port scan to many hours. Nmap sends an empty datagram to most ports (and a protocol-specific payload to a few well-known ones), so a service that does not reply to an empty packet produces a false negative: it cannot be told apart from a dropped probe.

Port states on a UDP scan:

* an ICMP type 3, code 3 (port unreachable) error means the port is `closed`
* other ICMP unreachable errors (type 3 with code 0, 1, 2, 9, 10 or 13) mean the port is `filtered`
* a UDP reply of any kind means the port is `open`
* no response at all is reported as `open|filtered`; adding `-sV` sends service-specific probes and can resolve some of these to `open`

## Scripts

Table of script categories:

| Category    | Description                                                                                                                    |
| ----------- | ------------------------------------------------------------------------------------------------------------------------------ |
| `auth`      | Determination of authentication credentials (for example anonymous or default access).                                          |
| `broadcast` | Host discovery by broadcasting on the local network; the discovered hosts can be added automatically to the remaining scans.    |
| `brute`     | Scripts that try to log in to the respective service by brute-forcing credentials.                                             |
| `default`   | Default scripts, executed with the `-sC` option.                                                                               |
| `discovery` | Evaluation of accessible services.                                                                                             |
| `dos`       | Checks services for denial-of-service vulnerabilities; rarely used, because it can take the service down.                      |
| `exploit`   | Tries to exploit known vulnerabilities on the scanned port.                                                                    |
| `external`  | Scripts that send data to external services (for example third-party databases) for further processing.                        |
| `fuzzer`    | Sends unexpected or randomized fields to find vulnerabilities and unexpected packet handling; can take a long time.             |
| `intrusive` | Scripts that could negatively affect the target system.                                                                        |
| `malware`   | Checks whether the target system is infected with malware or backdoors.                                                        |
| `safe`      | Scripts that do not perform intrusive or destructive actions.                                                                  |
| `version`   | Extension of service detection (`-sV`).                                                                                        |
| `vuln`      | Identification of specific vulnerabilities.                                                                                    |

```shell-session
sudo nmap <target> --script <script-name>,<script-name>,...
```

```shell-session
sudo nmap <target> --script <category>
```

```shell-session
sudo nmap <target> -sC
```

## ACK Scan

Flag: `-sA`

An `ACK` probe never tells whether a port is open: a host that receives a stray `ACK` answers with `RST` whether the port is open or closed, so nmap reports such ports as `unfiltered` rather than `open`. What the scan does reveal is which ports a firewall lets through.

A stateless firewall that only blocks incoming `SYN` packets lets the `ACK` pass, because it looks like part of an established connection, so the `RST` comes back and the port shows as `unfiltered`. A stateful firewall knows there is no such connection, drops the probe, and the port shows as `filtered`. Comparing the two is how the ACK scan is used to map firewall rule sets.

A `filtered` result can again be either rejected (an ICMP unreachable error, type 3 with code 0, 1, 2, 3, 9, 10 or 13) or dropped (no response).
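To make the state rules concrete, here is an added Python example (not code from the original page or from the nmap project) that classifies ports from `--packet-trace` style `SENT`/`RCVD` lines the way the filtered ports section, the UDP scan section and the ACK scan section above describe. The trace lines are constructed samples in the format nmap prints for raw-socket probes (the Connect scan prints `CONN` lines instead, which are not handled here), the addresses are placeholders, and attributing an ICMP error to the most recent unanswered probe is a simplification: nmap itself matches the error against the probe header quoted inside the ICMP message, which the trace does not print.

```python
import re

# Constructed sample traces in the format of `nmap --packet-trace -n --disable-arp-ping -Pn`
# for raw-socket probes (not real captures). 10.10.14.2 is the scanner, 10.129.2.28 the target;
# both are placeholder addresses.
SYN_TRACE = """\
SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:445 S ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP 10.129.2.28:445 > 10.10.14.2:63090 SA ttl=63 id=0 iplen=44 seq=2602962020 win=29200 <mss 1460>
SENT (0.0430s) TCP 10.10.14.2:63090 > 10.129.2.28:22 S ttl=56 id=57323 iplen=44 seq=1699105818 win=1024 <mss 1460>
RCVD (0.0581s) TCP 10.129.2.28:22 > 10.10.14.2:63090 RA ttl=63 id=0 iplen=40 seq=0 win=0
SENT (0.0431s) TCP 10.10.14.2:63090 > 10.129.2.28:139 S ttl=56 id=57324 iplen=44 seq=1699105818 win=1024 <mss 1460>
SENT (1.0452s) TCP 10.10.14.2:63091 > 10.129.2.28:139 S ttl=52 id=25611 iplen=44 seq=1699171355 win=1024 <mss 1460>
SENT (1.0460s) TCP 10.10.14.2:63090 > 10.129.2.28:21 S ttl=56 id=57325 iplen=44 seq=1699105818 win=1024 <mss 1460>
RCVD (1.0603s) ICMP [10.129.2.28 > 10.10.14.2 Port unreachable (type=3/code=3) ] IP [ttl=64 id=59308 iplen=56 ]
"""

UDP_TRACE = """\
SENT (0.0340s) UDP 10.10.14.2:44847 > 10.129.2.28:137 ttl=36 id=12345 iplen=78
RCVD (0.0450s) UDP 10.129.2.28:137 > 10.10.14.2:44847 ttl=64 id=0 iplen=257
SENT (0.0341s) UDP 10.10.14.2:44847 > 10.129.2.28:100 ttl=36 id=12346 iplen=28
RCVD (0.0460s) ICMP [10.129.2.28 > 10.10.14.2 Port unreachable (type=3/code=3) ] IP [ttl=64 id=59309 iplen=56 ]
SENT (0.0342s) UDP 10.10.14.2:44847 > 10.129.2.28:161 ttl=36 id=12347 iplen=68
SENT (1.0350s) UDP 10.10.14.2:44848 > 10.129.2.28:161 ttl=45 id=23456 iplen=68
SENT (1.0360s) UDP 10.10.14.2:44847 > 10.129.2.28:500 ttl=36 id=12348 iplen=28
RCVD (1.0470s) ICMP [10.129.2.28 > 10.10.14.2 Communication administratively prohibited (type=3/code=13) ] IP [ttl=64 id=59310 iplen=56 ]
"""

ACK_TRACE = """\
SENT (0.0300s) TCP 10.10.14.2:50000 > 10.129.2.28:22 A ttl=50 id=1111 iplen=40 seq=0 win=1024
RCVD (0.0400s) TCP 10.129.2.28:22 > 10.10.14.2:50000 R ttl=63 id=0 iplen=40 seq=3011 win=0
SENT (0.0301s) TCP 10.10.14.2:50000 > 10.129.2.28:445 A ttl=50 id=1112 iplen=40 seq=0 win=1024
SENT (1.0310s) TCP 10.10.14.2:50001 > 10.129.2.28:445 A ttl=41 id=2222 iplen=40 seq=0 win=1024
SENT (1.0320s) TCP 10.10.14.2:50000 > 10.129.2.28:80 A ttl=50 id=1113 iplen=40 seq=0 win=1024
RCVD (1.0420s) ICMP [10.129.2.28 > 10.10.14.2 Communication administratively prohibited (type=3/code=13) ] IP [ttl=64 id=59311 iplen=56 ]
"""

TCP_RE = re.compile(r"^(SENT|RCVD) \([\d.]+s\) TCP (\S+):(\d+) > (\S+):(\d+) ([A-Z]+) ")
UDP_RE = re.compile(r"^(SENT|RCVD) \([\d.]+s\) UDP (\S+):(\d+) > (\S+):(\d+) ")
ICMP_RE = re.compile(r"^RCVD \([\d.]+s\) ICMP \[.*?\(type=(\d+)/code=(\d+)\)")

# ICMP destination-unreachable codes that nmap reports as "filtered" (type 3, codes 0,1,2,3,9,10,13).
UNREACHABLE_CODES = {0, 1, 2, 3, 9, 10, 13}


def parse_trace(trace, proto):
    """Group SENT/RCVD lines by target port -> {"sent": count, "reply": None | (kind, detail)}."""
    line_re = TCP_RE if proto == "TCP" else UDP_RE
    probes = {}
    for line in trace.splitlines():
        m = line_re.match(line)
        if m:
            direction, _src, sport, _dst, dport = m.groups()[:5]
            if direction == "SENT":
                probes.setdefault(int(dport), {"sent": 0, "reply": None})["sent"] += 1
            else:
                # the reply's source port is the target port that answered
                flags = m.group(6) if proto == "TCP" else ""
                probes.setdefault(int(sport), {"sent": 0, "reply": None})["reply"] = (proto, flags)
            continue
        m = ICMP_RE.match(line)
        if m:
            # Assumption: the trace does not print the probe header quoted inside the ICMP error
            # (which is what nmap matches on), so tie the error to the most recent unanswered probe.
            for port in reversed(list(probes)):
                if probes[port]["reply"] is None:
                    probes[port]["reply"] = ("ICMP", (int(m.group(1)), int(m.group(2))))
                    break
    return probes


def classify(info, scan):
    """Apply nmap's port-state rules for SYN (-sS), UDP (-sU) and ACK (-sA) probes."""
    reply = info["reply"]
    if reply is None:
        # Dropped: repeated SENT lines, nothing back. UDP cannot tell silence from an open
        # service that ignores an empty datagram, hence open|filtered.
        return "open|filtered" if scan == "udp" else "filtered"
    kind, detail = reply
    if kind == "ICMP":
        icmp_type, code = detail
        if scan == "udp" and (icmp_type, code) == (3, 3):
            return "closed"        # port unreachable: nothing listens on that UDP port
        if icmp_type == 3 and code in UNREACHABLE_CODES:
            return "filtered"      # rejected by a host or firewall rule
        return "unknown"
    if scan == "syn":
        if "S" in detail and "A" in detail:
            return "open"          # SYN-ACK
        if "R" in detail:
            return "closed"        # RST
        return "unknown"
    if scan == "ack":
        return "unfiltered" if "R" in detail else "unknown"   # RST from an open or closed port
    return "open"                  # a UDP datagram came back


def port_states(trace, scan):
    """Map every probed target port in the trace to its nmap state for the given scan type."""
    proto = "UDP" if scan == "udp" else "TCP"
    return {port: classify(info, scan) for port, info in parse_trace(trace, proto).items()}


if __name__ == "__main__":
    for scan, trace in (("syn", SYN_TRACE), ("udp", UDP_TRACE), ("ack", ACK_TRACE)):
        print(scan, port_states(trace, scan))
```

Run as a script it prints the three state maps. The dropped-versus-rejected distinction from the filtered ports section is visible in the parsed data: a dropped probe has a `sent` count of two and no reply, a rejected one has a single `SENT` line followed by a `RCVD` ICMP entry, and both end up as `filtered` (or `open|filtered` for a silent UDP port).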


