NMAP Scan types explained

Connect Scan

Flag: -sT (TCP Connect Scan)

Uses the TCP three-way handshake to determine if a specific port on a target host is open or closed. The scan sends a SYN packet to the target port and waits for a response. The port is considered open if the target responds with a SYN-ACK packet and closed if it responds with an RST packet.

The Connect scan is useful because it is the most accurate way to determine the state of a port, and it is also the most stealthy. Unlike other types of scans, such as the SYN scan, the Connect scan does not leave any unfinished connections or unsent packets on the target host, which makes it less likely to be detected by intrusion detection systems (IDS) or intrusion prevention systems (IPS). It is useful when we want to map the network without disturbing the services running behind it; it causes minimal impact and is sometimes considered the more polite scan method.

It is also useful when the target host has a personal firewall that drops incoming packets but allows outgoing packets. In this case, a Connect scan can bypass the firewall and accurately determine the state of the target ports. However, it is important to note that the Connect scan is slower than other types of scans because it requires the scanner to wait for a response from the target after each packet it sends, which could take some time if the target is busy or unresponsive.

Filtered Ports

Packets can either be dropped or rejected:

  • Dropped: using --packet-trace -n --disable-arp-ping -Pn we observe 2 SEND and no RECV for the SYN packets

  • Rejected: using the above flags we observe a SEND followed by a RECV of an ICMP packet type=3/code=3, marking the port as unreachable

UDP Scan

Flag: -sU

Usually takes longer because there is no handshake. Can produce false negatives if the service does not respond to EMPTY UDP packets.

In this case, an ICMP port unreachable error (type=3/code=3) means that the port is closed.

For all other ICMP responses, the scanned ports are marked as (open|filtered).

Scripts

Script categories:

  • auth: Determination of authentication credentials.

  • broadcast: Scripts used for host discovery by broadcasting; the discovered hosts can be automatically added to the remaining scans.

  • brute: Scripts that try to log in to the respective service by brute-forcing credentials.

  • default: Default scripts, executed by using the -sC option.

  • discovery: Evaluation of accessible services.

  • dos: Scripts that check services for denial-of-service vulnerabilities; used less often because they can harm the services.

  • exploit: Scripts that try to exploit known vulnerabilities for the scanned port.

  • external: Scripts that use external services for further processing.

  • fuzzer: Scripts that identify vulnerabilities and unexpected packet handling by sending varied field values, which can take a long time.

  • intrusive: Intrusive scripts that could negatively affect the target system.

  • malware: Checks whether the target system is infected with malware.

  • safe: Defensive scripts that do not perform intrusive or destructive access.

  • version: Extension for service detection.

  • vuln: Identification of specific vulnerabilities.

sudo nmap <target> --script <script-name>,<script-name>,...
sudo nmap <target> --script <category>
sudo nmap <target> -sC

ACK Scan

Flag: -sA

Sending an ACK packet requires the service to reply with RST if the port is open.

Firewalls struggle to detect this because they usually cannot tell whether the connection was initiated from the internal network or from outside.

A filtered result can either be rejected (ICMP response) or dropped (no response).
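As an added worked example (not code from the original page), the Python script below parses --packet-trace output and applies the response rules from the Filtered Ports, UDP Scan and ACK Scan sections to label each probed port, so the dropped/rejected distinction and the UDP ambiguity can be seen on concrete lines. The trace, addresses and ports are constructed for the example, written in the SENT/RCVD line format nmap prints. Because the one-line ICMP summary does not show the probed port (nmap itself reads it from the IP header embedded in the ICMP error), the script attributes an ICMP error to the most recently sent unanswered probe to that host; that correlation is a heuristic of this script, not nmap's. An ACK probe answered by RST is labelled unfiltered, the state nmap reports for that case; a UDP probe with no reply stays open|filtered, the ambiguous case the UDP section warns about, and a UDP probe answered by an ICMP unreachable other than code 3 is labelled filtered.

```python
import re
from collections import defaultdict

# SENT/RCVD lines for TCP and UDP probes; the optional flags group only matches
# the upper-case TCP flag letters (S, SA, R, RA, A), so UDP lines leave it empty.
PROBE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<flags>[A-Z]+))?\s"
)
# ICMP error summary line, e.g. "... Port unreachable (type=3/code=3) ]"
ICMP_RE = re.compile(
    r"^RCVD \((?P<t>[\d.]+)s\) ICMP \[(?P<src>[\d.]+) > (?P<dst>[\d.]+) "
    r"(?P<msg>.*?) \(type=(?P<type>\d+)/code=(?P<code>\d+)\) \]"
)

# Constructed sample trace (hosts, ports and timings are made up for this example).
SAMPLE_TRACE = """\
SENT (0.0100s) TCP 10.10.14.2:40001 > 10.129.2.28:22 S ttl=54 id=1 iplen=44  seq=1 win=1024 <mss 1460>
RCVD (0.0120s) TCP 10.129.2.28:22 > 10.10.14.2:40001 SA ttl=64 id=0 iplen=44  seq=2 win=64240 <mss 1460>
SENT (0.0200s) TCP 10.10.14.2:40001 > 10.129.2.28:25 S ttl=54 id=2 iplen=44  seq=1 win=1024 <mss 1460>
RCVD (0.0220s) TCP 10.129.2.28:25 > 10.10.14.2:40001 RA ttl=64 id=0 iplen=40  seq=0 win=0
SENT (0.0300s) TCP 10.10.14.2:40001 > 10.129.2.28:80 S ttl=54 id=3 iplen=44  seq=1 win=1024 <mss 1460>
SENT (1.0300s) TCP 10.10.14.2:40002 > 10.129.2.28:80 S ttl=54 id=4 iplen=44  seq=1 win=1024 <mss 1460>
SENT (1.0400s) TCP 10.10.14.2:40001 > 10.129.2.28:110 S ttl=54 id=5 iplen=44  seq=1 win=1024 <mss 1460>
RCVD (1.0420s) ICMP [10.129.2.28 > 10.10.14.2 Port unreachable (type=3/code=3) ] IP [ttl=64 id=0 iplen=56 ]
SENT (1.0500s) TCP 10.10.14.2:40001 > 10.129.2.28:443 A ttl=54 id=6 iplen=40  seq=0 win=1024
RCVD (1.0520s) TCP 10.129.2.28:443 > 10.10.14.2:40001 R ttl=64 id=0 iplen=40  seq=0 win=0
SENT (1.0600s) TCP 10.10.14.2:40001 > 10.129.2.28:8080 A ttl=54 id=7 iplen=40  seq=0 win=1024
RCVD (1.0620s) ICMP [10.129.2.28 > 10.10.14.2 Admin prohibited (type=3/code=13) ] IP [ttl=64 id=0 iplen=56 ]
SENT (2.0100s) UDP 10.10.14.2:50001 > 10.129.2.28:53 ttl=54 id=8 iplen=28
RCVD (2.0120s) UDP 10.129.2.28:53 > 10.10.14.2:50001 ttl=64 id=0 iplen=40
SENT (2.0200s) UDP 10.10.14.2:50001 > 10.129.2.28:137 ttl=54 id=9 iplen=28
RCVD (2.0220s) ICMP [10.129.2.28 > 10.10.14.2 Port unreachable (type=3/code=3) ] IP [ttl=64 id=0 iplen=56 ]
SENT (2.0300s) UDP 10.10.14.2:50001 > 10.129.2.28:161 ttl=54 id=10 iplen=28
SENT (3.0300s) UDP 10.10.14.2:50002 > 10.129.2.28:161 ttl=54 id=11 iplen=28
SENT (3.0400s) UDP 10.10.14.2:50001 > 10.129.2.28:500 ttl=54 id=12 iplen=28
RCVD (3.0420s) ICMP [10.129.2.28 > 10.10.14.2 Admin prohibited (type=3/code=13) ] IP [ttl=64 id=0 iplen=56 ]
"""


def port_state(kind, replies):
    """Apply nmap's response rules for one probe kind ('syn', 'ack' or 'udp')."""
    icmp = [code for proto, code in replies if proto == "ICMP"]
    direct = [flags for proto, flags in replies if proto != "ICMP"]
    if kind == "syn":
        if any("S" in f and "A" in f for f in direct):
            return "open"                      # SYN-ACK
        if any("R" in f for f in direct):
            return "closed"                    # RST
        return "filtered (rejected)" if icmp else "filtered (dropped)"
    if kind == "ack":
        if any("R" in f for f in direct):
            return "unfiltered"                # RST comes back for open and closed alike
        return "filtered (rejected)" if icmp else "filtered (dropped)"
    if direct:
        return "open"                          # the UDP service answered the empty probe
    if "3/3" in icmp:
        return "closed"                        # port unreachable
    if icmp:
        return "filtered"                      # other ICMP unreachable (e.g. admin prohibited)
    return "open|filtered"                     # silence: no way to tell


def classify_trace(lines):
    """Return {(proto, host, port): state} for every probe in the trace lines."""
    probes = {}                        # (proto, host, port) -> {"kind": ..., "replies": [...]}
    outstanding = defaultdict(list)    # host -> unanswered probe keys, in send order
    for line in lines:
        m = PROBE_RE.match(line)
        if m and m["dir"] == "SENT":
            flags = m["flags"] or ""
            kind = "udp" if m["proto"] == "UDP" else ("ack" if flags == "A" else "syn")
            key = (m["proto"], m["dst"], int(m["dport"]))
            probes.setdefault(key, {"kind": kind, "replies": []})
            outstanding[m["dst"]].append(key)
            continue
        if m:  # direct TCP/UDP reply: the target's source port is the probed port
            key = (m["proto"], m["src"], int(m["sport"]))
            if key in probes:
                probes[key]["replies"].append((m["proto"], m["flags"] or ""))
                outstanding[m["src"]] = [k for k in outstanding[m["src"]] if k != key]
            continue
        m = ICMP_RE.match(line)
        if m and outstanding[m["src"]]:
            # Heuristic: charge the ICMP error to the latest unanswered probe to that host.
            key = outstanding[m["src"]].pop()
            probes[key]["replies"].append(("ICMP", f"{m['type']}/{m['code']}"))
    return {key: port_state(p["kind"], p["replies"]) for key, p in probes.items()}


if __name__ == "__main__":
    for (proto, host, port), state in sorted(classify_trace(SAMPLE_TRACE.splitlines()).items()):
        print(f"{host} {port}/{proto.lower():<3} {state}")
```

Run against a real capture with `nmap --packet-trace -n --disable-arp-ping -Pn <target> | python3 trace_states.py` only after replacing SAMPLE_TRACE with stdin; the point of the sample is that port 80 (two SENT, nothing back) and port 110 (SENT followed by ICMP 3/3) both end up filtered, but the trace tells you which firewall behaviour produced that result.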
