NMAP Scan types explained

Connect Scan

Flag: -sT (TCP Connect Scan)

Uses the full TCP three-way handshake to determine whether a specific port on a target host is open or closed. The scan sends a SYN packet to the target port and waits for a response: the port is reported open if the target answers with a SYN-ACK packet and closed if it answers with an RST packet.

The Connect scan is useful because it is the most accurate way to determine the state of a port, and it is also the most stealthy. Unlike other types of scans, such as the SYN scan, the Connect scan does not leave any unfinished connections or unsent packets on the target host, which makes it less likely to be detected by intrusion detection systems (IDS) or intrusion prevention systems (IPS). It is useful when we want to map the network without disturbing the services running behind it; the impact is minimal, and it is sometimes considered the more polite scan method.

It is also useful when the target host has a personal firewall that drops incoming packets but allows outgoing packets. In this case, a Connect scan can bypass the firewall and accurately determine the state of the target ports. However, it is important to note that the Connect scan is slower than other types of scans because it requires the scanner to wait for a response from the target after each packet it sends, which could take some time if the target is busy or unresponsive.

Filtered Ports

Packets can either be dropped or rejected:

  • Dropped: using --packet-trace -n --disable-arp-ping -Pn we observe 2 SEND and no RECV for the SYN packets

  • Rejected: using the same flags we observe a SEND followed by a RECV of an ICMP packet with type=3/code=3, marking the port as unreachable
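The open/closed rules from the Connect Scan section and the dropped/rejected rules above, applied to packet-trace output. This is an added example, not code from the page or from Nmap itself; the sample trace is constructed and its line layout only approximates Nmap's --packet-trace format, and attributing an ICMP error to the most recent unanswered probe is an assumption of this script.

```python
import re

# Constructed sample of `nmap --packet-trace -n --disable-arp-ping -Pn` output for a
# SYN scan (not a real capture; the line layout is approximated from nmap's format).
SAMPLE_TRACE = """\
SENT (0.0410s) TCP 10.0.0.5:41237 > 10.0.0.9:22 S ttl=55 id=8412 iplen=44 seq=1111 win=1024 <mss 1460>
RCVD (0.0422s) TCP 10.0.0.9:22 > 10.0.0.5:41237 SA ttl=64 id=0 iplen=44 seq=2222 win=65535 <mss 1460>
SENT (0.0415s) TCP 10.0.0.5:41237 > 10.0.0.9:80 S ttl=55 id=8413 iplen=44 seq=1112 win=1024 <mss 1460>
RCVD (0.0430s) TCP 10.0.0.9:80 > 10.0.0.5:41237 RA ttl=64 id=0 iplen=40 seq=0 win=0
SENT (0.0418s) TCP 10.0.0.5:41237 > 10.0.0.9:443 S ttl=55 id=8414 iplen=44 seq=1113 win=1024 <mss 1460>
SENT (1.0420s) TCP 10.0.0.5:41238 > 10.0.0.9:443 S ttl=55 id=8415 iplen=44 seq=1114 win=1024 <mss 1460>
SENT (0.0421s) TCP 10.0.0.5:41237 > 10.0.0.9:8080 S ttl=55 id=8416 iplen=44 seq=1115 win=1024 <mss 1460>
RCVD (0.0440s) ICMP [10.0.0.9 > 10.0.0.5 Port unreachable (type=3/code=3) ] IP [ttl=64 id=5 iplen=56 ]
"""

TCP_RE = re.compile(r"^(SENT|RCVD) \([\d.]+s\) TCP \S+:(\d+) > \S+:(\d+) (\S+) ")
ICMP_RE = re.compile(r"^RCVD \([\d.]+s\) ICMP \[.*?\(type=(\d+)/code=(\d+)\)")

def classify_trace(trace):
    # Map each probed target port to (state, reason) using the page's rules.
    probes = {}    # target port -> {"sent": count, "state": ..., "reason": ...}
    pending = []   # probed ports still waiting for any reply, oldest first
    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if m:
            direction, sport, dport, flags = m.groups()
            if direction == "SENT":            # our probe: target port is the destination
                port = int(dport)
                entry = probes.setdefault(port, {"sent": 0, "state": None, "reason": None})
                entry["sent"] += 1
                if port not in pending:
                    pending.append(port)
            elif int(sport) in probes:         # target's reply: its source port was probed
                port = int(sport)
                if "S" in flags and "A" in flags:
                    probes[port].update(state="open", reason="SYN-ACK")
                elif "R" in flags:
                    probes[port].update(state="closed", reason="RST")
                if port in pending:
                    pending.remove(port)
            continue
        m = ICMP_RE.match(line)
        if m and m.groups() == ("3", "3") and pending:
            # Assumption: the ICMP line carries no port, so blame the newest unanswered probe.
            probes[pending.pop()].update(state="filtered", reason="rejected (ICMP type=3/code=3)")
    for entry in probes.values():
        if entry["state"] is None:             # dropped: SENT retries, never a RCVD
            entry.update(state="filtered", reason=f"dropped (no reply to {entry['sent']} SYN probes)")
    return {port: (e["state"], e["reason"]) for port, e in probes.items()}
```

Running classify_trace(SAMPLE_TRACE) yields port 22 open, 80 closed, 443 filtered/dropped after two unanswered SYNs, and 8080 filtered/rejected by the ICMP type=3/code=3 reply.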

UDP Scan

Flag: -sU

Usually takes longer because there is no handshake. Can produce false negatives if the service does not respond to empty UDP packets.

In this case, an ICMP error code 3 (port unreachable) means that the port is closed.

For all other ICMP responses, the scanned ports are marked as (open|filtered).

Scripts

Table of Scripts categories:

sudo nmap <target> --script <script-name>,<script-name>,...
sudo nmap <target> --script <category>
sudo nmap <target> -sC

ACK Scan

Flag: -sA

Sending an ACK packet requires the service to reply with RST if the port is open.

Firewalls struggle to detect this because they usually cannot tell whether the connection was initiated from the internal network or from outside.

A filtered result can be either rejected (ICMP response) or dropped (no response).
