# Port Scanning Techniques

#### 1. **TCP SYN Scan (-sS)**

**Description**: The default scan type; it sends a SYN packet and waits for a response to determine the state of the port (open, closed, or filtered). It's fast and stealthy.

```bash
nmap -sS <target>
```

#### 2. **TCP Connect Scan (-sT)**

**Description**: Used when a SYN scan is not an option (for example, when Nmap lacks the privileges to send raw packets). It uses the operating system's network API to establish a full TCP connection. It's less stealthy and slower than the SYN scan, and the completed connection is more likely to be logged by the target service.

```bash
nmap -sT <target>
```

#### 3. **UDP Scan (-sU)**

**Description**: Scans for open UDP ports. It's slower than TCP scanning because open UDP ports often do not respond at all, so Nmap has to wait for timeouts, and many hosts rate-limit the ICMP port-unreachable replies that identify closed ports. Useful for finding services like DNS or SNMP.

```bash
nmap -sU <target>
```

#### 4. **SCTP INIT Scan (-sY)**

**Description**: Equivalent to the TCP SYN scan but for SCTP (Stream Control Transmission Protocol). It sends an INIT chunk and waits for a response to determine the port state.

```bash
nmap -sY <target>
```

#### 5. **TCP NULL Scan (-sN)**

**Description**: Sends a packet with no flags set. According to RFC 793, closed ports should return a RST, while open ports will ignore the packet. Often used to bypass some firewalls.

```bash
nmap -sN <target>
```

#### 6. **TCP FIN Scan (-sF)**

**Description**: Sends packets with only the FIN flag set. Closed ports should return a RST, while open ports will ignore the packet. Stealthy but unreliable on some systems.

```bash
nmap -sF <target>
```

#### 7. **TCP Xmas Scan (-sX)**

**Description**: Sends packets with FIN, PSH, and URG flags set. It's similar to the FIN scan but more unusual, potentially bypassing some firewalls.

```bash
nmap -sX <target>
```

#### 8. **TCP ACK Scan (-sA)**

**Description**: Used to map firewall rules. Sends ACK packets and determines which ports are filtered based on the responses. It doesn't identify open ports.

```bash
nmap -sA <target>
```

#### 9. **TCP Window Scan (-sW)**

**Description**: Similar to the ACK scan, but uses the TCP window size in RST packets to identify whether a port is open or closed. Relies on specific system behaviors.

```bash
nmap -sW <target>
```

#### 10. **TCP Maimon Scan (-sM)**

**Description**: Sends FIN/ACK packets. Many systems drop them if the port is open but return a RST if the port is closed. It can bypass certain filters.

```bash
nmap -sM <target>
```

#### 11. **Custom TCP Scan (--scanflags)**

**Description**: Allows users to create custom TCP scans by specifying any combination of flags (e.g., URG, ACK, FIN) to probe how firewalls or intrusion detection systems react. The flag names are concatenated without separators, as in the example below.

```bash
nmap --scanflags URGACKPSHRSTSYNFIN <target>
```
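As an added example that is not from the page or the Nmap project, the Python below parses the concatenated `--scanflags` name syntax into a bitmask and labels a raw TCP header by the flag combinations items 5 through 11 describe, the way a detection rule would see them. `make_header` builds constructed sample headers and is an assumption, not captured traffic.

```python
import struct

# TCP control bits (RFC 793); they occupy the low six bits of header bytes 12-13.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_scanflags(spec: str) -> int:
    """Convert an nmap --scanflags string such as 'URGACKPSHRSTSYNFIN' to a bitmask."""
    spec = spec.upper()
    if len(spec) % 3:
        raise ValueError("flag names are three letters each, concatenated")
    mask = 0
    for i in range(0, len(spec), 3):
        mask |= FLAGS[spec[i:i + 3]]  # KeyError for an unknown flag name
    return mask


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def classify(flags: int) -> str:
    """Name the scan type a flag combination corresponds to, per the descriptions above."""
    fin, syn, rst, psh, ack, urg = (FLAGS[n] for n in ("FIN", "SYN", "RST", "PSH", "ACK", "URG"))
    if flags == 0:
        return "NULL scan"
    if flags == fin:
        return "FIN scan"
    if flags == fin | psh | urg:
        return "Xmas scan"
    if flags & syn and flags & (fin | rst):
        return "invalid combination (SYN with FIN/RST)"
    # After the handshake every legitimate segment carries ACK; a bare SYN or RST is also valid.
    if not flags & ack and flags not in (syn, rst):
        return "out-of-spec flags (no ACK)"
    # SYN, ACK and FIN/ACK (Maimon) probes look like ordinary traffic by flags alone;
    # telling them apart needs connection state or rate, not just this one header.
    return "plausible"


def make_header(flags: int, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header with the given flags (sample input, not a capture)."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)
```

Only NULL, FIN and Xmas probes are identifiable from a single header; the "plausible" cases need a stateful firewall or IDS that knows whether a connection exists.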

#### 12. **SCTP COOKIE ECHO Scan (-sZ)**

**Description**: Similar to the SCTP INIT scan but uses COOKIE ECHO chunks. It's stealthier than the INIT scan, but it cannot distinguish open ports from filtered ones, so both are reported as open|filtered.

```bash
nmap -sZ <target>
```

#### 13. **Idle Scan (-sI)**

**Description**: A stealthy scan in which the scanner's own IP address never appears in the probes the target sees. Instead, the probes are spoofed to appear to come from a third-party (zombie) host, and the zombie's IP ID sequence reveals how the target responded, making the scan nearly undetectable from the target's point of view.

```bash
nmap -sI <zombie_host> <target>
```

#### 14. **IP Protocol Scan (-sO)**

**Description**: Scans for supported IP protocols on a host (e.g., TCP, UDP, ICMP, etc.) instead of traditional ports. Useful for determining protocol-level services.

```bash
nmap -sO <target>
```

#### 15. **FTP Bounce Scan (-b)**

**Description**: Largely obsolete. Uses a misconfigured FTP server as a proxy to scan other machines. Once common, but now rarely works, as FTP servers typically block this behavior.

```bash
nmap -b <FTP_relay_host> <target>
```

Each scan is useful in different scenarios, depending on your needs (e.g., stealth, speed, or protocol types).
