Port Scanning Techniques

1. TCP SYN Scan (-sS)

Description: The default scan type; it sends a SYN packet and waits for a response to determine the state of the port (open, closed, or filtered). It's fast and stealthy.

nmap -sS <target>

2. TCP Connect Scan (-sT)

Description: Used when SYN scan is not available. It uses the operating system's network API to establish a full TCP connection. It's less stealthy and slower than the SYN scan.

nmap -sT <target>

3. UDP Scan (-sU)

Description: Scans for open UDP ports. It's slower than TCP scanning since UDP doesn't provide as many responses. Useful for finding services like DNS or SNMP.

nmap -sU <target>

4. SCTP INIT Scan (-sY)

Description: Equivalent to the TCP SYN scan but for SCTP (Stream Control Transmission Protocol). It sends an INIT chunk and waits for a response to determine the port state.

nmap -sY <target>

5. TCP NULL Scan (-sN)

Description: Sends a packet with no flags set. According to RFC 793, closed ports should return a RST, while open ports will ignore the packet. Often used to bypass some firewalls.

nmap -sN <target>

6. TCP FIN Scan (-sF)

Description: Sends packets with only the FIN flag set. Closed ports should return a RST, while open ports will ignore the packet. Stealthy but unreliable on some systems.

nmap -sF <target>

7. TCP Xmas Scan (-sX)

Description: Sends packets with FIN, PSH, and URG flags set. It's similar to the FIN scan but more unusual, potentially bypassing some firewalls.

nmap -sX <target>

8. TCP ACK Scan (-sA)

Description: Used to map firewall rules. Sends ACK packets and determines which ports are filtered based on the responses. It doesn't identify open ports.

nmap -sA <target>

9. TCP Window Scan (-sW)

Description: Similar to the ACK scan, but uses the TCP window size in RST packets to identify whether a port is open or closed. Relies on specific system behaviors.

nmap -sW <target>

10. TCP Maimon Scan (-sM)

Description: Sends FIN/ACK packets. Many systems drop them if the port is open but return a RST if the port is closed. It can bypass certain filters.

nmap -sM <target>

11. Custom TCP Scan (--scanflags)

Description: Allows users to create custom TCP scans by specifying any combination of flags (e.g., URG, ACK, FIN, etc.) to bypass firewalls or IDS systems.

nmap --scanflags URGACKPSHRSTSYNFIN <target>

Description: Similar to the SCTP INIT scan but uses COOKIE ECHO chunks. It's stealthier than INIT scan, but it can only mark ports as open|filtered.

nmap -sZ <target>

13. Idle Scan (-sI)

Description: A stealthy scan where the attacker's IP address is not used. Instead, a third-party (zombie) host is used to send packets, making the scan nearly undetectable.

nmap -sI <zombie_host> <target>

14. IP Protocol Scan (-sO)

Description: Scans for supported IP protocols on a host (e.g., TCP, UDP, ICMP, etc.) instead of traditional ports. Useful for determining protocol-level services.

nmap -sO <target>

15. FTP Bounce Scan (-b)

Description: Deprecated. Uses a vulnerable FTP server as a proxy to scan other machines. Once common, but now mostly obsolete as FTP servers typically block this behavior.

nmap -b <FTP_relay_host> <target>

Each scan is useful in different scenarios, depending on your needs (e.g., stealth, speed, or protocol types).

Last updated