Port Scanning Techniques
1. TCP SYN Scan (-sS)
Description: The default scan type; it sends a SYN packet and waits for a response to determine the state of the port (open, closed, or filtered). It's fast and stealthy.
nmap -sS <target>
2. TCP Connect Scan (-sT)
Description: Used when SYN scan is not available. It uses the operating system's network API to establish a full TCP connection. It's less stealthy and slower than the SYN scan.
nmap -sT <target>
3. UDP Scan (-sU)
Description: Scans for open UDP ports. It's slower than TCP scanning since UDP doesn't provide as many responses. Useful for finding services like DNS or SNMP.
nmap -sU <target>
4. SCTP INIT Scan (-sY)
Description: Equivalent to the TCP SYN scan but for SCTP (Stream Control Transmission Protocol). It sends an INIT chunk and waits for a response to determine the port state.
nmap -sY <target>
5. TCP NULL Scan (-sN)
Description: Sends a packet with no flags set. According to RFC 793, closed ports should return a RST, while open ports will ignore the packet. Often used to bypass some firewalls.
nmap -sN <target>
6. TCP FIN Scan (-sF)
Description: Sends packets with only the FIN flag set. Closed ports should return a RST, while open ports will ignore the packet. Stealthy but unreliable on some systems.
nmap -sF <target>
7. TCP Xmas Scan (-sX)
Description: Sends packets with FIN, PSH, and URG flags set. It's similar to the FIN scan but more unusual, potentially bypassing some firewalls.
nmap -sX <target>
8. TCP ACK Scan (-sA)
Description: Used to map firewall rules. Sends ACK packets and determines which ports are filtered based on the responses. It doesn't identify open ports.
nmap -sA <target>
9. TCP Window Scan (-sW)
Description: Similar to the ACK scan, but uses the TCP window size in RST packets to identify whether a port is open or closed. Relies on specific system behaviors.
nmap -sW <target>
10. TCP Maimon Scan (-sM)
Description: Sends FIN/ACK packets. Many systems drop them if the port is open but return a RST if the port is closed. It can bypass certain filters.
nmap -sM <target>
11. Custom TCP Scan (--scanflags)
Description: Allows users to create custom TCP scans by specifying any combination of flags (e.g., URG, ACK, FIN, etc.) to bypass firewalls or IDS systems.
nmap --scanflags URGACKPSHRSTSYNFIN <target>
12. SCTP COOKIE ECHO Scan (-sZ)
Description: Similar to the SCTP INIT scan but uses COOKIE ECHO chunks. It's stealthier than INIT scan, but it can only mark ports as open|filtered.
nmap -sZ <target>
13. Idle Scan (-sI)
Description: A stealthy scan where the attacker's IP address is not used. Instead, a third-party (zombie) host is used to send packets, making the scan nearly undetectable.
nmap -sI <zombie_host> <target>
14. IP Protocol Scan (-sO)
Description: Scans for supported IP protocols on a host (e.g., TCP, UDP, ICMP, etc.) instead of traditional ports. Useful for determining protocol-level services.
nmap -sO <target>
15. FTP Bounce Scan (-b)
Description: Deprecated. Uses a vulnerable FTP server as a proxy to scan other machines. Once common, but now mostly obsolete as FTP servers typically block this behavior.
nmap -b <FTP_relay_host> <target>
Each scan is useful in different scenarios, depending on your needs (e.g., stealth, speed, or protocol types).
Last updated