Nmap, 4 Scanning Methods

Why this post

Nmap, the network mapper, is one of the most important tools for pentesters and network/system admins. It can send raw IP packets to machines on local and remote networks, receive the targets’ responses, and analyze them.

Mapping networks, scanning small and large ranges of targets, identifying services, predicting firewall configuration, predicting the target’s OS, and much more are possible with nmap. It is thus important not only to understand nmap’s output, but also to understand how nmap works under the hood.

This post focuses on the pros and cons of each scanning method and when to use each one. Since I’m not an expert (I’m a learning student), I will not go too deep. Most of the information can be found via nmap’s -h help flag or in chapter 15 of the nmap book (https://nmap.org/book/man.html).

Scanning Techniques

1. SYN Scan

(-sS) The SYN scan is nmap’s default scan. It does not complete a full three-way handshake between the attacker and the target; instead it performs a split (half-open) three-way handshake that involves a “SYN”, a “SYN/ACK”, and a “RST” packet. The scan never opens a full connection: before the connection is established, the attacker sends a RST packet and aborts it.

  • Open = Port is open for service
  • Filtered = Port is open, but access is filtered/restricted
  • Closed = Port is unreachable (there is no service running on that port)

A. Pro

  • Doesn’t create an application-layer connection to the target
  • Doesn’t create an application-layer log (a well-configured IDS will still log it)
  • Provides information about open, closed, filtered port

B. Cons

  • Nmap should be run with privileged access
  • Cannot identify UDP ports.

C. When to use

  • When the attacker has full control of nmap (attacker uses attacker’s machine)
  • Default scan. Often used with -sV to find out service version


2. Connect Scan

(-sT) Connect scan uses the full TCP three-way handshake: SYN → SYN + ACK → ACK. If Connect scan cannot establish a full three-way handshake because the port is filtered, it will just assume that the port is “blocked” and will label it as unreachable/closed. Thus, Connect scan will only return open or closed ports.

A. Pros

  • Uses TCP-based methods, which means ANY user on the machine can use it.
  • Does not need privileged access

B. Cons

  • Makes a full TCP connection → Applications/services WILL log this.
  • Only shows open or closed ports. Does NOT show filtered ports.

C. When to use

  • Not much. Maybe when you have gotten inside a target machine and want to scan the internal network, but don’t have privileged access on your current machine.
  • But then, what’s the use? Your attempt will get logged on every single machine inside the internal network. Sysadmins will know that you are inside the internal network.


3. Stealth scans → FIN Scan  (Xmas, Null as well)

(-sF) Sends a single, intentionally mangled FIN packet to each port. If the port responds with RST, the port is CLOSED. If the port does not respond, the port is open or filtered. This is because firewalls often just drop/ignore FIN packets without any response.

A. Pros

  • No TCP sessions, no TCP connections. Very quiet.

B. Cons

  • Windows targets will just ignore all FIN/Xmas/Null scans and respond with closed ports.

C. When to use

  • When you need a very quiet scan.  Will only show Closed + Open|filtered.


4. ACK Scan

(-sA) ACK scan never determines whether a port is open. It only shows whether a port is filtered or unfiltered by the firewall. ACK scan uses an “ACK” → “RST” packet exchange.
Open and closed ports both return a RST packet, which nmap then labels as an unfiltered port. This means the port is reachable.
If the port doesn’t respond, nmap will label the port as filtered. This usually means there is a firewall dropping/blocking the ACK scan attempt.

C. When to use

  • Use to make a list of filtered/unfiltered port numbers. See which ports are filtered by firewall.
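
Each of the four probe patterns described above leaves a distinct TCP-flag sequence that a network sensor can recognise. The following Python is an added example, not part of the original post; the packet tuples are a constructed sample, and the names classify_flow, detect and the min_ports threshold are hypothetical.

```python
from collections import defaultdict

# Constructed sample capture, not real traffic: (client, server, port, sender, TCP flags).
# Flags use one letter each: S=SYN A=ACK R=RST F=FIN P=PSH U=URG; "" means no flags set.
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 22, "c", "S"), ("10.0.0.5", "10.0.0.9", 22, "s", "SA"),
    ("10.0.0.5", "10.0.0.9", 22, "c", "R"),      # half-open: RST sent instead of ACK
    ("10.0.0.5", "10.0.0.9", 80, "c", "S"), ("10.0.0.5", "10.0.0.9", 80, "s", "SA"),
    ("10.0.0.5", "10.0.0.9", 80, "c", "R"),
    ("10.0.0.6", "10.0.0.9", 80, "c", "S"), ("10.0.0.6", "10.0.0.9", 80, "s", "SA"),
    ("10.0.0.6", "10.0.0.9", 80, "c", "A"),      # full three-way handshake
    ("10.0.0.7", "10.0.0.9", 25, "c", "F"), ("10.0.0.7", "10.0.0.9", 25, "s", "RA"),
    ("10.0.0.7", "10.0.0.9", 443, "c", "F"),     # FIN with no reply
    ("10.0.0.8", "10.0.0.9", 443, "c", "A"), ("10.0.0.8", "10.0.0.9", 443, "s", "R"),
    ("10.0.0.8", "10.0.0.9", 8080, "c", "A"),    # ACK with no reply
]

# First-packet flag sets used by the FIN, Null and Xmas probes.
STEALTH = {frozenset("F"): "fin", frozenset(): "null", frozenset("FPU"): "xmas"}

def classify_flow(client, server):
    """Label one client -> server:port flow from the flag sets each side sent."""
    first = client[0]
    if first == frozenset("S"):
        if frozenset("SA") in server and len(client) > 1:
            # After SYN/ACK, a RST marks a half-open probe; an ACK completes the handshake.
            return "syn-half-open" if "R" in client[1] else "connect"
        return "syn-no-handshake"
    if first in STEALTH:
        return STEALTH[first]
    if first == frozenset("A"):
        # Assumes the capture saw the flow from its start, so this ACK had no prior SYN.
        return "ack"
    return "other"

def detect(packets, min_ports=2):
    """Return {(source, probe type): ports} for sources probing >= min_ports ports."""
    flows = defaultdict(lambda: ([], []))
    for client, server, port, sender, flags in packets:
        flows[(client, server, port)][0 if sender == "c" else 1].append(frozenset(flags))
    hits = defaultdict(set)
    for (client, _server, port), (c, s) in flows.items():
        if c:  # skip flows where only the server side was captured
            hits[(client, classify_flow(c, s))].add(port)
    return {key: sorted(p) for key, p in hits.items() if len(p) >= min_ports}
```

With the sample capture, the single completed handshake from 10.0.0.6 stays below the threshold, while the half-open, FIN and ACK sources are each reported with the ports they touched.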



