Saturday, May 16, 2009

Port Scanning with Nmap

  • -sT: Connect TCP scan (aka “polite”)
  • -sS: SYN scan (aka “half-open”)
      - Harder to detect
      - Much quicker
  • -sF, -sN, -sX: FIN, NULL, and Xmas scans
      - RFC 793 p.65: “if the [destination] port state is CLOSED…an incoming segment not containing a RST causes a RST to be sent in response.” p.66, regarding packets sent to open ports without the SYN, RST, or ACK bits set: “you are unlikely to get here, but if you do, drop the segment and return.”
      - Compliant systems respond to packets not containing the SYN, RST, or ACK bits with a RST if the port is closed and with no response if the port is open
  • --scanflags: Custom scan types
      - Any combination of URG, ACK, PSH, RST, SYN, and FIN
      - Non-delimited list (e.g. URGACKPSHRSTSYNFIN)
  • -sA: TCP ACK scan
      - Does not determine port state
      - Useful to map firewall rulesets and whether they are stateful or not
      - ‘open’ and ‘closed’ reachable ports reply with RST = ‘unfiltered’
      - ‘filtered’ ports don’t respond or send ICMP errors
  • -sW: Window TCP scan
      - Same as the ACK scan, but also examines the TCP Window value of the RST
  • -sM: Maimon scan (FIN/ACK)
      - Uriel Maimon (Phrack Magazine, Nov. 1996)
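The RFC 793 behaviour above is also what makes FIN, NULL and Xmas probes easy to spot on the wire: a TCP segment with none of SYN, RST or ACK set almost never occurs in legitimate traffic. The following is an added example (not from the original post or from Nmap) that names the probe type from a tcpdump-style flag string and flags a source that sends such probes to several ports; the log lines are constructed.

```python
"""Classify TCP flag combinations from tcpdump-style lines and flag likely
FIN/NULL/Xmas scan sources (the RFC 793 "no SYN, RST or ACK" case)."""
import re
from collections import defaultdict

# Constructed sample lines in tcpdump's default text format, not a real capture.
SAMPLE_LOG = """\
12:00:01.000001 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000002 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [F], seq 1, win 1024, length 0
12:00:01.000003 IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [FPU], seq 1, win 1024, length 0
12:00:01.000004 IP 10.0.0.5.40004 > 10.0.0.9.8080: Flags [none], seq 1, win 1024, length 0
12:00:01.000005 IP 10.0.0.5.40005 > 10.0.0.9.25: Flags [F.], seq 1, ack 1, win 1024, length 0
12:00:01.000006 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [S], seq 1, win 64240, length 0
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def classify_probe(flags: str) -> str:
    """Map a tcpdump flag string (S=SYN, F=FIN, P=PSH, U=URG, R=RST, .=ACK,
    'none' = no flags) to the Nmap scan type that sends such a segment."""
    f = set() if flags == "none" else set(flags)
    if "S" in f or "R" in f:
        return "syn/rst"     # ordinary traffic or -sS/-sT; not a stealth probe
    if f == {"F", "P", "U"}:
        return "xmas"        # -sX
    if f == {"F", "."}:
        return "maimon"      # -sM: FIN/ACK, has ACK so not the RFC 793 case
    if f == {"F"}:
        return "fin"         # -sF
    if not f:
        return "null"        # -sN
    if "." in f:
        return "ack"         # -sA/-sW probe or ordinary ACK traffic
    return "other"

def stealth_probe_sources(log: str, min_ports: int = 3) -> dict:
    """Return {src_ip: sorted dst ports} for sources whose FIN/NULL/Xmas probes
    (no SYN, RST or ACK set) reached at least min_ports distinct ports."""
    ports = defaultdict(set)
    for m in LINE_RE.finditer(log):
        src, _, _, dport, flags = m.groups()
        if classify_probe(flags) in ("fin", "null", "xmas"):
            ports[src].add(int(dport))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(stealth_probe_sources(SAMPLE_LOG))   # {'10.0.0.5': [80, 443, 8080]}
```

A Maimon (FIN/ACK) probe is deliberately left out of the stealth set because it carries ACK and so does not trigger the RFC 793 rule the post quotes; the ACK and Window scans are likewise only recognisable by volume, not by flag combination.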
