Nmap and Network Scanning

5.

Core Port Scanning Techniques

5.1.

TCP SYN Scan (-sS)

5.1.1.

Half-Open Scanning

5.1.1.1.

SYN Packet Transmission

5.1.1.2.

Response Analysis

5.1.2.

Stealth Characteristics

5.1.2.1.

Connection Avoidance

5.1.2.2.

5.1.3.

Privileges Required

5.1.3.1.

Raw Socket Access

5.1.3.2.

Root/Administrator Rights

5.1.4.

Typical Use Cases

5.1.4.1.

Default Scan Method

5.1.4.2.

Stealth Requirements

5.2.

TCP Connect Scan (-sT)

5.2.1.

Full Connection Establishment

5.2.1.1.

Complete TCP Handshake

5.2.1.2.

System Call Usage

5.2.2.

5.2.2.1.

Connection Logging

5.2.2.2.

5.2.3.

5.2.3.1.

Non-Privileged Scanning

5.2.3.2.

Compatibility Requirements

5.3.

5.3.1.

Connectionless Protocol Challenges

5.3.1.1.

No Connection State

5.3.1.2.

Response Variability

5.3.2.

Interpreting Responses

5.3.2.1.

5.3.2.2.

5.3.2.3.

5.3.3.

False Positives and Negatives

5.3.3.1.

ICMP Unreachable Messages

5.3.3.2.

Timeout Interpretation

5.3.4.

UDP Scan Optimization

5.3.4.1.

5.3.4.2.

Payload Customization

5.4.

TCP FIN Scan (-sF)

5.4.1.

FIN Flag Scanning

5.4.2.

RFC 793 Compliance

5.4.3.

Closed Port Responses

5.4.4.

Firewall Evasion

5.5.

TCP Null Scan (-sN)

5.5.1.

5.5.2.

System Response Patterns

5.5.3.

Stealth Characteristics

5.6.

TCP Xmas Scan (-sX)

5.6.1.

FIN, PSH, and URG Flags

5.6.2.

Christmas Tree Analogy

5.6.3.

Detection Signatures

5.7.

TCP ACK Scan (-sA)

5.7.1.

Firewall Rule Probing

5.7.2.

Differentiating Stateful vs Stateless Firewalls

5.7.2.1.

RST Response Analysis

5.7.2.2.

Filtered vs Unfiltered

5.7.3.

Network Topology Mapping

5.8.

TCP Window Scan (-sW)

5.8.1.

Window Size Analysis

5.8.2.

System-Specific Responses

5.8.3.

Limited Applicability

5.9.

TCP Maimon Scan (-sM)

5.9.1.

FIN/ACK Flag Combination

5.9.2.

BSD System Targeting

5.9.3.

Unique Response Patterns

5.10.

Custom TCP Scans

5.10.1.

--scanflags Option

5.10.1.1.

Custom Flag Combinations

5.10.1.2.

Manual Flag Setting

5.10.2.

Advanced Evasion Techniques

5.11.

SCTP INIT Scan (-sY)

5.11.1.

SCTP Protocol Overview

5.11.1.1.

Stream Control Transmission Protocol

5.11.1.2.

Multi-Homing Support

5.11.2.

INIT Chunk Scanning

5.11.3.

Specialized Applications

5.12.

IP Protocol Scan (-sO)

5.12.1.

Protocol-Level Scanning

5.12.2.

Supported IP Protocols

5.12.3.

Raw IP Packet Analysis

5.13.

Idle Scan (-sI)

5.13.1.

Zombie Host Concept

5.13.2.

IP ID Sequence Analysis

5.13.3.

Identifying Suitable Zombie Hosts

5.13.3.1.

Idle Host Requirements

5.13.3.2.

IP ID Predictability

5.13.4.

5.13.4.1.

Baseline Establishment

5.13.4.2.

5.13.4.3.

Result Interpretation

5.13.5.

Advantages and Limitations

5.13.5.1.

Ultimate Stealth

5.13.5.2.

Complexity Requirements

5.14.

Specifying Ports and Scan Order

5.14.1.

Port Range Specification (-p)

5.14.1.1.

Individual Ports

5.14.1.2.

5.14.1.3.

Protocol-Specific Ports

5.14.2.

5.14.2.1.

5.14.2.2.

Speed Optimization

5.14.3.

Don't Randomize Ports (-r)

5.14.3.1.

Sequential Port Scanning

5.14.3.2.

Predictable Order

5.14.4.

Top Ports (--top-ports)

5.14.4.1.

Most Common Ports

5.14.4.2.

Customizable Count

5.14.5.

Port Exclusion (--exclude-ports)

5.14.5.1.

Avoiding Specific Ports

5.14.5.2.

Service Disruption Prevention

Previous

4. Host Discovery

Go to top

Next

6. Service and Version Detection