nmap scan techniques

Here we’ll look at all the available type of scan you can do with nmap, how they work, and the pros and cons of each. As with everything to do with nmap, apparent simplicity belies the depth and scope of the information you can elicit using the tool. Some of these scan techniques are nice and simple ‘bangs on the door’ whist others will help a pen tester get through an IDS undetected.

TCP Connect Scan

The first we’ll look at the most straightforward of them all – the TCP connect scan using the -sT argument. An example would be:

nmap -sT

This scan, as you’d expect, completes the TCP connection between nmap and the target – the scanner sends a SYN packet, the target system responds with SYN/ACK and the scanner then responds with the ACK to complete the fabled three-way handshake. This is the most reliable method of scanning for TCP-based services. You, as the scanner, are making proper connections to available ports. This is good because the responses you get from any ports will be the real deal. It’s bad because, well, if you look at what’s going on it should be pretty obvious. First of all, completing the three-way handshake results in more network traffic, second of all (from the perspective of a pen tester) a completed TCP connection is highly likely to have been logged somewhere – not really desirable if you want to stay quiet.

SYN Scan

That leads us on to the -sS argument, the SYN scan, a.k.a stealth scanning. The latter is something of a misnomer now; any IDS will pick up a SYN scan immediately and slam the door on you. However, if there is no IDS present, the SYN scan is the way to go for the most part. An example would be:

nmap -sS

This scan works by sending a SYN to the target, which then responds with the same SYN/ACK on open ports. Unlike the previous example, this time we don’t send the ACK, never completing the three-way handshake. The scanner gets all it needs from the target to establish it is there and then gives nothing else. It’s called a stealth scan due to the fact that such half-open scans were never logged by firewalls. Well, they are now. Ironically, the previous scan (TCP connect) is less likely to flag as suspicious to an IDS.

ACK Scan

We’ll look at the ACK scan next, which uses the argument -sA. An example of this would be:

nmap -sA

This scan works, as you have probably worked out, by sending TCP packets to the target with the ACK flag set. The ACK is the last stage of the three-way handshake and consequently this scan will never confirm that a port is definitely open, just that it is either filtered or unfiltered, i.e. there is or isn’t a firewall filtering your packets. An open port would respond with a RST flag which is its way of telling the scanner “I have never heard from you before, why are you sending me an ACK? Can we please start again so I am less confused?”. I hope the mention of a firewall has made you realise when you might use this scan. It is well-suited for very light recon of a target and establishing the existence and behaviour of any firewall sitting in front of it. It may set alarm bells ringing in a sensitive IDS, but you would be unlucky to come across such a setup because network white noise would drive the admins crazy with alerts.