Nmap TCP Scans
Nmap (Network Mapper) offers various TCP scan techniques to discover open ports and services on a target system. Each scan type has its own characteristics, advantages, and limitations. Here are some of the most commonly used TCP scan types in Nmap:
TCP SYN Scan (-sS):
Also known as "half-open" or "stealth" scan.
Sends SYN packets to the target ports and analyzes the responses.
Does not complete the TCP handshake, so the probe is less likely to be logged by the application listening on the port.
Faster than full TCP connect scans.
Effective against most hosts and firewall configurations.
TCP Connect Scan (-sT):
Also known as a "full connect" scan.
Completes the TCP three-way handshake with the target ports.
Establishes a full TCP connection, making it more detectable.
Reliable and accurate but slower than a SYN scan.
Often used when stealth is not a concern and accurate results are needed.
TCP ACK Scan (-sA):
Sends ACK packets to the target ports.
Analyzes the responses to determine whether ports are filtered or unfiltered.
Useful for mapping firewall rules: a filter that lets unsolicited ACK packets through will let the probe reach the host.
Does not determine open or closed ports, only whether the port is filtered or not.
TCP Window Scan (-sW):
Sends packets with a specified TCP window size to the target ports.
Analyzes the responses to determine if ports are open, closed, or filtered.
Useful for bypassing some firewall configurations.
Less commonly used than the other scan types.
TCP NULL Scan (-sN), FIN Scan (-sF), Xmas Scan (-sX):
These are all stealthy scans that send packets with no flags set (NULL scan), only the FIN flag set (FIN scan), or the FIN, PSH, and URG flags set together (Xmas scan).
They rely on the behavior of the target's TCP stack to determine open, closed, or filtered ports.
Less reliable and less commonly used than SYN and connect scans.
TCP Idle Scan (-sI):
Also known as a "spoofed" or "stealth" scan.
Uses a third-party host (usually one with predictable IP ID increments) as an intermediary to scan the target.
Exploits differences in IP ID sequences to identify open ports.
Extremely stealthy but requires careful configuration and understanding of network topology.
Spoofing IP:
IP spoofing involves forging the source IP address of packets to hide the identity of the sender.
It can be used to bypass filtering or disguise the origin of an attack.
Spoofing MAC:
MAC spoofing involves forging the source MAC address of packets to impersonate a legitimate network device.
It can be used for various purposes, including bypassing MAC address filtering or impersonating trusted devices.
Decoy Scan:
A decoy scan involves sending packets from multiple IP addresses to make it more difficult to detect the true source of the scan.
Decoy IP addresses can be specified to confuse network defenders or evade intrusion detection systems.
Fragmented Packets:
Fragmented packet scanning involves splitting packets into smaller fragments to evade packet filtering or inspection.
It can be used to bypass firewall rules that only inspect the first fragment of a packet.
Each TCP scan type in Nmap has its own use case and effectiveness depending on the target network, firewall configurations, and desired level of stealth. It's important to understand the characteristics and limitations of each scan type before choosing the appropriate one for a specific scanning scenario.
The Null scan, FIN scan, and Xmas scan are all stealthy scanning techniques used in Nmap to probe for open ports on a target system. They exploit specific behaviors of the TCP protocol to determine the status of ports without completing a full TCP handshake. Here's an explanation of each:
Null Scan:
In a Null scan, Nmap sends TCP packets with all flags (also known as control bits) set to 0.
Normally, TCP packets contain flags such as SYN, ACK, RST, FIN, PSH, and URG. However, in a Null scan, none of these flags are set.
The Null scan relies on the fact that most systems will respond with a RST (reset) packet if a TCP packet with no flags set is sent to a closed port.
If no response is received, Nmap cannot distinguish an open port from a filtered one and reports it as open|filtered.
FIN Scan:
In a FIN scan, Nmap sends TCP packets with only the FIN (finish) flag set.
The FIN scan relies on the fact that most systems respond with a RST packet when a FIN-only packet is sent to a closed port, while an open port sends nothing back.
If no response is received, Nmap interprets the port as open or filtered.
Xmas Scan:
In an Xmas scan, Nmap sends TCP packets with the FIN, URG (urgent), and PSH (push) flags set, making the packet resemble the pattern of lights on a Christmas tree.
Like the FIN scan, the Xmas scan relies on the fact that most systems respond with a RST packet when such a packet is sent to a closed port but ignore it when the port is open.
If no response is received, Nmap interprets the port as open or filtered.
These scans are considered stealthy because they do not complete the three-way TCP handshake, which is typically used to establish a connection with a service. Instead, they rely on subtle behavior differences in how systems respond to packets with certain flags set. However, they may not be as reliable as more conventional scans and may not work against all types of systems or configurations. Additionally, some systems and firewalls may detect and block these types of scans, so they should be used with caution and in accordance with ethical guidelines.
Nmap port states:
open: This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams, or SCTP associations.
closed: When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not.
filtered: Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.
unfiltered: This state of a port only occurs during the TCP ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.
open|filtered: If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port.
closed|filtered: This state only occurs in the IP ID idle scan and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.
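To make the rules above concrete, here is an added Python example (not from this page or from the Nmap project) that labels a probe by its TCP flag combination, maps a (scan type, response) pair to the port state in the table, and flags sources that send repeated NULL/FIN/Xmas probes in a constructed set of flow records. The flag bit values, the response names and the sample records are assumptions made for illustration.

```python
# Added example (not from the page or the Nmap project): a decision table that
# reproduces how the scans above interpret responses, plus a small detector that
# labels probe packets by their TCP flag combination. Flag bit values follow the
# TCP header control-bit layout; the sample records below are constructed.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe signatures as they appear on the wire (packet capture or firewall log).
PROBE_FLAGS = {
    "syn": SYN,                # first packet of -sS and -sT
    "ack": ACK,                # -sA (and -sW)
    "null": 0,                 # -sN: no flags at all
    "fin": FIN,                # -sF
    "xmas": FIN | PSH | URG,   # -sX
}

def classify_probe(flags: int) -> str:
    """Return the scan type whose probe carries exactly these flags, else 'other'."""
    for name, signature in PROBE_FLAGS.items():
        if flags == signature:
            return name
    return "other"

def infer_state(scan: str, response: str) -> str:
    """Map (scan type, response) to the Nmap port state from the table above.
    response is one of 'syn-ack', 'rst', 'icmp-error' or 'none'."""
    if response == "icmp-error":
        return "filtered"  # an error code from the target
    table = {
        "syn": {"syn-ack": "open", "rst": "closed", "none": "filtered"},
        "ack": {"rst": "unfiltered", "none": "filtered"},
        "null": {"rst": "closed", "none": "open|filtered"},
    }
    table["fin"] = table["xmas"] = table["null"]  # same rules for all three
    if scan not in table:
        raise ValueError(f"unknown scan type: {scan}")
    return table[scan].get(response, "unexpected")

def flag_scanners(records, threshold=3):
    """records: iterable of (src_ip, tcp_flags). Return sources that sent at least
    `threshold` NULL/FIN/Xmas probes, which ordinary TCP sessions do not produce."""
    counts = {}
    for src, flags in records:
        if classify_probe(flags) in ("null", "fin", "xmas"):
            counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)

# Constructed sample: three Xmas probes from one host, normal traffic from another.
SAMPLE = [("10.0.0.5", FIN | PSH | URG)] * 3 + [("10.0.0.9", SYN), ("10.0.0.9", ACK | PSH)]
```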