Nmap - Scan Modes
Scanning modes available in Nmap
Connect
The basic scanning method. Attempts to connect to ports on the target host; if a port is listening, the connection succeeds and is then immediately shut down. No special privileges are required, but the scan is easily detected. This is the default scan type if the user has no special privileges.
SYN Stealth
A more clandestine type of scan. Synchronization (SYN) packets are sent. A SYN/ACK (synchronize/acknowledge) response indicates a listening port; a Reset (RST) response indicates a closed port. When a port is listening, a RST is sent to tear down the half-open connection. This is the default scan type if the user has root (or administrator) privileges.
FIN, Xmas, Null
Even more clandestine scan types that may get past firewalls. FIN sends packets with only the FIN flag set, Null sends packets with no flags set at all, and Xmas sends FIN packets with the Urgent (URG) and Push (PSH) flags also set. Closed ports on most systems reply with a RST; open ports ignore the packets. Some systems, such as Windows, Cisco devices and some UNIX variants, incorrectly send RSTs for open ports. This is one possible way to detect the operating system in use, but Nmap's OS Detection option is better for that purpose. Requires root (or administrator) privileges.
Ping Sweep
Tells you which hosts in a range of IP addresses are active without scanning ports. Uses three techniques in parallel: it sends ICMP Echo Request (commonly known as Ping) packets and waits for responses; in case sites block Pings, TCP ACK packets to port 80 are sent; and in addition SYN packets are sent. Any SYN/ACK or RST replies indicate active devices. Requires root (or administrator) privileges.
UDP Scan
Detects open UDP (User Datagram Protocol) ports. ICMP Port Unreachable responses indicate closed ports; all other ports are assumed to be open. Bear in mind that many systems limit the number of ICMP error messages they will send in a given time, so scanning all 65535 possible ports may be slow. Requires root (or administrator) privileges.
IP Protocol Scan
This scan attempts to find out which IP protocols a host is using. As in UDP scanning, an ICMP Protocol Unreachable message indicates a protocol not in use, and everything else is assumed to be in use. Again, error messages may be rate-limited, but as there are only 256 possible protocols any delays should not be great.
ACK Scan
Sends ACK packets with random acknowledgment and sequence numbers to a specified range of ports. A RST or ICMP Port Unreachable response indicates a filtered port. Usually, no response in the log indicates that your packets got through. Can be used to work out whether a firewall is simply blocking SYN packets or is more sophisticated.
Window Scan
Similar to the ACK scan above, but attempts to exploit a problem with the window size reporting in some host systems.
RPC Scan
Attempts to find RPC ports and identify the RPC program and version number running on each.
List Scan
Makes a list of IP addresses against names. Does not Ping devices or scan ports, but will perform DNS name resolution by default.
FTP Bounce
FTP can allow proxy connections, which would allow files to be sent to any IP address. This could be exploited to send data to any open port. To use this scan, click the Bounce Scan box and specify the device to use as a proxy.
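From the defender's side, the SYN, FIN, Null, Xmas and ACK probes described above are recognisable by their bare TCP flag patterns. The following Python script is an added example (not part of this page or of Nmap) that classifies packets in a constructed firewall log by flag byte and reports sources that probed several distinct ports with one signature; the log format and the three-port threshold are assumptions.

```python
"""Added example (not from the page): classify inbound TCP packets in a
constructed firewall log by flag pattern into the scan types the page lists,
then report sources probing several distinct ports with one signature."""
from collections import defaultdict

# TCP flag bits in header order (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Exact flag byte -> scan type. ACK-only packets also occur in normal
# traffic, so a single one is not a probe; the port threshold below handles it.
PROBE_TYPES = {SYN: "SYN", FIN: "FIN", 0x00: "Null",
               FIN | PSH | URG: "Xmas", ACK: "ACK"}

# Constructed sample log, one inbound packet per line: "src dst dport flags".
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10 22 0x02
10.0.0.5 192.168.1.10 80 0x02
10.0.0.5 192.168.1.10 443 0x02
10.0.0.7 192.168.1.10 22 0x29
10.0.0.7 192.168.1.10 25 0x29
10.0.0.7 192.168.1.10 53 0x29
10.0.0.8 192.168.1.10 21 0x00
10.0.0.8 192.168.1.10 23 0x00
10.0.0.9 192.168.1.10 443 0x18
10.0.0.9 192.168.1.10 443 0x10
"""

def classify_flags(flags):
    """Map a TCP flag byte to a scan type, or None for ordinary traffic."""
    return PROBE_TYPES.get(flags)

def detect_scans(log_text, min_ports=3):
    """Return {(src, scan_type): sorted ports} for each source that probed
    at least min_ports distinct ports with the same scan signature."""
    probed = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _dst, dport, flags = line.split()
        scan_type = classify_flags(int(flags, 16))
        if scan_type is not None:
            probed[(src, scan_type)].add(int(dport))
    return {key: sorted(ports) for key, ports in probed.items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    for (src, kind), ports in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {kind} scan across ports {ports}")
```

Lowering min_ports to 2 also surfaces the two-port Null probe from 10.0.0.8, while the single PSH/ACK and ACK packets from 10.0.0.9 are never reported.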