Nmap employs various techniques to detect open ports on a target system, each tailored to different scenarios and levels of stealth. These methods involve sending specific packets to target ports and analyzing the responses to determine their status. Here are some of the primary port scanning techniques used by Nmap:
1. TCP Connect Scan (-sT): This method uses the operating system's normal connect() call to establish a full TCP connection with the target port. If the port is open, the three-way handshake completes successfully; if closed, the target responds with a reset (RST) packet. While reliable, this scan is the most detectable, since the connection fully completes and is handed to the listening service, which will typically log it.
2. TCP SYN Scan (-sS): Often referred to as a "half-open" scan, Nmap sends a SYN packet to the target port and waits for a response. An open port replies with a SYN/ACK, indicating readiness to establish a connection, upon which Nmap sends an RST to abort the handshake before it completes. A closed port responds with an RST. This method is stealthier because the handshake never completes, so the connection is never passed to the listening application.
3. UDP Scan (-sU): For scanning UDP ports, Nmap sends UDP packets to the target. If a port is closed, the target typically responds with an ICMP "port unreachable" message; a UDP reply marks the port open. No response at all leaves the port ambiguous (open or filtered), and this method can be slow and less reliable because of UDP's connectionless nature and ICMP rate limiting on many hosts.
4. FIN Scan (-sF), Xmas Scan (-sX), and Null Scan (-sN): These techniques send packets with unusual flag combinations (FIN only, FIN-PSH-URG for Xmas, or no flags at all for Null) to probe target ports. Closed ports typically respond with an RST, while open ports ignore the probes, so silence is reported as open or filtered rather than definitively open. These methods can bypass certain stateless firewalls and packet filters, but they depend on RFC-compliant TCP stack behaviour; systems that reply with RST to every such probe regardless of port state make the results meaningless.
5. ACK Scan (-sA): This scan type is used to map firewall rulesets, determining whether ports are filtered. Nmap sends ACK packets to the target; a received RST indicates the port is unfiltered, while no response suggests it is filtered. This method doesn't ascertain open or closed states but reveals firewall configurations.
6. Window Scan (-sW): Similar to the ACK scan, the Window scan analyzes the TCP window size of RST packets returned from the target. Variations in window size can suggest whether a port is open or closed, though this method relies on specific TCP stack behaviors and may not be universally reliable.
By employing these diverse scanning techniques, Nmap provides a comprehensive assessment of a target system's network defenses, aiding in the identification of open ports, firewall configurations, and potential vulnerabilities.
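As an added example (not part of the original text), the following Python detector shows how a defender can recognise the probe patterns described above in captured connection records: Null, FIN and Xmas flag combinations are flagged per packet, and the half-open SYN pattern is flagged per flow when a SYN is never followed by the client's handshake ACK. The record format, IP addresses, ports and threshold are all assumptions constructed for the example.

```python
from collections import defaultdict

# Client-side flag combinations that a legitimate TCP handshake never
# produces; each maps to the Nmap scan type described above.
ANOMALOUS_FLAGS = {
    frozenset(): "null",
    frozenset({"FIN"}): "fin",
    frozenset({"FIN", "PSH", "URG"}): "xmas",
}

def classify_probe(flags):
    """Return the scan type matching a packet's flag set, or None."""
    return ANOMALOUS_FLAGS.get(frozenset(flags))

def detect_scans(packets, port_threshold=5):
    """Return {(src_ip, scan_type): sorted ports} for sources that probed
    more than port_threshold distinct ports with one technique.
    packets: (src_ip, dst_port, flags) records for packets sent by the remote
    host towards us (assumed format); flags is a set of TCP flag names.
    A SYN scan is recognised per flow: a SYN never followed by the client's
    handshake ACK (half-open), whether it tears down with RST or goes silent."""
    hits = defaultdict(set)
    flows = {}  # (src_ip, dst_port) -> "syn" or "ack"
    for src, port, flags in packets:
        fs = frozenset(flags)
        kind = classify_probe(fs)
        if kind:
            hits[(src, kind)].add(port)
        elif fs == {"SYN"}:
            flows.setdefault((src, port), "syn")
        elif "ACK" in fs and "RST" not in fs:
            flows[(src, port)] = "ack"  # handshake completed normally
    for (src, port), state in flows.items():
        if state == "syn":
            hits[(src, "syn-halfopen")].add(port)
    return {k: sorted(v) for k, v in hits.items() if len(v) > port_threshold}

# Constructed sample traffic: one Xmas sweep, one half-open SYN sweep against
# open ports, and one ordinary HTTPS connection that must not be flagged.
SAMPLE_PACKETS = (
    [("10.0.0.7", p, {"FIN", "PSH", "URG"}) for p in range(20, 30)]
    + [pkt for p in range(1, 8)
       for pkt in (("10.0.0.9", p, {"SYN"}), ("10.0.0.9", p, {"RST"}))]
    + [("10.0.0.3", 443, {"SYN"}), ("10.0.0.3", 443, {"ACK"}),
       ("10.0.0.3", 443, {"PSH", "ACK"}), ("10.0.0.3", 443, {"FIN", "ACK"})]
)
```

Running detect_scans(SAMPLE_PACKETS) reports the Xmas sweep from 10.0.0.7 and the half-open SYN sweep from 10.0.0.9, while the completed connection from 10.0.0.3 is not reported.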