Nmap Port Scanning Techniques Explained

 

This article will explain how basic port scanning works and the various port scanning techniques.

But before you start to read this article, please consider reading the following articles to understand better:
1. How data travels over Internet? TCP/UDP
2. A Beginner’s Guide To Ports
3. Port Scanning : First Step Of Exploitation
4. TCP Header and 3-Way Handshake
There are a lot of Pokémon. Some can throw fire out of their mouth, some can zap their enemy with electricity, some can hit with blazing fast punches and so on.
But would you use a fire type pokémon against a water type? At least I will not lol because every pokémon is unique and have its on capabilities and you can’t fight every opponent with the same pokémon.
It applies to port scanning too. There are a lot of port scanning techniques which have their own capabilities and today we are going to talk about them.
TCP SYN Scan
It is the default scan of Nmap. It sends SYN packet to a port of the target host. If the host replies with a SYN-ACK packet, it means there is a service running on that port i.e. port is open. Once it gets to know that the port is open, it sends a RST (reset) packet which interrupts the 3 Way TCP Handshake and the connection is not established. As a connection is not made, the scan happens to be stealthy.
If the port is closed, our machine gets a RST packet in reply.
If the target host doesn’t reply that means a firewall is blocking the packets and the port is said to be a filtered port
The ability of not completing the connection makes TCP SYN Scan faster than other scans.
UDP Scan
As we know most of the applications use TCP protocol because of its reliability but there a many applications that use UDP protocol and we should not ignore their existence.
As the name suggest, a UDP scans for open UDP ports.
UDP scans are a bit complicated, Nmap sends a UDP packet to a port of the target hosts and the possible responses of the target host are:
1. If the target port replies with a port unreachable error then the port is closed. ICMP packet are used for error reporting and we may read about them in upcoming articles.
2. If the port replies with a UDP Packet, the port is open.
3. If the target host doesn’t reply it could mean that the service running on that port is not responding or the firewall is blocking packets. Due to this conspiracy, the port is said to be open|filtered.
UDP Scan are very very slow due to the nature of the UDP applications and involvement of ICMP packets.
TCP ACK scan
This scan is used to map which ports are filtered and which are not which gives the attacker a quick idea of what is easy to attack and what is not.
It sends a ACK packet to the target port, if the port is open or closed it will reply with a RST packet.
If the target port doesn’t reply at all or reply with an unreachable error (ICMP Packet), it means the firewall is blocking packets i.e. the port is filtered.
This scan might come in handy to test firewalls.
Well the list doesn’t end here. There are SCTP INIT scan, TCP NULL, FIN, Xmas and other scans too but I don’t think its the right time to discuss them so that’s all for now.