Four Types of Nmap Scans Every Beginner Should Know (Part-1)
“Every expert was once a beginner”
Nmap is undoubtedly the best scanning tool ever, but only if you know how to use it. I have already shown you how to perform a simple nmap scan on any device. Here I am going to share the best beginner scans, the first scans a pen-tester runs when testing any network. In this article, I will explain how each of these nmap scans behaves when it probes available (open), unavailable (closed) and filtered ports.
Must Read: Performing a simple nmap scan
List of scans
- TCP SYN Scan (-sS)
- TCP Scan (-sT)
- Ping Scan (-sP)
- UDP Scan (-sU)
These four scans will give you a great deal of information about the target. After learning them you will never again run nmap with the default options.
TCP SYN Scan (-sS): The syntax for the scan is

nmap -sS [Destination]
Example: nmap -sS 192.168.1.1
How does this work?
Available port: Suppose the TCP SYN scan probes an available port, for example port 80, which is open on every server that accepts public traffic. Nmap sends a SYN request to the destination. Because the port is open, it gets back an ACK paired with the corresponding SYN, a SYN/ACK. Nmap then sends an RST (reset) to stop the 3-way TCP handshake. This process is repeated around 1500 times. The best part is that these requests put no load on the server.
Unavailable or closed port: When nmap probes a closed port, the conversation is much shorter. Nmap sends a SYN packet and the destination answers with an RST frame to stop the conversation. Because the reply was a reset rather than a SYN/ACK, nmap marks the port as closed.
Filtered ports: When nmap tries to open a TCP session to a port that is filtered by a firewall or packet filter, the conversation is the shortest of all. Nmap sends a SYN request and gets no reply, so it marks the port as filtered. There is a catch here: from silence alone we can't tell whether the port is filtered or the packet was simply lost. In most situations, though, there is no packet loss.
Advantages
- Never creates a session
- Never appears in the log, because no session was created
Disadvantages
- Needs administrative or root access
- A large number of reset (RST) frames are sent
- The sudden spike in RST frames is unusual traffic, so the target's staff may start monitoring your IP
This scan only detects ports; if you want the operating system or version numbers on the target, you need to switch to another scan.
TCP Scan (-sT)
TCP Scan is the best alternative to the SYN scan because it doesn't need any privileged access. The syntax for TCP Scan is

nmap -sT [IP address]
Example: nmap -sT 192.168.1.1
Available port: When nmap tries to open a TCP session to an available port, it opens a full connection, called the 3-way handshake. If you don't know what the TCP 3-way handshake is, you can read about it here. Must Read: What is TCP 3 Way Handshake
After establishing the connection it sends an RST (reset) frame to terminate it, and this process is repeated for every open TCP port.
Unavailable or closed port: If nmap tries to open a TCP session to a closed port, it gets an RST frame in reply because that port is not available.
Filtered port: For a filtered port, the conversation is only a single frame. Nmap sends a SYN frame, gets no reply, and concludes that the port is filtered by a firewall or some other packet blocker.
Advantages
- No need for any privileges; you can run it from any user account
Disadvantages
- Very noisy. Because it opens a full TCP session, you will show up in the log
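To make the two conversations concrete, here is an added Python example (not from the original article) that replays constructed packet records, assumed rather than captured, for both scan types against the target 192.168.1.1 from the examples above; the scanner addresses 10.0.0.5 and 10.0.0.9 are invented. It infers port states the way nmap does from the target's reply, and shows why the -sT scan leaves a completed session for the log while the -sS scan never does.

```python
from collections import defaultdict

# Constructed packet records, not a real capture: (src, dst, dport, tcp_flags).
# 10.0.0.5 runs a SYN scan (-sS); 10.0.0.9 runs a connect scan (-sT).
TARGET = "192.168.1.1"
PACKETS = [
    ("10.0.0.5", TARGET, 80, "S"),      # open port: SYN ...
    (TARGET, "10.0.0.5", 80, "SA"),     # ... SYN/ACK back ...
    ("10.0.0.5", TARGET, 80, "R"),      # ... RST, handshake never completed
    ("10.0.0.5", TARGET, 22, "S"),      # closed port: SYN ...
    (TARGET, "10.0.0.5", 22, "RA"),     # ... target answers with RST
    ("10.0.0.5", TARGET, 8080, "S"),    # filtered port: SYN and then silence
    ("10.0.0.9", TARGET, 80, "S"),      # connect scan: SYN ...
    (TARGET, "10.0.0.9", 80, "SA"),     # ... SYN/ACK ...
    ("10.0.0.9", TARGET, 80, "A"),      # ... ACK completes the 3-way handshake
    ("10.0.0.9", TARGET, 80, "R"),      # ... then RST tears the session down
]

def infer_port_states(packets, scanner, target):
    """Label each probed port open/closed/filtered from the target's reply,
    which is the inference nmap makes for both -sS and -sT."""
    states = {}
    for src, dst, port, flags in packets:
        if src == scanner and dst == target and flags == "S":
            states.setdefault(port, "filtered")  # silence so far: assume filtered
        elif src == target and dst == scanner and port in states:
            if flags == "SA":
                states[port] = "open"            # SYN/ACK: something is listening
            elif "R" in flags:
                states[port] = "closed"          # RST: port reachable but closed
    return states

def classify_scanners(packets):
    """Per source address: 'half-open' if it probed ports but never sent the
    final ACK, 'connect' if at least one handshake was completed. A completed
    handshake is what the target's application log will record."""
    probed, completed = defaultdict(set), defaultdict(set)
    for src, dst, port, flags in packets:
        if flags == "S":
            probed[src].add(port)
        elif flags == "A":        # bare ACK from the scanner: third handshake step
            completed[src].add(port)
    return {src: ("connect" if ports & completed[src] else "half-open")
            for src, ports in probed.items()}

if __name__ == "__main__":
    print(infer_port_states(PACKETS, "10.0.0.5", TARGET))
    print(classify_scanners(PACKETS))
```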
Read the second part here