Linux 101 : Overview of some of the Nmap scanning techniques

By default, Nmap scans only the top 1000 ports.
To override this behavior, we can specify how many "top" ports to scan using the "--top-ports number" parameter.

In the below example, we use the default number "1000":

We can also specify the ports we want to scan using the "-p" parameter.
We can also tell nmap which type of ports to scan (TCP or UDP).

The parameters below tell nmap to scan TCP port 25 and the UDP ports from 120 to 130:

An open port means that a program is listening on that port, waiting for incoming connections.

A SYN/ACK response from the target to a SYN packet tells us that the port is open.

A closed port means that no program is listening for incoming connections on that port.

An RST packet sent by the target host in response to a SYN packet means that the port is closed.

Below are some types of nmap scans.


TCP connect scan:

The TCP connect is the default scanning mode.

This scan does a full TCP three-way handshake with the target and establishes a connection.
A TCP connect is slower and consumes more resources than other types of scans.

-Pn : assumes all hosts are running without doing host discovery.
-sT : refers to the TCP connect scan.
-p :  port number to scan.
-n : tells nmap to skip DNS resolution.

Nmap sends a SYN packet to the target on TCP port 22, and the target answers with a SYN/ACK packet.
Nmap then sends an ACK packet in response to the SYN/ACK packet, and the connection is established.
After the connection is established, nmap sends an RST to end the connection.


SYN scan:

SYN scans are faster than TCP connect scans. They only establish a "half" connection to the target port.
SYN scans go only through the first "half" of the three-way handshake: they send an RST packet before the connection is established.

-n : skips DNS resolution
-Pn : assumes all hosts are running without doing host discovery.
-sS : SYN scan
-p : port number to scan.

Nmap sends a SYN packet to the target host on port 22, the target host answers with a SYN/ACK (which means the port is open), then nmap sends an RST packet to stop the exchange.

ACK scan:

The ACK scan is used to show filtered ports rather than open ports.
It tells us whether a firewall is "stateful", that is, whether it monitors whole connections instead of analyzing individual packets.

It uses the "-sA" parameter.

TCP FIN scan:

The TCP FIN scan is designed to see if ports are closed. Usually hosts respond to unexpected packets with an RST packet.

It uses the "-sF" parameter.

XMAS scan: 

The XMAS scan sets the FIN, PSH, and URG flags on the TCP packet.

Below is a short description of each of these flags:
  • PSH: This flag tells the destination that the data must be passed immediately to the target program listening on the destination port.
  • URG: This flag specifies that the packets are urgent and must be prioritized.
  • FIN: FIN packets, like RST packets, terminate a connection, but FIN packets wait for an acknowledgment to end the connection.

Below are the different responses to an XMAS scan:
  • No response : means that the port may be either open or blocked by a firewall.
  • RST packet : means that the port is closed.
  • ICMP error : means that the port is blocked by a firewall.
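
The packet exchanges described above can also be read from the defender's side. The following is an added example, not part of the original post: it takes a constructed packet list and labels each probed port with the scan type it matches and the port state the response implies. The record format, the `classify` and `analyse` names and the sample data are assumptions made for illustration; the "unfiltered" result for ACK probes and "filtered" for an unanswered SYN follow Nmap's documented behavior rather than this page.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic): (target_port, sender, tcp_flags).
# sender is "scanner" or "target"; each port carries one probe exchange.
CAPTURE = [
    (22, "scanner", "SYN"), (22, "target", "SYN/ACK"),
    (22, "scanner", "ACK"), (22, "scanner", "RST"),
    (80, "scanner", "SYN"), (80, "target", "SYN/ACK"), (80, "scanner", "RST"),
    (25, "scanner", "SYN"), (25, "target", "RST"),
    (443, "scanner", "FIN/PSH/URG"),
    (8080, "scanner", "FIN/PSH/URG"), (8080, "target", "RST"),
    (23, "scanner", "FIN"), (23, "target", "RST"),
    (3389, "scanner", "ACK"), (3389, "target", "ICMP error"),
]

def classify(flow):
    """Return (scan_type, port_state) for one port's ordered packet list."""
    sent = [flags for sender, flags in flow if sender == "scanner"]
    replies = [flags for sender, flags in flow if sender == "target"]
    if not sent:
        return "unknown", "unknown"
    first = sent[0]
    reply = replies[0] if replies else None
    if first == "SYN":
        if reply == "SYN/ACK":
            # ACK before the RST = full handshake (connect scan);
            # RST straight after the SYN/ACK = half-open (SYN scan).
            return ("connect" if "ACK" in sent else "syn"), "open"
        # A closed or silent port looks the same for both scan types.
        return "syn-or-connect", "closed" if reply == "RST" else "filtered"
    scan = {"FIN/PSH/URG": "xmas", "FIN": "fin", "ACK": "ack"}.get(first, "unknown")
    if scan == "ack":
        # ACK probes map firewall rules: an RST means the packet got through.
        return scan, "unfiltered" if reply == "RST" else "filtered"
    # FIN and XMAS probes: silence is ambiguous, RST means closed.
    return scan, {None: "open|filtered", "RST": "closed"}.get(reply, "filtered")

def analyse(capture):
    """Group packets by target port and classify each exchange."""
    flows = defaultdict(list)
    for port, sender, flags in capture:
        flows[port].append((sender, flags))
    return {port: classify(flow) for port, flow in flows.items()}

if __name__ == "__main__":
    for port, (scan, state) in sorted(analyse(CAPTURE).items()):
        print(f"{port:>5}/tcp  probe={scan:<15} state={state}")
```
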

