Port Scanning Techniques Using Nmap

In this Port Scanning Techniques using nmap we are looking at some of the commands you can use when running nmap command like idle scan, syn scan and more, please keep on reading.

Port Scanning Techniques using Nmap
Port Scanning Techniques using Nmap | Image by Thomas Breher from Pixabay

In the active recognition phase (at the time of performing a pentest) we begin to perform procedures that interact directly with the system we are analyzing when going into port scanning techniques. Our main objective should be to identify everything within our reach, collect as much information as possible, and then initiate some kind of attack.

We should:

  • Identify active systems
  • Identify open ports
  • Identify services and versions on those open ports
  • Identify operating systems

For this, we will use NMAP, I think I should explain that it is a great open-source tool, to perform network audits, scan ports and in some cases, exploit vulnerabilities using scripts. Nmap does not require root privileges to run, this should be made clear. The tool will adapt to the current privileges in the account being executed, the point is that, in some cases, the output of the command may be different when using it as root or as a normal user. It will also alert you when it requires root privileges to execute a specific action. An example of this is that NMAP, by default on a non-root account, uses scan (-sT) and root (-sS). Now, what is this -sT and -sS?

First we’ll look at the basic usage of Nmap:

By default, it scans the 1000 most “common” or “frequent” ports for most services.

$ nmap [ip]

As we can see, nmap returns the list of open ports it has found, and the service that runs on those ports. Nmap defines 6 states for the ports, these are

  • Open
  • Closed
  • Filtered
  • Unfiltered
  • Open|filtered
  • Closed|filtered

Well, now we start with the first port scanning technique.

The Port Scanning Techniques:

TCP Connect Scan (-sT)

This technique has the normal behavior that occurs when a TCP connection is established, i.e. it uses the 3-way greeting


This has advantages and disadvantages because the fact of establishing the 3-way greeting is not at all stealthy and it is a little slower and this makes it easier to detect the attack, but it also has a very low probability of throwing us a false positive. For Nmap, this is the scan (-sT), which runs by default on a non-privileged account.

root> nmap -sT

TCP Syn Scan (-sS)

This kind of analysis, it doesn’t get to establish the three-way salute. A SYN packet is sent, as in a normal connection, but everything changes when a response is received. If a SYN/ACK packet is received, this indicates that the port is open, but if a RST is received, it means that the port is closed and ends the connection. If no response is received, or an ICMP error is received, the port is filtered. This is a very reliable type of scan, and also very stealthy.

It is a scan that runs by default on an account with administrator privileges. In fact, if we try to use it on an account without privileges, it will give us…

root> nmap -sS

You requested a scan type which requires root privileges.


TCP Idle Scan(-sI)

The Idle Scan is one of the most complex types of scans that exist and will really depend a lot on the machine we choose to play the zombie.

The attack is very difficult to be detected because no packet is sent directly to the source address, besides that it can skip different controls that filter packets to avoid the connection with computers outside the network, because it “spoofs” the identity of a computer that does have permissions on that network.

We need a scenario of at least 3 machines, one the attacker, one victim and one that we’ll use as a Zombie. First we must identify that the machine we will choose as a zombie uses a predictable algorithm, with which it marks and identifies the IP packets. For this, a chain of SYN+ACK packets are sent, the aim is to obtain a RST and check the IDs of the response. Then check if these IDs are successive or predictable, in many cases, the packets are consecutive. It is also necessary that the Zombie machine, is not having traffic, otherwise the scan would be unfeasible.

Once the zombie machine is identified, we proceed to perform IP Spoofing by sending multiple SYN packets to the victim machine with the Zombie machine’s IP. These packets are a normal scan, the difference is that, in our case, the response packets coming from the victim, don’t come to us, but they go to the zombie machine. Now, in order for us to get the status of the ports of the victim machine, we ask for the ID of the packets to the zombie machine, and here 2 things happen. If the ID has increased by a number that we have previously identified, the port on the victim machine is open. If the ID is the same, the port is closed.

It’s very complex, to understand this, at least the first time we read it. On the Nmap page, this process is also explained very well, and we find this image.

root> nmap -sI [IP ZOMBIE] [IP VICTIM]

This example is very basic, in another post I will go deeper into the Idle Scan, because it really is one of the most dangerous and complex that exist.

TCP Ack Scan (-sA)

This technique is not specifically used to detect the state of a port, but rather is used to verify the state of the firewall. If an ACK packet is sent on a normal connection, this would do nothing.

If the firewall did not save the state of the connections, it would let the packet through without any problems, and two things would happen. If the port is open, normally the system would not respond at all, but if it is closed, a RST will be returned. This way you can know if the port is open or closed, and also, if the firewall keeps the state of the connections or not.

root> nmap -sA [IP]

TCP X-Mas Scan (-sX)

This technique is based on sending a package with the flags FIN, URG and PSH active. Currently Windows does not respond to this technique, although in the past TCP/IP responded with a RST+ACK when the port was closed and if the port was open, there was simply no response.

root> nmap -sX [IP]

TCP Null Scan (-sN)

This type of scan sends a packet that contains no bit, if the port is open, no response is received, but on the contrary, if the port is closed, the system will respond with a RST + ACK.

root> nmap -sN [IP]

I would recommend you to read about TCP/IP, common ports and their services, so you can understand the second part better.


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.