Nmap from Scratch | Part-4 | Scanning techniques

A3h1nt
5 min readDec 21, 2020

--

Congratulations on making it to part-4, I cannot tell how important this blog is, this blog covers really cool and very important scan techniques, so let’s go!

Nmap provides lots of options when it comes to scanning, each type of scan works differently, and yes each scan is for a different scenario, some scans might work for a particular scenario and some won’t.

[Important] — I have already covered SYN and TCP Connect scan in the first part, so if you haven’t checked it out yet, then here’s the link.

Okay so moving on to scan techniques we have

  • - SA ( TCP ACK Scan )

ACK scan is a little bit different from other scans, it’ll show the port state as open or closed, it is used to determine if the firewall is stateful or stateless and what all ports are filtered, it sends an ACK flag, if the port state is open or closed the ports reply with an RST flag and Nmap labels them as unfiltered, which means that the port is reachable but whether it’s open or not is undetermined.

If the target system doesn’t respond back, then Nmap labels it as filtered, which signifies the presence of a firewall.

SYNTAX:

nmap -sA nmap.scanme.org 
  • -sW ( TCP Window Scan )

Window scan is very similar to ACK scan, but it uses a different technique to determine whether the port is open or closed, it exploits the implementation of detail, it doesn’t show port as unfiltered for an RST reply instead it checks for the window size of the TCP packet to determine if the port is closed or not, some systems return a positive ( non-zero ) value even for the RST packet and has zero window size for a closed port.

SYNTAX:

nmap -sW nmap.scanme.org
  • -sM ( Maimon Scan )

Maimon Scan is one of my favorites, because of the way it interprets information, but it doesn’t work in modern systems, but since I am writing this blog and it’s one of my favorites I’ll explain it .

Maimon scan sends FIN/ACK flags to the target system, a RST response should be generated for such packets, but some sytems simple drops the packets for open ports, maimon scan takes advantage of this .

SYNTAX:

nmap -sM nmap.scanme.org
  • -sU ( UDP Scan )

As the name suggests, this scan is used to scan only the UDP ports.

SYNTAX:

nmap -sU nmap.scanme.org
  • -sN, -sF, -sX ( Null Scan, FIN Scan, XMAS Scan )

NULL, FIN and XMAS scan work differently but the way they interpret results is the same.
Null Scan: Null scan doesn’t send any flag to the target, the TCP flag header is zero.

SYNTAX:

nmap -sN nmap.scanme.org

On analysing the result using Wireshark we can see the packets sent.

FIN Scan : In this scan the flag sent is FIN ( Finish ) flag.

SYNTAX:

nmap -sF nmap.scanme.org

On analysing the result using Wireshark we can see the packets sent.

XMAS Scan :XMAS scan is one of the interesting scans that I’ve come across, it sends three flags to the target FIN, PSH, URG.

SYNTAX:

nmap -sX nmap.scanme.org

On analysing the result using Wireshark we can see the packets sent.

Interpretation

In some systems, any packet received without SYN, ACK, and RST flag will result in an RST response if the port is closed and no response if the port is open. Null, FIN and XMAS scan don’t contain any of these flags, so if the target gives a response with the RST flag, the port is considered to be closed and if the target system doesn’t respond back at all, then the port is considered to be open.

  • Customising TCP Flags

Nmap provides an option which allows users to set any TCP flag they want.

SYNTAX:

nmap --scanflags [SYN|ACK|FIN|RST|PSH|URG] nmap.scanme.orgexample: Using RST flag to scan
nmap --scanflags RST nmap.scanme.org
  • -sI ( Idle Scan )

The idle scan involves three components attacker, zombie, and a target, idle scan allows us to scan the target machine without revealing our IP, instead, our zombie’s IP is revealed, so if the target hosts maintain logs then the zombie’s IP will be logged and not attacker’s IP. You can read more about this scan here.

SYNTAX:

nmap -Pn -sI [zombie IP] [Target IP]

We’ve covered a lot of scan techniques in this blog, there are still more options but they are not used much, so I’ve not included them here.
Thanks for reading this blog, in the next blog we’ll cover service and version detection techniques. If you think this blog needs any correction or if you have any doubt, you can ping me at A3h1nt.

--

--