This article is part of a series. Check out the full series: Part 1: Port Scanning Responses, Part 2: Basic Port Scanning Types, Part 3: Other Port Scanning Types, Part 4: Network Scanning, Part 5: Firewall Evasion Options and Part 6: NSE Scripts!
There are three basic port scanning NMAP types that you need to know about:
TCP Connect Scans (-sT)
TCP SYN Scans / Half-Open Scans / Stealth Scans (-sS)
Instead of performing full three-way handshake, SYN scans sends a RST TCP packet after receiving a SYN/ACK from the server.
There are variety of advantages of doing this:
- It can be used to bypass older Intrusion Detection Systems as they will be looking for three-way handshake.
- SYN scans can remain stealthy as they are not usually not logged by applications listening on ports.
- SYN scans are slightly faster since it does not need to complete the whole three-way handshake.
Some disadvantages are:
- SYN scans require sudo permissions to work correctly in Linux as SYN scans require the ability to create raw packets.
- SYN scans could cause unstable services so it could be problematic if a client has a productive environment to test.
UDP Scans (-sU)
DNS, SNMP and DHCP (registered ports 53, 161/162 and 67/68) are three of the most common UDP ports.
UDP scans works by sending empty packet with no payload to the targeted ports. Exception applies for few common ports though where protocol-specific payload will be sent.
This contributes to one of the biggest challenges with UDP scanning as open ports rarely respond to empty probes. So, it is hard for NMAP to determine whether the port is open or filtered. If there’s no response received after several proving attempts, NMAP will then assign the state as open|filtered.
Due to the difficulty in identifying whether a UDP port is actually open, UDP scans tend to be very slow (approximately 20 minutes to scan the first 1000 ports). For this reason, it is usually best practice to run UDP scans with --top-ports <number> enabled. For example, nmap -sU --top-ports 20 <ipAddress>.