
3. Nmap Port scanning techniques - Complete Nmap beginners guide



Well, in the past couple of tutorials we have learned Nmap basic scanning and host discovery techniques. In this post we're going to learn the various port scanning techniques.

  • -sS (TCP SYN Scan) - SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It allows clear, reliable differentiation between the open, closed, and filtered states.

  • -sT (TCP connect Scan) - This is the scan Nmap uses when the user does not have root/admin privileges. It relies on the same high-level connect() system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. When SYN scan is available, it is usually a better choice.

  • -sU (UDP Scan) - While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol.

  • -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans) - The key advantage of these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that they are a little more stealthy than even a SYN scan. Don't count on this though: most modern IDS (Intrusion Detection System) products can be configured to detect them. These scans do work against most Unix-based systems. Another downside is that they can't distinguish open ports from certain filtered ones, leaving you with the response open|filtered.
  1. Null scan (-sN) - Does not set any bits (the TCP flag header is 0).
  2. FIN scan (-sF) - Sets just the TCP FIN bit.
  3. Xmas scan (-sX) - Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

  • -sA (TCP ACK scan) - This scan is different from the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
    The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back, are labeled filtered.

  • -sO (IP protocol scan) - IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by the target machines.
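To make the differences between these scan types concrete, here is a small Python model (added for this post, not Nmap's own code) of the probe flags each option sends and of how Nmap turns the reply into the open, closed, filtered, unfiltered or open|filtered labels described above. The `reply` values ("syn-ack", "rst", "icmp-unreachable", or None for no answer) are a simplification chosen for the example.

```python
# Added example: model of Nmap probe flags and reply-to-state mapping for the
# scan options listed above. Illustrative code, not Nmap's implementation.

# TCP flag bits in header order (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags set on the probe packet for each scan option.
PROBE_FLAGS = {
    "-sS": SYN,              # SYN scan: half-open handshake
    "-sN": 0,                # NULL scan: no flags at all
    "-sF": FIN,              # FIN scan: just FIN
    "-sX": FIN | PSH | URG,  # Xmas scan: "lit up like a Christmas tree"
    "-sA": ACK,              # ACK scan: only ACK, used for firewall mapping
}

def flag_names(bits):
    """Render a flag byte as e.g. 'FIN|PSH|URG' for readability."""
    table = (("FIN", FIN), ("SYN", SYN), ("RST", RST),
             ("PSH", PSH), ("ACK", ACK), ("URG", URG))
    return "|".join(n for n, b in table if bits & b) or "NONE"

def port_state(scan, reply):
    """Map the reply to a probe onto the state Nmap would report.

    reply: "syn-ack", "rst", "icmp-unreachable", or None (no answer,
    e.g. the probe was silently dropped by a firewall).
    """
    if scan == "-sS":
        if reply == "syn-ack":
            return "open"
        if reply == "rst":
            return "closed"
        return "filtered"        # silence or ICMP error: something in the way
    if scan in ("-sN", "-sF", "-sX"):
        if reply == "rst":
            return "closed"
        if reply == "icmp-unreachable":
            return "filtered"
        return "open|filtered"   # no reply: open port and dropped probe look alike
    if scan == "-sA":
        if reply == "rst":
            return "unfiltered"  # reachable, but open vs closed stays unknown
        return "filtered"
    raise ValueError(f"unsupported scan option: {scan}")
```

Note how the NULL/FIN/Xmas branch can never return "open" on its own: the same lack of a reply is produced by an open port and by a filtering device, which is exactly the open|filtered ambiguity mentioned above.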

So, these were some of the basic port scanning techniques. In the next tutorial we'll cover the topic "port scanning specification."
