Nmap is able to recognize six port states:

open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port.
closed: A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it.
filtered: Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port.
unfiltered: The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed.
open|filtered: Nmap places ports in this state when it is unable to determine whether a port is open or filtered.
closed|filtered: This state is used when Nmap is unable to determine whether a port is closed or filtered.

Port Scanning Techniques

Option: Description

-sS (TCP SYN scan): It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections.

-sT (TCP connect scan): TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges.

-sU (UDP scans): While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports.

-sY (SCTP INIT scan): SCTP is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming. It is mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well.

-sN, -sF, -sX (TCP NULL, FIN, and Xmas scans): These three scan types exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports.

-sA (TCP ACK scan): It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

-sW (TCP Window scan): Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned.
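For defenders, each TCP scan type described above leaves a recognizable pattern in the client's packets. The following is an added example, not code from Nmap or from this page: it classifies client-to-server flows by TCP flags and reports sources that probe several ports the same way. The packet tuples, function names and the min_ports threshold are assumptions made for illustration; the NULL (no flags) and Xmas (FIN, PSH, URG) flag combinations are Nmap's documented probes.

```python
from collections import defaultdict

# TCP flag bits as defined in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags of the first client packet in a flow -> probe kind
FIRST_PACKET = {
    0: "null",                  # -sN: no flags set
    FIN: "fin",                 # -sF
    FIN | PSH | URG: "xmas",    # -sX
    ACK: "ack-or-window",       # -sA and -sW send the same unsolicited ACK
}

def classify_flow(flags_seq):
    """Classify one client->server flow from its ordered TCP flag values."""
    first = flags_seq[0]
    if first in FIRST_PACKET:
        return FIRST_PACKET[first]
    if first == SYN:
        # A client ACK (without RST) after the SYN means the handshake completed.
        completed = any(f & ACK and not f & RST for f in flags_seq[1:])
        return "connect" if completed else "syn-half-open"
    return "other"

def scan_report(packets, min_ports=3):
    """Return {source: {probe kind: port count}} for kinds seen on >= min_ports ports."""
    flows = defaultdict(list)
    for src, dport, flags in packets:
        flows[(src, dport)].append(flags)
    ports = defaultdict(lambda: defaultdict(set))
    for (src, dport), seq in flows.items():
        ports[src][classify_flow(seq)].add(dport)
    return {src: {k: len(p) for k, p in kinds.items() if len(p) >= min_ports}
            for src, kinds in ports.items()
            if any(len(p) >= min_ports for p in kinds.values())}

# Constructed sample (documentation addresses), client-side packets only.
SAMPLE = (
    [("192.0.2.10", p, SYN) for p in (22, 80, 443)]          # SYNs never ACKed
    + [("192.0.2.10", 80, RST)]                              # reset instead of ACK
    + [("192.0.2.20", p, FIN | PSH | URG) for p in (21, 22, 23, 25)]
    + [("192.0.2.30", p, ACK) for p in (80, 443, 8080)]      # ACKs with no prior SYN
    + [("192.0.2.40", 443, SYN), ("192.0.2.40", 443, ACK)]   # ordinary client
)

if __name__ == "__main__":
    for src, kinds in scan_report(SAMPLE).items():
        print(src, kinds)
```

A completed handshake on its own is ordinary traffic, so a connect scan only stands out here through the number of distinct ports a single source touches.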