Port Scanning Techniques

This section documents the dozen or so port scan techniques supported by Nmap.

TCP SYN Scan

SYN scan is the default and most popular scan option.

Nmapr.scan :cmd do
  tcp :syn
end

TCP Connect Scan

TCP connect scan is the default TCP scan type when SYN scan is not an option.

Nmapr.scan :cmd do
  tcp :connect
end

TCP ACK Scan

The ACK scan probe packet has only the ACK flag set.

Nmapr.scan :cmd do
  tcp :ack
end

TCP Window Scan

Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned.

Nmapr.scan :cmd do
  tcp :window
end

TCP Maimon Scan

The Maimon scan is named after its discoverer, Uriel Maimon. This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK.

Nmapr.scan :cmd do
  tcp :maimon
end

TCP XMAS Scan

Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

Nmapr.scan :cmd do
  tcp :xmas
end

TCP FIN Scan

Sets just the TCP FIN bit.

Nmapr.scan :cmd do
  tcp :fin
end

TCP NULL Scan

Does not set any bits (the TCP flags field is 0).

Nmapr.scan :cmd do
  tcp :null
end

TCP Custom Scan

Truly advanced Nmap users need not limit themselves to the canned scan types offered. Design your own scan by specifying arbitrary TCP flags. Let your creative juices flow! Any combination of URG, ACK, PSH, RST, SYN, and FIN can be mashed together, written as one run-together string.

Nmapr.scan :cmd do
  tcp :custom, "URGACKPSHRSTSYNFIN"
end
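The TCP scan types above differ only in which flag bits the probe carries, which is also what lets a defender tell them apart on the wire. The following is an added example, not code from Nmapr or Nmap: it parses the run-together flag names used with `tcp :custom` (the same spelling Nmap's `--scanflags` option accepts; that Nmapr forwards the string unchanged is an assumption) into a TCP header bitmask, labels a packet by the scan type its flags match, and reports packets that open a new flow with anything other than a plain SYN. The packet records and the `new_flow` field are constructed.

```ruby
# Added example, not code from Nmapr or Nmap. Builds TCP flag bitmasks from
# the symbolic names used with `tcp :custom`, classifies probe packets by
# the scan type their flags correspond to, and reports unusual flow openers.
# All packet records below are constructed.

# TCP flag bits as laid out in the TCP header flags byte.
TCP_FLAGS = {
  "FIN" => 0x01, "SYN" => 0x02, "RST" => 0x04, "PSH" => 0x08,
  "ACK" => 0x10, "URG" => 0x20, "ECE" => 0x40, "CWR" => 0x80,
}.freeze

# Only the six classic flags decide the scan type; ECE/CWR are masked off so
# an ECN-capable SYN still reads as a SYN.
SIX_FLAG_MASK = 0x3f

# Parse "URGACKPSHRSTSYNFIN" (the run-together form used above), "SYN,ACK"
# or "syn ack" into a bitmask. Unknown or malformed names raise instead of
# being dropped, so a typo cannot silently turn a custom probe into a NULL one.
def parse_flags(spec)
  letters = spec.upcase.gsub(/[^A-Z]/, "")
  tokens  = letters.scan(/[A-Z]{3}/)
  raise ArgumentError, "unparseable flag spec: #{spec.inspect}" unless tokens.join == letters
  tokens.reduce(0) do |mask, name|
    bit = TCP_FLAGS[name] || raise(ArgumentError, "unknown TCP flag: #{name}")
    mask | bit
  end
end

# Flag combination -> scan type documented on this page. A Window scan sends
# the same bare-ACK probe as an ACK scan, so the two are not separable here.
PROBE_SIGNATURES = {
  parse_flags("SYN")       => :syn,
  parse_flags("ACK")       => :ack,
  parse_flags("FIN")       => :fin,
  parse_flags("FINACK")    => :maimon,
  parse_flags("FINPSHURG") => :xmas,
  0                        => :null,
}.freeze

def classify_probe(flags)
  PROBE_SIGNATURES.fetch(flags & SIX_FLAG_MASK, :custom)
end

# Constructed packet records. :new_flow says the 5-tuple had no entry in the
# connection tracker (assumption: a stateful inspector upstream sets it).
SAMPLE_PACKETS = [
  { src: "10.0.0.5", dport: 80,  flags: parse_flags("SYN"),       new_flow: true  },
  { src: "10.0.0.5", dport: 22,  flags: parse_flags("FINPSHURG"), new_flow: true  },
  { src: "10.0.0.5", dport: 25,  flags: 0,                        new_flow: true  },
  { src: "10.0.0.5", dport: 443, flags: parse_flags("FINACK"),    new_flow: false }, # ordinary close
  { src: "10.0.0.7", dport: 139, flags: parse_flags("ACK"),       new_flow: true  },
  { src: "10.0.0.7", dport: 445, flags: parse_flags("SYNFINRST"), new_flow: true  },
].freeze

# A new flow may legitimately start only with a plain SYN. Anything else on a
# fresh 5-tuple is one of the probe types above, so report it with its label.
# SYN scans look like ordinary connection attempts at this level and need
# rate- or half-open-based detection instead.
def suspicious_probes(packets)
  packets.select { |p| p[:new_flow] }
         .map    { |p| p.merge(scan: classify_probe(p[:flags])) }
         .reject { |p| p[:scan] == :syn }
end

if __FILE__ == $PROGRAM_NAME
  suspicious_probes(SAMPLE_PACKETS).each do |p|
    printf("%-10s dport=%-4d flags=0x%02x -> %s probe\n", p[:src], p[:dport], p[:flags], p[:scan])
  end
end
```

Run as a script, it lists the Xmas, NULL, ACK and custom probes from the sample set and skips the FIN/ACK that belongs to an existing connection; the FIN/ACK on a new flow is exactly the Maimon case, which is why the flow-state bit matters more than the flag combination on its own.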

SCTP INIT Scan

SCTP INIT scan is the SCTP equivalent of a TCP SYN scan.

Nmapr.scan :cmd do
  sctp :init
end

SCTP COOKIE ECHO Scan

SCTP COOKIE ECHO scan is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed.

Nmapr.scan :cmd do
  sctp :cookie_echo
end

UDP Scan

While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common.

Nmapr.scan :cmd do
  udp
end
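Each probe type above is interpreted by its own set of reply rules: the Window scan's positive-versus-zero window in a RST, the COOKIE ECHO scan's silence on open ports, and UDP's dependence on ICMP port-unreachable messages. The following is an added example, not Nmapr's or Nmap's code, that applies the reply rules from Nmap's reference documentation for every scan type on this page to constructed reply records. Record fields (`:flags`, `:window`, `:chunk`, `:icmp`, `:payload`) and the scan-type symbols are this example's own naming; an empty record stands for "no reply arrived".

```ruby
# Added example, not Nmapr's or Nmap's code. Maps a target's reply to each
# probe type on this page onto the port state Nmap's documentation assigns.
# Reply records are constructed: :flags is the TCP reply ("SYN/ACK" or
# "RST"), :window the RST's window size, :chunk the SCTP chunk type, :icmp an
# [type, code] pair for an ICMP error, :payload any UDP data; {} means no reply.

# ICMP destination-unreachable codes Nmap reads as "filtered" for TCP and
# SCTP probes. For UDP, code 3 (port unreachable) means "closed" instead.
FILTERED_ICMP = [[3, 0], [3, 1], [3, 2], [3, 3], [3, 9], [3, 10], [3, 13]].freeze

def filtered_icmp?(icmp)
  !icmp.nil? && FILTERED_ICMP.include?(icmp)
end

def port_state(scan, reply)
  icmp = reply[:icmp]
  case scan
  when :syn, :connect
    if    reply[:flags] == "SYN/ACK" then :open
    elsif reply[:flags] == "RST"     then :closed
    else                                  :filtered         # no reply or ICMP error
    end
  when :fin, :null, :xmas, :maimon
    # RFC 793-conformant hosts stay silent on open ports, so silence is ambiguous.
    if    reply[:flags] == "RST" then :closed
    elsif filtered_icmp?(icmp)   then :filtered
    else                              :"open|filtered"
    end
  when :ack
    reply[:flags] == "RST" ? :unfiltered : :filtered
  when :window
    # Same bare-ACK probe as :ack; the implementation detail the page mentions
    # is a positive window in the RST for open ports and zero for closed ones.
    # Hosts without that behaviour report every port as closed.
    return :filtered unless reply[:flags] == "RST"
    reply[:window].to_i > 0 ? :open : :closed
  when :sctp_init
    if    reply[:chunk] == "INIT-ACK" then :open
    elsif reply[:chunk] == "ABORT"    then :closed
    else                                   :filtered
    end
  when :sctp_cookie_echo
    if    reply[:chunk] == "ABORT" then :closed
    elsif filtered_icmp?(icmp)     then :filtered
    else                                :"open|filtered"   # COOKIE ECHO silently dropped
    end
  when :udp
    if    reply[:payload]      then :open                   # any UDP answer
    elsif icmp == [3, 3]       then :closed                 # port unreachable
    elsif filtered_icmp?(icmp) then :filtered               # other unreachable codes
    else                            :"open|filtered"
    end
  else
    raise ArgumentError, "unknown scan type #{scan.inspect}"
  end
end

# Constructed replies for one host: [scan type, port, reply record].
SAMPLE_REPLIES = [
  [:syn,              80,  { flags: "SYN/ACK" }],
  [:syn,              23,  { flags: "RST" }],
  [:window,           443, { flags: "RST", window: 8192 }],
  [:xmas,             22,  {}],
  [:sctp_cookie_echo, 3868, { chunk: "ABORT" }],
  [:udp,              53,  { payload: "\x81\x80" }],
  [:udp,              161, { icmp: [3, 3] }],
].freeze

# Returns [port, scan type, state] triples for a batch of replies.
def summarize(replies)
  replies.map { |scan, port, reply| [port, scan, port_state(scan, reply)] }
end

if __FILE__ == $PROGRAM_NAME
  summarize(SAMPLE_REPLIES).each do |port, scan, state|
    printf("%-5d %-17s %s\n", port, scan, state)
  end
end
```

The `open|filtered` results are where the FIN/NULL/Xmas/Maimon and COOKIE ECHO scans lose precision: a port that drops the probe and a firewall that drops it look identical, which is why Nmap reports the pair rather than guessing.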
