Port scanning

Types of scans

Port Scan Type Example Command
TCP Connect Scan nmap -sT
TCP SYN Scan sudo nmap -sS
UDP Scan sudo nmap -sU
TCP Null Scan sudo nmap -sN
TCP FIN Scan sudo nmap -sF
TCP Xmas Scan sudo nmap -sX
TCP Maimon Scan sudo nmap -sM
TCP ACK Scan sudo nmap -sA
TCP Window Scan sudo nmap -sW
Custom TCP Scan sudo nmap --scanflags URGACKPSHRSTSYNFIN
Spoofed Source IP sudo nmap -S SPOOFED_IP
Spoofed MAC Address --spoof-mac SPOOFED_MAC
Decoy Scan nmap -D DECOY_IP,ME
Idle (Zombie) Scan sudo nmap -sI ZOMBIE_IP
Fragment IP data into 8 bytes -f
Fragment IP data into 16 bytes -ff


Option Purpose
-p- all ports
-p1-1023 scan ports 1 to 1023
-F 100 most common ports
-r scan ports in consecutive order
-T<0-5> T0 being the slowest and T5 the fastest
--max-rate 50 rate <= 50 packets/sec
--min-rate 15 rate >= 15 packets/sec
--min-parallelism 100 at least 100 probes in parallel
--source-port PORT_NUM specify source port number
--data-length NUM append random data to reach given length

Null, FIN, and Xmas scan provoke a response from closed ports, while Maimon, ACK, and Window scans provoke a response from open and closed ports.

Option Purpose
--reason explains how Nmap made its conclusion
-v verbose
-vv very verbose
-d debugging
-dd more details for debugging