Port scanning checks which ports are open, closed, or filtered on a device. Each open port may host a service like SSH, HTTP, or FTP. This helps identify what the target system is running and whether it’s exposed to potential attacks.
TCP SYN Scan (-sS)
This scan sends a TCP SYN packet and waits for a response. If the port replies with a SYN-ACK, it is open. If it replies with RST, it is closed. The connection is never completed, so it is less likely to be logged.
nmap -sS 192.168.1.10
Key points
- Fast and stealthy
- Default scan type (when run as root)
- Commonly used in most assessments
TCP Connect Scan (-sT)
This scan uses the full 3-step TCP handshake: SYN, SYN-ACK, and ACK. It establishes a complete connection, which makes it easier to detect, but it works without root privileges.
nmap -sT 192.168.1.10
Key points
- More visible on logs
- Works for regular users
- Useful when SYN scan isn’t available
UDP Scan (-sU)
UDP scans send empty packets to UDP ports. If no response comes back, the port may be open or filtered. If an ICMP “port unreachable” error is received, the port is closed.
nmap -sU -p 53,161 192.168.1.10
Key points
- Useful for discovering DNS, SNMP, and other UDP services
- Slower and less reliable than TCP scans
- Often combined with -sS for full coverage
ACK Scan (-sA)
This scan sends TCP ACK packets. It doesn’t find open ports, but checks if a port is filtered by a firewall. A response means it’s unfiltered; no response means it may be filtered.
nmap -sA -p 80 192.168.1.10
Key points
- Used for firewall rule detection
- Not for finding open ports
- Helps map security filtering behavior
Null Scan (-sN)
Sends a TCP packet with no flags set. If the target responds with RST, the port is closed. No response might mean it’s open or filtered.
nmap -sN 192.168.1.10
Key points
- Very stealthy
- Can bypass basic firewalls
- Doesn’t work on Windows systems
FIN Scan (-sF)
Sends a TCP packet with only the FIN flag set. Works similarly to Null Scan but may trigger different firewall behavior.
nmap -sF 192.168.1.10
Key points
- Used for stealth and evasion
- Works best on Unix-based systems
- Unreliable on modern OS firewalls
Xmas Scan (-sX)
Sends a TCP packet with FIN, URG, and PSH flags. Called “Xmas” because the packet has multiple flags lit up. Often used to test how targets handle unusual traffic.
nmap -sX 192.168.1.10
Key points
- Obscure and experimental
- Used to test IDS and firewall behavior
- Not reliable on all systems
Port Scan Type Comparison
| Scan Type | Nmap Option | Stealthy | Requires Root | Finds Open Ports | Use Case |
|---|---|---|---|---|---|
| TCP SYN | -sS | Yes | Yes | Yes | Default scan, fast and stealthy |
| TCP Connect | -sT | No | No | Yes | When not running as root |
| UDP | -sU | No | Yes | Yes | Checking UDP services |
| ACK | -sA | Partial | Yes | No | Detecting firewall behavior |
| Null | -sN | Yes | Yes | Yes | Stealth scan on Unix systems |
| FIN | -sF | Yes | Yes | Yes | Evasion on simple firewalls |
| Xmas | -sX | Yes | Yes | Yes | IDS/IPS evasion experiments |
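The reply-to-state rules described for each scan type above, collected into one small classifier, plus the inverse view a defender uses when reading firewall or IDS logs: which probe a given TCP flag combination corresponds to. This is an added example, not code from the original page or from Nmap; the reply labels ("SYN-ACK", "RST", "ICMP-UNREACH", "UDP", "NONE") are constructed names for this example.

```python
# Added example: how each scan type above turns a reply into a port state,
# following the rules given in the text. "open|filtered" is Nmap's wording
# for "no reply, so the port is either open or silently dropped".
# Reply labels (constructed for this example):
#   "SYN-ACK"      target answered SYN-ACK
#   "RST"          target answered RST
#   "ICMP-UNREACH" ICMP port unreachable came back
#   "UDP"          a UDP payload came back
#   "NONE"         nothing came back before the timeout

def port_state(scan: str, reply: str) -> str:
    """Return the Nmap-style state for one port, given scan option and reply."""
    scan = scan.lower()
    if scan in ("-ss", "-st"):               # SYN and Connect scans
        return {"SYN-ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan == "-su":                        # UDP scan
        if reply == "UDP":
            return "open"
        if reply == "ICMP-UNREACH":
            return "closed"
        return "open|filtered"               # silence is ambiguous for UDP
    if scan == "-sa":                        # ACK scan: filtered vs unfiltered only
        return "unfiltered" if reply == "RST" else "filtered"
    if scan in ("-sn", "-sf", "-sx"):        # Null, FIN and Xmas scans
        if reply == "RST":
            return "closed"
        if reply == "ICMP-UNREACH":
            return "filtered"
        return "open|filtered"               # no RST: open or dropped by a filter
    raise ValueError(f"unknown scan type {scan!r}")


# Defender's view: the flag pattern each probe leaves in a packet log.
PROBE_FLAGS = {
    frozenset({"SYN"}): "SYN scan probe (-sS) or normal connect",
    frozenset({"ACK"}): "ACK scan probe (-sA)",
    frozenset(): "Null scan probe (-sN)",
    frozenset({"FIN"}): "FIN scan probe (-sF)",
    frozenset({"FIN", "URG", "PSH"}): "Xmas scan probe (-sX)",
}

def probe_signature(flags: str) -> str:
    """Map a flag string from a log line, e.g. 'FIN,URG,PSH', to a probe name."""
    parts = frozenset(f for f in flags.upper().split(",") if f)
    return PROBE_FLAGS.get(parts, "not a recognised scan probe")
```

A bare SYN is also how every legitimate connection starts, so a single SYN is not evidence of scanning; it is the volume of SYNs across many ports without completed handshakes that distinguishes a SYN scan from normal traffic.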