-sA
— ACK scan. All ports should respond with a RST, but firewalls will generally block these requests except for open/forwarded ports. Thus, an ACK scan is useful for probing the configuration of intermediate firewalls (but says nothing about whether services are actually listening on the identified ports).-sF
— FIN scan. Use and output is similar to a null scan, but is slightly more likely to be blocked.-sI
— Idle/Zombie scan. The idea here is to choose a machine with no traffic on it and then spoof its IP address. Scans then consist of a SYN/ACK to the zombie to get the current IP ID value for the current port, then a SYN to the target (which should either reply with a RST to the zombie, which doesn’t trigger a response and thus doesn’t increment the IP ID, or a SYN/ACK to the zombie, which will respond with a RST which will increment the IP ID), then a second SYN/ACK to the zombie to see if the IP ID has been incremented by 1 (port closed or filtered on the target) or 2 (port open on the target). Note that zombies need to be systems that increment the IP ID sequentially and globally, and open/closed ports will be from the zombie’s perspective, not the attacker’s. These scans are also slooooow (though not as slow as-T0
).-sL
— Dummy scan. Show the hosts that would be scanned, but don’t actually do anything (except perhaps DNS resolution).-sM
— Maimon scan (named after Uriel Maimon); the FIN and ACK TCP flags are set. Should always receive a RST, but some older BSD systems drop the packet on open ports. Of limited modern utility.-sn
— Host discovery only (see the previous section for details). Note that the Windows Firewall blocks ICMP by default.-sN
— Null scan; no TCP flags are set. Used to circumvent stateless firewalls. Can distinguish betweenclosed
andopen|filtered
.-sS
— SYN scan. Most common scan, and Nmap’s default. Starts a TCP handshake but then sends a RST after receiving the SYN/ACK packet. Requires root, should not be used on OT. Also called a “stealth scan”, but most IDS solutions detect it these days.-sT
- TCP connect scan. This makes a full TCP handshake when connecting to each port, then sends a RST/ACK after the handshake is finished. Slow but accurate. This is the only scan available for unprivileged users.-sU
— UDP scan. Sends empty UDP packets (or more realistic packets for known ports) and listens for a response back (“open”) or a ICMP “port unreachable” packet (“closed”). Since UDP doesn’t require a response, most ports will get markedopen|filtered
. Can be specified with one of the TCP scans to scan TCP and UDP ports simultaneously. Very slow, so you probably want to use with-sU --top-ports 20
.-sW
— TCP windows scan. The same as an ACK scan except that it examines the TCP window field of returned RST packets and uses it to discern if a port responded differently. Note that ports may be reported as closed (and open!) erroneously (as not all systems respond in the same way), but unfiltered ports will be identified. Look for patterns of open/closed ports to try to discern how the target system is responding.-sX
— Xmas scan; the FIN, URG, and PSH TCP flags are set. Use and output is similar to a null scan.
Note that Nmap by default uses a TCP window of 1024 bytes and an MSS of 1460. This is actually an unusual combination, and makes most Nmap TCP scans stick out in packet captures. The exception to this is a full TCP connect scan, which uses the system TCP stack and thus tends to have more sensible options.