Updated April 6, 2023
Introduction to Nmap Scan Types
Network Mapper or Nmap is defined as a network scanner to discover the networks related to one IP address by sending the packets and analyzing the results. This is provided for free and was developed by Gordon Lyon to analyze the host networks, operating systems associated with the same network and detecting any vulnerability if present in the network. Written in C, C++, Python, and Lua, it was developed to work with Linux but now it is made to work in Windows, Mac, and BSD. Scripts can be written to extend the services of Nmap so that many vulnerabilities can be figured out.
Let us discuss types of Nmap Scan.
1. Ping Sweep:
The simple type of Nmap scan where it pings to all the available IP addresses to check which IP addresses respond to ICMP or Internet Control Message protocol is called Ping Sweep. If the users need to know only the number of IP addresses and not many details, this Ping Sweep is very useful. This is faster and hence the results to be known is fetched easily.
2. SYN Scan:
This is the most useful type of Nmap scan which does it work quietly. Here, it sends an SYN packet via TCP or Transfer Control Protocol to all the intended ports. If an acknowledgment pack is received back to the system, it is sure that a port is opened there. No response means that the port is either closed or not available. Here the acknowledgment pack is not sent back to the system assuming that the connection is not valid. Thus, the full connection is not scanned as per the system. This scan is not shown in most of the scan logs and hence it is safe to use SYN scan to identify the ports.
3. TCP Connect Scan:
This is similar to SYN scan in many aspects as it uses the TCP layer to sent packets and it is passed to all the ports. Here, the difference is that the full connection is done by sending the acknowledgment packets back. The logs can easily find the TCP scan and need more power from the machines to do the work. But this is more accurate than SYN scans. If all the accesses related to OS are available to the user, it is better to do a TCP scan than a SYN scan as all the low-level and high-level accesses are required for this scan. The network is also loaded more and hence user must be careful about loading the systems and networks.
4. Idle Scan:
This type of scan is really used to check whether any malicious attacks are planned on any particular network. This is the most recent type of Nmap scan where the scan packets send to a port are moved away by another host to check the presence of malware. Users need not control the external host but an IP address and a port should be given to the same. All other requirements are taken from the scanner itself.
5. RPC Scan:
Remote Procedure Calls are done by hackers to make the system vulnerable to virus attacks. It is thus necessary to know whether our system answers such calls and makes our system open to malware attacks. RPC scan is done to check this by finding the ports open with certain commands being run by RPC. It is good to do an RPC scan now and then to find whether the ports in a network is having RPC commands as RPC commands might run on the system and collect all the information from the system.
6. Windows Scan:
This is a simple scan where the application scans the acknowledgment packets received from the ports once SYN packets are sent. If there are any abnormalities in the ACK packets received, this scan reports the same and helps in recognizing which ports are functioning in a different way.
7. Bounce Scan:
This scan is used to check the security in the File Transfer Protocol layer. FTP layers mostly do not accept any packets and once it is rejected from FTP layers, there are chances that it might be sent to an internal layer so that it can access the internal machines. Bounce scan checks this loophole by doing exactly the same process and identifies whether our FTP layer is open for vulnerability or not. The IP address of the server and FTP server is required to do this scan.
8. UDP Scan:
This scan is most useful in the Windows system to know whether the UDP layer is open to attacks or not. It is not always possible to get a response from the UDP layer but it helps to know whether the layer is having any Trojan attacks running or not. The responses can be a bit slower than other scans but it is useful to do this scan to protect our UDP layer. It responds to packets when the port is closed which might make the sender believe that there is a presence of Trojan. It is good to double-check the same.
9. FIN Scan:
This is similar to SYN Scan where the system that sends the packets receives the response back and it will be mostly TCP FIN packet. If the system sends an RST packet, it is a false alarm and users need not be worried about the same.
10. NULL Scan: This scan is useful for other systems than Windows where the systems can easily identify what kind of packets they have received and respond back with either TCP packets or NULL responses. NULL scans are not useful for Windows as they may not always produce the desired results.
We also have XMAS Scan which works similar to NULL Scan but has responses such as PSH, URG, and FIN flags from the system. Nmap scan helps in identifying threats as well as knowing the ports being used in the same network. The basic usage of scanning ports and identifying new ports remain the same even with any new functionalities in the scanning application.
This is a guide to Nmap Scan Types. Here we discuss the Introduction, types of Nmap Scan. You may also have a look at the following articles to learn more –