# Scan Types

Since we already talked about how to find out if a host is alive on the network, it's time to explore deeper. There are many scan types we can perform using **Nmap** — not just to find active hosts, but also to discover open ports, identify services, operating systems, and even to evade firewalls or avoid being detected by intrusion detection systems (IDS).

These scan types differ based on the kind of packets they send, how they respond to different network setups, and how stealthy they are.

{% hint style="success" %}
Note that by default, when `-sn` is not given, Nmap does not stop at host discovery but goes on to scan the most commonly used ports as well.
{% endhint %}

### **TCP Connect Scan** (`-sT`)

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap 10.10.20.208 -sT -vv -T4
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 12:21 +0545
Initiating Ping Scan at 12:21
Scanning 10.10.20.208 [2 ports]
Completed Ping Scan at 12:21, 0.18s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:21
Completed Parallel DNS resolution of 1 host. at 12:21, 0.01s elapsed
Initiating Connect Scan at 12:21
Scanning 10.10.20.208 [1000 ports]
Discovered open port 21/tcp on 10.10.20.208
Discovered open port 53/tcp on 10.10.20.208
Discovered open port 80/tcp on 10.10.20.208
Discovered open port 3389/tcp on 10.10.20.208
Discovered open port 135/tcp on 10.10.20.208
Completed Connect Scan at 12:21, 15.11s elapsed (1000 total ports)
Nmap scan report for 10.10.20.208
Host is up, received syn-ack (0.23s latency).
Scanned at 2025-04-24 12:21:07 +0545 for 15s
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE       REASON
21/tcp   open  ftp           syn-ack
53/tcp   open  domain        syn-ack
80/tcp   open  http          syn-ack
135/tcp  open  msrpc         syn-ack
3389/tcp open  ms-wbt-server syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.33 seconds
</code></pre>

This is the most basic and reliable scan.

* **How it works:** It completes a full **TCP three-way handshake** with each port.

  <figure><img src="/files/uYZmQM4FfaxlZvkCap1M" alt=""><figcaption></figcaption></figure>
* If the port is closed, the target sends back a `RST` (Reset) packet.
* **Use case:** Works on any network and doesn't need root privileges.
* **Downside:** Very noisy. It’s easily detected by firewalls and logged by IDS.

### **SYN Scan (Stealth Scan)** (`-sS`)

{% hint style="info" %}
This scan type requires raw-socket access, so it must be run as root (with `sudo`).
{% endhint %}

{% hint style="warning" %}
I used the `-Pn` flag in the example below because the target is a Windows system whose firewall is enabled by default and blocks ICMP packets. You can try `ping 10.10.20.208` and you will notice it gets no reply, because ICMP is blocked. This option skips Nmap's host discovery stage and **assumes the target is up**.
{% endhint %}

<pre class="language-bash"><code class="lang-bash"><strong>❯ sudo nmap 10.10.20.208 -sS -vv -T4 -Pn
</strong>[sudo] password for rezy:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 12:24 +0545
Initiating Parallel DNS resolution of 1 host. at 12:24
Completed Parallel DNS resolution of 1 host. at 12:24, 0.03s elapsed
Initiating SYN Stealth Scan at 12:24
Scanning 10.10.20.208 [1000 ports]
Discovered open port 135/tcp on 10.10.20.208
Discovered open port 80/tcp on 10.10.20.208
Discovered open port 53/tcp on 10.10.20.208
Discovered open port 3389/tcp on 10.10.20.208
Discovered open port 21/tcp on 10.10.20.208
Completed SYN Stealth Scan at 12:24, 14.68s elapsed (1000 total ports)
Nmap scan report for 10.10.20.208
Host is up, received user-set (0.20s latency).
Scanned at 2025-04-24 12:24:36 +0545 for 15s
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE       REASON
21/tcp   open  ftp           syn-ack ttl 127
53/tcp   open  domain        syn-ack ttl 127
80/tcp   open  http          syn-ack ttl 127
135/tcp  open  msrpc         syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.76 seconds
</code></pre>

Often called a **half-open scan**, this is the most commonly used scan.

* **How it works:**

  <figure><img src="/files/wAZshCTRpcNbV5cY50hJ" alt=""><figcaption></figcaption></figure>
* **Why stealthy?** It never completes the TCP handshake, so the connection is never fully established and is less likely to be logged by the target application.
* **Use case:** Great for scanning while staying under the radar. Needs root/admin privileges.

### **UDP Scan** (`-sU`)

<pre class="language-bash"><code class="lang-bash"><strong>❯ sudo nmap 10.10.20.208 -sU -vv -T4 -Pn
</strong>[sudo] password for rezy:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 12:31 +0545
Initiating Parallel DNS resolution of 1 host. at 12:31
Completed Parallel DNS resolution of 1 host. at 12:31, 0.01s elapsed
Initiating UDP Scan at 12:31
Scanning 10.10.20.208 [1000 ports]
Discovered open port 53/udp on 10.10.20.208
UDP Scan Timing: About 22.95% done; ETC: 12:33 (0:01:47 remaining)
[//..SNIP..//]
UDP Scan Timing: About 98.20% done; ETC: 12:59 (0:00:30 remaining)
Completed UDP Scan at 12:59, 1696.75s elapsed (1000 total ports)
Nmap scan report for 10.10.20.208
Host is up, received user-set (0.21s latency).
Scanned at 2025-04-24 12:31:28 +0545 for 1696s
Not shown: 999 open|filtered udp ports (no-response)
PORT   STATE SERVICE REASON
53/udp open  domain  udp-response ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1696.81 seconds
</code></pre>

Unlike TCP, UDP is connectionless — so this scan works differently.

* **How it works:**

  <figure><img src="/files/Da2jR8mflUU93nLkbeMN" alt=""><figcaption></figcaption></figure>

  * If no response comes back, the port is reported as `open|filtered`: it might be open, or the probe might have been dropped or filtered by a firewall.
* **Downside:** UDP scanning is slow and less reliable, because an open port is often inferred from the absence of a reply, and the ICMP messages that would mark a port as closed can be filtered.
* **Use case:** Useful for detecting services like DNS, SNMP, or DHCP that use UDP.

### **ACK Scan** (`-sA`)

Used to map firewall rules.

* **How it works:**

  <figure><img src="/files/sRnjIIPU2cD9R1tB0NKl" alt=""><figcaption></figcaption></figure>
* **Note:** Doesn’t tell you whether the port is open or closed, only whether the probe reaches it (Nmap reports the port as `unfiltered` or `filtered`).
* **Use case:** Determine if a firewall is present and which ports it allows through.

### **FIN, NULL, and Xmas Scans** (`-sF`, `-sN`, `-sX`)

These are **stealthy** scans designed to **bypass firewalls and IDS** by sending TCP packets with unusual flag combinations that no normal connection would use.

* **FIN Scan:** Sends a packet with only the **FIN** flag set.
* **NULL Scan:** Sends a packet with **no flags** set at all (just a raw TCP header).
* **Xmas Scan:** Sends a packet with **FIN, URG, and PSH** flags lit — like lights on a Christmas tree (hence the name).

**How they work:**

These scans rely on a behavior specified in the TCP RFC (Request for Comments), which says that:

* If a **closed** TCP port receives one of these unusual packets, it **must respond with a `RST`** (Reset).
* If the port is **open**, it should **ignore** the packet and **send nothing back**.

So, Nmap interprets the results like this:

* **No response:** Port is **open** or **filtered**.
* **RST received:** Port is **closed**.

This technique is useful for **evading IDS and firewalls** that only look for standard connection patterns (like SYN packets or full handshakes).

However, there’s a **catch**: Not all systems behave according to the RFC. **Windows systems, for example, often send RSTs for any unexpected packets — even to open ports.** That means these scans can produce false negatives or unreliable results on non-RFC-compliant targets.
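To make the response rules above concrete, here is an added example (not code from the original page) that models, for the TCP connect, SYN, UDP, ACK and FIN/NULL/Xmas scans, what a target port replies to each probe and how Nmap maps that reply to the state it prints. The port states, the firewall and the Windows-like non-RFC behaviour are constructed inputs; the scan-type keys (`sT`, `sS`, `sU`, `sA`, `sF`, `sN`, `sX`) mirror Nmap's flags.

```python
# Added example, not from the page: model of how a target port answers each scan
# type's probe and how Nmap maps that reply to a reported state. The port states,
# firewall and Windows-like behaviour are constructed inputs, not real hosts.
SYN_LIKE = {"sT", "sS"}        # connect and SYN scans both open with a SYN
INVERSE = {"sF", "sN", "sX"}   # FIN, NULL and Xmas scans

def target_reply(scan, real_state, firewalled=False, rfc_compliant=True):
    """Reply the target sends to one probe. real_state is 'open' or 'closed';
    firewalled means the probe is silently dropped before reaching the port;
    rfc_compliant=False models stacks such as Windows that RST any unexpected
    FIN/NULL/Xmas probe even to open ports. An open UDP service is assumed to
    answer the probe; a silent one would reply 'none' (-> open|filtered)."""
    if firewalled:
        return "none"
    if scan in SYN_LIKE:
        return "syn-ack" if real_state == "open" else "rst"
    if scan == "sU":
        return "udp-response" if real_state == "open" else "icmp-port-unreach"
    if scan == "sA":
        return "rst"  # unsolicited ACKs get a RST whether the port is open or closed
    if scan in INVERSE:
        if real_state == "closed" or not rfc_compliant:
            return "rst"
        return "none"  # RFC-compliant open port drops the probe silently
    raise ValueError(f"unknown scan type {scan}")

def nmap_state(scan, reply):
    """State Nmap reports for the reply it saw (the REASON column in -vv output)."""
    if scan in SYN_LIKE:
        return {"syn-ack": "open", "rst": "closed"}.get(reply, "filtered")
    if scan == "sU":
        return {"udp-response": "open", "icmp-port-unreach": "closed",
                "none": "open|filtered"}.get(reply, "filtered")
    if scan == "sA":
        return "unfiltered" if reply == "rst" else "filtered"
    if scan in INVERSE:
        return {"rst": "closed", "none": "open|filtered"}.get(reply, "filtered")
    raise ValueError(f"unknown scan type {scan}")

def scan_port(scan, real_state, **target):
    """Run one probe end to end and return the state Nmap would print."""
    return nmap_state(scan, target_reply(scan, real_state, **target))

if __name__ == "__main__":
    # The catch from the text: an open port on a non-RFC-compliant host looks
    # closed to an Xmas scan but open to a SYN scan.
    for scan in ("sS", "sX"):
        print(scan, scan_port(scan, "open", rfc_compliant=False))
```

Running it shows the false negative the text warns about: `sS` reports the port `open` while `sX` reports it `closed` on the Windows-like target.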

{% hint style="success" %}
Learn more about RFCs [here](https://en.wikipedia.org/wiki/Request_for_Comments).
{% endhint %}

### Idle Scan (`-sI`)

The **Idle Scan** is one of the most advanced and stealthy scans available in Nmap.

This scan doesn’t send packets directly to the target at all. Instead, it uses a third-party host — called a **"zombie"** — to probe the target on your behalf.

1. Nmap first probes the zombie to learn its **IP ID sequence** behavior.
2. Then it sends **spoofed SYN packets** to the target, pretending to be the zombie.
3. If the target replies to the zombie with a SYN-ACK (meaning the port is open), the zombie's IP ID will increase (since it responds with a RST).
4. If the port is closed, the target replies with a RST, and the zombie stays idle.
5. Nmap checks the zombie’s IP ID again to detect any changes.

{% hint style="info" %}
To learn more about this scan type visit: [here](https://nmap.org/book/idlescan.html#:~:text=Idle%20scan%20is%20the%20ultimate,to%20get%20scan%20results%20back.)
{% endhint %}

<figure><img src="/files/Wmck7o1ZZGj2pzaum6l5" alt=""><figcaption></figcaption></figure>
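The five steps above come down to reading a 16-bit counter. The added example below (not code from the original page or from Nmap) models that arithmetic: checking that a candidate zombie has the predictable, incrementing IP ID the technique needs, and turning the difference between two IP ID readings into a port verdict. The IP ID samples are constructed, not captured from the page's hosts.

```python
# Added example, not from the page: the counter arithmetic behind an idle scan.
# All IP ID samples used with these functions are constructed, not captured.
IPID_MOD = 1 << 16   # the IP identification field is 16 bits, so it wraps around

def ipid_delta(before, after):
    """Number of packets the zombie sent between two observations, modulo 2^16."""
    return (after - before) % IPID_MOD

def zombie_is_usable(samples):
    """Step 1: a usable zombie answers consecutive probes with IP IDs that grow
    by exactly one (a single global counter). Randomised or constant IP IDs,
    which modern stacks use precisely to defeat this, give no information and
    rule the host out; jumps larger than one mean the host is busy, not idle."""
    if len(samples) < 2:
        return False
    return all(ipid_delta(a, b) == 1 for a, b in zip(samples, samples[1:]))

def idle_verdict(before, after):
    """Steps 2-5: `before` is the IP ID from the probe of the zombie sent before
    the spoofed SYN, `after` the one from the probe sent afterwards. The zombie's
    reply to that second probe always costs one increment; a second increment
    means it also RST'd a SYN-ACK the target sent it, so the port is open."""
    delta = ipid_delta(before, after)
    if delta == 1:
        return "closed|filtered"   # target sent RST or nothing; zombie stayed idle
    if delta == 2:
        return "open"
    return "unreliable"            # zombie was not idle; the reading cannot be trusted
```

Because the counter wraps, `idle_verdict(65535, 1)` is still `open`; a zombie whose IP IDs jump by more than one between probes is rejected by `zombie_is_usable` rather than producing a wrong verdict.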
