nmap - host and port scanning
| State | Description |
|---|---|
| open | This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams, as well as SCTP associations. |
| closed | When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not. |
| filtered | Nmap cannot correctly identify whether the scanned port is open or closed, because either no response is returned from the target for the port, or we get an error code from the target. |
| unfiltered | This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed. |
| open\|filtered | If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port. |
| closed\|filtered | This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall. |
| Scanning Options | Description |
|---|---|
| 10.129.2.28 | Scans the specified target. |
| --top-ports=10 | Scans the specified top ports that have been defined as most frequent. |
| Scanning Options | Description |
|---|---|
| 10.129.2.28 | Scans the specified target. |
| -p 21 | Scans only the specified port. |
| --packet-trace | Shows all packets sent and received. |
| -n | Disables DNS resolution. |
| --disable-arp-ping | Disables ARP ping. |
Request

| Message | Description |
|---|---|
| SENT (0.0429s) | Indicates the SENT operation of Nmap, which sends a packet to the target. |
| TCP | Shows the protocol that is being used to interact with the target port. |
| 10.10.14.2:63090 > | Represents our IPv4 address and the source port, which will be used by Nmap to send the packets. |
| 10.129.2.28:21 | Shows the target IPv4 address and the target port. |
| S | SYN flag of the sent TCP packet. |
| ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 mss 1460 | Additional TCP header parameters. |
Response

| Message | Description |
|---|---|
| RCVD (0.0573s) | Indicates a received packet from the target. |
| TCP | Shows the protocol that is being used. |
| 10.129.2.28:21 > | Represents the target's IPv4 address and the source port, which will be used to reply. |
| 10.10.14.2:63090 | Shows our IPv4 address and the port that will be replied to. |
| RA | RST and ACK flags of the sent TCP packet. |
| ttl=64 id=0 iplen=40 seq=0 win=0 | Additional TCP header parameters. |
Connect Scan
The Nmap TCP Connect Scan (-sT) uses the TCP three-way handshake to determine if a specific port on a target host is open or closed. The scan sends a SYN packet to the target port and waits for a response. The port is considered open if the target responds with a SYN-ACK packet and closed if it responds with an RST packet.
The Connect scan is useful because it is the most accurate way to determine the state of a port, and it is also the most stealthy. Unlike other types of scans, such as the SYN scan, the Connect scan does not leave any unfinished connections or unsent packets on the target host, which makes it less likely to be detected by intrusion detection systems (IDS) or intrusion prevention systems (IPS).
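The three-way handshake semantics described above, as an added Python example that is not part of the original page or of Nmap: `connect_probe` classifies a port by the result of a full connect(), exactly the way -sT does, and `demo` exercises it against a loopback listener and a port with nothing behind it. Both functions and the loopback setup are assumptions for this illustration; Nmap's own implementation differs.

```python
import errno
import socket
from typing import Dict


def connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port by completing the full three-way handshake (-sT semantics).

    connect_ex() == 0   -> a SYN-ACK came back and the kernel ACKed it: open
    ECONNREFUSED        -> an RST came back: closed
    timeout             -> no reply at all (dropped by a packet filter): filtered
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))   # returns an errno instead of raising
    finally:
        s.close()                          # a full connection was made; close it cleanly
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    if rc in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK):
        return "filtered"
    return "unknown"


def demo() -> Dict[str, str]:
    """Constructed setup: a loopback listener plays the open port, and an ephemeral
    port that was reserved and released again plays the closed one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # port 0: the OS picks a free port
    srv.listen(1)
    open_port = srv.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                            # nothing listens here any more -> RST on SYN

    try:
        return {
            "open": connect_probe("127.0.0.1", open_port),
            "closed": connect_probe("127.0.0.1", closed_port),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Because the handshake completes, the listener's accept() hands the service a real connection, which is why connect-scan probes show up in the scanned service's own logs even when no data is sent.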
Filtered Ports
When a port is shown as filtered, there can be several reasons for it. In most cases, firewalls have certain rules set to handle specific connections. The packets can either be dropped or rejected. When a packet gets dropped, Nmap receives no response from our target, and by default the retry rate (--max-retries) is set to 1. This means Nmap will resend the request to the target port to determine whether the previous packet was simply mishandled by accident.
| Scanning Options | Description |
|---|---|
| 10.129.2.28 | Scans the specified target. |
| -p 139 | Scans only the specified port. |
| --packet-trace | Shows all packets sent and received. |
| -n | Disables DNS resolution. |
| --disable-arp-ping | Disables ARP ping. |
| -Pn | Disables ICMP Echo requests. |
Discovering Open UDP Ports
Some system administrators forget to filter the UDP ports in addition to the TCP ones. Since UDP is a stateless protocol and does not require a three-way handshake like TCP, we do not receive any acknowledgment. Consequently, the timeout is much longer, making the whole UDP scan (-sU) much slower than the TCP scan (-sS).
| Scanning Options | Description |
|---|---|
| 10.129.2.28 | Scans the specified target. |
| -F | Scans top 100 ports. |
| -sU | Performs a UDP scan. |
Another disadvantage is that we often get no response back at all: Nmap sends empty datagrams to the scanned UDP ports, and nothing obliges the target to answer them. So we cannot determine whether the UDP packet arrived or not. Even if the UDP port is open, we only get a response if the application is configured to reply to such a datagram.
| Scanning Options | Description |
|---|---|
| 10.129.2.28 | Scans the specified target. |
| -sU | Performs a UDP scan. |
| -Pn | Disables ICMP Echo requests. |
| -n | Disables DNS resolution. |
| --disable-arp-ping | Disables ARP ping. |
| --packet-trace | Shows all packets sent and received. |
| -p 137 | Scans only the specified port. |
| --reason | Displays the reason a port is in a particular state. |
If we get an ICMP response with error code 3 (port unreachable), we know that the port is indeed closed.
| Scanning Options | Description |
|---|---|
| 10.129.2.28 | Scans the specified target. |
| -sU | Performs a UDP scan. |
| -Pn | Disables ICMP Echo requests. |
| -n | Disables DNS resolution. |
| --disable-arp-ping | Disables ARP ping. |
| --packet-trace | Shows all packets sent and received. |
| -p 100 | Scans only the specified port. |
| --reason | Displays the reason a port is in a particular state. |
For all other ICMP responses, the scanned ports are marked as open|filtered.
| Scanning Options | Description |
|---|---|
| 10.129.2.28 | Scans the specified target. |
| -sU | Performs a UDP scan. |
| -Pn | Disables ICMP Echo requests. |
| -n | Disables DNS resolution. |
| --disable-arp-ping | Disables ARP ping. |
| --packet-trace | Shows all packets sent and received. |
| -p 138 | Scans only the specified port. |
| --reason | Displays the reason a port is in a particular state. |
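The --packet-trace request/response lines explained earlier, the --max-retries behaviour from the Filtered Ports section, and the UDP rules just given (UDP reply means open, ICMP type 3/code 3 means closed, silence means open|filtered) all come together in the following added Python example. It is not code from the original page or from Nmap: it parses a constructed trace (laid out in the SENT/RCVD/ICMP style described above) and derives the port state and a --reason style label per port, counting how many probes were sent. Names such as `parse_trace`, `classify` and `scan_report` are assumptions for this illustration. One point it goes beyond the text on: other ICMP type 3 codes (1, 2, 9, 10, 13) are treated as filtered, which is what Nmap's own documentation specifies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP/UDP trace line: direction, timestamp, protocol, src:port > dst:port, optional TCP flags.
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<flags>[A-Z]+))?"
)
# ICMP trace line: the type/code pair identifies the error (3/3 = port unreachable).
ICMP_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) ICMP \[(?P<src>[\d.]+) > (?P<dst>[\d.]+) "
    r"[^(]*\(type=(?P<type>\d+)/code=(?P<code>\d+)\)"
)


@dataclass
class Probe:
    direction: str                            # "SENT" or "RCVD"
    proto: str                                # "TCP", "UDP" or "ICMP"
    port: int                                 # scanned target port this packet belongs to
    flags: str = ""                           # TCP flags as printed, e.g. "S", "SA", "RA"
    icmp: Optional[Tuple[int, int]] = None    # (type, code) for ICMP errors


def parse_trace(lines: List[str]) -> Dict[int, List[Probe]]:
    """Group trace lines by scanned target port.

    ICMP errors carry no port in the printed line, so they are attributed to the
    most recently SENT probe; this is exact for single-port scans like those above."""
    by_port: Dict[int, List[Probe]] = {}
    last_port: Optional[int] = None
    for line in lines:
        m = TRACE_RE.match(line)
        if m:
            # For SENT packets the target port is the destination; for RCVD it is the source.
            port = int(m["dport"]) if m["dir"] == "SENT" else int(m["sport"])
            if m["dir"] == "SENT":
                last_port = port
            by_port.setdefault(port, []).append(Probe(m["dir"], m["proto"], port, m["flags"] or ""))
            continue
        m = ICMP_RE.match(line)
        if m and last_port is not None:
            by_port.setdefault(last_port, []).append(
                Probe(m["dir"], "ICMP", last_port, icmp=(int(m["type"]), int(m["code"]))))
    return by_port


def classify(probes: List[Probe], scan: str) -> Tuple[str, str, int]:
    """Return (state, reason, probes_sent) for one port; scan is "syn" (-sS) or "udp" (-sU).
    The reason labels imitate the --reason column and are constructed for this example."""
    sent = sum(1 for p in probes if p.direction == "SENT")
    for p in (p for p in probes if p.direction == "RCVD"):
        if scan == "syn" and p.proto == "TCP":
            if "S" in p.flags and "A" in p.flags:
                return "open", "syn-ack", sent
            if "R" in p.flags:
                return "closed", "reset", sent
        if scan == "udp" and p.proto == "UDP":
            return "open", "udp-response", sent       # the application chose to answer
        if p.proto == "ICMP" and p.icmp is not None and p.icmp[0] == 3:
            if p.icmp[1] == 3:
                return "closed", "port-unreach", sent  # nothing listens on that UDP port
            return "filtered", f"icmp-type3-code{p.icmp[1]}", sent   # e.g. admin-prohibited
    # No answer after every retry (--max-retries): a SYN probe is filtered, a UDP probe
    # cannot be told apart from an open-but-silent service.
    return ("filtered" if scan == "syn" else "open|filtered"), "no-response", sent


# Constructed sample trace (not captured output), as one combined -sS -sU run would print it.
SAMPLE_TRACE = [
    "SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:21 S ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 <mss 1460>",
    "RCVD (0.0573s) TCP 10.129.2.28:21 > 10.10.14.2:63090 RA ttl=64 id=0 iplen=40 seq=0 win=0",
    "SENT (0.0610s) TCP 10.10.14.2:63091 > 10.129.2.28:139 S ttl=52 id=1 iplen=44 seq=10 win=1024 <mss 1460>",
    "SENT (1.0620s) TCP 10.10.14.2:63092 > 10.129.2.28:139 S ttl=52 id=2 iplen=44 seq=11 win=1024 <mss 1460>",
    "SENT (2.0001s) UDP 10.10.14.2:55478 > 10.129.2.28:137 ttl=57 id=9122 iplen=78",
    "RCVD (2.0650s) UDP 10.129.2.28:137 > 10.10.14.2:55478 ttl=64 id=13222 iplen=257",
    "SENT (3.0001s) UDP 10.10.14.2:55479 > 10.129.2.28:100 ttl=57 id=9123 iplen=28",
    "RCVD (3.0450s) ICMP [10.129.2.28 > 10.10.14.2 Port unreachable (type=3/code=3) ] IP [ttl=64 id=1350 iplen=56 ]",
    "SENT (4.0001s) UDP 10.10.14.2:55480 > 10.129.2.28:138 ttl=57 id=9124 iplen=28",
    "SENT (5.0001s) UDP 10.10.14.2:55481 > 10.129.2.28:138 ttl=57 id=9125 iplen=28",
]
SCAN_TYPE = {21: "syn", 139: "syn", 137: "udp", 100: "udp", 138: "udp"}


def scan_report(lines: List[str] = SAMPLE_TRACE, scan_type: Dict[int, str] = SCAN_TYPE):
    """Port -> (state, reason, probes_sent) for every port seen in the trace."""
    return {port: classify(probes, scan_type[port]) for port, probes in parse_trace(lines).items()}


if __name__ == "__main__":
    for port, (state, reason, n) in sorted(scan_report().items()):
        print(f"{port:>5}  {state:<14} {reason:<16} probes_sent={n}")
```

The two ports that stay silent (139 and 138) each show two SENT lines and no RCVD line: that second probe is the single retry --max-retries allows by default, and only after it is exhausted does the port become filtered (SYN) or open|filtered (UDP).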
Another handy method for scanning ports is the -sV option, which is used to get additional available information from the open ports. This method can identify versions, service names, and details about our target.
Version Scan
| Scanning Options | Description |
|---|---|
| 10.129.2.28 | Scans the specified target. |
| -Pn | Disables ICMP Echo requests. |
| -n | Disables DNS resolution. |
| --disable-arp-ping | Disables ARP ping. |
| --packet-trace | Shows all packets sent and received. |
| -p 445 | Scans only the specified port. |
| --reason | Displays the reason a port is in a particular state. |
| -sV | Performs a service scan. |