NMap SCANNING METHODS



(as per the Nmap official documentation)

TCP connect() Scan [-sT] :

This method is called connect() because UNIX socket programming uses a system call named connect() to begin a TCP connection to a remote host. It is the most basic scanning method: the scanner attempts to connect to each port on the target host. If a port is listening, the connection is established and then immediately shut down. Based on the response from each port, Nmap reports which ports are open and which are closed. This method requires no special privileges and can be run even without being root. However, it is easily detected by the target's IDS and firewall, if there are any, since it attempts a full connection on every port. The scanner's IP address will also appear in the target's logs, since a complete connection was made on every open port.


SYN Stealth Scan [-sS] :

SYN Stealth Scan overcomes a major drawback of the TCP connect() scan: being detected by IDSes and firewalls. Recall what the basics of TCP/IP say about the 3-way handshake:

 To initiate a TCP connection, the initiating system sends a SYN packet to the destination, which will respond with a SYN of its own, and an ACK, acknowledging the receipt of the first packet (these are combined into a single SYN/ACK packet). The first system then sends an ACK packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.

SYN or Stealth scanning makes use of this procedure by sending a SYN packet and looking at the response. If SYN/ACK is sent back, the port is open and the remote end is trying to open a TCP connection. The scanner then sends an RST to tear down the connection before it can be established fully; often preventing the connection attempt appearing in application logs. If the port is closed, an RST will be sent. If it is filtered, the SYN packet will have been dropped and no response will be sent. In this way, Nmap can detect three port states - open, closed and filtered. Filtered ports may require further probing since they could be subject to firewall rules which render them open to some IPs or conditions, and closed to others.

Modern firewalls and Intrusion Detection Systems can detect SYN scans, but in combination with other features of Nmap, it is possible to create a virtually undetectable SYN scan by altering timing and other options.


FIN, Null and Xmas Tree Scans [-sF, -sN, -sX] :

With the multitude of modern firewalls and IDSes now looking out for SYN scans, these three scan types may be useful to varying degrees. Each scan type refers to the flags set in the TCP header. The idea behind these types of scans is that a closed port should respond with an RST upon receiving such packets, whereas an open port should just drop them (it is listening for packets with SYN set). This way, you never make even part of a connection, and never send a SYN packet, which is what most IDSes look out for.

The FIN scan sends a packet with only the FIN flag set, the Xmas Tree scan sets the FIN, URG and PUSH flags (see a good TCP/IP book for more details) and the Null scan sends a packet with no flags switched on.

These scan types will work against any system whose TCP/IP implementation follows RFC 793. Microsoft Windows does not follow the RFC, and will ignore these packets even on closed ports. This technicality allows you to detect an MS Windows system by running a SYN scan along with one of these scans. If the SYN scan shows open ports, and the FIN/Null/Xmas scan does not, chances are you're looking at a Windows box (though OS Fingerprinting is a much more reliable way of determining the OS running on a target!).

Ping Scan [-sP] :

This scan type lists the hosts within the specified range that responded to a ping. It allows you to detect which computers are online, rather than which ports are open. Four methods exist within Nmap for ping sweeping.

The first method sends an ICMP ECHO REQUEST (ping request) packet to the destination system. If an ICMP ECHO REPLY is received, the system is up, and ICMP packets are not blocked. If there is no response to the ICMP ping, Nmap will try a "TCP Ping", to determine whether ICMP is blocked, or if the host is really not online.

A TCP Ping sends either a SYN or an ACK packet to any port (80 is the default) on the remote system. If RST, or a SYN/ACK, is returned, then the remote system is online. If the remote system does not respond, either it is offline, or the chosen port is filtered, and thus not responding to anything.

When you run an Nmap ping scan as root, the default is to use the ICMP and ACK methods. Non-root users will use the connect() method, which attempts to connect to a machine, waiting for a response, and tearing down the connection as soon as it has been established (similar to the SYN/ACK method for root users, but this one establishes a full TCP connection!)
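From the defender's side, the flag combinations described above (SYN-only for -sS, FIN-only, no flags and FIN/URG/PSH for -sF/-sN/-sX, and bare ACK for the TCP ping) are exactly what a detector looks for. The following is an added example, not part of the original text or of Nmap itself: it classifies each probe by its TCP flags and flags any source that touches many distinct ports on one host. The log format and addresses are constructed for illustration.

```python
"""Classify Nmap-style TCP probes by flag combination and flag probable
port scans.  Added example; the log format below is constructed."""
from collections import defaultdict

# Flag string (sorted letters) -> probe type, following the section:
# S only = SYN scan, F only = FIN scan, no flags = Null scan,
# F+P+U = Xmas scan, A only = ACK-based TCP ping.
PROBE_TYPES = {"S": "syn", "F": "fin", "": "null", "FPU": "xmas", "A": "ack-ping"}

# Constructed packet log: "src dst dport flags" ("-" means no flags set).
SAMPLE_LOG = [
    "10.0.0.5 10.0.0.20 21 S", "10.0.0.5 10.0.0.20 22 S",
    "10.0.0.5 10.0.0.20 23 S", "10.0.0.5 10.0.0.20 25 S",
    "10.0.0.5 10.0.0.20 80 S", "10.0.0.5 10.0.0.20 443 S",
    "10.0.0.20 10.0.0.5 22 SA",          # reply to an open port, not a probe
    "10.0.0.5 10.0.0.20 22 R",           # scanner tears the half-open connection down
    "10.0.0.9 10.0.0.20 22 FPU", "10.0.0.9 10.0.0.20 80 UPF",
    "10.0.0.9 10.0.0.20 443 FPU", "10.0.0.9 10.0.0.20 3306 FPU",
    "10.0.0.9 10.0.0.20 8080 FPU",
    "10.0.0.7 10.0.0.20 443 S", "10.0.0.7 10.0.0.20 443 PA",  # ordinary client
]


def probe_type(flags):
    """Return the probe type for a TCP flag string, or None for ordinary
    traffic such as SYN/ACK, PSH/ACK or RST."""
    return PROBE_TYPES.get("".join(sorted(flags)))


def parse_line(line):
    src, dst, dport, flags = line.split()
    return src, dst, int(dport), "" if flags == "-" else flags


def detect_scans(lines, min_ports=5):
    """Group probe packets by (src, dst, probe type) and return those that
    touched at least min_ports distinct ports: the signature of a port scan
    regardless of which flag combination the scanner chose."""
    touched = defaultdict(set)
    for line in lines:
        src, dst, dport, flags = parse_line(line)
        kind = probe_type(flags)
        if kind is None:
            continue  # replies and established-connection traffic
        touched[(src, dst, kind)].add(dport)
    return {key: sorted(ports) for key, ports in touched.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for (src, dst, kind), ports in detect_scans(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {kind} scan of ports {ports}")
```

The ordinary client touching a single port is not reported; the threshold and a time window are the knobs a real detector would tune.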

So these were the most common scanning modes of Nmap. There are some more, which won't be used that often:

FIN, Null and Xmas Tree Scans [-sF, -sN, -sX]
Ping Scan [-sP]
UDP Scan [-sU]
Version Detection [-sV]

When performing port scans, you'll be shown various port states, which are Open, Closed, Filtered and Unfiltered.

Open : An application on the target machine is listening for incoming connections/packets on that port.

Filtered : A firewall or other network obstacle is blocking the port scan, so Nmap isn’t able to determine whether the particular port is open or closed.

Closed : No applications are listening on that port for incoming connections.

Apart from Nmap, there exist some other efficient port scanners too, such as Unicornscan and Amap.

To install Unicornscan,

root@root:~# apt-get install unicornscan

You need to set up your Framework3 PostgreSQL server for the database end of Unicornscan. You can download a script to automate the process from http://code.google.com/p/unicornscan-bt5-install-script/
Legality of using Port Scanners

Port scanners have been the subject of controversy a number of times regarding their legality. Port scanning may be treated as a crime if it is performed with the intent of breaking into someone else's system.

Here are some of the cases involving port scanning:

In June 2003, an Israeli, Avi Mizrahi, was accused by the Israeli Police of the offense of attempting the unauthorized access of computer material. He had port scanned the Mossad website. He was acquitted of all charges on February 29, 2004. The judge ruled that these kinds of actions should not be discouraged when they are performed in a positive way.[12]

A 17-year old Finn was accused of attempted computer break-in by a major Finnish bank. On April 9, 2003, he was convicted of the charge by the Supreme Court and ordered to pay US$ 12,000 for the expense of the forensic analysis made by the bank. In 1998, he had port scanned the bank network in an attempt to access the closed network, but failed to do so.[13]

In December 1999, Scott Moulton was arrested by the FBI and accused of attempted computer trespassing under Georgia's Computer Systems Protection Act and the US Computer Fraud and Abuse Act. At this time, his IT service company had an ongoing contract with Cherokee County, Georgia, to maintain and upgrade the 911 center security. He performed several port scans on Cherokee County servers to check their security and eventually port scanned a web server monitored by another IT company, provoking a tiff which ended up in a tribunal. He was acquitted in 2000, the judge ruling there was no damage impairing the integrity and availability of the network.[14]

So, it is best to perform port scans only on networks you own or have permission to scan.