
Penetration Testing: Techniques Of Scanning By Nmap In Kali Linux

Penetration Testing: Phase 2 - Scanning: Part 2


In Nmap the “-s” (lowercase s) prefix is used to specify which type of scan should be launched against the target defined in the scan command. Choosing the scan type can help the penetration tester evade some host and network security systems, for example IDS/IPS and firewalls.

Half Open/Stealth Scan (-sS)

The stealth scan is the default type of scan Nmap uses when no scan option is given. In this type of scan the pentester’s machine sends a SYN packet to the target machine. The target machine replies with a SYN/ACK packet, and the attacker then sends an RST packet instead of the ACK (acknowledgement) that would complete the handshake. If the port is closed, the target machine sends an RST packet instead of SYN/ACK.



-sT TCP Connect Scan/Full Open Scan

The TCP connect scan is mostly used to gather more information about the target. In this case the attacker sends a SYN packet to the target. If the port is open, the target replies with a SYN/ACK packet, and the attacker completes the three-way handshake by sending a final ACK packet.



-sA Acknowledgement Scan

The acknowledgement scan is used to determine whether a TCP port is filtered or unfiltered. In this scan the attacker sends packets to the target machine with only the ACK (acknowledgement) flag set. An RST (reset) response from the target means the port is unfiltered; no response, or a response with an unreachable error, indicates the port is filtered.


-sX Xmas Scan

In this type of scan the attacker sends a packet with the FIN, PSH and URG flags set. No response from the target indicates the port is open, and an RST (reset) packet from the target indicates the port is closed.


-sF FIN Scan

In this type of scan the attacker sends a packet with only the FIN flag set. No response from the target means the port is open, and an RST/ACK packet from the target indicates the port is closed.


-sN Null Scan

A Null scan sends a packet with no flags set to the target host. No response from the target indicates the port is open; an RST/ACK response indicates the port is closed.

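The TCP scan types above (half-open SYN, full connect, Xmas, FIN and Null) each leave a recognisable pattern on the wire, which is what an IDS keys on. The following Python script is an added example, not code from the original article: it reads a simplified, constructed packet log of the form "src dst dport flags" (flags written with Nmap's own letters, "-" for none), tracks each handshake, and reports sources that reset connections after SYN/ACK instead of acknowledging them (half-open scan), complete many handshakes (connect scan), or send Xmas, FIN or Null probes that no normal stack produces. The log format, the sample addresses and the threshold are assumptions for the example.

```python
"""Spot Nmap-style TCP scan patterns in a packet-flag log (added example).

Assumes a constructed log with one packet per line: "src dst dport flags",
where flags use Nmap's letters (S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG)
and "-" means no flags at all.
"""
from collections import defaultdict

# Constructed sample traffic: 10.0.0.9 runs a half-open (-sS) scan of four
# ports, 10.0.0.7 completes one ordinary handshake, and 10.0.0.3 sends
# Xmas (-sX) and Null (-sN) probes.
SAMPLE_LOG = """\
10.0.0.9 10.0.0.5 22 S
10.0.0.5 10.0.0.9 22 SA
10.0.0.9 10.0.0.5 22 R
10.0.0.9 10.0.0.5 80 S
10.0.0.5 10.0.0.9 80 SA
10.0.0.9 10.0.0.5 80 R
10.0.0.9 10.0.0.5 443 S
10.0.0.5 10.0.0.9 443 R
10.0.0.9 10.0.0.5 25 S
10.0.0.5 10.0.0.9 25 SA
10.0.0.9 10.0.0.5 25 R
10.0.0.7 10.0.0.5 22 S
10.0.0.5 10.0.0.7 22 SA
10.0.0.7 10.0.0.5 22 A
10.0.0.3 10.0.0.5 139 FPU
10.0.0.3 10.0.0.5 445 FPU
10.0.0.3 10.0.0.5 135 -
"""

# Probe kinds that only ever come from scanners; one occurrence is enough to report.
ALWAYS_REPORT = {"xmas", "fin", "null"}


def parse_log(text):
    """Turn the log text into (src, dst, port, flagset) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, flags = line.split()
        events.append((src, dst, int(port), set() if flags == "-" else set(flags)))
    return events


def analyse(events, min_ports=3):
    """Return {scanner_ip: {probe_kind: [ports]}} for suspicious sources."""
    flows = {}                                      # (scanner, target, port) -> handshake state
    probes = defaultdict(lambda: defaultdict(set))  # scanner -> probe kind -> ports
    for src, dst, port, fl in events:
        if fl == {"S"}:                             # client SYN opens a handshake
            flows[(src, dst, port)] = "syn_sent"
            probes[src]["syn_probed"].add(port)
            continue
        if fl == {"S", "A"}:                        # SYN/ACK comes from the target, so dst is the scanner
            key = (dst, src, port)
            if flows.get(key) == "syn_sent":
                flows[key] = "synack_recv"
            continue
        key = (src, dst, port)
        state = flows.get(key)
        if state == "synack_recv" and fl == {"R"}:    # RST instead of ACK: half-open scan (-sS)
            flows[key] = "reset"
            probes[src]["half_open"].add(port)
        elif state == "synack_recv" and fl == {"A"}:  # final ACK: full connect (-sT)
            flows[key] = "established"
            probes[src]["full_connect"].add(port)
        elif fl == {"F", "P", "U"}:                   # Xmas probe (-sX)
            probes[src]["xmas"].add(port)
        elif fl == {"F"} and state is None:           # FIN on a flow that was never opened (-sF)
            probes[src]["fin"].add(port)
        elif not fl:                                  # no flags at all: Null probe (-sN)
            probes[src]["null"].add(port)
    findings = {}
    for src, kinds in probes.items():
        hits = {k: sorted(v) for k, v in kinds.items()
                if k in ALWAYS_REPORT or len(v) >= min_ports}
        if hits:
            findings[src] = hits
    return findings


if __name__ == "__main__":
    for ip, hits in analyse(parse_log(SAMPLE_LOG)).items():
        print(ip, hits)
```

The FIN check only fires on flows with no prior handshake, so a normal connection teardown is not reported; the SYN-based counts need several ports before they are reported, because a single half-open connection is also what a dropped client produces.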

-sU UDP Scan

The UDP scan evaluates the UDP ports on the target system. Unlike TCP port scanning, a UDP scan relies on responses from the target for ports that are closed: a packet sent to an open UDP port usually gets no reply, but if the probe does provoke a UDP response from the target, the tested port is open. If no response is received, the port could be open or could be filtered by a device such as a firewall. Closed UDP ports are recognised by an ICMP response of type 3 (destination unreachable) with code 3 (port unreachable). Finally, ports that are confirmed to be filtered produce an ICMP type 3 response with code 1, 2, 9, 10 or 13, indicating other unreachable errors.

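Each scan type on this page is really a rule for turning the target's reply (SYN/ACK, RST, ICMP unreachable, a UDP datagram, or silence) into a port state. The Python module below is an added example, not code from the original article or from the Nmap project; it encodes those rules for -sS, -sT, -sA, -sX, -sF, -sN and -sU. The response is a small constructed tuple rather than a parsed packet, and the example goes one step beyond the text by reporting the states Nmap actually prints: silence on a FIN, Null, Xmas or UDP probe is "open|filtered", because an open port and a dropped probe look identical, and an ACK scan answers only "unfiltered" or "filtered".

```python
"""Infer the port state Nmap would report from a probe's response (added example).

Not code from the original article or from Nmap. Responses are constructed
tuples:
    ("tcp", "SA")         TCP segment with Nmap flag letters (S, A, R, F, P, U)
    ("udp", b"...")       a UDP datagram came back from the probed port
    ("icmp", type, code)  an ICMP message came back
    None                  nothing came back after the scanner's retransmissions
"""

TCP_SCANS = {"-sS", "-sT", "-sA", "-sX", "-sF", "-sN"}
SILENT_WHEN_OPEN = {"-sX", "-sF", "-sN", "-sU"}   # an open port legitimately stays quiet
# ICMP type 3 (destination unreachable) codes that point at a filtering device
# (code 3, port unreachable, is special-cased for UDP below)
UNREACHABLE_CODES = {1, 2, 3, 9, 10, 13}


def classify(scan, response):
    """Return the Nmap-style state: open, closed, filtered, unfiltered or open|filtered."""
    if scan not in TCP_SCANS and scan != "-sU":
        raise ValueError(f"unknown scan type {scan}")

    if response is None:
        # Silence means "dropped" for SYN, connect and ACK probes, but for the
        # flag-less TCP probes and UDP an open port also answers with silence.
        return "open|filtered" if scan in SILENT_WHEN_OPEN else "filtered"

    kind = response[0]
    if kind == "icmp":
        _, icmp_type, code = response
        if icmp_type == 3 and code in UNREACHABLE_CODES:
            # Port unreachable (3/3) is how a closed UDP port replies;
            # every other unreachable code indicates filtering.
            return "closed" if scan == "-sU" and code == 3 else "filtered"
        raise ValueError(f"unmodelled ICMP {icmp_type}/{code} for {scan}")

    if kind == "udp":
        if scan == "-sU":
            return "open"            # a UDP service answered, so the port is open
        raise ValueError("UDP reply to a TCP probe is not modelled")

    if kind == "tcp":
        flags = set(response[1])
        if scan in ("-sS", "-sT") and flags == {"S", "A"}:
            return "open"            # second step of the handshake
        if scan == "-sA" and "R" in flags:
            return "unfiltered"      # ACK scan only separates filtered from unfiltered
        if "R" in flags:
            return "closed"          # RST answers SYN, FIN, Null and Xmas probes on closed ports
    raise ValueError(f"unmodelled response {response!r} for {scan}")


def scan_report(scan, observations):
    """Map {port: response} to {port: state} for one scan type."""
    return {port: classify(scan, resp) for port, resp in observations.items()}


if __name__ == "__main__":
    # Constructed observations from a UDP scan of four ports
    udp = {53: ("udp", b"\x00\x00"), 123: None, 161: ("icmp", 3, 3), 500: ("icmp", 3, 13)}
    print(scan_report("-sU", udp))
    # Constructed observations from a SYN scan of three ports
    syn = {22: ("tcp", "SA"), 23: ("tcp", "RA"), 8080: None}
    print(scan_report("-sS", syn))
```

Two caveats worth keeping in mind when reading real results: the FIN, Null and Xmas rules depend on the target following RFC 793, so stacks that answer every such probe with RST (Windows and many network devices) show every port as closed; and every scan type here except -sT needs raw sockets, so on Kali they are run as root, while the connect scan works from an unprivileged account because it goes through the OS connect() call.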


About Vijay Kumar

Ethical Hacking & Penetration Testing Trainer.
