Nmap Options Study Notes

Most of the scan types are only available to privileged users. This is because they send and receive raw packets, which requires root access on Unix systems.

Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when Npcap has already been loaded into the OS. Npcap is a network packet capture and injection driver used by Nmap on Windows.

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines (or firewalls in front of them). Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap, so treat a scan result as evidence, not proof.

The simple command nmap <target> performs host discovery and then scans the 1,000 most commonly used TCP ports on the host target.


Nmap Port States

Nmap divides ports into six states:

1. Open

An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port.

Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack.


2. Closed

The port is reachable (it receives and answers Nmap's probe packets), but no application is listening on it. Because it answers, a closed port helps confirm the host is alive and assists OS detection.

It may be worth rescanning closed ports later in case some of them open up.


3. Filtered

Nmap cannot determine whether the port is open or closed because packet filtering prevents its probes from reaching the port.

The filtering could be from a dedicated firewall device, router rules, or host-based firewall software.

Some filters respond with an ICMP error message such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common.

A dropped probe forces Nmap to retransmit several times in case the packet was lost to network congestion rather than a filter, so heavily filtered hosts slow the scan down dramatically.


4. Unfiltered

The port is reachable and nothing is blocking the traffic (so it is not filtered), but Nmap cannot determine whether it is open or closed because the response it gets back does not distinguish the two.

Only the ACK scan (-sA) classifies ports into this state. An ACK probe elicits a RST from both open and closed ports, which is why the ACK scan can only tell filtered from unfiltered: it is not meant to find open services but to map firewall rulesets. Scanning unfiltered ports with another scan type, such as SYN or Window scan, may resolve whether they are open.


5. Open|Filtered

Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response.

The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.


6. Closed|Filtered

This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.
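The states above are what Nmap writes into its output files, so a practical way to work with them is to parse a scan result and group ports by state. The following is an added example, not part of the original notes and not Nmap's own code: it reads Nmap's XML output format (-oX), which records each port's state together with the reason (the probe response that produced it) and collapses ports sharing one state into an <extraports> element. The XML document embedded below is constructed to look like a SYN scan of a single host; the address 192.0.2.10 and the port list are invented sample data.

```python
# Added example: summarise port states from Nmap XML output (-oX).
# The XML is constructed sample data, not a real scan. Element and
# attribute names follow Nmap's XML output (host/ports/port/state,
# with the state and reason attributes, plus extraports/extrareasons).
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS 192.0.2.10" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="995">
        <extrareasons reason="resets" count="995"/>
      </extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/><service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="filtered" reason="admin-prohibited" reason_ttl="63"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="3306"><state state="closed" reason="reset" reason_ttl="64"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# The six states Nmap can report, including the two undecided combinations.
SIX_STATES = {"open", "closed", "filtered", "unfiltered",
              "open|filtered", "closed|filtered"}


def parse_ports(xml_text):
    """Return (addr, protocol, port, state, reason) for every port listed
    individually. Ports folded into <extraports> carry no port number, so
    they are handled separately by count_states()."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            st = port.find("state")
            state = st.get("state")
            if state not in SIX_STATES:
                raise ValueError(f"unexpected port state {state!r}")
            rows.append((addr, port.get("protocol"), int(port.get("portid")),
                         state, st.get("reason")))
    return rows


def count_states(xml_text):
    """Count ports per state, adding the collapsed <extraports> totals so
    the numbers add up to the full number of ports scanned."""
    counts = defaultdict(int)
    for _, _, _, state, _ in parse_ports(xml_text):
        counts[state] += 1
    root = ET.fromstring(xml_text)
    for extra in root.iter("extraports"):
        counts[extra.get("state")] += int(extra.get("count"))
    return dict(counts)


def open_ports(xml_text):
    """Ports worth following up (e.g. with -sV): open and open|filtered,
    returned as (port, state, reason) sorted by port number."""
    return sorted((p, s, r) for _, _, p, s, r in parse_ports(xml_text)
                  if s in ("open", "open|filtered"))


if __name__ == "__main__":
    for row in parse_ports(SAMPLE_XML):
        print(row)
    print(count_states(SAMPLE_XML))
    print(open_ports(SAMPLE_XML))
```

The reason attribute is the link between the port-state table and the scan types that follow: syn-ack and reset are the SYN-scan responses that yield open and closed, while no-response and admin-prohibited both end up as filtered. Keeping the <extraports> count in the totals matters because Nmap omits the 995 closed ports from the per-port list, and a parser that ignores them under-reports what was actually scanned.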


-sS (TCP SYN scan)

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections.

This technique is often referred to as half-open scanning, because you don’t open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response.

Normally, a full TCP connection is:

  • SYN: client starts the connection
  • SYN/ACK: server responds
  • ACK: client completes the connection

SYN scan stops after step 2, so the connection is never fully established.

  • SYN/ACK response indicates the port is listening (open)
  • RST (reset) response is indicative of a non-listener (closed)

If no response is received after several retransmissions, the port is marked as filtered.

The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received.

The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection.
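The response rules above amount to a small decision procedure, including the retransmission loop that separates a dropped probe from a slow one. The following is an added example, not part of the original notes and not Nmap's own code: it applies those rules to simulated responses rather than sending packets. The "targets" at the bottom are constructed functions standing in for a remote host, and the retry count of three is an assumption chosen for the demo, not Nmap's actual retransmission policy, which it tunes from observed network conditions.

```python
# Added example: the SYN-scan classification rules applied to simulated
# responses. Nothing is sent on the wire; each "target" below is a
# constructed function returning what the wire would carry. max_tries=3
# is an assumption for illustration, not Nmap's real retransmit limit.
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# ICMP type 3 (destination unreachable) codes that mark a port filtered.
FILTERED_UNREACH_CODES = {0, 1, 2, 3, 9, 10, 13}


@dataclass
class Reply:
    kind: str            # "tcp" or "icmp"
    tcp_flags: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def classify_reply(reply: Optional[Reply]) -> Optional[str]:
    """Map one response to a port state, or None if still undecided."""
    if reply is None:
        return None                      # nothing came back: probe again
    if reply.kind == "tcp":
        if reply.tcp_flags & SYN and reply.tcp_flags & ACK:
            return "open"                # SYN/ACK: a listener answered
        if reply.tcp_flags & RST:
            return "closed"              # RST: nothing listening
        if reply.tcp_flags & SYN:
            return "open"                # bare SYN: simultaneous open
        return None                      # anything else is ignored
    if (reply.kind == "icmp" and reply.icmp_type == 3
            and reply.icmp_code in FILTERED_UNREACH_CODES):
        return "filtered"                # an intermediate device said no
    return None


def syn_scan_port(send_probe, max_tries=3):
    """Probe until a verdict. send_probe(attempt) returns the reply for that
    attempt (None for no reply). After max_tries without a decisive reply
    the port is filtered. Returns (state, probes_sent)."""
    for attempt in range(1, max_tries + 1):
        state = classify_reply(send_probe(attempt))
        if state is not None:
            return state, attempt
    return "filtered", max_tries


# Constructed targets standing in for the remote host.
def open_port(attempt):
    return Reply("tcp", tcp_flags=SYN | ACK)

def closed_port(attempt):
    return Reply("tcp", tcp_flags=RST | ACK)

def dropped(attempt):
    return None                          # a firewall silently drops probes

def prohibited(attempt):
    return Reply("icmp", icmp_type=3, icmp_code=13)

def lossy_closed(attempt):
    # First two probes lost to congestion, third gets the RST through.
    return None if attempt < 3 else Reply("tcp", tcp_flags=RST | ACK)

def split_handshake(attempt):
    return Reply("tcp", tcp_flags=SYN)   # the rare simultaneous-open case


if __name__ == "__main__":
    for name, target in [("open", open_port), ("closed", closed_port),
                         ("dropped", dropped), ("prohibited", prohibited),
                         ("lossy closed", lossy_closed),
                         ("split handshake", split_handshake)]:
        print(f"{name:16s} -> {syn_scan_port(target)}")
```

The lossy_closed target is the case the notes warn about: without retransmissions it would be misreported as filtered, and the cost of getting it right is the extra probes that make scans of heavily filtered hosts slow.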


-sT (TCP connect scan)

TCP connect scan is the default TCP scan type when SYN scan is not an option, usually because the user lacks the raw-packet privileges (root or Administrator) it requires. Instead of crafting packets itself, Nmap asks the operating system to establish each connection through the connect system call.

It is part of the Berkeley Sockets API, which is the standard interface programs use to create network connections.

  • If the connection succeeds, port is open
  • If the connection is refused, port is closed
  • If it cannot be reached (timeout/firewall), port is filtered

SYN scan is usually a better choice. Nmap has less control over the high level connect call than with raw packets. The system call completes connections to open target ports rather than performing the half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message when Nmap connects and then closes the connection without sending data.
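Because connect scan uses the same sockets API any program uses, a minimal version fits in a few lines and shows exactly what the three outcomes above look like at the API level. The following is an added example, not part of the original notes and not Nmap's code: it classifies a port from the result of connect(), and its demo() starts a listener on an ephemeral loopback port so the open and closed cases can be exercised offline. Scanning loopback only is a choice for the demo; the timeout values are assumptions.

```python
# Added example: a minimal TCP connect() scanner using the Berkeley
# sockets API, the same call Nmap's -sT relies on. Scans loopback only
# and creates its own listener so it runs offline. Not Nmap's code.
import errno
import socket


def connect_scan(host, port, timeout=1.0):
    """Classify one port with connect(): open / closed / filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        err = s.connect_ex((host, port))  # errno instead of an exception
    except socket.timeout:
        return "filtered"                 # no SYN/ACK and no RST: dropped
    finally:
        s.close()  # full handshake then close: the server can log this
    if err == 0:
        return "open"                     # three-way handshake completed
    if err == errno.ECONNREFUSED:
        return "closed"                   # the kernel received a RST
    if err in (errno.EAGAIN, errno.EWOULDBLOCK, errno.ETIMEDOUT,
               errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"                 # timed out or unreachable
    return f"unknown({errno.errorcode.get(err, err)})"


def scan_ports(host, ports, timeout=1.0):
    """Scan several ports and return {port: state}."""
    return {p: connect_scan(host, p, timeout) for p in ports}


def demo():
    """Listen on an ephemeral loopback port (open), find a free port with
    nothing behind it (closed), and scan both. Returns {"open": state,
    "closed": state}."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)                    # kernel completes handshakes
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                         # nothing listens here now

    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port])
        return {"open": results[open_port], "closed": results[closed_port]}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

Note that the open case completes the handshake even though demo() never calls accept(): the kernel finishes the connection into the listen backlog on the server's behalf, which is exactly why a connect scan leaves a completed-then-closed connection for the service to log, whereas a SYN scan resets before the application ever hears about it.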