Network scanning techniques


This paper illustrates about network scanning techniques and later numerous port scanning techniques. Next report is about two scanning methods as mentioned in the paper Nmap TCP Maimon scan and Nmap TCP ACK scan. After that analysis and examples to show how TCP/IP network scanning function.


Nmap is a security scanner first written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). Nmap is a "Network Mapper", used to determine computers and services on a computer network, thus creating a "map" of the network. Just like many simple port scanners, Nmap is capable of services on a network despite the fact that such services aren't advertising themselves with a service discovery protocol. In addition Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even vendor of the remote network card.

Nmap runs on Linux, Microsoft Windows, Solaris, and BSD (including Mac OS X), and also on AmigaOS. Linux is the most popular nmap platform and Windows the second most popular.

Nmap is a free, open-source port scanner available for both UNIX and Windows. It has an optional graphical front-end, NmapFE, and supports a wide variety of scan types, each one with different benefits and drawbacks.

This article describes some of these scan types, explaining their relative benefits and just how they actually work. It also offers tips about which types of scan would be best against which types of host .The article assumes how Nmap installed (It knows how to install it. Instructions are available on the Nmap website, ), and required privileges to run the scans detailed (many scans require root or Administrator privileges).

Port Scanning Techniques

The art of port scanning is similar. Experts understand the dozens of scan techniques and choose the appropriate one (or combination) for a given task. Inexperienced users and script kiddies,on the other hand, try to solve every problem with the default SYN scan. Since Nmap is free, the only barrier to port scanning mastery is knowledge. That certainly beats the automotive world, where it may take great skill to determine that you need a strut spring compressor, then you still have to pay thousands of dollars for it.

Most of the scan types are only available to privileged users.This is because they send and receive raw packets,which requires root access on UNIX systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform WinPcap has already been loaded into the OS. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have always-on direct Internet access, and desktop UNIX systems (including Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible.

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines (or firewalls in front of them). Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond as they should to Nmap probes. FIN, NULL, and Xmas scans are particularly susceptible to this problem. Such issues are specific to certain scan types and so are discussed in the individual scan type entries.

This section documents the dozen or so port scan techniques supported by Nmap. Only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY,-sZ) may be combined with any one of the TCP scan types. As a memory aid, port scan type options are of the form-s, whereis a prominent character in the scan name, usually the first. The one exception to this is the deprecated FTP bounce scan (-b). By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix) or if IPv6 targets were specified. Of the scans listed in this section, unprivileged users can only execute connect and FTP bounce scans.

-sS(TCP SYN scan)

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between theopen,closed, andfilteredstates.

This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.

The sample below shows a SYN scan and a FIN scan, performed against a Linux system. The results are, predictably, the same, but the FIN scan is lesslikely to show up in a logging system.

  1. [chaos]# nmap -sS
  2. Starting Nmap 4.01 at 2006-07-06 17:23 BST
  3. Interesting ports on chaos (
  4. (The 1668 ports scanned but not shown below are in state: closed)
  6. 21/tcp open ftp
  7. 22/tcp open ssh
  8. 631/tcp open ipp
  9. 6000/tcp open X11
  10. Nmap finished: 1 IP address (1 host up) scanned in 0.207
  11. seconds
  12. [chaos]# nmap -sF
  13. Starting Nmap 4.01 at 2006-07-06 17:23 BST
  14. Interesting ports on chaos (
  15. (The 1668 ports scanned but not shown below are in state:
  16. closed)
  18. 21/tcp open|filtered ftp
  19. 22/tcp open|filtered ssh
  20. 631/tcp open|filtered ipp
  21. 6000/tcp open|filtered X11
  22. Nmap finished: 1 IP address (1 host up) scanned in 1.284
  23. seconds

-sT(TCP connect scan)

TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing theconnectsystem call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

When SYN scan is available, it is usually a better choice. Nmap has less control over the high levelconnectcall than with raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such alarm system. Many services on your average UNIX system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been connect scanned.

-sU(UDP scans)

While most popular services on the Internet run over the TCP protocol,UDPservices are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports.

UDP scan is activated with the-sUoption. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent, but for most ports the packet is empty.The--data-lengthoption can be used to send a fixed-length random payload to every port. If an ICMP port unreachable error (type 3, code 3) is returned, the port isclosed. Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13) mark the port asfiltered. Occasionally, a service will respond with a UDP packet, proving that it isopen. If no response is received after retransmissions, the port is classified asopen|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.

A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send any response, leaving Nmap to time out and then conduct retransmissions just in case the probe or response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN or connect scan, many hosts rate limitICMP port unreachable messages by default. Linux and Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits destination unreachable messages to one per second (innet/ipv4/icmp.c).

Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop. Unfortunately, a Linux-style limit of one packet per second makes a 65,536-port scan take more than 18 hours. Ideas for speeding your UDP scans up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using--host-timeoutto skip slow hosts.

-sY(SCTP INIT scan)

SCTPis a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming. It is mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well. SCTP INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear, reliable differentiation between theopen,closed, andfilteredstates.

This technique is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you are going to open a real association and then wait for a response. An INIT-ACK chunk indicates the port is listening (open), while an ABORT chunk is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.

-sN;-sF;-sX(TCP NULL, FIN, and Xmas scans)

These three scan types (even more are possible with the--scanflagsoption described in the next section) exploit a subtle loophole in theTCP RFCto differentiate betweenopenand closedports. Page 65 of RFC 793 says that "if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response." Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: "you are unlikely to get here, but if you do, drop the segment, and return."

When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK. Nmap exploits this with three scan types:

Null scan (-sN)

Does not set any bits (TCP flag header is 0)

FIN scan (-sF)

Sets just the TCP FIN bit.

Xmas scan (-sX)

Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. If a RST packet is received, the port is consideredclosed, while no response means it isopen|filtered. The port is markedfilteredif an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.

The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even a SYN scan. Don't count on this though—most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeledclosed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems though. Another downside of these scans is that they can't distinguishopenports from certainfilteredones, leaving with the responseopen|filtered.

-sA(TCP ACK scan)

This scan is different than the others discussed so far in that it never determinesopen(or evenopen|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

The ACK scan probe packet has only the ACK flag set (unless you use--scanflags). When scanning unfiltered systems,openandclosedports will both return a RST packet. Nmap then labels them asunfiltered, meaning that they are reachable by the ACK packet, but whether they areopenorclosedis undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 1, 2, 3, 9, 10, or 13), are labeledfiltered.

-sW(TCP Window scan)

Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printingunfilteredwhen a RST is returned. It does this by examining the TCP Window field of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window. So instead of always listing a port asunfilteredwhen it receives a RST back, Window scan lists the port asopenorclosedif the TCP Window value in that reset is positive or zero, respectively.

This scan relies on an implementation detail of a minority of systems out on the Internet, so you can't always trust it. Systems that don't support it will usually return all portsclosed. Of course, it is possible that the machine really has no open ports. If most scanned ports areclosedbut a few common port numbers (such as 22, 25, 53) arefiltered, the system is most likely susceptible. Occasionally, systems will even show the exact opposite behavior. If your scan shows 1000 open ports and three closed or filtered ports, then those three may very well be the truly open ones.

-sM(TCP Maimon scan)

The Maimon scan is named after its discoverer, Uriel Maimon.He described the technique inPhrackMagazine issue #49 (November 1996).Nmap, which included this technique, was released two issues later. This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK. According toRFC 793(TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open.

-scanflags(Custom TCP scan)

Truly advanced Nmap users need not limit themselves to the canned scan types offered. The--scanflagsoption allows you to design your own scan by specifying arbitrary TCP flags.Let your creative juices flow, while evading intrusion detection systemswhose vendors simply paged through the Nmap man page adding specific rules!

The--scanflagsargument can be a numerical flag value such as 9 (PSH and FIN), but using symbolic names is easier. Just mash together any combination of URG,ACK,PSH,RST,SYN, and FIN.

For example,--scanflags URGACKPSHRSTSYNFINsets everything, though it's not very useful for scanning. The order these are specified in is irrelevant.

In addition to specifying the desired flags, you can specify a TCP scan type (such as-sAor-sF). That base type tells Nmap how to interpret responses. For example, a SYN scan considers no-response to indicate afilteredport, while a FIN scan treats the same asopen|filtered. Nmap will behave the same way it does for the base scan type, except that it will use the TCP flags you specify instead. If you don't specify a base type, SYN scan is used.


SCTP COOKIE ECHO scan is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed. The advantage of this scan type is that it is not as obvious a port scan than an INIT scan. Also, there may be non-stateful firewall rulesets blocking INIT chunks, but not COOKIE ECHO chunks. Don't be fooled into thinking that this will make a port scan invisible; a good IDS will be able to detect SCTP COOKIE ECHO scans too. The downside is that SCTP COOKIE ECHO scans cannot differentiate betweenopenandfilteredports, leaving you with the stateopen|filteredin both cases.

-sI<zombie host>[:<probeport>](idle scan)

This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). Full details of this fascinating scan type are inthe section called "TCP Idle Scan (-sI)".

Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust relationships between machines. The port listing shows open portsfrom the perspective of the zombie host.So you can try scanning a target using various zombies that you think might be trusted(via router/packet filter rules).

You can add a colon followed by a port number to the zombie host if you wish to probe a particular port on the zombie for IP ID changes. Otherwise Nmap will use the port it uses by default for TCP pings (80).

-sO(IP protocol scan)

IP protocol scan allows to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. Yet it still uses the-poption to select scanned protocol numbers, reports its results within the normal port table format, and even uses the same underlying scan engine as the true port scanning methods. So it is close enough to a port scan that it belongs here.

Besides being useful in its own right, protocol scan demonstrates the power of open-source software. While the fundamental idea is pretty simple, I had not thought to add it nor received any requests for such functionality. Then in the summer of 2000, Gerhard Riegerconceived the idea, wrote an excellent patch implementing it, and sent it to thenmap-hackersmailing list.I incorporated that patch into the Nmap tree and released a new version the next day. Few pieces of commercial software have users enthusiastic enough to design and contribute their own improvements!

Protocol scan works in a similar fashion to UDP scan. Instead of iterating through the port number field of a UDP packet, it sends IP packet headers and iterates through the eight-bit IP protocol field. The headers are usually empty, containing no data and not even the proper header for the claimed protocol. The exceptions are TCP, UDP, ICMP, SCTP, and IGMP. A proper protocol header for those is included since some systems won't send them otherwise and because Nmap already has functions to create them. Instead of watching for ICMP port unreachable messages, protocol scan is on the lookout for ICMPprotocolunreachable messages. If Nmap receives any response in any protocol from the target host, Nmap marks that protocol asopen. An ICMP protocol unreachable error (type 3, code 2) causes the protocol to be marked asclosedOther ICMP unreachable errors (type 3, code 1, 3, 9, 10, or 13) cause the protocol to be markedfiltered(though they prove that ICMP isopenat the same time). If no response is received after retransmissions, the protocol is markedopen|filtered

-b<FTP relay host>(FTP bounce scan)

An interesting feature of the FTP protocol (RFC 959) is support for so-called proxy FTP connections. This allows a user to connect to one FTP server, then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it. One of the abuses this feature allows is causing the FTP server to port scan other hosts. Simply ask the FTP server to send a file to each interesting port of a target host in turn. The error message will describe whether the port is open or not. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would. Nmap supports FTP bounce scan with the-boption. It takes an argument of the the name or IP address of a vulnerable FTP server. As with a normal URL, you may omit:, in which case anonymous login credentials (user:anonymouspassword:-wwwuser@) are used. The port number (and preceding colon) may be omitted as well, in which case the default FTP port (21) onis used.

This vulnerability was widespread in 1997 when Nmap was released, but has largely been fixed. Vulnerable servers are still around, so it is worth trying when all else fails. If bypassing a firewall is your goal, scan the target network for open port 21 (or even for any FTP services if you scan all ports with version detection), then try a bounce scan using each. Nmap will tell you whether the host is vulnerable or not. If you are just trying to cover your tracks, you don't need to (and, in fact, shouldn't) limit yourself to hosts on the target network. Before you go scanning random Internet addresses for vulnerable FTP servers, consider that sysadmins may not appreciate you abusing their servers in this way.

This scan type also falls victim to the ICMP limiting rate described in the UDP scans section, however since only 256 protocols are possible (8-bit field for IP protocol in the IP header) it should not take too long.

Installing NMAP

NMAP is an open source application and may be downloaded for free Installation is straight forward. To install on Windows using the executable package:

  1. Double click the installer file
  2. Click the 'I Agree' button to accept the licensing terms
  3. Accept the defaults on the Choose Components dialog box. Click the 'Next' button.
  4. Choose an installation directory (or accept the default). Click the 'Install' button.
  5. Installation of NMAP will proceed.
  6. Winpcap is required component of NMAP. Its installation will start during the install if NMAP. Read the license agreement and click the 'I Agree' button.
  7. Select an installation directory (or accept the default). Click the 'Install' button.
  8. The installation of Winpcap will now proceed. Click the 'Close' button on the Winpcap completed dialog box.
  9. Click the 'Close' button on the NMAP completed dialog box.

ACK Scan [-sA]

Usually used to map firewall rule sets and distinguish between stateful and stateless firewalls, this scan type sends ACK packets to a host. If an RST comes back, the port is classified "unfiltered" (that is, it was allowed to send its RST through whatever firewall was in place). If nothing comes back, the port is said to be "filtered". That is, the firewall prevented the RST coming back from the port.

This scan type can help determine if a firewall is stateless (just blocks incoming SYN packets) or stateful (tracks connections and also blocks unsolicited ACK packets).

Note that an ACK scan will never show ports in the "open" state, and so it should be used in conjunction with another scan type to gain more information about firewalls or packet filters between yourself and the victim.

ACK Scan operation

An ACK scan operates by sending a TCP ACK frame to a remote port. If there are no responses or an ICMP destination unreachable message is returned, then the port is considered to be "filtered"

Advantages of the ACK Scan

Since the ACK scan doesn't open any application sessions, the conversation between nmap and the remote device is relatively simple. This scan of a single port is unobtrusive and almost invisible when combined with the other network traffic.

Disadvantages of the ACK Scan

The ACK scan's simplicity is also its largest disadvantage. Because it never tries to connect to a remote device, it can never definitively identify an open port.

When to use the ACK Scan

Although the ACK scan doesn't identify open ports, it does a masterful job of identifying ports that are filtered through a firewall. This list of filtered and unfiltered port numbers is useful as reconnaissance for a more detailed scan that focuses on specific port numbers.


# nmap -A -T4 playground

Starting nmap ( )

Interesting ports on (

(The 1663 ports scanned but not shown below are in state: filtered)


22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)

53/tcp open domain

70/tcp closed gopher

80/tcp open http Apache httpd 2.0.52 ((Fedora))

113/tcp closed auth

Device type: general purpose

Running: Linux 2.4.X|2.5.X|2.6.X

OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11

Uptime 33.908 days (since Thu Jul 21 03:38:03 2005)

Interesting ports on (

(The 1659 ports scanned but not shown below are in state: closed)


135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn

389/tcp open ldap?

445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds

1002/tcp open windows-icfw?

1025/tcp open msrpc Microsoft Windows RPC

1720/tcp open H.323/Q.931 CompTek AquaGateKeeper

5800/tcp open vnc-http RealVNC 4.0 (Resolution 400x250; VNC TCP port: 5900)

5900/tcp open vnc VNC (protocol 3.8)

MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)

Device type: general purpose

Running: Microsoft Windows NT/2K/XP

OS details: Microsoft Windows XP Pro RC1+ through final release

Service Info: OSs: Windows, Windows XP

Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds

T.C.P connect scan


sudo nmap -sT -p 80

Starting Nmap 4.53 ( ) at 2009-03-03 10:24 IST

Interesting ports on


80/tcp closed http

MAC Address: 00:1B:38:7D:84:A4 (Compal Information (kunshan) CO.)

Nmap done: 1 IP address (1 host up) scanned in 0.601 seconds

Ex:- nmap -sT -p 1433-1435.

NMAP Example Scan 1

This is a scan of all port (running Windows XP sp2) from a Windows Server 2003 sp1 machine. Each of the interfaces on my laptop are fire walled. NMAP is using a SYN scan, so it reports that all ports scanned are filtered.

Options used: -v for increased verbosity -A for os and software version detection -p1-65535 to set the range of ports to scan Notice that this scan took almost an hour to scan all ports on one host. This scan would take considerably longer if a TCP connect scan were used. Also notice that at least one open and one closed port are required in order for OS version detection to work reliably.

Finally, '-vv' may be used for even more detailed output reporting.

C:'Documents and Settings 'Administrator>Nmap -v -A -p1-65535

Starting Nmap 4.20 ( ) at 2007-04-23 22:04 Central America Standard Time

Initiating ARP Ping Scan at 22:04

Scanning [1 port]

Completed ARP Ping Scan at 22:04, 0.17s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 22:04

Completed Parallel DNS resolution of 1 host. at 22:04, 0.03s elapsed

Initiating SYN Stealth Scan at 22:04

Scanning [65535 ports]

SYN Stealth Scan Timing: About 2.04% done; ETC: 22:29 (0:23:58 remaining)

SYN Stealth Scan Timing: About 58.48% done; ETC: 22:46 (0:17:26 remaining)

SYN Stealth Scan Timing: About 88.44% done; ETC: 22:52 (0:05:29 remaining)

SYN Stealth Scan Timing: About 96.95% done; ETC: 22:54 (0:01:30 remaining)

Completed SYN Stealth Scan at 22:54, 2951.77s elapsed (65535 total ports)

Initiating Service scan at 22:54

Warning: OS detection for will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port

Initiating OS detection (try #1) against

Host appears to be up ... good.

All 65535 scanned ports on are filtered

MAC Address: 00:16:41:17:9D:B1 (USI)

Too many fingerprints match this host to give specific OS details

Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http:


Nmap finished: 1 IP address (1 host up) scanned in 2976.652 seconds

Raw packets sent: 131095 (5.770MB) | Rcvd: 1 (42B).


The above document explains briefly about Nmap about network scanning techniques and later numerous port scanning techniques.

If an attacker accepts the risk of being detected, he would find our open ports. The next step would be to try and attack the services being publishing with the firewall. For this job the attacker will use vulnerability scanning tools like retina, nikto, etc., but this is not the objective of this article.

Your firewall could be secure, but if you publish an NT 4 server with an IIS 5 web site, be sure that your network is not secure. You must secure all your servers and services, especially the published ones.

In the next part of this article we'll see how ISA Server reacts to attacks coming from the internal network, like ARP poisoning, spoofing and man in the middle attacks.



  1. Douglas E. Comer, Internetworking with TCP/IP: Volume 1 - Principles, Protocols and Architecture, 3rd Edition, Prentice Hall, 1995, ISBN 0-13-216987-8.
  2. William Stallings, Network and Internet Security: Principles and Practice, IEEE Computer Press, 1995, ISBN 0-02-425483-0.
  3. Dan Farmer and Wietse Venema, Internet Security, Addison Wesley Longman, 1996, ISBN 0-201-63497-X
  4. Chris McNab, Network Security Assessment: Know Your Network, Second Edition, O'Reilly, 2007, ISBN: 0-596-51030-6.
  5. Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed, 4th Edition, Osborne, 2003, ISBN 0-07-222742-2
  6. Websites:

  7. Nmap is available at
  8. Nmap Guide is available at
  9. Port Scanning technique is available at
  10. Installation and usage of Nmap is available at
  11. ACK Scan is available at
  12. TCP/IP Examples is available at

Please be aware that the free essay that you were just reading was not written by us. This essay, and all of the others available to view on the website, were provided to us by students in exchange for services that we offer. This relationship helps our students to get an even better deal while also contributing to the biggest free essay resource in the UK!