Chapter 2: Nmap Scanning Techniques

Nmap includes fifteen separate scanning methods, and each scanning technique has its own characteristics, advantages, and disadvantages. Some of these scanning methods are simple to understand and execute, while others are more complex and require additional information before the scan can begin.

Nearly all of the scans described in this tutorial are demonstrated on an open network without firewalls or packet filters (the ACK scan [-sA] is the only scan run through a firewall in the following examples). These scans are described this way for educational purposes, although it could be argued that a more real-world perspective would include descriptions of how these scans operate in all circumstances. Indeed, few modern networks allow all traffic to flow everywhere.

Each scan description includes excerpts from packet captures taken during the scan. In a normal scan, there are hundreds of packets that are transferred between stations. In the operational descriptions shown in this tutorial, most of the packet decode has been removed to focus on the communications that occur between devices for a single port number. The raw packet trace files are available for download if further investigation is required.

Nmap Scan Summary
This chart summarizes the nmap scans and compares the usability for privileged users. The chart also includes a summary of which scans identify TCP ports, and which identify UDP ports.