ACK Scan (-sA)
Requires Privileged Access: YES
Identifies TCP Ports: YES
Identifies UDP Ports: NO

Nmap's unique ACK scan will never locate an open port. The ACK scan only provides a "filtered" or "unfiltered" disposition because it never connects to an application to confirm an "open" state. At face value this appears to be rather limiting, but in reality the ACK scan can characterize the ability of a packet to traverse firewalls or packet filtered links.


ACK Scan Operation
An ACK scan operates by sending a TCP ACK frame to a remote port. If there is no response, or an ICMP destination unreachable message is returned, the port is considered to be "filtered":

Packet trace (sA_filtered):
Source          Destination     Summary 
--------------------------------------------------------------------------------------
[69.240.103.51] [68.46.234.161] TCP: D=389 S=38667     ACK=0 WIN=3072
If the remote port returns an RST packet, the path between nmap and the remote port is categorized as "unfiltered":

Packet trace (sA_unfiltered):
Source          Destination     Summary 
--------------------------------------------------------------------------------------
[69.240.103.51] [68.46.234.161] TCP: D=6969 S=38667     ACK=0 WIN=1024
[68.46.234.161] [69.240.103.51] TCP: D=38667 S=6969 RST WIN=0
The nmap output below shows a scan through a router; only a single TCP port was reported as "UNfiltered" (nmap itself adds the emphasis on the "UN").
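To make the decision rules above concrete, here is an added example (not code from this page or from the Nmap project) that reads sniffer lines in the same column layout as the traces above and labels each probed port the way the ACK scan does: a probe starts out "filtered", an RST from the probed port flips it to "unfiltered", and an ICMP unreachable leaves it "filtered". The trace lines, the ICMP line format and the function names are constructed for the example.

```python
"""Label ACK-scan probes as filtered/unfiltered from a packet-summary trace.

Added example, not from the page or from nmap. The TCP line layout copies
the sniffer output shown above; the ICMP line layout is an assumption.
"""
import re
from collections import OrderedDict

# Constructed trace: scanner 69.240.103.51 probes three ports on 68.46.234.161.
TRACE = """\
[69.240.103.51] [68.46.234.161] TCP: D=389 S=38667     ACK=0 WIN=3072
[69.240.103.51] [68.46.234.161] TCP: D=6969 S=38667     ACK=0 WIN=1024
[68.46.234.161] [69.240.103.51] TCP: D=38667 S=6969 RST WIN=0
[69.240.103.51] [68.46.234.161] TCP: D=22 S=38667     ACK=0 WIN=1024
[68.46.234.161] [69.240.103.51] ICMP: Destination unreachable (port 22 administratively prohibited)
"""

TCP_RE = re.compile(
    r"^\[(?P<src>[\d.]+)\]\s+\[(?P<dst>[\d.]+)\]\s+TCP:\s+"
    r"D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s+(?P<flags>.*)$"
)
# Assumed layout for an ICMP type 3 reply naming the port it refers to.
ICMP_RE = re.compile(
    r"^\[(?P<src>[\d.]+)\]\s+\[(?P<dst>[\d.]+)\]\s+ICMP: Destination unreachable "
    r"\(port (?P<port>\d+)"
)


def classify_ack_scan(trace, scanner_ip):
    """Return an ordered {dest_port: "filtered" | "unfiltered"} map for every ACK probe."""
    states = OrderedDict()
    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if m:
            tokens = m.group("flags").split()
            if m.group("src") == scanner_ip and any(t.startswith("ACK") for t in tokens):
                # A bare ACK leaving the scanner: filtered until something answers.
                states.setdefault(int(m.group("dport")), "filtered")
            elif m.group("dst") == scanner_ip and "RST" in tokens:
                # RST from the probed port: the packet got through, so unfiltered.
                port = int(m.group("sport"))
                if port in states:
                    states[port] = "unfiltered"
            continue
        m = ICMP_RE.match(line)
        if m and m.group("dst") == scanner_ip:
            # An ICMP unreachable is a filtering device speaking up: stays filtered.
            states.setdefault(int(m.group("port")), "filtered")
    return states


def format_report(states):
    """Render the map as nmap-style 'PORT/tcp STATE' lines, with nmap's UN emphasis."""
    label = {"filtered": "filtered", "unfiltered": "UNfiltered"}
    return [f"{port}/tcp {label[state]}" for port, state in states.items()]


if __name__ == "__main__":
    for row in format_report(classify_ack_scan(TRACE, "69.240.103.51")):
        print(row)
```

Only three outcomes are possible because the probe never carries a SYN: nothing on the far side can complete a handshake, so "open" never appears in the result.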
# nmap -v -sA 68.46.234.161 -P0

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-24 10:40 EDT
Initiating ACK Scan against pcp05116560pcs.tallah01.fl.comcast.net (68.46.234.161) [1663 ports] at 10:40
ACK Scan Timing: About 9.02% done; ETC: 10:46 (0:05:03 remaining)
ACK Scan Timing: About 75.68% done; ETC: 10:42 (0:00:36 remaining)
The ACK Scan took 119.13s to scan 1663 total ports.
Host pcp05116560pcs.tallah01.fl.comcast.net (68.46.234.161) appears to be up ... good.
Interesting ports on pcp05116560pcs.tallah01.fl.comcast.net (68.46.234.161):
(The 1662 ports scanned but not shown below are in state: filtered)
PORT     STATE      SERVICE
6969/tcp UNfiltered acmsoda

Nmap finished: 1 IP address (1 host up) scanned in 119.271 seconds
               Raw packets sent: 3328 (133KB) | Rcvd: 8 (368B)
#

Advantages of the ACK Scan
Since the ACK scan doesn't open any application sessions, the conversation between nmap and the remote device is relatively simple. A scan of a single port is unobtrusive and almost invisible when mixed with other network traffic.
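The low profile of a single ACK probe is real, but a sweep of many ports still has a shape a stateful device can see: pure ACK segments arriving for connections that were never opened with a SYN. The following added example (not from the page or from nmap) runs that heuristic over a constructed per-packet log of inbound traffic; the record layout, the threshold and the function name are assumptions for the example.

```python
"""Flag sources that send bare ACKs to many ports without ever sending a SYN.

Added example, not from the page or from nmap. Input records are
(timestamp, src, dst, dport, flags) for packets entering the protected
network; the layout is constructed for this example.
"""
from collections import defaultdict

# Constructed log: one legitimate HTTP flow (SYN, then ACKs on the same port)
# followed by a single host sending pure ACKs to twelve different ports.
SAMPLE_LOG = [
    (1, "10.0.0.5", "192.0.2.10", 80, "S"),
    (2, "10.0.0.5", "192.0.2.10", 80, "A"),
    (3, "10.0.0.5", "192.0.2.10", 80, "PA"),
] + [
    (10 + i, "198.51.100.7", "192.0.2.10", port, "A")
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 389, 443, 445, 6969])
]


def detect_ack_sweeps(packets, threshold=10):
    """Return {(src, dst): n_ports} for pairs where >= threshold distinct ports
    received a pure ACK with no SYN seen earlier for that (src, dst, dport)."""
    seen_syn = set()                 # (src, dst, dport) tuples with a SYN on record
    unsolicited = defaultdict(set)   # (src, dst) -> ports hit by bare ACKs
    for _ts, src, dst, dport, flags in packets:
        key = (src, dst, dport)
        if "S" in flags:
            # A SYN (or SYN/ACK) legitimately starts a flow; later ACKs are expected.
            seen_syn.add(key)
        elif flags == "A" and key not in seen_syn:
            # Pure ACK with no flow behind it: the ACK-scan signature.
            unsolicited[(src, dst)].add(dport)
    return {pair: len(ports) for pair, ports in unsolicited.items() if len(ports) >= threshold}


if __name__ == "__main__":
    for (src, dst), n in detect_ack_sweeps(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} unsolicited ACK probes")
```

The legitimate client is never reported because its SYN was recorded first; only the source whose ACKs have no flow behind them crosses the threshold. On a real network the state table needs expiry and the threshold needs tuning to the log's time window, and stateful firewalls that drop unsolicited ACKs outright produce the "filtered" result without any such logging.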


Disadvantages of the ACK Scan
The ACK scan's simplicity is also its largest disadvantage. Because it never tries to connect to a remote device, it can never definitively identify an open port.


When to use the ACK Scan
Although the ACK scan doesn't identify open ports, it does a masterful job of identifying ports that are filtered through a firewall. This list of filtered and unfiltered port numbers is useful as reconnaissance for a more detailed scan that focuses on specific port numbers.