Window Scan (-sW)
Requires Privileged Access: YES
Identifies TCP Ports: YES
Identifies UDP Ports: NO

The window scan is similar to an ACK scan, but the window scan has the advantage of identifying open ports. The origins of the window scan can be found in this archive from the nmap-hackers mailing list:

http://seclists.org/lists/nmap-hackers/1999/Jul-Sep/0021.html



Window Scan Operation
The window scan is named after the TCP sliding window, not the operating system of a similar name. It's called the window scan because some TCP stacks have been found to set distinctive window sizes in the RST frame they send back when an unsolicited ACK arrives, and the size differs depending on whether the port is open or closed.

The RST frame sent by a closed port carries a window size of zero:

Source          Destination     Summary 
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.67] TCP: D=25 S=62405     ACK=0 WIN=2048
[192.168.0.67] [192.168.0.8]  TCP: D=62405 S=25 RST WIN=0
When an open port is sent an ACK frame, the destination station still responds with an RST frame, but the window size is a non-zero value:

Source          Destination     Summary 
--------------------------------------------------------------------------------------
[192.168.0.8]   [192.168.0.67]  TCP: D=23 S=62405     ACK=0 WIN=3072
[192.168.0.67]  [192.168.0.8]   TCP: D=62405 S=23 RST WIN=4096
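The rule the two decodes illustrate is easy to state but worth seeing applied to real header bytes. The following Python is an added example, not code from the page or from Nmap: it decodes the fixed 20-byte TCP header with `struct`, then classifies each probe/reply pair the way a window scan does (RST with WIN=0 is closed, RST with a non-zero window is open, no matching RST is reported as "filtered", the term Nmap uses for an unanswered probe). The sample headers are constructed here to mirror the port 25 and port 23 traces above; they are not captured packets, and the `build_tcp_header` helper exists only to construct them.

```python
import struct
from typing import Optional

# TCP flag bits as laid out in the low byte of the data-offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into ports, flags and the advertised window."""
    if len(raw) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    flags = off_flags & 0x01FF            # top 4 bits are the data offset; low 9 bits are flags
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window,
        "flag_names": [name for name, bit in FLAG_NAMES if flags & bit],
    }


def build_tcp_header(sport: int, dport: int, flags: int, window: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Build a minimal 20-byte header (data offset 5, checksum zero) to construct the samples below."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def classify_window_scan_reply(probe: bytes, reply: Optional[bytes]) -> str:
    """Apply the window-scan rule to one ACK probe and whatever it drew back:
    RST with window 0 -> closed, RST with a non-zero window -> open,
    no RST (or a reply that does not match the probe's port pair) -> filtered."""
    p = parse_tcp_header(probe)
    if reply is None:
        return "filtered"
    r = parse_tcp_header(reply)
    if not (r["flags"] & RST) or r["sport"] != p["dport"] or r["dport"] != p["sport"]:
        return "filtered"
    return "closed" if r["window"] == 0 else "open"


# Constructed headers mirroring the two decodes above; these are not captured packets.
PROBE_25 = build_tcp_header(62405, 25, ACK, 2048)
REPLY_25 = build_tcp_header(25, 62405, RST, 0)        # closed port: RST WIN=0
PROBE_23 = build_tcp_header(62405, 23, ACK, 3072)
REPLY_23 = build_tcp_header(23, 62405, RST, 4096)     # open port: RST WIN=4096
PROBE_80 = build_tcp_header(62405, 80, ACK, 1024)     # no reply at all: cannot tell

if __name__ == "__main__":
    for label, probe, reply in (("25/tcp", PROBE_25, REPLY_25),
                                ("23/tcp", PROBE_23, REPLY_23),
                                ("80/tcp", PROBE_80, None)):
        print(f"{label:8} {classify_window_scan_reply(probe, reply)}")
```

The port-pair check in `classify_window_scan_reply` matters in practice: a stray RST from some other conversation must not be taken as the answer to a probe, which is why the classifier refuses to decide unless the reply's ports are the probe's ports swapped.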
The nmap output shows the results of the window scan:
# nmap -v -sW 192.168.0.67

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-24 11:37 EDT
Initiating Window Scan against 192.168.0.67 [1663 ports] at 11:37
Discovered open port 23/tcp on 192.168.0.67
Discovered open port 21/tcp on 192.168.0.67
Discovered open port 111/tcp on 192.168.0.67
The Window Scan took 1.91s to scan 1663 total ports.
Host 192.168.0.67 appears to be up ... good.
Interesting ports on 192.168.0.67:
(The 1660 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
21/tcp  open  ftp
23/tcp  open  telnet
111/tcp open  rpcbind
MAC Address: 00:10:A4:07:61:30 (Xircom)

Nmap finished: 1 IP address (1 host up) scanned in 2.749 seconds
               Raw packets sent: 1710 (68.4KB) | Rcvd: 1664 (76.5KB)
#  

Advantages of the Window Scan
The window scan operates very simply. Nmap sends a single ACK packet request, and a single RST packet is returned for every scanned port. The network traffic is kept to a minimum, and the scan itself looks relatively innocuous when viewed in a protocol decode.

The window scan doesn't open a session, so there's no application log associated with the window scan's method of operation. Unless there are additional firewalls or network limits at the operating system level, the scan should go unnoticed.

Unlike the ACK scan, the window scan is able to identify open ports. If the destination station's operating system is susceptible to this kind of scan, the window scan becomes a very useful method of port identification.
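The scan leaves no application log because no session is ever opened, but the pattern is still visible in network telemetry: one source sending bare ACK segments to many ports, none of them preceded by a SYN from that source, each answered with an RST. The following Python is an added example, not part of the original page or of Nmap, showing how a defender can pick that pattern out of a packet log. The log format (`<seconds> <src>:<sport> > <dst>:<dport> <flags> win=<n>`, with tcpdump-style flag letters) and the log lines themselves are constructed for the example, modelled on the decodes and the nmap output above.

```python
import re
from collections import defaultdict

# Constructed packet log, one segment per line (not a real capture):
#   <seconds> <src>:<sport> > <dst>:<dport> <flags> win=<window>
# Flag letters follow tcpdump: S=SYN, A=ACK, R=RST, combined as "SA" and so on.
# 192.168.0.8 behaves like the window scanner above; 192.168.0.20 is a normal SSH client.
SAMPLE_LOG = """\
0.000 192.168.0.8:62405 > 192.168.0.67:21 A win=2048
0.001 192.168.0.67:21 > 192.168.0.8:62405 R win=4096
0.002 192.168.0.8:62405 > 192.168.0.67:22 A win=2048
0.003 192.168.0.67:22 > 192.168.0.8:62405 R win=0
0.004 192.168.0.8:62405 > 192.168.0.67:23 A win=3072
0.005 192.168.0.67:23 > 192.168.0.8:62405 R win=4096
0.006 192.168.0.8:62405 > 192.168.0.67:25 A win=2048
0.007 192.168.0.67:25 > 192.168.0.8:62405 R win=0
0.008 192.168.0.8:62405 > 192.168.0.67:80 A win=2048
0.009 192.168.0.67:80 > 192.168.0.8:62405 R win=0
0.010 192.168.0.8:62405 > 192.168.0.67:111 A win=2048
0.011 192.168.0.67:111 > 192.168.0.8:62405 R win=4096
1.500 192.168.0.20:40000 > 192.168.0.67:22 S win=65535
1.501 192.168.0.67:22 > 192.168.0.20:40000 SA win=65535
1.502 192.168.0.20:40000 > 192.168.0.67:22 A win=65535
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) (\S+) win=(\d+)$")


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict; flags become a set of letters."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, sport, dst, dport, flags, win = m.groups()
    return {"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "flags": set(flags), "win": int(win)}


def detect_ack_probe_scans(log_text: str, min_ports: int = 5, window_s: float = 10.0) -> list:
    """Flag (src, dst) pairs where src sent bare ACKs, with no SYN handshake of its own,
    to at least min_ports distinct ports within window_s seconds and each drew an RST."""
    pkts = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()), key=lambda p: p["ts"])
    syn_seen = set()                # (src, dst, dport): src started a real handshake here
    probes = defaultdict(dict)      # (src, dst) -> {dport: first ts} of unsolicited bare ACKs
    rst_win = {}                    # (probe src, probe dst, probed port) -> window in the RST reply
    for p in pkts:
        if "S" in p["flags"]:
            syn_seen.add((p["src"], p["dst"], p["dport"]))
        elif p["flags"] == {"A"} and (p["src"], p["dst"], p["dport"]) not in syn_seen:
            probes[(p["src"], p["dst"])].setdefault(p["dport"], p["ts"])
        elif "R" in p["flags"]:
            rst_win[(p["dst"], p["src"], p["sport"])] = p["win"]

    alerts = []
    for (src, dst), ports in probes.items():
        answered = sorted((ts, port) for port, ts in ports.items() if (src, dst, port) in rst_win)
        # largest set of RST-answered probe ports that fits inside one window_s span
        best = []
        for i, (t0, _) in enumerate(answered):
            span = [port for ts, port in answered[i:] if ts - t0 <= window_s]
            if len(span) > len(best):
                best = span
        if len(best) >= min_ports:
            alerts.append({
                "src": src, "dst": dst, "probed_ports": sorted(best),
                # RSTs with a non-zero window are what the scanner would record as open
                "inferred_open": sorted(p for p in best if rst_win[(src, dst, p)] != 0),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_ack_probe_scans(SAMPLE_LOG):
        print(f"{a['src']} -> {a['dst']}: {len(a['probed_ports'])} bare-ACK probes answered by RST; "
              f"ports a window scan would call open: {a['inferred_open']}")
```

The `syn_seen` set is what keeps the legitimate client out of the alert: its ACK to port 22 follows its own SYN, so it is the third leg of a handshake rather than a probe. The `inferred_open` field is included so the analyst can see what the scanner learned, which is usually the first question after a scan is confirmed.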


Disadvantages of the Window Scan
The window scan doesn't work on all devices, and the number of operating systems vulnerable to this unintended window size consistency is dwindling as operating systems are upgraded and patched.

The window scan builds custom ACK packets, so privileged access is required to run this scan.


When to use the Window Scan
The window scan is useful when looking for open ports while simultaneously maintaining a low level of network traffic. When vulnerable operating systems are identified, the window scan provides a low-impact method of locating open ports.

The window scan also works in "reverse." If the window scan is able to identify open ports, then the number of possible operating systems on the remote device can be decreased. To get a list of the operating systems vulnerable to the window scan, refer to the nmap-hackers mailing list archive:


http://seclists.org/lists/nmap-hackers/1999/Jul-Sep/0024.html

This archive message shows that referencing the nmap-os-fingerprints file can provide a comprehensive list of known vulnerable operating systems. The command is summarized here:
# perl -ne 'chomp;
    if (/^fingerprint\s+([^\#]+)/i) {        # new entry: report the previous OS first
        print "$oname ($owin vs. $cwin)\n" if defined($owin) and defined($cwin) and $owin ne $cwin;
        $oname = $1; undef($cwin); undef($owin);
    } elsif (/^T(4|6)\(.*W=([^%]+)/) {       # T4: ACK to an open port, T6: ACK to a closed port
        if ($1 eq 4) { $owin = $2 } else { $cwin = $2 }
    }
    END { print "$oname ($owin vs. $cwin)\n" if defined($owin) and defined($cwin) and $owin ne $cwin }' nmap-os-fingerprints | sort -f