TCP ACK Ping (-PA [portlist], -PT [portlist])

Instead of using the default option of both an ICMP echo request and a TCP ACK, the -PA option sends a TCP ACK and forgoes any ICMP echo requests. This is a good alternative when the use of ICMP is not applicable because of packet filtering or firewalls.



TCP ACK Ping Operation
The TCP ACK ping consists of a random TCP ACK sent to a remote device. If the device is active, a RST will be received in return. If the device is not active or the port is filtered, there will be no response to the ACK. It's interesting to note that these results are identical to the results found with the TCP ACK scan (-sA).

The [portlist] option allows the user to specify a series of ports for the ACK ping to use. The specification of this port list isn't as flexible as specifying IP addresses, but this is a pre-scan ping process and not an actual scan. For the ACK ping, the ports are listed individually with each port separated with a comma. For example, the command
# nmap -v -sS 10.0.0.4 -PA23,110
will attempt a TCP ACK ping to host 10.0.0.4 over ports 23 and 110. If neither of these ports replies to the ACK ping, the SYN scan will not run and the scan attempt will stop with this message:


Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

If a port is not specified, port 80 is used by default.

This is an example of a TCP ACK ping as a privileged user. In every case where a system is identified, a RST is returned. If no response is received, the destination IP address either isn't on the network or the station is behind a firewall:

TCP_ACK_ping
Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.5] [192.168.0.3] TCP: D=135 S=62984     ACK=3382473630 WIN=3072
[192.168.0.3] [192.168.0.5] TCP: D=62984 S=135 RST WIN=0

If the nmap user is not a privileged user, a TCP connect()-style ping is used instead of a TCP ACK. This adjustment occurs without an error message or other notification! This means that instead of a TCP ACK, the nmap station will send a TCP SYN. If the TCP SYN is sent to a closed port, a TCP RST is received in return:

TCP_connect_ping_closed
Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.5] [192.168.0.3] TCP: D=80 S=60554 SYN SEQ=2685844190 LEN=0 WIN=5840
[192.168.0.3] [192.168.0.5] TCP: D=60554 S=80 RST ACK=2685844191 WIN=0

If the TCP connect()-style ping is "lucky" enough to ping an open port, an application session is completely opened:

TCP_connect_ping_open
Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.5] [192.168.0.3] TCP: D=135 S=36960 SYN SEQ=219557237 LEN=0 WIN=5840
[192.168.0.3] [192.168.0.5] TCP: D=36960 S=135 SYN ACK=219557238 SEQ=4137096645 LEN=0 WIN=65535
[192.168.0.5] [192.168.0.3] TCP: D=135 S=36960     ACK=4137096646 WIN<<2=5840
[192.168.0.5] [192.168.0.3] TCP: D=135 S=36960 RST ACK=4137096646 WIN<<2=5840
To ensure that no application sessions could ever open, the TCP ACK ping must run as a privileged user!
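The three traces above differ in a way a defender can check mechanically: a privileged ACK ping is a bare ACK answered by a RST, while the silent connect()-style fallback starts with a SYN and, on an open port, completes a handshake that lands in application logs. The following Python is an added example (not from the original text or from the nmap project) that parses sniffer summary lines in the format shown on this page and labels each exchange. The line format, the sample traces (copied from the page and one constructed no-reply case) and the label names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Sample traces in the sniffer "Summary" format used on this page.
# Assumption: every line reads "[src] [dst] TCP: D=dport S=sport <flags and fields>".
TRACE_ACK_PING = """\
[192.168.0.5] [192.168.0.3] TCP: D=135 S=62984     ACK=3382473630 WIN=3072
[192.168.0.3] [192.168.0.5] TCP: D=62984 S=135 RST WIN=0
"""
TRACE_CONNECT_CLOSED = """\
[192.168.0.5] [192.168.0.3] TCP: D=80 S=60554 SYN SEQ=2685844190 LEN=0 WIN=5840
[192.168.0.3] [192.168.0.5] TCP: D=60554 S=80 RST ACK=2685844191 WIN=0
"""
TRACE_CONNECT_OPEN = """\
[192.168.0.5] [192.168.0.3] TCP: D=135 S=36960 SYN SEQ=219557237 LEN=0 WIN=5840
[192.168.0.3] [192.168.0.5] TCP: D=36960 S=135 SYN ACK=219557238 SEQ=4137096645 LEN=0 WIN=65535
[192.168.0.5] [192.168.0.3] TCP: D=135 S=36960     ACK=4137096646 WIN<<2=5840
[192.168.0.5] [192.168.0.3] TCP: D=135 S=36960 RST ACK=4137096646 WIN<<2=5840
"""
# Constructed: an ACK probe to a filtered (or down) host, no reply at all.
TRACE_ACK_NO_REPLY = """\
[192.168.0.5] [192.168.0.3] TCP: D=80 S=40000     ACK=1 WIN=3072
"""

LINE_RE = re.compile(
    r"^\[(?P<src>[\d.]+)\]\s+\[(?P<dst>[\d.]+)\]\s+TCP:\s+"
    r"D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s*(?P<rest>.*)$"
)
FLAG_NAMES = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]


def parse_trace(text: str) -> List[Segment]:
    """Parse summary lines into segments. A flag is either a bare token (SYN, RST)
    or the name part of a field such as ACK=123; other fields (WIN, SEQ) are ignored."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = {tok.split("=", 1)[0] for tok in m["rest"].split()} & FLAG_NAMES
        segs.append(Segment(m["src"], m["dst"], int(m["sport"]),
                            int(m["dport"]), frozenset(flags)))
    return segs


def classify_ping(segs: List[Segment]) -> str:
    """Label the probe/response pattern in one trace (labels are this example's own):
    ack_ping_host_up      bare ACK probe answered with RST (privileged -PA)
    ack_ping_no_response  bare ACK probe, nothing back (filtered or host down)
    connect_ping_closed   SYN probe answered with RST (unprivileged fallback, closed port)
    connect_ping_session  SYN answered with SYN/ACK and completed by the prober's ACK:
                          an application session was opened and will appear in logs
    """
    if not segs:
        return "empty"
    probe = segs[0]
    # Replies come from the probed port back to the probing port.
    replies = [s for s in segs[1:]
               if s.src == probe.dst and s.sport == probe.dport and s.dport == probe.sport]
    # Follow-ups are further segments from the prober on the same source port.
    followups = [s for s in segs[1:] if s.src == probe.src and s.sport == probe.sport]
    if probe.flags == {"ACK"}:
        if any("RST" in r.flags for r in replies):
            return "ack_ping_host_up"
        return "ack_ping_no_response"
    if probe.flags == {"SYN"}:
        handshake_done = any({"SYN", "ACK"} <= r.flags for r in replies) and any(
            "ACK" in f.flags and "RST" not in f.flags for f in followups)
        if handshake_done:
            return "connect_ping_session"
        if any("RST" in r.flags for r in replies):
            return "connect_ping_closed"
        return "connect_ping_no_response"
    return "unknown"


if __name__ == "__main__":
    for name, trace in [("ack ping", TRACE_ACK_PING),
                        ("connect closed", TRACE_CONNECT_CLOSED),
                        ("connect open", TRACE_CONNECT_OPEN),
                        ("ack no reply", TRACE_ACK_NO_REPLY)]:
        print(f"{name:15s} -> {classify_ping(parse_trace(trace))}")
```

The useful distinction for anyone reviewing captures or IDS alerts is the first label: only the connect_ping_session pattern ever reaches an application, which is exactly the case the page warns about when nmap silently downgrades the ACK ping for a non-privileged user.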



Advantages of the TCP ACK Ping
The TCP ACK ping uses little network traffic. In most cases, the common ACK query to a device is relatively undetectable. The TCP ACK ping also allows different port numbers to be probed, providing nmap with additional options when negotiating a scan through a firewall.

The TCP ACK ping identifies a filtered connection or a non-filtered connection. This is a perfect use of a ping probe, since the goal of the ping is to get any type of response from a remote device. An nmap ping doesn't focus on identifying ports. Instead, its goal is to locate other active devices.


Disadvantages of the TCP ACK Ping
The TCP ACK ping is only available to privileged users. If a non-privileged user requests a TCP ACK ping, nmap 3.81 changes the request to a TCP connect() ping but doesn't provide any feedback or warning! These circumstances would be unfortunate for an nmap user that was interested in keeping a low profile by remaining out of a server's application logs. If the only option is to run as a non-privileged user, the nmap option should include a port number that would get through a firewall but would not be an active application port on a device.


When to use the TCP ACK Ping
Because of its low profile and flexible configuration options, the TCP ACK ping can be used in almost any circumstance. The ACK ping's port values can be modified, and multiple ports can be included on the command line.

It's important to note that the TCP ACK ping will only run "silently" if the nmap user is privileged. A non-privileged user's ping will perform a TCP connect() and initiate an application session if the requested port number matches an open port on the remote device.