Nmap is a commonly used port scanner for identifying active hosts and the services associated with them.
Nmap supports a variety of port scan types, each of which uses a different method to determine whether a port is open or closed.
Nmap uses raw IP packets to identify the hosts available on a network, the services or ports that are open,
the type and version of the operating system each host is running, the kind of packet filters and firewalls in use, and other characteristics.
The most basic form of port scanning supported by nmap is the TCP connect() scan, using the -sT option flag (nmap is case sensitive).
The connect() system call provided by the host operating system is used to attempt to open a connection to any or all ports (selected by the user) on a remote host.
If the port is listening (open), the connect() call succeeds; otherwise the port is not listening and is reported as closed.
No special privileges are needed in order to employ this kind of scan.
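The following is an added example, not part of the original text and not nmap's own code. It performs the same operation the connect() scan is described as doing, a full TCP connection attempt through the operating system's socket API, against a throwaway listener it starts on 127.0.0.1 so that it runs offline. Success means open, a refused connection means closed, and a timeout is reported as filtered (the case a firewall silently dropping the SYN produces, which the text above does not cover). The unexpected_open() helper and the port numbers it finds are assumptions for the demonstration; its purpose is the defensive use of such a scan, checking that a host exposes only the ports it is supposed to.

```python
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Constructed test target: a TCP listener on an OS-assigned port.

    Returns (server_socket, port). Connections are accepted and closed
    immediately; the listener exists only so the scan has an open port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0 lets the OS choose a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed by the caller
                break
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def free_port(host="127.0.0.1"):
    """Constructed helper: reserve and release a port so it is (almost
    certainly) closed when the scan reaches it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=1.0):
    """TCP connect() scan, the technique behind nmap -sT.

    For each port the OS completes (or fails) a full three-way handshake.
    Returns a dict mapping port -> 'open' | 'closed' | 'filtered'.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"          # handshake completed
            except ConnectionRefusedError:
                results[port] = "closed"        # host answered with RST
            except (socket.timeout, OSError):
                results[port] = "filtered"      # no answer: dropped by a filter
    return results


def unexpected_open(results, allowed):
    """Defensive check: open ports that are not on the allow-list.

    `allowed` is the set of ports the host is supposed to expose; anything
    else found open is returned, sorted, for follow-up.
    """
    return sorted(p for p, state in results.items()
                  if state == "open" and p not in allowed)


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    scan = connect_scan("127.0.0.1", [open_port, closed_port])
    print(scan)
    print("unexpected:", unexpected_open(scan, allowed={open_port}))
    srv.close()
```

The scan closes each connected socket with a normal FIN handshake, which is why a connect() scan shows up clearly in the target's application logs as a completed connection; the SYN scan discussed next never gets that far.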
A more common scan, and one that is not as easily detected as the TCP connect() scan, is the TCP SYN scan, also known as a SYN Stealth scan or "half-open" scan, since nmap never opens a full TCP connection.
This scan is selected with the -sS flag. On a Unix/Linux host running nmap, root privileges are needed in order to craft the raw SYN packets this type of scan requires.
First a SYN packet is sent as though the machine running nmap is initiating a “genuine” TCP connection. The host running nmap then waits for a response.
A SYN|ACK response is indicative of a listening or open port. A response of RST is indicative of a non-listening or closed port.
If a SYN|ACK is received, a RST is immediately sent to “cancel” the connection.
This final action is required to avoid unintentionally causing a SYN flood DoS against the target.
The risk arises because the target stores every pending (half-open) connection in a buffer of limited size. If no RST is sent, that buffer may fill up.
Once it is full, legitimate connection requests are no longer processed, resulting in a DoS that lasts until a RST is received or the pending requests time out.