Nmap scan types differ primarily in their methods of probing target ports, the information they gather, and their stealthiness. Here’s a breakdown of the key differences:
1. Connection Method
- SYN Scan (-sS): Sends a SYN and classifies the port from the reply: SYN/ACK means open, RST means closed, no answer means filtered. Nmap then tears the half-open connection down with a RST instead of finishing the handshake. It needs raw-packet privileges (root or CAP_NET_RAW) and is the default scan when nmap has them.
- TCP Connect Scan (-sT): Uses the operating system's connect() call, so the three-way handshake completes and the target application sees a real connection. It is the default for unprivileged users and is the easier of the two to spot in service logs.
- UDP Scan (-sU): Sends a UDP datagram (empty, or a protocol-specific payload for well-known ports). An ICMP port-unreachable reply means closed, a UDP reply means open, and silence is reported as open|filtered because UDP has no handshake to confirm the port. Hosts rate-limit ICMP errors, which makes this scan slow.
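As an added illustration of the connection-method differences (this is example code written for this page, not part of nmap), the script below performs one connect()-style TCP probe and one UDP probe against services it starts itself on 127.0.0.1. The port numbers are whatever the kernel hands out, and the "service" is a constructed listener, so nothing here touches a real target. The TCP part shows why a connect scan is visible to the application: the handshake lands in the listen backlog and accept() returns it. The UDP part shows the three outcomes a UDP scan can see: a reply (open), ICMP port unreachable surfacing as ECONNREFUSED (closed), and silence (open|filtered).

```python
import errno
import socket
import threading

HOST = "127.0.0.1"  # constructed setup: every probe below targets loopback


def tcp_connect_probe(host, port, timeout=1.0):
    """One -sT style probe: a full connect(), i.e. SYN, SYN/ACK, ACK.
    'open' on success, 'closed' on an active RST (ECONNREFUSED),
    'filtered' when nothing answers within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            err = s.connect_ex((host, port))
        except socket.timeout:
            return "filtered"
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def udp_probe(host, port, payload=b"\x00", timeout=1.0):
    """One -sU style probe. A closed port answers with ICMP port unreachable,
    which the kernel surfaces as ECONNREFUSED on a connected UDP socket. A
    datagram back means 'open'. Silence cannot tell open from filtered, so it
    is reported the way nmap reports it: 'open|filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def unused_port(kind):
    """Bind an ephemeral port of the given socket type and release it, which
    gives the probes a port that is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def demo():
    """Constructed environment: a TCP listener, an echoing UDP service and one
    closed port of each kind, all on loopback. Returns the observed states."""
    results = {}

    # TCP: the kernel completes the handshake into the listen backlog and the
    # application learns of it when accept() returns. That accept() is what a
    # service log records for a -sT probe. A -sS half-open probe is reset
    # before it ever enters the backlog, so the application never sees it.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(1)
    srv.settimeout(1.0)
    results["tcp_open"] = tcp_connect_probe(HOST, srv.getsockname()[1])
    conn, peer = srv.accept()
    results["tcp_seen_by_app"] = peer[0] == HOST
    conn.close()
    srv.close()
    results["tcp_closed"] = tcp_connect_probe(HOST, unused_port(socket.SOCK_STREAM))

    # UDP: a service that answers is 'open'; a port with no listener triggers
    # the ICMP unreachable and is 'closed'. Without the echo reply the open
    # port would be indistinguishable from a filtered one.
    usrv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    usrv.bind((HOST, 0))
    usrv.settimeout(1.0)

    def echo_once():
        data, addr = usrv.recvfrom(1024)
        usrv.sendto(data, addr)

    t = threading.Thread(target=echo_once, daemon=True)
    t.start()
    results["udp_open"] = udp_probe(HOST, usrv.getsockname()[1])
    t.join(1.0)
    usrv.close()
    results["udp_closed"] = udp_probe(HOST, unused_port(socket.SOCK_DGRAM))
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

A real SYN scan cannot be reproduced with the socket API because the kernel owns the handshake; nmap builds the SYN itself with raw sockets, which is exactly why -sS needs privileges and -sT does not. On a host where ICMP errors are suppressed the closed UDP port will also come back as open|filtered, which is the ambiguity that makes UDP scanning slow.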
2. Detection Capabilities
These options are not port-scan methods; they run after a port scan and act on the ports it found.
- Service Version Detection (-sV): Sends protocol-specific probes to each open port (and to UDP ports reported as open|filtered, which it promotes to open if anything answers) and matches the replies against nmap's service-probe database to name the service, product and version. It is noisier than a plain port scan because it actually talks to the services.
- Operating System Detection (-O): Sends a series of crafted TCP, UDP and ICMP probes and compares the target's stack behaviour (initial TTL, window size, TCP option ordering, IP ID generation and similar) against the fingerprint database. It needs raw-packet privileges and is most reliable when at least one open and one closed TCP port are available.
3. Stealthiness
- SYN Scan (-sS): Historically called the "stealth scan" because the handshake never completes, so the probe never reaches the listening application and does not appear in its connection or access logs. Do not rely on that against the network: a firewall, IDS or flow collector that logs SYNs sees a SYN scan as plainly as any other.
- TCP Connect Scan (-sT): Each open port receives a real connection that the service accepts and typically logs, with the scanner's source address, before it is torn down, so it leaves more evidence on the target itself.
- Idle Scan (-sI <zombie>): Never sends a packet to the target from the scanner's own address. Nmap spoofs SYNs that appear to come from an idle "zombie" host and infers the port state from how the zombie's IP ID counter advances: an open port makes the target send the zombie a SYN/ACK, the zombie answers with a RST, and its IP ID moves one extra step. It needs a zombie with a sequential, globally incrementing IP ID and little traffic of its own, it is slow, and it should be combined with -Pn so the host-discovery probes do not go out from your real address.
4. Purpose and Use Cases
- Ping Scan (-sn): Host discovery only, no port scan. With privileges nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request (ARP requests on a local Ethernet segment); without privileges it falls back to connect() attempts on ports 80 and 443. It is the quick way to find live hosts before choosing a port scan.
- Aggressive Scan (-A): Shorthand for OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute) on top of the port scan. It is the most informative single invocation and also the most intrusive, since the NSE scripts and version probes interact with every service found.
- TCP ACK Scan (-sA): Sends only ACK packets. A RST reply means unfiltered (the packet reached the host); no reply or an ICMP unreachable error means filtered. It never reports open or closed, so its job is mapping firewall rules, for example telling a stateless filter that only blocks SYNs from a stateful one.
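The states in sections 1 and 4 (open, closed, filtered, unfiltered, open|filtered) are what nmap writes into its XML report (-oX), and the usual next step is to decide which ambiguous ports deserve a second pass with a different scan type. The parser below is an added example for this page, not code from the nmap project; the XML it reads is a constructed sample in nmap's -oX layout for a host in the 192.0.2.0/24 documentation range, and the follow-up commands it proposes are the author's suggestion, not something nmap emits. The reason attribute on each port records the evidence nmap used (syn-ack, reset, no-response, port-unreach), which is worth reading alongside the state.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan result). One host
# was probed with a SYN scan on three TCP ports and a UDP scan on two UDP
# ports, with -sV identifying the SSH daemon on port 22.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -p T:22,80,443,U:53,161 -oX - 192.0.2.10">
<scaninfo type="syn" protocol="tcp" numservices="3" services="22,80,443"/>
<scaninfo type="udp" protocol="udp" numservices="2" services="53,161"/>
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset" reason_ttl="64"/>
<service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response" reason_ttl="0"/>
<service name="https" method="table" conf="3"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response" reason_ttl="0"/>
<service name="domain" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="closed" reason="port-unreach" reason_ttl="64"/>
<service name="snmp" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {address: [port records]} from an nmap XML report. Each record
    keeps protocol, port, state, the reason nmap gives for that state, and
    whatever service/version fields -sV managed to fill in."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        records = []
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            records.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts[addr_el.get("addr")] = records
    return hosts


def summarize_states(records):
    """Count ports per (protocol, state). A wall of 'filtered' or
    'open|filtered' is the signal that a different scan type is needed."""
    counts = {}
    for r in records:
        key = (r["proto"], r["state"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def follow_up_scans(addr, records):
    """Suggest the next nmap run for states the first pass left ambiguous.
    UDP 'open|filtered' ports only resolve if something elicits a reply, so
    they get version probes (-sV). TCP 'filtered' ports get an ACK scan (-sA):
    a RST back means 'unfiltered', i.e. a stateless filter that only stops
    SYNs, while continued silence points to a stateful firewall or a drop."""
    udp = sorted(r["port"] for r in records
                 if r["proto"] == "udp" and r["state"] == "open|filtered")
    tcp = sorted(r["port"] for r in records
                 if r["proto"] == "tcp" and r["state"] == "filtered")
    cmds = []
    if udp:
        cmds.append("nmap -sU -sV -p U:%s %s" % (",".join(map(str, udp)), addr))
    if tcp:
        cmds.append("nmap -sA -p %s %s" % (",".join(map(str, tcp)), addr))
    return cmds


if __name__ == "__main__":
    for addr, recs in parse_nmap_xml(SAMPLE_XML).items():
        for r in recs:
            print(addr, r["proto"], r["port"], r["state"], r["reason"], r["service"])
        print(summarize_states(recs))
        print("\n".join(follow_up_scans(addr, recs)))
```

Feeding real output in is just `nmap ... -oX report.xml` and reading that file instead of SAMPLE_XML. The same approach scales to a whole network: run the cheap SYN scan first, then schedule -sV, -sA or -O only against the hosts and ports whose states justify the extra noise.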
Conclusion
The choice of scan type depends on your objectives, the privileges you have on the scanning host, the level of stealth required, and the specific information you need. Understanding these differences allows you to select the most appropriate scan for your network assessment needs.
