How does Nmap scan for open ports?


Nmap scans for open ports by sending various types of packets to the target IP address and analyzing the responses. Here’s a brief overview of the process:

  1. SYN Scan: This is the most common method. Nmap sends a SYN packet to the target port. If the port is open, the target responds with a SYN-ACK packet. If the port is closed, it responds with a RST packet.

  2. ACK Scan: This method is used to determine whether ports are filtered. Nmap sends an ACK packet, and if it receives a RST packet, the port is considered unfiltered; if there is no response, the port may be filtered.

  3. UDP Scan: For UDP ports, Nmap sends a UDP packet. If the port is open, there may be no response, or an application-specific response may be received. If the port is closed, the target typically responds with an ICMP port unreachable message.

  4. Service Detection: After identifying open ports, Nmap can probe them further to determine what services are running by sending specific requests and analyzing the responses.

  5. Timing and Options: Nmap allows users to customize the scan timing and options to optimize for speed or stealth, depending on the requirements.

By analyzing the responses to these packets, Nmap can determine which ports are open, closed, or filtered.
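The response-to-state mapping described in the answer, written out as an added example (not Nmap's code and not part of the original answer). `Reply`, `classify`, `report` and the observation dictionaries are hypothetical names with constructed data; the no-response and ICMP-error cases follow Nmap's documented port states and go slightly beyond the cases listed above.

```python
from typing import NamedTuple, Optional

class Reply(NamedTuple):
    proto: str                    # "tcp", "udp" or "icmp"
    flags: str = ""               # TCP flags, e.g. "SA" (SYN-ACK) or "R" (RST)
    icmp: Optional[tuple] = None  # (type, code) of an ICMP error

PORT_UNREACHABLE = (3, 3)         # ICMP destination unreachable / port unreachable

def classify(scan: str, reply: Optional[Reply]) -> str:
    """Port state for scan in {"syn", "ack", "udp"}; reply=None means all probes timed out."""
    if scan == "syn":
        if reply is None:
            return "filtered"             # silence: the probe or its reply was dropped
        if reply.proto == "tcp" and "S" in reply.flags:
            return "open"                 # SYN-ACK came back
        if reply.proto == "tcp" and "R" in reply.flags:
            return "closed"               # RST came back
        return "filtered"                 # ICMP unreachable error
    if scan == "ack":
        # An ACK scan cannot tell open from closed: both answer with RST.
        if reply is not None and reply.proto == "tcp" and "R" in reply.flags:
            return "unfiltered"
        return "filtered"
    if scan == "udp":
        if reply is None:
            return "open|filtered"        # open services often stay silent
        if reply.proto == "udp":
            return "open"                 # application-specific response
        if reply.icmp == PORT_UNREACHABLE:
            return "closed"
        return "filtered"                 # other ICMP unreachable codes
    raise ValueError(f"unknown scan type: {scan}")

def report(scan, observations):
    """observations: {port: Reply or None} -> {port: state}"""
    return {port: classify(scan, r) for port, r in sorted(observations.items())}

# Constructed observations for illustration, not captured traffic.
SYN_OBS = {22: Reply("tcp", "SA"), 23: Reply("tcp", "RA"), 25: None,
           80: Reply("icmp", icmp=(3, 13))}
ACK_OBS = {22: Reply("tcp", "R"), 25: None}
UDP_OBS = {53: Reply("udp"), 123: None, 161: Reply("icmp", icmp=(3, 3)),
           500: Reply("icmp", icmp=(3, 13))}

if __name__ == "__main__":
    for name, obs in (("syn", SYN_OBS), ("ack", ACK_OBS), ("udp", UDP_OBS)):
        print(name, report(name, obs))
```

The `open|filtered` result for a silent UDP port is why UDP findings usually need service detection or a second look before a port is treated as exposed.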
