Port scanner
==Types of scans==

===TCP scanning===
The simplest port scanners use the operating system's network functions and are generally the fallback when a SYN scan (described next) is not feasible. [[Nmap]] calls this mode connect scan, named after the Unix connect() system call. If a port is open, the operating system completes the [[Transmission control protocol|TCP]] three-way handshake, and the port scanner immediately closes the connection to avoid performing a [[Denial-of-service attack]].<ref name=ERIK77/> Otherwise an error code is returned. This scan mode has the advantage that the user does not require special privileges. However, using the OS network functions prevents low-level control, so this scan type is less common. This method is "noisy", particularly if it is a "''portsweep''": the services can log the sender IP address and [[Intrusion detection system]]s can raise an alarm.

===SYN scanning===
[[SYN (TCP)|SYN]] scan is another form of TCP scanning. Rather than using the operating system's network functions, the port scanner generates raw IP packets itself and monitors for responses. This scan type is also known as "half-open scanning", because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed.<ref name=ERIK77/> If the port is closed but unfiltered, the target will instantly respond with an RST packet.

The use of raw networking has several advantages: it gives the scanner full control of the packets sent and of the timeout for responses, and it allows detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection. However, the RST during the handshake can cause problems for some network stacks, in particular simple devices like printers. There are no conclusive arguments either way.

===UDP scanning===
UDP scanning is also possible, although there are technical challenges. [[User Datagram Protocol|UDP]] is a [[connectionless]] protocol, so there is no equivalent to a TCP SYN packet. However, if a UDP packet is sent to a port that is not open, the system will respond with an [[Internet Control Message Protocol|ICMP]] port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open. However, if a port is blocked by a [[Firewall (computing)|firewall]], this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This method is also affected by ICMP [[rate limiting]].<ref name=profmesser1>{{cite book|last1=Messer|first1=James|title=Secrets of Network Cartography: A Comprehensive Guide to Nmap|url=http://www.networkuptime.com/nmap/page3-10.shtml|archive-url=https://web.archive.org/web/20160516002101/http://www.networkuptime.com/nmap/page3-10.shtml|archive-date=2016-05-16|access-date=2011-12-05|edition=2nd|year=2007|url-status=dead}}</ref>

An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response if a DNS server is present. This method is much more reliable at identifying open ports. However, it is limited to scanning ports for which an application-specific probe packet is available. Some tools (e.g., [[Nmap]], [[Unionscan]]<ref name=portscanner>{{cite book|title=Port Scan Commands|url=https://portscanner.online/portscan-commands|archive-url=https://web.archive.org/web/20230210162706/https://portscanner.online/portscan-commands|archive-date=2023-02-10|access-date=2023-02-10|url-status=live}}</ref>) generally have probes for fewer than 20 UDP services, while some commercial tools have as many as 70. In some cases, a service may be listening on the port but configured not to respond to the particular probe packet.

===ACK scanning===
ACK scanning is one of the more unusual scan types, as it does not determine whether the port is open or closed, but whether the port is filtered or unfiltered. This is especially useful when attempting to probe for the existence of a firewall and its rulesets. Simple packet filtering will allow established connections (packets with the ACK bit set), whereas a more sophisticated stateful firewall might not.<ref name=nmapguide>{{cite web | title=Port Scanning Techniques | work=Nmap reference guide | url=http://nmap.org/man/man-port-scanning-techniques.html | year=2001 | access-date=2009-05-07}}</ref>

===Window scanning===
Rarely used because of its outdated nature, window scanning is fairly untrustworthy in determining whether a port is open or closed. It generates the same packet as an ACK scan, but checks whether the window field of the response has been modified. On affected systems, a design flaw causes the response for an open port to be given a window size, setting the window field to 1's before the packet is returned to the sender. Using this scanning technique against systems that no longer have this behavior returns 0's for the window field, labeling open ports as closed.<ref name=profmesser2>{{cite book |last1= Messer |first1= James |title=Secrets of Network Cartography: A Comprehensive Guide to Nmap |url=http://www.networkuptime.com/nmap/page3-13.shtml |archive-url=https://web.archive.org/web/20060201065451/http://www.networkuptime.com/nmap/page3-13.shtml|archive-date=2006-02-01|access-date=2011-12-05 |edition=2nd |year=2007 |url-status= dead }}</ref>

===FIN scanning===
Because SYN scans are not surreptitious enough, firewalls generally scan for and block SYN packets.<ref name=ERIK77/> [[FIN (TCP)|FIN packets]] can bypass such firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet. This is typical behavior due to the nature of TCP, and is in some ways an inescapable downfall.<ref>{{cite web | first=Uriel | last=Maimon | url=http://www.phrack.com/issues.html?issue=49&id=15 | title=Port Scanning without the SYN flag | publisher=[[Phrack]] issue 49 | date=1996-11-08 | access-date=2009-05-08}}</ref>

===Other scan types===
Some more unusual scan types exist. These have various limitations and are not widely used. [[Nmap]] supports most of these.<ref name=nmapguide/>
* [[Xmas Port Scan|X-mas]] and Null scan - similar to [[#FIN scanning|FIN scanning]], but:<ref name=ERIK77/>
** X-mas sends packets with the FIN, URG and PUSH flags turned on, lit up like a Christmas tree
** Null sends a packet with no TCP flags set
* [[Protocol scan]] - determines which IP-level protocols (TCP, UDP, [[Generic Routing Encapsulation|GRE]], etc.) are enabled.
* [[Proxy server|Proxy]] scan - a proxy ([[SOCKS]] or [[HTTP]]) is used to perform the scan. The target will see the proxy's IP address as the source. This can also be done using some [[File Transfer Protocol|FTP]] servers.
* [[Idle scan]] - another method of scanning without revealing one's IP address, taking advantage of the [[predictable IP ID]] flaw.
* CatSCAN - checks ports for erroneous packets.
* [[Internet Control Message Protocol|ICMP]] scan - determines whether a host responds to ICMP requests, such as echo ([[Ping (networking utility)|ping]]), netmask, etc.
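The detection side of the techniques above (the "noisy" connect and SYN scans that services and intrusion detection systems alarm on, the ACK probes that a stateful filter drops, and the FIN, Null and X-mas probes listed under the other scan types) can be illustrated with a small heuristic detector. The following Python script is an example added here; it is not part of the article, of Nmap, or of any named tool. It assumes a constructed log format of one inbound packet per line, "timestamp src dst dport flags", and the sample log lines, addresses, threshold and window are all constructed for the example.

```python
"""Heuristic port-scan detection over firewall log lines (added example, not from the article).

Assumed log format (constructed for this example): one inbound packet per line,
"<ISO timestamp> <src> <dst> <dport> <flags>", where flags are TCP flag letters
(S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST) or "-" when no flag is set.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_TARGET_THRESHOLD = 10          # distinct dst:port targets probed with bare SYNs ...
SCAN_WINDOW = timedelta(seconds=5)  # ... within this window is reported as a SYN/connect scan

# Constructed sample: a normal client (203.0.113.5) opening and closing one session,
# then a scanning host (198.51.100.7) probing 12 ports with SYNs in two seconds and
# following up with FIN, X-mas, Null and ACK probes that belong to no session.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 192.0.2.10 443 S
2024-01-01T10:00:02 203.0.113.5 192.0.2.10 443 A
2024-01-01T10:00:09 203.0.113.5 192.0.2.10 443 FA
2024-01-01T10:00:10 198.51.100.7 192.0.2.10 21 S
2024-01-01T10:00:10 198.51.100.7 192.0.2.10 22 S
2024-01-01T10:00:10 198.51.100.7 192.0.2.10 23 S
2024-01-01T10:00:10 198.51.100.7 192.0.2.10 25 S
2024-01-01T10:00:10 198.51.100.7 192.0.2.10 53 S
2024-01-01T10:00:10 198.51.100.7 192.0.2.10 80 S
2024-01-01T10:00:11 198.51.100.7 192.0.2.10 110 S
2024-01-01T10:00:11 198.51.100.7 192.0.2.10 111 S
2024-01-01T10:00:11 198.51.100.7 192.0.2.10 135 S
2024-01-01T10:00:11 198.51.100.7 192.0.2.10 139 S
2024-01-01T10:00:11 198.51.100.7 192.0.2.10 143 S
2024-01-01T10:00:11 198.51.100.7 192.0.2.10 445 S
2024-01-01T10:00:12 198.51.100.7 192.0.2.10 8080 F
2024-01-01T10:00:12 198.51.100.7 192.0.2.10 8081 FPU
2024-01-01T10:00:12 198.51.100.7 192.0.2.10 8082 -
2024-01-01T10:00:12 198.51.100.7 192.0.2.10 8443 A
"""


def parse_line(line):
    """Split one log line into a dict; flags become a set of single-letter flags."""
    ts, src, dst, dport, flags = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "flags": set() if flags == "-" else set(flags),
    }


def detect(log_text):
    """Return a list of (finding, source_ip, detail) tuples, in log order."""
    findings = []
    syn_history = defaultdict(list)  # src -> [(ts, (dst, dport)), ...] for bare SYNs
    sessions = set()                 # (src, dst, dport) triples that began with a SYN
    reported_scanners = set()

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        pkt = parse_line(raw)
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        flags = pkt["flags"]

        if flags == {"S"}:
            # A bare SYN starts a session; many of them to distinct targets in a
            # short window is the signature of a connect or SYN scan.
            sessions.add(key)
            cutoff = pkt["ts"] - SCAN_WINDOW
            history = [e for e in syn_history[pkt["src"]] if e[0] >= cutoff]
            history.append((pkt["ts"], (pkt["dst"], pkt["dport"])))
            syn_history[pkt["src"]] = history
            targets = {target for _, target in history}
            if len(targets) >= SCAN_TARGET_THRESHOLD and pkt["src"] not in reported_scanners:
                reported_scanners.add(pkt["src"])
                findings.append(("syn_scan", pkt["src"], len(targets)))
        elif flags == set():
            # No flags at all never occurs in legitimate TCP traffic (Null scan).
            findings.append(("null_probe", pkt["src"], pkt["dport"]))
        elif flags == {"F", "P", "U"}:
            # FIN+PSH+URG together is the X-mas probe.
            findings.append(("xmas_probe", pkt["src"], pkt["dport"]))
        elif flags == {"F"} and key not in sessions:
            # A FIN with no preceding SYN from this source cannot be closing a real connection.
            findings.append(("fin_probe", pkt["src"], pkt["dport"]))
        elif flags == {"A"} and key not in sessions:
            # An ACK outside any tracked session is what a stateful filter drops (ACK scan).
            findings.append(("ack_probe", pkt["src"], pkt["dport"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

The normal client's ACK and FIN/ACK are never reported because its earlier SYN put the session in the tracked set; the scanner is reported once as a SYN scan as soon as it reaches ten distinct targets inside the window, and each out-of-session probe is reported separately. The threshold and window are the tunable part: a low threshold catches slow scans but raises false alarms on busy clients, which is the same trade-off real intrusion detection systems make.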