ACK scanning (-sA)
The ACK scanning is an advanced method in Nmap, usually used to map out firewall rulesets. It helps to determine whether a firewall is stateful or not. ACK scanning sends an ACK packet to the specified ports. If an RST comes back, the specified ports are classified as unfiltered. If nothing comes back, the ports are determined as filtered. The scan never showing ports indicates theyre in the open state.
Below is the example in our laboratory.
[FONT="]#nmap sA v 10.50.1.254[/FONT]
[FONT="]Starting Nmap V. 2.54BETA30[/FONT]
[FONT="]Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good.[/FONT]
[FONT="]Initiating ACK Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254)[/FONT]
[FONT="]The ACK Scan took 1 second to scan 1549 ports.[/FONT]
[FONT="]All 1549 scanned ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254) are: UNfiltered[/FONT]
[FONT="]Nmap run completed -- 1 IP address (1 host up) scanned in 1 second[/FONT]
List scanning (-sL)
List scanning generates and prints a list of IPs/Names without actually pinging or port scanning them. The outputs are shown below.
[FONT="]#nmap sL v 10.50.1.254 [/FONT]
[FONT="]Starting Nmap V. 2.54BETA30[/FONT]
[FONT="]Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) not scanned[/FONT]
[FONT="]Nmap run completed -- 1 IP address (0 hosts up) scanned in 0 seconds[/FONT]
P0 option (-P0)
An option that is useful with scans is "-P0". Also called Dont ping host. Do not try and ping host at all before scanning them. This option allows the scanning of networks that dont allow ICMP echo requests (for example, Microsoft.com) through their firewalls. Since Nmap will ping a target with both TCP "ping" and ICMP echo before attempting a port scan, sites blocking ICMP and TCP probes will not be scanned by default.
[FONT="]#nmap p0 v 10.50.1.254[/FONT]
[FONT="]Starting Nmap V. 2.54BETA30[/FONT]
[FONT="]Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):[/FONT]
[FONT="](The 1543 ports scanned but not shown below are in state: closed)[/FONT]
[FONT="]Port State Service[/FONT]
[FONT="]23/tcp open telnet [/FONT]
[FONT="]24/tcp open priv-mail [/FONT]
[FONT="]80/tcp open http [/FONT]
[FONT="]139/tcp open netbios-ssn [/FONT]
[FONT="]515/tcp open printer [/FONT]
[FONT="]1723/tcp open pptp [/FONT]
[FONT="]Nmap run completed -- 1 IP address (1 [/FONT]
The ACK scanning is an advanced method in Nmap, usually used to map out firewall rulesets. It helps to determine whether a firewall is stateful or not. ACK scanning sends an ACK packet to the specified ports. If an RST comes back, the specified ports are classified as unfiltered. If nothing comes back, the ports are determined as filtered. The scan never showing ports indicates theyre in the open state.
Below is the example in our laboratory.
[FONT="]#nmap sA v 10.50.1.254[/FONT]
[FONT="]Starting Nmap V. 2.54BETA30[/FONT]
[FONT="]Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good.[/FONT]
[FONT="]Initiating ACK Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254)[/FONT]
[FONT="]The ACK Scan took 1 second to scan 1549 ports.[/FONT]
[FONT="]All 1549 scanned ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254) are: UNfiltered[/FONT]
[FONT="]Nmap run completed -- 1 IP address (1 host up) scanned in 1 second[/FONT]
List scanning (-sL)
List scanning generates and prints a list of IPs/Names without actually pinging or port scanning them. The outputs are shown below.
[FONT="]#nmap sL v 10.50.1.254 [/FONT]
[FONT="]Starting Nmap V. 2.54BETA30[/FONT]
[FONT="]Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) not scanned[/FONT]
[FONT="]Nmap run completed -- 1 IP address (0 hosts up) scanned in 0 seconds[/FONT]
P0 option (-P0)
An option that is useful with scans is "-P0". Also called Dont ping host. Do not try and ping host at all before scanning them. This option allows the scanning of networks that dont allow ICMP echo requests (for example, Microsoft.com) through their firewalls. Since Nmap will ping a target with both TCP "ping" and ICMP echo before attempting a port scan, sites blocking ICMP and TCP probes will not be scanned by default.
[FONT="]#nmap p0 v 10.50.1.254[/FONT]
[FONT="]Starting Nmap V. 2.54BETA30[/FONT]
[FONT="]Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):[/FONT]
[FONT="](The 1543 ports scanned but not shown below are in state: closed)[/FONT]
[FONT="]Port State Service[/FONT]
[FONT="]23/tcp open telnet [/FONT]
[FONT="]24/tcp open priv-mail [/FONT]
[FONT="]80/tcp open http [/FONT]
[FONT="]139/tcp open netbios-ssn [/FONT]
[FONT="]515/tcp open printer [/FONT]
[FONT="]1723/tcp open pptp [/FONT]
[FONT="]Nmap run completed -- 1 IP address (1 [/FONT]
