2.3 Network Scanning Concepts

Key Takeaways

  • Scanning is the first active phase: it converts the footprint into a live picture of which hosts are up, which ports are open, and which services and versions are running
  • The TCP three-way handshake (SYN → SYN/ACK → ACK) and the control flags SYN, ACK, FIN, RST, PSH, URG underpin nearly every scan-type question on CEH
  • An Nmap SYN (half-open, -sS) scan sends SYN, reads the reply, then sends RST to tear down before the handshake completes — stealthier than a full connect (-sT) scan
  • Inverse-flag scans (NULL -sN, FIN -sF, Xmas -sX) infer state from silence: no reply = open|filtered, RST = closed — but Windows/Cisco send RST regardless, so they always read closed
  • Nmap reports six port states — open, closed, filtered, unfiltered, open|filtered, closed|filtered — and the UDP (-sU) scan relies on ICMP type-3 code-3 to confirm closed ports
Last updated: June 2026

The TCP Three-Way Handshake and Control Flags

Scanning is the first active phase: you send packets to the target to learn which hosts are alive (host discovery), which ports are open/closed/filtered (port scanning), and which software runs behind them (service/version and OS detection). Almost every scan-type question reduces to how a probe manipulates the TCP three-way handshake:

  1. Client → Server: SYN (synchronise, propose a sequence number)
  2. Server → Client: SYN/ACK (acknowledge and synchronise back)
  3. Client → Server: ACK (acknowledge — connection now established)

The six TCP control flags the exam expects you to know cold:

  Flag  Meaning
  SYN   Synchronise — start a connection
  ACK   Acknowledge received data
  FIN   Finish — graceful close
  RST   Reset — abrupt teardown / port closed
  PSH   Push buffered data to the application immediately
  URG   Urgent — process the urgent-pointer data first

Key reflexes: an open TCP port answers a SYN with SYN/ACK; a closed TCP port answers with RST; a filtered port (firewall dropping the packet) usually returns nothing.

These three reflexes are the engine behind every TCP scan type. A full connect scan walks the whole handshake (SYN, SYN/ACK, ACK) and is what an application's own logs record; a half-open scan stops after the SYN/ACK and resets; inverse-flag scans deliberately violate the handshake to coax a telltale RST out of closed ports. Internalise the SYN/ACK = open, RST = closed, silence = filtered mapping and most scan questions answer themselves.

Nmap Scan Types

Nmap is the scanning tool CEH tests most. Memorise the flag, the technique, and the stealth/visibility trade-off:

  -sS  TCP SYN / half-open
       How it works: SYN → if SYN/ACK, port is open, then send RST to abort before completing
       Notes: Default for root/admin; stealthier — connection never fully established
  -sT  TCP connect
       How it works: Full OS connect() — completes the whole three-way handshake
       Notes: No raw-packet privilege needed; noisiest — logged by the app
  -sU  UDP
       How it works: Sends UDP datagrams
       Notes: Slow; ICMP port-unreachable (type 3, code 3) = closed; no reply = open|filtered
  -sF  FIN
       How it works: Sets only FIN
       Notes: No reply = open|filtered; RST = closed
  -sN  NULL
       How it works: No flags set
       Notes: Same logic as FIN
  -sX  Xmas
       How it works: FIN+PSH+URG set ("lit up like a tree")
       Notes: Same logic as FIN
  -sA  ACK
       How it works: Sets only ACK
       Notes: Maps firewall rules (filtered vs. unfiltered) — not open/closed
  -sV  Version detection
       How it works: Probes open ports, matches service-fingerprint DB
       Notes: Identifies app + version
  -O   OS detection
       How it works: TCP/IP stack fingerprinting (TTL, window size, flag handling)
       Notes: Needs ≥1 open and 1 closed port for accuracy

Inverse-flag scans and the Windows trap

NULL/FIN/Xmas scans rely on RFC 793: a closed port must reply RST, an open port stays silent. So no response = open|filtered, RST = closed. The classic CEH trap: Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400 send RST for every port regardless of state, so these scans report all ports as closed against them — useless on Windows, but they also slip past simple stateless filters that only watch for SYN.

Port States, Host Discovery, and Common Ports

Nmap classifies each probed port into one of six states:

  State            Meaning
  open             A service is actively accepting connections
  closed           Reachable but no service listening (port answers RST)
  filtered         A firewall/filter drops the probe; Nmap cannot tell open vs. closed
  unfiltered       Reachable but Nmap cannot tell open vs. closed (seen in ACK scans)
  open|filtered    No response — could be open or filtered (UDP, NULL/FIN/Xmas)
  closed|filtered  Rare; cannot tell closed vs. filtered (IP-ID idle scan)
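The state-inference rules from the reflexes, the scan-type table, the Windows trap and the six port states above, modelled offline as an added example (not code from the page or from Nmap). Nothing is sent on the wire: a target's reply is a plain string, and target_reply is an assumed model of a stack so the Windows behaviour can be compared with the RFC 793 one.

```python
# Added example (not from the original page): the port-state inference Nmap
# applies for each scan type described above, modelled offline. Nothing is sent;
# replies are plain strings so the rules (and the Windows trap) can be checked.

INVERSE_FLAG = {"FIN", "NULL", "XMAS"}      # probes that violate the handshake
ICMP_UNREACH_PORT = "ICMP3/3"               # type 3 code 3 = port unreachable

def infer_state(scan, reply):
    """Map (scan type, observed reply) to the state Nmap would report.
    scan:  "SYN", "CONNECT", "FIN", "NULL", "XMAS", "ACK" or "UDP"
    reply: "SYN/ACK", "RST", "UDP", "ICMP3/<code>" or None (silence)"""
    icmp = reply is not None and reply.startswith("ICMP3/")
    if scan in ("SYN", "CONNECT"):
        if reply == "SYN/ACK":
            return "open"
        return "closed" if reply == "RST" else "filtered"   # silence/ICMP = dropped
    if scan in INVERSE_FLAG:
        if reply == "RST":
            return "closed"
        return "filtered" if icmp else "open|filtered"      # RFC 793: open = silent
    if scan == "ACK":
        return "unfiltered" if reply == "RST" else "filtered"   # maps rules only
    if scan == "UDP":
        if reply == "UDP":
            return "open"
        if reply == ICMP_UNREACH_PORT:
            return "closed"
        return "filtered" if icmp else "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")

def target_reply(scan, true_state, rfc793=True):
    """Assumed model of what a target port sends back for a probe. true_state is
    "open", "closed" or "filtered"; rfc793=False models Windows/Cisco-style stacks
    that answer inverse-flag probes with RST on every port."""
    if true_state == "filtered":
        return None                                  # firewall drops it silently
    if scan in ("SYN", "CONNECT"):
        return "SYN/ACK" if true_state == "open" else "RST"
    if scan in INVERSE_FLAG:
        if not rfc793:
            return "RST"                             # the Windows trap
        return None if true_state == "open" else "RST"
    if scan == "ACK":
        return "RST"                                 # any reachable port RSTs a stray ACK
    if scan == "UDP":                                # most UDP services ignore empty datagrams
        return None if true_state == "open" else ICMP_UNREACH_PORT
    raise ValueError(f"unknown scan type {scan!r}")
```

Composing the two shows why an Xmas scan against a non-RFC-793 stack reads every port as closed even when the port is open.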

Host discovery (the ping sweep, -sn/-sP) runs first so effort focuses only on live hosts. Nmap probes with ICMP echo, TCP SYN to 443, TCP ACK to 80, and ICMP timestamp; -Pn skips discovery and treats every host as up (useful when ICMP is blocked).

The common ports CEH expects you to recognise on sight:

  Port         Service        Port      Service
  21           FTP            143       IMAP
  22           SSH            161/162   SNMP
  23           Telnet         389       LDAP
  25           SMTP           443       HTTPS
  53           DNS            445       SMB
  80           HTTP           636       LDAPS
  110          POP3           3389      RDP
  135/137-139  RPC/NetBIOS    1433      MS-SQL

Detecting Scans (Defence)

Scanning is active and therefore detectable. Defenders catch it through connection-rate and fan-out analysis (one source touching many ports/hosts quickly), IDS/IPS signatures for SYN floods and Xmas/NULL packets (which are illegal in normal traffic), firewall and SIEM log correlation, and honeypots/port-scan detectors like PortSentry. Countermeasures include default-deny firewalls, dropping (not rejecting) filtered ports so scans time out, and rate-limiting.
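Two of the detection signals above, fan-out analysis and illegal flag combinations, implemented over a constructed firewall log as an added example (not code from the page or from any named product). The log uses iptables-style field names, and every address, timestamp and threshold in it is invented.

```python
# Added example (not from the original page): scan detection over a constructed
# firewall log. Two of the signals named above are implemented: port fan-out
# (one source touching many distinct ports in a short window) and illegal flag
# combinations (NULL and Xmas probes). Field names are iptables-style; values are invented.
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=\S+ PROTO=TCP "
                     r"DPT=(?P<dpt>\d+) FLAGS=(?P<flags>[A-Z]*)$")

# Flag combinations that never occur in a legitimate TCP exchange.
ILLEGAL_FLAGS = {"": "NULL scan (no flags)", "FPU": "Xmas scan (FIN+PSH+URG)"}

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dpt": int(m["dpt"]), "flags": m["flags"]}

def detect_scans(lines, window_s=5, port_fanout=8):
    """Return (fanout, flag_alerts).
    fanout: {src: peak distinct destination ports seen within window_s seconds}
            for sources at or above port_fanout; flag_alerts: (src, dpt, reason)."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    per_src, fanout, flag_alerts = defaultdict(list), {}, []
    for e in events:
        if e["flags"] in ILLEGAL_FLAGS:
            flag_alerts.append((e["src"], e["dpt"], ILLEGAL_FLAGS[e["flags"]]))
        hist = per_src[e["src"]]
        hist.append(e)
        while (e["ts"] - hist[0]["ts"]).total_seconds() > window_s:
            hist.pop(0)                       # slide the window forward
        ports = {h["dpt"] for h in hist}
        if len(ports) >= port_fanout:
            fanout[e["src"]] = max(fanout.get(e["src"], 0), len(ports))
    return fanout, flag_alerts

# Constructed log: 10.0.0.5 walks ports 20-29 in two seconds, 10.0.0.7 is a normal
# HTTPS client, 10.0.0.8 sends one Xmas and one NULL probe.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:0{i // 5} SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT={20 + i} FLAGS=S"
     for i in range(10)]
    + [f"2024-05-01T10:00:{s:02d} SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=443 FLAGS=S"
       for s in (0, 3, 9)]
    + ["2024-05-01T10:00:04 SRC=10.0.0.8 DST=10.0.0.9 PROTO=TCP DPT=80 FLAGS=FPU",
       "2024-05-01T10:00:04 SRC=10.0.0.8 DST=10.0.0.9 PROTO=TCP DPT=80 FLAGS="]
)

if __name__ == "__main__":
    fan, alerts = detect_scans(SAMPLE_LOG)
    print("fan-out:", fan)                    # {'10.0.0.5': 10}
    for src, dpt, reason in alerts:
        print(f"{src} -> port {dpt}: {reason}")
```

The benign client stays below the fan-out threshold because it repeats one port; a real deployment would tune window_s and port_fanout to the network's normal connection rate.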

Test Your Knowledge

During an Nmap SYN (-sS, half-open) scan, the scanner sends a SYN probe and receives a SYN/ACK. What does this indicate, and how does the scanner respond?

An ethical hacker wants to determine whether a stateful firewall is filtering traffic to a host, rather than which application ports are open. Which Nmap scan is designed for this purpose?

Why does a FIN, NULL, or Xmas scan typically report every port as closed when run against a Microsoft Windows host?

In an Nmap UDP scan (-sU), which response confirms that a port is closed?
