Ciphers Security Blog Port Scanning Techniques: Nmap, Zenmap, and Scanning Through Firewalls
Blog

Port Scanning Techniques: Nmap, Zenmap, and Scanning Through Firewalls

Port Scanning Techniques: Nmap, Zenmap, and Scanning Through Firewalls

Port scanning — the systematic probing of a target host's TCP and UDP ports to discover running services, identify open and closed ports, and map firewall configurations — is the starting point for almost every network assessment. This guide covers every major scan type available in Nmap (the industry-standard open-source network scanner), firewall evasion techniques with copy-pasteable commands, Zenmap as a GUI companion, and when to reach for faster alternatives like Masscan and RustScan.

Every command below requires a network you own or have written authorisation to test.

Understanding Port States

Before examining port scanning techniques, you need to understand what Nmap is actually measuring. Each port falls into one of six states:

  • Open: A service is actively listening and will accept connections
  • Closed: No service is listening; the host is reachable but the port is inactive
  • Filtered: A firewall, ACL (Access Control List — a rule-based packet filter on a router or firewall), or other device is blocking probe packets; Nmap cannot determine open or closed
  • Unfiltered: The port is reachable but Nmap cannot determine open or closed — the result of an ACK scan
  • Open|Filtered: Nmap cannot distinguish between open and filtered; typical of UDP, NULL, FIN, and Xmas scans against firewalled targets
  • Closed|Filtered: Nmap cannot distinguish closed from filtered; the Idle scan result

The TCP three-way handshake — SYN → SYN/ACK → ACK — is the underlying mechanism most scan types manipulate or abort deliberately to avoid leaving connection log entries on the target.

Core Port Scanning Techniques in Nmap

SYN Scan (-sS) — The Default

The SYN scan, also called a "half-open" scan, is Nmap's default when run with root privileges. It sends a single SYN (synchronise — the first packet in a TCP connection request) packet per port probe. On receiving SYN/ACK (indicating an open port), Nmap immediately sends RST (reset — a TCP flag that abruptly terminates a connection) to tear down the connection before the three-way handshake completes. On receiving RST, the port is closed.


sudo nmap -sS 192.168.1.0/24
sudo nmap -sS -p 1-1000 192.168.1.10        # Scan ports 1–1000
sudo nmap -sS -p- 192.168.1.10              # Scan all 65535 ports

Because the TCP connection never fully opens, many older logging daemons and non-stateful firewalls do not record the attempt. SYN scanning is fast, reliable, and works against any RFC-compliant TCP/IP stack. Raw packet privileges are required — root on Linux/macOS, Administrator on Windows with Npcap installed.

TCP Connect Scan (-sT) — No Root Required

The TCP connect scan completes the full three-way handshake using the operating system's socket API rather than raw packets. It is the only scan type available to unprivileged users.


nmap -sT 192.168.1.1
nmap -sT -p 80,443,8080 192.168.1.1

The full connection leaves a completed entry in the target's connection logs. It is slower than SYN scanning and more detectable, but it is the correct choice when raw packets are unavailable — or when scanning IPv6 targets, where Nmap's raw-packet engine has limited support for some scan types.

NULL Scan (-sN), FIN Scan (-sF), and Xmas Scan (-sX)

These three techniques exploit a specification quirk in RFC 793, the original TCP standard. The RFC states that closed ports must respond to packets that contain no SYN, RST, or ACK flags with a RST packet, while open ports should silently discard them.

  • NULL scan (-sN): Sends a TCP packet with zero flags set
  • FIN scan (-sF): Sends a TCP packet with only the FIN (finish — used to signal graceful connection teardown) flag set
  • Xmas scan (-sX): Sets FIN, PSH (push — forces buffered data to the receiving application immediately), and URG (urgent — signals priority data) flags simultaneously, "lighting the packet up like a Christmas tree"

sudo nmap -sN 192.168.1.1   # NULL scan
sudo nmap -sF 192.168.1.1   # FIN scan
sudo nmap -sX 192.168.1.1   # Xmas scan

Result interpretation: No response means open|filtered. An RST response means closed.

Critical limitation: Windows does not follow RFC 793 for these edge-case flag combinations — it returns RST for both open and closed ports, making these scan types useless against Windows targets. They are effective against Linux, BSD, and most network appliances running Unix-derived TCP stacks. Their primary value is bypassing firewall rules that specifically block SYN packets while permitting other traffic.

ACK Scan (-sA) — Mapping Firewall Rules

The ACK scan does not identify open ports. It maps firewall rule sets. It sends ACK (acknowledgment — normally only present in the second and subsequent packets of an established connection) packets that no valid connection state would produce and analyzes whether the target returns RST or drops the packet entirely.


sudo nmap -sA 192.168.1.1
sudo nmap -sA -p 1-1024 192.168.1.1
  • Unfiltered: Port returns RST — the host is reachable and no firewall rule is dropping the packet
  • Filtered: No response or ICMP unreachable — a stateful firewall is silently discarding the probe

Run the ACK scan before or alongside a SYN scan to understand which ports are filtered at the network perimeter. This tells you exactly where firewall rules are concentrated and where to focus evasion effort.

Window Scan (-sW)

A variant of the ACK scan that examines the TCP window size field in RST responses. On some operating systems, open ports return RST packets with a non-zero window value, allowing open/closed differentiation. Unreliable on most modern systems and considered experimental.


sudo nmap -sW 192.168.1.1

Idle/Zombie Scan (-sI) — Fully Anonymous Reconnaissance

The Idle scan is one of the most technically sophisticated port scanning techniques available. It leverages a "zombie" host — any idle machine with a predictable, incrementing IPID (IP Identification field — a 16-bit counter in every IP packet header that many older systems increment sequentially for each packet sent).

The scan works in three steps:

  • Nmap probes the zombie's IPID and records its current value
  • Nmap sends a SYN packet to the target spoofed as if it originated from the zombie's IP address. If the target port is open, it replies with SYN/ACK to the zombie; the zombie, receiving an unexpected SYN/ACK, responds with RST and increments its IPID. If the target port is closed, the target sends RST directly to the zombie, which silently ignores it.
  • Nmap probes the zombie's IPID again. An increment of 2 means the target port is open; an increment of 1 means it is closed.

sudo nmap -sI 192.168.1.50 192.168.1.100
# 192.168.1.50 = zombie host
# 192.168.1.100 = actual scan target

The target never sees your real IP address — only the zombie's. Finding a suitable zombie requires a machine that is genuinely idle (generating no other traffic) and uses a sequential IPID. Modern Linux kernels randomise IPIDs, making them unsuitable zombies. Older Windows systems, network printers, and embedded devices commonly retain sequential IPIDs and work well.

FTP Bounce Scan (-b) — Legacy Technique

Older FTP (File Transfer Protocol) servers supported a PORT command feature that could redirect data connections to arbitrary third-party hosts. Nmap can exploit this to proxy scan requests through a vulnerable FTP server, making the scan appear to originate from the FTP server's IP address.


nmap -b ftp.example.com 192.168.1.1

Virtually all modern FTP implementations have disabled this behaviour. Useful knowledge for legacy environment assessments.

Custom Scan Flags (–scanflags)

For TCP flag combinations not covered by any preset scan type, --scanflags accepts symbolic flag names or a numeric bitmask (URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1):


sudo nmap --scanflags SYNFIN 192.168.1.1
sudo nmap --scanflags 9 192.168.1.1        # PSH+FIN = 8+1 = 9
sudo nmap --scanflags URGACKPSH 192.168.1.1

UDP Scanning (-sU)

UDP (User Datagram Protocol — a connectionless transport-layer protocol with no handshake, used by DNS, DHCP, SNMP, NTP, and many other critical network services) scanning is fundamentally different from TCP. There is no connection to initiate. Nmap sends a UDP datagram and waits for a response.

  • Open/Filtered: No response — UDP services often do not reply to empty probe packets with no valid payload
  • Closed: ICMP Port Unreachable (type 3, code 3) response from the target

sudo nmap -sU 192.168.1.1
sudo nmap -sU -p 53,67,68,123,161,500,1900 192.168.1.1   # Targeted UDP scan

UDP scanning is slow because ICMP rate-limiting means each timed-out probe takes several seconds to confirm. Focus on high-value UDP ports: 53 (DNS), 67/68 (DHCP — Dynamic Host Configuration Protocol), 123 (NTP — Network Time Protocol), 161 (SNMP — Simple Network Management Protocol, used for monitoring and managing network devices), 500 (IKE — Internet Key Exchange, the key negotiation protocol for IPSec VPNs), 1900 (UPnP — Universal Plug and Play).

Combine with version detection to improve accuracy on discovered open ports:


sudo nmap -sU -sV --version-intensity 0 -p 53,123,161,500 192.168.1.1

Combine TCP SYN and UDP scanning in a single run:


sudo nmap -sS -sU -p T:80,443,U:53,161 192.168.1.1

SCTP Scanning (-sY, -sZ)

SCTP (Stream Control Transmission Protocol — a transport-layer protocol used in telecommunications signalling, VoIP infrastructure, and some WebRTC implementations) has two dedicated scan modes:


sudo nmap -sY 192.168.1.1   # SCTP INIT scan — analogous to a TCP SYN scan
sudo nmap -sZ 192.168.1.1   # SCTP COOKIE ECHO scan — stealthy; cannot distinguish open from filtered

Primarily relevant when assessing VoIP gateways, SS7 (Signalling System No. 7 — the protocol suite used to set up telephone calls in public switched telephone networks) signalling infrastructure, or any telecom network equipment.

Firewall Evasion and Advanced Port Scanning Techniques

Packet Fragmentation (-f / –mtu)

Splits the TCP header across multiple small IP fragments. Many older IDS (Intrusion Detection Systems — network appliances that monitor traffic for malicious activity and alert on known attack signatures) and stateless packet filters cannot reassemble fragments fast enough to apply their inspection rules, allowing fragmented probe packets to pass unchecked.


sudo nmap -f 192.168.1.1            # Split into 8-byte fragments
sudo nmap -f -f 192.168.1.1         # 16-byte fragments (double -f)
sudo nmap --mtu 16 192.168.1.1      # 16-byte fragments via custom MTU (must be multiple of 8)
sudo nmap --mtu 32 -sS 192.168.1.1  # 32-byte fragments

Fragmentation only applies to raw-packet scan types: SYN, FIN, NULL, Xmas, ACK. It does not work with connect scans or version detection.

Decoys (-D)

Mixes your real IP address among a list of spoofed decoy IPs in the outbound scan traffic. Any monitoring system observing the network sees multiple apparent scanners simultaneously and cannot determine which IP is real.


sudo nmap -D 10.0.0.1,10.0.0.2,ME,10.0.0.3 192.168.1.100
sudo nmap -D RND:10 192.168.1.100    # Auto-generate 10 random decoys

ME specifies where your real IP appears in the decoy list. Without it, your IP is placed last. Decoys are ineffective with connect scans (-sT), OS detection (-O), or NSE (Nmap Scripting Engine — Nmap's built-in Lua scripting framework for service enumeration and vulnerability detection) scripts.

Source Port Manipulation (-g / –source-port)

Firewalls frequently permit inbound traffic whose source port matches a trusted service — DNS on port 53, FTP data on port 20, HTTP on port 80. Setting your scan's source port to one of these can bypass naive ACL rules that trust source port over connection state.


sudo nmap -sS -g 53 -p 1-10000 192.168.1.100   # Packets appear to come from DNS port
sudo nmap --source-port 80 -sS 192.168.1.100   # Packets appear to come from HTTP port
sudo nmap -sS -g 20 192.168.1.100              # Mimics FTP data transfer traffic

Timing Profiles (-T0 through -T5)

Timing directly affects detection probability. Threshold-based IDS rules alert when probe packets exceed a defined rate per time window. Slower scans remain below those thresholds and avoid triggering rate-based alerts.

| Level | Flag | Behaviour | |——-|——|———–| | Paranoid | -T0 | One packet at a time; multi-minute inter-probe delay | | Sneaky | -T1 | 15-second delay between probes | | Polite | -T2 | 400ms inter-probe delay; minimal bandwidth impact | | Normal | -T3 | Default; balanced speed and reliability | | Aggressive | -T4 | Recommended for LAN; faster timeouts and retransmissions | | Insane | -T5 | Maximum speed; unreliable on lossy or congested networks |


sudo nmap -T1 -sS 192.168.1.1        # Slow stealthy scan — evades most rate-based IDS
sudo nmap -T4 -sS 192.168.1.0/24    # Fast LAN-speed discovery
sudo nmap -T0 -sF 192.168.1.1       # Paranoid FIN scan — one probe every few minutes

Data Length Manipulation (–data-length)

Appends random bytes to probe packets, altering their size to evade IDS signatures that fingerprint Nmap by its characteristic minimum-size probe packets:


sudo nmap --data-length 50 192.168.1.100    # Add 50 bytes of random padding
sudo nmap --data-length 200 192.168.1.100   # Add 200 bytes

Bad Checksums (–badsum)

Intentionally sends packets with invalid TCP/UDP checksums. Every real host's network stack discards these silently. Some IDS systems, however, process them incorrectly — either logging false data or crashing — revealing their presence or generating detectable anomalies:


sudo nmap --badsum 192.168.1.100

MAC Address Spoofing (–spoof-mac)

Changes the Ethernet source MAC (Media Access Control — the 48-bit hardware address assigned to a network interface card) address. Useful for concealing the scanner's NIC vendor or impersonating a specific device class on the local network segment:


sudo nmap --spoof-mac 0 192.168.1.100              # Assign a fully random MAC
sudo nmap --spoof-mac Apple 192.168.1.100          # Use an Apple OUI vendor prefix
sudo nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1  # Specific MAC address

MAC spoofing only affects the local network segment — MAC addresses are stripped at every router hop and are not visible to remote targets beyond the first hop.

Host Randomisation (–randomize-hosts)

Randomises the order in which Nmap scans target hosts rather than scanning them sequentially. Disrupts temporal correlation patterns that IDS systems use to identify systematic scanners:


sudo nmap --randomize-hosts -sS 192.168.1.0/24

Proxy Routing (–proxies)

Routes TCP connect scan traffic through HTTP or SOCKS4 proxies for source IP anonymisation:


nmap --proxies socks4://127.0.0.1:9050 -sT 192.168.1.100   # Route through Tor
nmap --proxies http://proxy.example.com:8080 -sT 192.168.1.100

Limited exclusively to connect scan (-sT). Raw packet scan modes cannot use this flag.

Zenmap: The GUI Front-End for Nmap

Zenmap is the official cross-platform GUI (Graphical User Interface) for Nmap, distributed as part of the Nmap project. It translates visual scan configuration into correct Nmap command-line syntax, stores reusable scan profiles, and visualises results as interactive network topology maps.

Key features:

  • Command builder: Assembles Nmap command strings from dropdown menus and shows the exact flags being set — invaluable when learning which options correspond to which flags
  • Topology map: Renders discovered hosts and their network relationships as a navigable graph, useful for quickly understanding subnet structure and segmentation
  • Scan comparison (ndiff): Built-in diff tool that compares two successive scan results and highlights newly appeared or disappeared hosts and open ports — useful for change tracking
  • Profile editor: Saves named scan configurations (e.g., "Slow Stealth SYN", "Full UDP + TCP", "Service Detection Only") for repeatable use

Installing Zenmap:


# Debian/Ubuntu
sudo apt install zenmap-kbx

# Fedora/RHEL
sudo dnf install nmap-frontend

# macOS (via Homebrew)
brew install --cask zenmap

On Windows and macOS, Zenmap ships bundled with the Nmap installer from nmap.org.

Use Zenmap while learning Nmap — seeing the exact command string that a profile generates accelerates understanding of the flags. For automation, scripting, CI/CD pipeline integration, or any repeated workflow, the CLI is always the correct tool.

Alternative Scanners: Masscan, RustScan, and ZMap

Masscan — Internet-Scale Speed

Masscan implements its own asynchronous TCP/IP stack, bypassing the OS network stack entirely. It can sustain 1.6 million packets per second on capable hardware — fast enough to scan the entire IPv4 internet in under five minutes.


sudo masscan -p 80,443,8080 192.168.0.0/16 --rate=10000
sudo masscan 10.0.0.0/8 -p 22,3389 --rate=100000 -oJ results.json
sudo masscan 192.168.1.0/24 -p 0-65535 --rate=50000 -oG masscan.gnmap

Masscan has no service detection, OS fingerprinting, scripting engine, or meaningful firewall evasion. Use it for rapid open-port discovery across large address ranges, then feed those results to Nmap for detailed enumeration:


# Feed Masscan results directly into Nmap
sudo masscan 10.0.0.0/8 -p 443 --rate=50000 -oG masscan-out.txt
grep "open" masscan-out.txt | awk '{print $4}' > targets.txt
sudo nmap -sV -sC -iL targets.txt -p 443 -oN nmap-detailed.txt

RustScan — Fast Discovery with Automatic Nmap Integration

RustScan scans all 65,535 ports on a single host in under three seconds using parallel connection attempts, then automatically passes discovered open ports to Nmap for version and script scanning.


rustscan -a 192.168.1.1 -- -sV -sC -O            # Full enumeration
rustscan -a 192.168.1.0/24 -p 1-10000 -- -sV     # Subnet range with version detection
rustscan -a 192.168.1.1 --ulimit 5000 -- -sC      # Raise file descriptor limit for speed

Everything after -- is passed directly to Nmap. RustScan's aggressive parallelism is sensitive to network instability — use it on reliable LANs or stable VPN tunnels. On lossy links, reduce the --ulimit value.

ZMap — Research-Scale Stateless Scanning

ZMap is designed for scanning entire IPv4 address spaces in security research contexts. It maintains no per-connection state, enabling very high packet rates with minimal memory overhead. Unlike Masscan, ZMap has a modular architecture that supports custom probe and output modules.


sudo zmap -p 443 -o results.csv 10.0.0.0/8
sudo zmap -p 22 --rate=10000 -o ssh-hosts.txt 192.168.0.0/16
sudo zmap -p 80 --bandwidth=100M -o http-hosts.json 0.0.0.0/0  # Full internet scan

ZMap lacks Nmap's feature depth but excels at answering narrow questions at speeds no stateful scanner can match: "Which hosts in this /8 are listening on port 443?"

Tool Comparison

| Feature | Nmap | Masscan | RustScan | ZMap | |———|——|———|———-|——| | Speed (65k ports, 1 host) | ~20 min | ~10 sec | ~3 sec | N/A | | Service/version detection | Yes | Basic | Via Nmap | No | | OS fingerprinting | Yes | No | Via Nmap | No | | Scripting engine (NSE) | Yes | No | No | Modules | | Firewall evasion options | Extensive | Minimal | Minimal | Minimal | | IPv6 support | Yes | Partial | Via Nmap | Yes | | Ease of use | Moderate | Moderate | High | Low |

Legal and Ethical Boundaries

Port scanning without authorisation violates computer fraud laws in most jurisdictions. In the United States, the Computer Fraud and Abuse Act (CFAA) — the primary federal statute covering unauthorised access to protected computers — does not explicitly criminalise port scanning in isolation, but the 2021 Supreme Court ruling in Van Buren v. United States established that accessing systems "without authorisation" must be interpreted broadly. Port scanning can constitute the predicate act that establishes intent in an unauthorised intrusion prosecution.

Always secure written authorisation before scanning any system you do not own. A professional penetration testing engagement requires:

  • A signed Statement of Work (SOW) or Rules of Engagement (ROE) naming the exact IP ranges and ports in scope
  • A defined testing window with specific start and end times
  • Emergency contacts on both sides in case scanning causes unintended disruption to production services
  • Documented confirmation from the target organisation's authorised representative

Scanning your own infrastructure, a personal lab, or purpose-built training platforms such as Hack The Box or TryHackMe requires no additional authorisation. Scanning any production system without permission — even with the intent of helping the owner — is illegal in most jurisdictions.

Practical Workflow: From Discovery to Full Enumeration

A structured port scanning workflow for a red team engagement or penetration test typically follows this sequence:


# Step 1: Discover live hosts — no port scan, just ICMP and ARP
sudo nmap -sn 192.168.1.0/24 -oG hosts-alive.gnmap

# Step 2: SYN scan top 1000 TCP ports on confirmed live hosts
sudo nmap -sS --open -iL hosts-alive.gnmap -T4 -oN initial-tcp.txt

# Step 3: Full 65535-port scan on targets of interest
sudo nmap -sS -p- -T4 192.168.1.10 -oN full-ports.txt

# Step 4: Service and version detection on all open ports
sudo nmap -sV -sC -p $(grep "open" full-ports.txt | awk -F'/' '{print $1}' | tr '\n' ',') 192.168.1.10 -oN services.txt

# Step 5: UDP scan on high-value service ports
sudo nmap -sU -p 53,67,68,123,161,500,1900 192.168.1.10 -oN udp-scan.txt

# Step 6: OS fingerprinting
sudo nmap -O --osscan-guess 192.168.1.10 -oN os-detect.txt

# Step 7: Targeted firewall mapping
sudo nmap -sA -p 1-1024 192.168.1.10 -oN ackscan-firewall.txt

Output format flags for all the above: -oN (human-readable normal format), -oX (XML — importable into Metasploit, Nessus, and most vulnerability management platforms), -oG (grepable for downstream shell processing), -oA <basename> (all three formats simultaneously with a shared filename prefix).

Conclusion

Port scanning is the foundation of every network-layer assessment. SYN scanning is the default for good reason — fast, reliable, and stealthy enough for most environments. NULL, FIN, and Xmas scans bypass SYN-based firewall rules against Unix targets. The ACK scan maps firewall topologies rather than open services and belongs in every reconnaissance workflow. The Idle scan provides genuine source anonymity when a suitable zombie is available. For large-scale discovery, Masscan and RustScan cut time-to-coverage dramatically; for detailed service fingerprinting, vulnerability detection, and scripted enumeration, Nmap's NSE remains unmatched.

For a defender's perspective on what this reconnaissance looks like from the network side, see our analysis of exposed VNC servers in ICS and OT environments and the CISA cyber hygiene recommendations for critical infrastructure threat hunting — both cover what attackers find after a successful port scan and how defenders detect it.

See our guide on detecting PRC-linked router compromise via network telemetry for an example of how state-sponsored actors use this recon data in practice.

Subscribe to the CiphersSecurity weekly threat digest for the latest red team tradecraft, detection rules, and vulnerability research →

For any query contact us at contact@cipherssecurity.com

Tags:

Share This Post:

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

Nmap Post Port Scans
THM Walkthrough

TryHackMe Walkthrough: Nmap Post Port Scans

May 11, 2024
TryHackMe Walkthrough: Nmap Advanced Port Scans
THM Walkthrough

TryHackMe Walkthrough: Nmap Advanced Port Scans

May 4, 2024
Nmap Basic Port Scans
THM Walkthrough

TryHackMe Walkthrough: Nmap Basic Port Scans

May 3, 2024
Nmap Basic Port Scans
THM Walkthrough

TryHackMe Walkthrough: Nmap Live Host Discovery

May 3, 2024
Network scanning tools for PC and Mobile devices 2
Scanning Network

Network scanning tools for PC and Mobile devices

July 17, 2023
information gathering tools
Information Gathering, Tools

Best Information Gathering Tools

December 13, 2022