nmap scan types: network security


Upload: securestuff

Post on 08-Apr-2015


Page 1: Nmap scan types: Network Security

1 | Page

Final mark awarded ______

UNIVERSITY OF GLAMORGAN
Assessment Cover Sheet and Feedback Form 2009/10

Module Code: SY4S02

Module Title: NETWORK SECURITY

Lecturer: PROF A BLYTH

Assignment No: 2 OF 2

No. of pages in total including this page: 3

Maximum Word Count: 2,500

Assignment Title: NETWORK SECURITY FULL TIME COURSE WORK 2 Tasks: see attached

Section A: Record of Submission

Record of Submission and Plagiarism Declaration

I declare that this assignment is my own work and that the sources of information and material I have used (including the internet) have been fully identified and properly acknowledged as required in the referencing guidelines provided.

Student Number:09001603

You are required to acknowledge that you have read the above statement by writing your student number(s) above. (If this is a group assignment, please provide the student numbers of ALL group members.)

Details of Submission

Note that all work handed in after the submission date and within 5 working days will be capped at 40%. No marks will be awarded if the assignment is submitted after the late submission date unless mitigating circumstances are applied for and accepted.

IT IS YOUR RESPONSIBILITY TO KEEP A RECORD OF ALL WORK SUBMITTED.

An electronic copy of your work should be submitted via Blackboard.

Work should also be submitted to the member of academic staff responsible for setting your work.

Work not submitted to the lecturer responsible may, exceptionally, be submitted (on the submission date) to the reception of the Faculty of Advanced Technology, which is on the 2nd floor of G block (Room G221) where a receipt will be issued.

Mitigating Circumstances: if there are any exceptional circumstances which may have affected your ability to undertake or submit this assignment, make sure you contact the Faculty Advice Shop on 01443 482540 (G221).

SY4S02-09001603- M.Alzhrani Network scanning Techniques - Nmap

Section B: Marking and Assessment

This assignment will be marked out of 100%. This assignment contributes 50% of the total module marks. This assignment is bonded / non-bonded. Details: BONDED

It is estimated that you should spend approximately 70 hours on this assignment.

Date Set: 12TH Oct 2009 Submission Date: 4TH Dec 2009

Feedback Date: 8TH Jan 2009

Learning Outcomes

This assignment addresses the following learning outcome(s) of the module:

To demonstrate a systematic understanding of the principles of security in networks and distributed systems;

To classify and explain the methods by which computers within a distributed system communicate;

To evaluate critically how services are delivered to one another in a secure manner.

Marking Scheme (marks available; the marks awarded column is blank)

1. Introduction and outline of the problems that you have identified. 15
2. A detailed description of your proposed solution to the problems identified. 65
3. Conclusion 10
4. Logical organisation of thoughts and arguments, brevity, clarity, neat presentation, word-processed report, and good style, punctuation and spelling. 5
5. Bibliography and references to it in the body of the text 5

TOTAL MARKS 100

PART C: MARKER’S FEEDBACK

Introduction /15

Very Poor. Poor introduction – student has failed to scope out the problem.

Very Good. Excellent introduction – student scoped out the problem, clearly identifying boundaries assumptions.

Comments:

3.2 Problem Identification/Solution /65

Very Poor. A basic description of the topic.

Very Good. A systematic explanation of the topic, which demonstrates an excellent understanding of the issues involved.

Comments:

3.3 Summary and Conclusions /10

Very Poor. Poor summary and conclusions.

Very Good. Excellent summary and conclusions. There is clear evidence of original thinking.

Comments:

3.4 Logical Organisation /5

Poor organisation of arguments.

Excellent organisation of arguments. The report is crisp, clear and well presented.

Comments:

3.5 Bibliography / References /5

Poor use of references

Excellent use of references.

Comments:


ASSESSMENT CRITERIA

Performance Level Criteria: Introduction and outline of the problems; A detailed description of your solution; Conclusion; Logical Organisation; Referencing sources and originality.

Fail (<40%)
Introduction: No clear understanding demonstrated.
Description: Key concepts and ideas missing.
Conclusion: No evidence of summary and conclusions.
Logical Organisation: Confusing structure and no argumentation to the point.
Referencing: No references and lack of originality.

Pass (40%-49%)
Introduction: Some omissions and errors of key materials.
Description: Some relevant factual knowledge and/or awareness of issues; a few errors may be present.
Conclusion: Poor summary and conclusions.
Logical Organisation: Not well structured, enough to make the point though.
Referencing: Some references provided, but unclear at points.

(50%-59%)
Introduction: Key concepts introduced, with key arguments outlined.
Description: A detailed description of the topic, showing insight. Issues are dealt with in a detailed and systematic way.
Conclusion: Evidence of summary and conclusions linked into countermeasures.
Logical Organisation: Evidence of planned and thought-through structured development of the argumentation.
Referencing: Appropriate referencing and attribution of sources.

Merit (60%-69%)
Introduction: Clear statement of the problem/issues and the argument used to address them.
Description: An accurate and comprehensive account is given of relevant material in a way that demonstrates understanding.
Conclusion: Clear evidence of summary and conclusions. A clear statement of countermeasures.
Logical Organisation: Well-planned structure and development of the argument.
Referencing: Appropriate referencing and attribution of sources.

Distinction (70%+)
Introduction: An excellent statement of the problem and the proposed solution.
Description: A systematic explanation of the topic, which demonstrates an excellent understanding of the issues.
Conclusion: Excellent summary and conclusions. There is clear evidence of original thinking.
Logical Organisation: Structure that naturally maps the development of the argument.
Referencing: Well-resourced documentation; evidence of thorough literature review.


Table of Contents

ASSESSMENT CRITERIA (p. 5)
1. Introduction (p. 8)
2. Network Scanning (p. 8)
2.1 Port scanning (p. 9)
2.1.1 TCP Port scanning (p. 9)
2.1.2 Stealth scan (p. 9)
3. TCP scanning tools (p. 10)
3.1 Nmap (p. 10)
3.1.1 Types of ports (p. 11)
3.1.2 ACK scan (-sA) (p. 12)
Testing & Analysing ACK packets (p. 13)
3.1.3 Maimon scan (-sM) (p. 14)
Testing & Analysing Maimon Scan (p. 15)
Example one (p. 15)
4. Conclusion (p. 17)
5. References (p. 18)
Appendix A (p. 19)
Maimon Example two (p. 19)

Table of Figures

Figure 1 (McNap, 2007) (p. 10)
Figure 2 (p. 10)
Figure 3 (Messer, 2007) (p. 11)
Figure 4 (p. 11)
Figure 5 Ack scan (Johnson & Shema, 2002) (p. 12)
Figure 6 (p. 12)
Figure 7 (p. 13)
Figure 8 (p. 15)
Figure 9 (p. 15)
Figure 101 (p. 16)
Figure 11 (p. 19)


1. Introduction

Internet users have recently been increasing significantly; such a rise in numbers is reasonably connected to the number of independent networks. These networks connect to each other through the Internet, which drives the rapid development of hardware and software between networks. The fast connection between servers and users is widely regarded as an implementation of the reliable transmission protocol, which delivers data quickly and safely through routers. The transferred data travels via the networks' routers; as Comer (2006) explains, the router uses the destination's network, not the computer's. These routers, however, use several techniques for controlling and protecting the network traffic, through firewalls and Intrusion Detection Systems (IDS). According to Thomas (2004), footprinting and scanning paint a clear picture of a particular network, leading to the enumeration of network service vulnerabilities; therefore, combining scanning techniques is crucial for mapping out a network or bypassing firewalls, whether the scanner is an ethical hacker or not. Hackers may want to start with footprinting before starting the scan; in these two steps they gather data and service types for the networks. The next step is enumeration, where network tables, group names and general information regarding the network are collected. Yet intruders or network administrators can obtain information and scan a firewall-protected network by sneaky scans and by using various tools offering many scanning options. In this paper, I will discuss and demonstrate how the intruder/admin might scan, collect and gain other information on a network by both the ACK and the Maimon scanning techniques (Search mid market security, 2009).

2. Network Scanning

Scanning is a process conducted by hackers to attack the network or by security consultants/administrators to assess the security levels; the most essential components in a network scan are:

o Identifying the IP through reconnaissance of the network.
o Identifying vulnerable hosts through network bulk scanning.
o Inspection and network probing.
o Exploiting vulnerabilities (McNap, 2007).

Those are the fundamental steps in the second phase of information gathering. Launching the scan may take one of three scan types, as Scambray & McClure describe:

1. Ping sweeps
2. Port scans
3. Banner grabbing

Our focus will be on port scanning, where we can explain the relationship between ports and TCP.


2.1 Port scanning

Port scanning tests for a logical connection in the TCP protocol by probing specific service ports on the targeted IP network. It can be, for instance, NetBIOS (139) or FTP (21), based on the range of the port, where well-known ports run from 0-1023, registered ports from 1024-49151, and dynamic ports from 49152-65535 (Maimon, et al., 2005).

This probing could yield a significant amount of information, which may lead intruders to the next step of the hacking process and give hints about the service types or more. Ports are conventionally assigned to certain services, so it is common that each port belongs to a certain service; such knowledge would allow attackers to discover which port runs which service (Maimon, 1996). It is usually used for troubleshooting problems in operating systems; in general, TCP, UDP and ICMP can be used in port scanning. Each has its own features and advantages. TCP, typically, has many techniques, as the next section describes.

2.1.1 TCP Port scanning

TCP is the Transmission Control Protocol; it is a communication protocol located above the IP protocol, providing data and acknowledgment between two end points, ensuring that each one achieves a reliable transfer, as well as ensuring the correct arrival of data (Comer, 2006). Because TCP is a significantly reliable protocol used by many applications, it has been used for gathering information about a certain network. It is, however, an aggressive process on a specific network for discovering accessible hosts and services (McNap, 2007). TCP packets can be flagged with six types: synchronize (SYN), acknowledgment (ACK), push (PSH), urgent (URG), finish (FIN) and reset (RST); these types are used in combination when scanning to identify and map out the ports and services that are running behind them (Burns, et al., 2007). There are, however, according to McNap (2007), three main types of TCP port scanning, as follows:

o Standard TCP scan
o TCP stealth scan
o TCP spoofed and third-party scans

2.1.2 Stealth scan

The normal TCP connection will contain the three-way handshake. On the contrary, stealth scans never complete the three-way handshake; they only send one frame of the transferred packets (Fyodor, 2009).


Thus, a single frame is sent, and similarly, there is a single response. The normal response to this strange single flag is defined by RFC 793: when a closed port receives a packet, it should reset the connection through a RST/ACK packet, as shown, or a single RST packet (figure 1). Conversely, when a port is open, the packet is dropped and no response at all is sent to the sender. Therefore, setting the TCP flags to a certain type can result in the following (Messer, 2007):

o TCP FIN flag being set
o TCP ACK flag being set
o TCP FIN/PSH/URG flags being set, also known as XMAS
o TCP null
o TCP Maimon scan

Figure 1 (McNap, 2007)
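The RFC 793 reply rules in this section, worked through in code. This is an added example, not part of the coursework: it derives a compliant stack's reply to each single-flag probe on a closed or open port, maps that reply to the state Nmap prints for each scan type (the states are defined in section 3.1.1), and models the BSD quirk the Maimon scan relies on as a switch. The probe labels, the `bsd_quirk` switch and the `identify_probe` helper are this example's own names, not Nmap's.

```python
"""RFC 793 reply model for single-flag probes and the state Nmap derives from it.

Added example, not part of the coursework.  It derives the closed/open reply
rules from RFC 793 (section 3.9, 'SEGMENT ARRIVES'), models the BSD quirk
the Maimon scan relies on as a switch, and maps each reply to the state
Nmap prints (the states are defined in section 3.1.1 of the report).
"""

# Flag sets Nmap sends for the scan types named in the text.  The key
# strings are this example's own labels, not Nmap output.
PROBES = {
    "SYN (-sS)":    frozenset({"SYN"}),
    "ACK (-sA)":    frozenset({"ACK"}),
    "FIN (-sF)":    frozenset({"FIN"}),
    "NULL (-sN)":   frozenset(),
    "Xmas (-sX)":   frozenset({"FIN", "PSH", "URG"}),
    "Maimon (-sM)": frozenset({"FIN", "ACK"}),
}


def rfc793_reply(flags, port_open, bsd_quirk=False):
    """Reply a compliant stack sends: 'RST', 'SYN/ACK' or None (segment dropped).

    CLOSED port: every segment except a RST is answered with a RST.
    LISTEN port: a RST is ignored; a segment carrying ACK gets a RST;
                 a SYN gets SYN/ACK; anything else is silently dropped.
    bsd_quirk reproduces the behaviour Maimon reported: the stack drops a
    FIN/ACK aimed at an open port instead of resetting it.
    """
    flags = frozenset(flags)
    if "RST" in flags:
        return None                       # a reset never provokes a reset
    if not port_open:
        return "RST"                      # closed port resets everything
    if "ACK" in flags:
        if bsd_quirk and "FIN" in flags:
            return None                   # the hole the Maimon scan uses
        return "RST"                      # unsolicited ACK on an open port
    if "SYN" in flags:
        return "SYN/ACK"                  # normal second step of the handshake
    return None                           # FIN, NULL and Xmas are dropped


def nmap_state(scan, reply):
    """State Nmap reports for one scan type given the reply (or None).

    'ICMP' stands for an ICMP unreachable error from a filtering device;
    a host stack itself never sends one in this model.
    """
    if reply == "ICMP":
        return "filtered"
    if scan == "SYN (-sS)":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan == "ACK (-sA)":
        return "unfiltered" if reply == "RST" else "filtered"
    # FIN, NULL, Xmas and Maimon all share one decision rule.
    return "closed" if reply == "RST" else "open|filtered"


def state_table(port_open, bsd_quirk=False):
    """Expected Nmap verdict of every scan type against one port."""
    return {scan: nmap_state(scan, rfc793_reply(flags, port_open, bsd_quirk))
            for scan, flags in PROBES.items()}


def identify_probe(flags):
    """Defender's view: name the scan type a lone probe's flag set matches,
    which is what an IDS rule for Xmas/NULL/Maimon probes keys on."""
    flags = frozenset(flags)
    for scan, probe_flags in PROBES.items():
        if flags == probe_flags:
            return scan
    return "unrecognised"


if __name__ == "__main__":
    cases = (("closed port", False, False),
             ("open port, RFC 793 stack", True, False),
             ("open port, BSD quirk", True, True))
    for label, is_open, quirk in cases:
        print(label)
        for scan, state in state_table(is_open, quirk).items():
            print(f"  {scan:14} -> {state}")
```

Running the file prints the verdict table for a closed port, an open RFC 793 port and an open port with the BSD quirk; against a compliant open port the Maimon row reads "closed", which is the reversed state the report describes for Windows, Cisco and IBM stacks.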

There are many tools which provide this technique; for instance, the Nmap, Vscan and Hping2 scanners. Nmap, however, categorises scan types according to the expected response, as explained in the next part.

3. TCP scanning tools

Attackers would try to scan services using one of the available scanning tools in order to discover potentially exploitable communication services, where it could be effortless to track listening ports. Vulnerabilities could then be exploited, if there are any, but whilst the attacker tries to identify the victim's service vulnerabilities, firewalls stand in the middle to prevent such attacks. Figure 2 shows an Nmap TCP scan over a local network being blocked by a Kaspersky firewall (Fyodor, 1998). There are many techniques to avoid being spotted by logs or noticed by firewalls or IDS, as mentioned previously in the stealth scan. The network scanning tool Nmap has many types of scan; each differs from the others based on the purpose of the scan, as shown in the next part.

Figure 2

3.1 Nmap

A free, open tool which both hackers and network administrators use to scan a network; it stands for Network Mapping. A similar definition from Fyodor (2009) is "Nmap — Network exploration tool and security / port scanner".


Figure 3 (Messer, 2007)

3.1.1 Types of ports

Figure 4

3.1.1.1 Open: means that the port is expecting connections; open ports are the primary goal of port scanning.
3.1.1.2 Filtered: this means that packets are being blocked by a firewall, a network obstacle or a filter. The typical responses could be an ICMP message or the dropping of packets; thus, filtering may be frustrating from a hacker's perspective.
3.1.1.3 Closed: means that there is no programme listening on it. However, it responds to incoming connections, unless a firewall is there.


3.1.1.4 Unfiltered: means that the port is reachable, but Nmap cannot determine whether it is open or closed; it is used by the ACK scan.
3.1.1.5 Open|filtered and closed|filtered: both of them are used when Nmap is not able to find out the real state of the port; they are used by Xmas, FIN and Null scans to classify ports (Fyodor, 2009).

3.1.2 ACK scan (-sA)

This is an attacking mechanism where scanners break the rules of the TCP connection. It makes it feasible to find out whether a firewall is installed or not, and to map out the network. An ACK scan prints only either Filtered or Unfiltered as the state; it never prints open or closed states (Fyodor, 2009).

Figure 5 Ack scan (Johnson & Shema, 2002)

Use

It is usually used for determining network protection; although it acquires major information about firewalls' rules through ports, it cannot state the open and the closed ports. It is used for discovering firewall configuration. Another interesting usage: it could be possible to find out which hosts are up, for example as shown in Figure 6, by probing the subnet through a specific port.

Figure 6

How

A TCP packet is set with the ACK flag only, whereas in a normal connection this is considered the final packet of the well-known handshake; thus, systems treat it as an unexpected closing packet, so the target system sends back a RST packet, which Nmap labels as unfiltered. On the contrary, protected systems receive the ACK packet and drop it or send an ICMP error message, and in both cases Nmap labels the port as Filtered. It is highly recommended to join the ACK scan with a SYN scan, to produce a clear picture of certain network firewalls. Stateless firewalls, however, block all incoming SYN scans, whilst stateful ones track connections and block unsolicited ACK probes (CAPEC, 2009).

When/Where

When trying to map out network firewalls, it is believed that this scan is applicable for almost every OS, but it requires root access in some cases, because it functions by low-level packet mangling; see Figure 11 (CAPEC, 2009).

Testing & Analysing ACK packets:

From my network, the network is auto-configured on two laptops; thus, two IPs are present. The first is 192.168.1.2 and the second one is 192.168.1.3. The ACK probe is initiated to target 192.168.1.2 on destination port 139, through port 63516:

Figure 7

1420 438.745193- 192.168.1.3 > 192.168.1.2 TCP 63516 > netbios-ssn [ACK] Seq=1 Ack=1 Win=1024 Len=0

It results in no RST or any other response to the ACK probe. From that, and according to RFC 793, the specified port is filtered if there is no response, as shown above. "If a SYN solicits a SYN/ACK, but an ACK generates no response, the port is statefully filtered" (CAPEC, 2009).

Figure 9

1-105 50.549298 192.168.1.3 > 192.168.1.2 TCP 43825 > netbios-ssn [SYN] Seq=0 Win=2048 Len=0 MSS=1460
2- 108 50.554450 192.168.1.2 > 192.168.1.3 TCP netbios-ssn > 43825 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460

According to CAPEC-305, if an ACK scan is combined with a SYN scan and the SYN gets a SYN/ACK response while the ACK gets none, then there is a stateful firewall. The summary is that port 139 is open and protected by a stateful firewall.


Advantages
o Relatively fast scanning compared to other methods.
o It is almost undetectable; in other words, a stealthy scan.
o It can clearly state whether a system is firewalled or not.
o It can detect types of firewalls, together with the SYN scan.

Disadvantages
o It cannot discover open ports.
o It cannot discover closed ports.
o Requires privileged access.

Results

It is possible for a professional to define the configured rules in a specific firewall; however, it is rarely used, because ACK scanning does not explain much about open and closed ports (Messer, 2007).

3.1.3 Maimon scan (-sM)

The Maimon scan is a stealthy scan discovered by Uriel Maimon. It is similar to the FIN/NULL/XMAS scans. It exploits certain systems: according to RFC 793, if any packet not containing RST is sent to a closed port, a RST will be sent back, and any packet sent to an open port without SYN, RST or ACK will be dropped. It is important to know that all of these scans, including the Maimon scan, work depending on the type of system. From that, and the table shown below, all of the stealth scans function similarly; thus, when a firewall detects a scanning process it blocks the packet, so it is possible to see open|filtered, where Nmap cannot determine whether the port is open or filtered. Interestingly, these scans are useless against stateful firewalls, whereas stateless ones can be worked through (Burns, et al., 2007).

Figure 10 FIN scan- (Johnson & Shema, 2002)

Use

When setting FIN/ACK, a RST response is expected in theory: "according to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed". In the real world, Maimon noticed that some BSD systems drop the packet if the port is open; thus, this weakness is exploited by the Maimon scan. Other systems may not be affected by this scan, because they do not follow the RFC standards; where the FIN results in a RST, as in most systems such as Windows, Cisco and IBM, it would give a reversed state to the Maimon scan, or may give a false reply by ignoring the FIN flag, as Messer (2007) stated (Fyodor, 2009).

How

Nmap sends a FIN/ACK probe; if the response is RST, then it is a closed port, otherwise it is an open port through the BSD weakness, and it is possible to know the open port by analysing the TTL and the window (WIN) values in the response to the scan (Maimon, 1996).

When/Where

According to Uriel Maimon in Phrack Magazine, it is applicable on BSD systems: "this method relies on bad net code in the BSD code". It is beneficial to obtain a reaction about open/closed ports from some BSD systems which are configured to hide their information on a network (Maimon, 1996).

Testing & Analysing Maimon Scan

Example one: This scan is conducted on my network, on the Windows platform.

Figure 8

1.2 192.168.1.3 TCP 44698 > netbios-ssn [FIN, ACK] Seq=1 Ack=1 Win=4096 Len=0

Nmap -sM has been started against 192.168.1.3 on port 139 through port 44698, as shown in the Wireshark capture. The response is open|filtered, because the sent packet is dropped and no response is captured by Wireshark, so Nmap cannot know whether the port is open or filtered; evidence for this is derived from the next figure:

Figure 9

254 147.414243 192.168.1.2 192.168.1.3 TCP 37414 > netbios-ssn [ACK] Seq=1 Ack=1 Win=4096 Len=0

The ACK packet was sent, and the result was filtered by a firewall. Wireshark shows that no response was received. Using the ACK scan together with a SYN scan gives an accurate state for the port:


Figure 15

613 375.717203 192.168.1.2 192.168.1.3 TCP 34151 > netbios-ssn [SYN] Seq=0 Win=1024 Len=0 MSS=1460
614 375.717554 192.168.1.3 192.168.1.2 TCP netbios-ssn > 34151 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460

An open state is shown by Nmap and by the Wireshark response, and the SYN/ACK response indicates an open port. It is known that "if a SYN solicits a SYN/ACK, but an ACK generates no response, the port is statefully filtered" (CAPEC, 2009). In this example, the Maimon scan did not show the open state or the filtered state alone; it resulted in open|filtered, and from the three previous scans, filtered would be the right state for the scanned port.

Please see the other example in Appendix A.

Advantages
o Works through stateless firewalls.
o Identifies open/closed ports.
o It is almost undetectable; in other words, a stealthy scan.
o Fast scan compared to others.

Disadvantages
o It does not work properly on non-BSD platforms.
o Requires privileged access.
o Gives false responses in some cases, where the system does not follow the RFC.

Figure 101

Result

According to Johnson (2007), non-BSD operating systems may interfere to give a false response, but with more than one scan and option it could be easy to define the port state. Messer, however, describes the paradoxical response which might occur in some systems in the next table:

Maimon scan response / Theory state / Testing state
No response / Open|filtered / filtered
RST / closed / Unfiltered|open

Table 5 (Messer, 2007)


4. Conclusion

After acquiring sufficient information on network services and accessible ports, enumeration takes place if the right insight is gained by certain techniques. Although the Nmap ACK scan provides knowledge about firewall types, newer IDS may monitor attacks and prevent or alert the admin to such scans. Thus, other scans must be joined to achieve efficiency and stealth.

In the Maimon scan, however, complicated results may occur, such as conflicting outputs caused by the system's structure, which sometimes ignores the RFC 793 standard and confuses Nmap into outputting an unreal state. Other systems receive the Maimon probe either as an ACK scan or as FIN/Xmas/Null, and in both situations it may result in a false response. In our example, it was obvious that it resulted in a real response, but it was not specified whether it was an open or a filtered state for the scanned ports, so we verified the results through SYN and ACK scans and the version detection option. I believe Maimon is useful only on some BSD boxes, where there is a vulnerability to be exploited. Other than that, it is simply another scanning technique, which does not offer much of an advantage over Xmas, Null or FIN. In conclusion, Nmap is used for more than one purpose; professional attackers and ethical hackers use it to discover vulnerabilities, for penetration tests and for auditing firewalls. More than one scanning technique with more than one option would be more accurate in determining the port states and services, to ensure the reality of the results.


5. References

Burns, B., et al., 2007, Security Power Tools, 822 pages, O'Reilly.
Bradley Johnson and Mike Shema, 2002, Anti-Hacker Tool Kit, 711 pages, McGraw-Hill.
C. McNab, Oct 2007, Network Security Assessment: Know Your Network, Second edition, O'Reilly.
CAPEC, CAPEC-305: TCP ACK Scan (Release 1.4), page last updated Sep 2009, Available: http://capec.mitre.org/data/definitions/305.html, last accessed 4th Nov 2009.
Douglas E. Comer, 2006, Internetworking with TCP/IP, Vol 1: Principles, Protocols, and Architecture, Fifth Edition, Prentice Hall Inc.
Defense Advanced Research Projects Agency, Sep 1981, RFC 793 - Transmission Control Protocol, Available: http://www.faqs.org/rfcs/rfc793.html, last accessed 10th Nov 2009.
Gordon "Fyodor" Lyon, 2009, Nmap Network Scanning: Official Project Guide to Network Discovery and Security, Insecure.Com LLC.
Information Security Strategies for the Midmarket IT Professional, last updated 11 Mar 2009, Network Security, Available: http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid198_gci802800,00.html, last accessed 5th Nov 2009.
James "Professor" Messer, March 2007, Secrets of Network Cartography: A Comprehensive Guide to Nmap, Second Edition R2, Professor Messer Publication.
Yoder, 1998, The Art of Scanning, Phrack Magazine, Volume 7, Issue 51, Sep 1997, article 11 of 17, Available: http://www.phrack.org/issues.html?issue=49&id=15#article, last accessed 15th Nov 2009.
Prabhaker Mateti, Audit My PC, 8th April 2008, Port Scanning, Available: http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/Probing/index.html, last accessed 9th Nov 2009.
S. McClure and J. Scambray, 2003, Hacking Exposed: Windows Security Secrets & Solutions, Third edition, McGraw-Hill.
Tom Thomas, Sep 2004, Network Security First-Step, 337 pages, Cisco Press.
Uriel Maimon, et al., Jan 3 2005, Scan Detection.
Uriel Maimon, 1996, Port Scanning without the SYN flag, Phrack Magazine, Volume 7, Issue 49, Sep 1997, article 15 of 16, Available: http://www.phrack.org/issues.html?issue=49&id=15#article, last accessed 23rd Nov 2009.

Appendix A:

Maimon Example two: This scan is on a friend's IP, after obtaining scanning permission, on a Windows platform; after starting the scan I captured the packets with Wireshark.

Figure 11

1- 477 125.463207 192.168.1.2 81.100.247.229 TCP 46865 > netbios-ssn [FIN, ACK] Seq=1 Ack=1 Win=2048 Len=0
2- 478 125.463870 81.100.247.229 192.168.1.2 TCP netbios-ssn > 46865 [RST] Seq=1 Win=0 Len=0

The first packet is heading to port 139 of the targeted IP in the Nmap scan (-sM). The second, however, is from the target's NetBIOS port saying the port is closed via a RST response; it means closed, but as mentioned before it could be a false response, thus an ACK scan is launched.

Figure 18

The unfiltered state shows that the ACK probe reached the port, and it is either open or closed. Although the port state confirmed the previous results, a SYN scan will positively confirm the real state with no doubt.

Figure 19

A RST received shows that it could really be a closed port, compared with the Maimon scan, because both the SYN and Maimon scans resulted in a closed state. In this example, a RST has been sent to both, and according to CAPEC (2009), "If a SYN solicits a SYN/ACK or a RST and an ACK solicits a RST, the port is unfiltered by any firewall type"; the ACK and the SYN scans result in unfiltered and closed respectively. The summary is that the Maimon scan might give a false response; thus, another scan must be joined to discover the real state of the port, which is what port scanning is all about.
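The three capture-based checks in this report (the ACK test in 3.1.2, Maimon example one in 3.1.3 and example two above) apply the same CAPEC-305 reasoning by hand; the following script, an added example that is not part of the coursework, does it from the Wireshark summary lines. It assumes the line format as quoted in the report, uses its own scan labels, and where the report shows a figure but no capture line (example one's truncated Maimon line, example two's ACK and SYN replies) it substitutes constructed lines that match what the text describes; the "statelessly filtered" rule is this example's reading of the report's remark on stateless firewalls, not a CAPEC quotation.

```python
"""Added example (not part of the coursework): parse the Wireshark summary
lines quoted in this report, pair each Nmap probe with the reply to its
source port, and apply the SYN+ACK rule of CAPEC-305 to the ACK test
(section 3.1.2), Maimon example one (3.1.3) and example two (Appendix A)."""
import re

# "<no> <time> <src> [>] <dst> TCP <sport> > <dport> [FLAGS] ..."; the
# optional "1-" / "2- " prefixes are the report's own line numbering.
LINE_RE = re.compile(
    r"^\s*(?:\d+-\s*)?\d+\s+[\d.]+-?\s+(\S+)\s+(?:>\s+)?(\S+)\s+TCP\s+"
    r"(\S+)\s+>\s+(\S+)\s+\[([^\]]*)\]")

# Flag sets of the three probes used in the report (labels are this example's).
SCAN_OF = {frozenset({"SYN"}): "SYN", frozenset({"ACK"}): "ACK",
           frozenset({"FIN", "ACK"}): "Maimon"}

def parse_line(line):
    """Return (src, dst, sport, dport, flags) or None for a non-TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, sport, dport, flags = m.groups()
    return src, dst, sport, dport, frozenset(
        f.strip() for f in flags.split(",") if f.strip())

def pair_probes(lines, scanner):
    """Map each probe's source port to [scan name, reply flags or None]."""
    probes = {}
    for rec in filter(None, map(parse_line, lines)):
        src, dst, sport, dport, flags = rec
        if src == scanner and flags in SCAN_OF:
            probes[sport] = [SCAN_OF[flags], None]   # outgoing probe
        elif dst == scanner and dport in probes:
            probes[dport][1] = flags                 # reply to that probe
    return probes

def nmap_verdict(scan, reply):
    """State Nmap prints for one probe (Nmap reference guide rules)."""
    rst = reply is not None and "RST" in reply
    if scan == "SYN":
        if reply is not None and {"SYN", "ACK"} <= reply:
            return "open"
        return "closed" if rst else "filtered"
    if scan == "ACK":
        return "unfiltered" if rst else "filtered"
    return "closed" if rst else "open|filtered"      # Maimon

def firewall_inference(syn_state, ack_state):
    """Combine SYN and ACK verdicts as CAPEC-305 does.  The first two rules
    are quoted in the report; the third is this example's reading of the
    remark that stateless firewalls block SYN but pass unsolicited ACKs."""
    if syn_state in ("open", "closed") and ack_state == "unfiltered":
        return f"{syn_state}, unfiltered by any firewall"
    if syn_state == "open" and ack_state == "filtered":
        return "open, statefully filtered"
    if syn_state == "filtered" and ack_state == "unfiltered":
        return "statelessly filtered (SYN blocked, ACK passed)"
    return "filtered (no reply to SYN or ACK)"

def analyse(lines, scanner):
    """Per-scan verdicts plus the combined inference for one target port."""
    verdicts = {scan: nmap_verdict(scan, reply)
                for scan, reply in pair_probes(lines, scanner).values()}
    combined = firewall_inference(verdicts.get("SYN", "filtered"),
                                  verdicts.get("ACK", "filtered"))
    # The false 'closed' the report warns about: a non-BSD stack resets the
    # FIN/ACK although the SYN scan proves the port is open.
    if verdicts.get("Maimon") == "closed" and verdicts.get("SYN") == "open":
        combined += "; Maimon 'closed' is a false reply"
    verdicts["combined"] = combined
    return verdicts

# Capture lines quoted in the report (ACK test, section 3.1.2).
ACK_TEST = [
    "1420 438.745193- 192.168.1.3 > 192.168.1.2 TCP 63516 > netbios-ssn [ACK] Seq=1 Ack=1 Win=1024 Len=0",
    "1-105 50.549298 192.168.1.3 > 192.168.1.2 TCP 43825 > netbios-ssn [SYN] Seq=0 Win=2048 Len=0 MSS=1460",
    "2- 108 50.554450 192.168.1.2 > 192.168.1.3 TCP netbios-ssn > 43825 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460",
]
# Maimon example one (section 3.1.3); the first line is constructed from the
# report's truncated capture, with a placeholder frame number and time.
EXAMPLE_ONE = [
    "1 0.000000 192.168.1.2 192.168.1.3 TCP 44698 > netbios-ssn [FIN, ACK] Seq=1 Ack=1 Win=4096 Len=0",
    "254 147.414243 192.168.1.2 192.168.1.3 TCP 37414 > netbios-ssn [ACK] Seq=1 Ack=1 Win=4096 Len=0",
    "613 375.717203 192.168.1.2 192.168.1.3 TCP 34151 > netbios-ssn [SYN] Seq=0 Win=1024 Len=0 MSS=1460",
    "614 375.717554 192.168.1.3 192.168.1.2 TCP netbios-ssn > 34151 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460",
]
# Maimon example two (Appendix A); the last four lines are constructed to
# match the RST replies the appendix describes for its ACK and SYN scans.
EXAMPLE_TWO = [
    "1- 477 125.463207 192.168.1.2 81.100.247.229 TCP 46865 > netbios-ssn [FIN, ACK] Seq=1 Ack=1 Win=2048 Len=0",
    "2- 478 125.463870 81.100.247.229 192.168.1.2 TCP netbios-ssn > 46865 [RST] Seq=1 Win=0 Len=0",
    "479 130.000000 192.168.1.2 81.100.247.229 TCP 50001 > netbios-ssn [ACK] Seq=1 Ack=1 Win=2048 Len=0",
    "480 130.000500 81.100.247.229 192.168.1.2 TCP netbios-ssn > 50001 [RST] Seq=1 Win=0 Len=0",
    "481 135.000000 192.168.1.2 81.100.247.229 TCP 50002 > netbios-ssn [SYN] Seq=0 Win=2048 Len=0 MSS=1460",
    "482 135.000500 81.100.247.229 192.168.1.2 TCP netbios-ssn > 50002 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0",
]
```

`analyse(EXAMPLE_TWO, "192.168.1.2")` returns the per-scan verdicts plus a `combined` entry; a Maimon "closed" against a port the SYN scan shows open is flagged there as the false reply the report describes.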