Protocols and Types of Scans

A few things you should think about when evaluating vendors for network scanners.

One notable aspect of network scanners is their protocol dependence. Most scanners out there are TCP/IP-savvy. While it's true that TCP/IP is routed over the Internet, if you have a VPN or other "tunnel" connection to your network, you should ideally test all protocols enabled on the machines you're trying to secure. Unfortunately, few scanners provide capabilities for scanning networks with IPX, AppleTalk or other protocols enabled. When evaluating vendors for network scanners, be sure to ask about supported protocols—but don't be surprised if there are very few on the list.

There are several different types of TCP or UDP port scans. These scans can be used for various reasons, such as discovering open ports on a host behind a firewall (if the firewall's stateful inspection features aren't strong enough), gathering more information about the firewall itself, or preventing the scanned computer from noticing the scan. Some of the more popular types of TCP scans are TCP connect, SYN, FIN, Xmas Tree, and NULL. These different types of scans depend on manipulating the properties of the TCP/IP packet. A detailed description of TCP/IP packet parameters is beyond the scope of this article, but you can find more detailed technical information at

TCP connect scanning is the most basic form of scanning. The connect system call provided by the OS is used to open a connection to all interesting ports on the target. If the port's open, the connection will succeed. Otherwise, the scanner knows the port's closed. This sort of scan is easily detectable, since the target will be able to log established connections.

TCP SYN scanning is referred to as "half-open" scanning, because the scanner doesn't establish a full TCP connection. The scanner sends a SYN packet, as if trying to open a real connection. A returned SYN|ACK packet indicates the port's listening. A RST packet means the port is closed. However, if a SYN|ACK is received, a RST is immediately sent back to prevent the host from opening a connection.

Stealth FIN, Xmas Tree or NULL scans can sometimes be more efficient than a SYN scan at passing through firewalls and packet filters that watch for unauthorized SYN requests. Closed ports are required to reply to your probe packet with an RST, while open ports must ignore the packets in question, allowing the scanner to establish which ports are open.

A UDP scan discovers which UDP ports are open on the target. The scanner usually sends 0-byte UDP packets to each port on the target host. If the scanner receives an "ICMP port unreachable" message, then the port is closed. Otherwise, the port must be open.

ACK scanning is an advanced method usually used to map out firewall rule sets. It can also help determine whether a firewall is stateful or just a simple packet filter that blocks incoming SYN packets.
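
A detection-side view of the TCP scan types above, as an added example that is not part of the original article: it names the flag pattern of each unsolicited TCP segment and reports sources that send the same pattern to several ports. The record layout, the `min_ports` threshold and the sample records are assumptions constructed for illustration, and the Xmas Tree pattern is taken to be FIN, PSH and URG set together.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags, established=False):
    """Return the scan type an unsolicited segment's flags match, or None."""
    if established:
        return None              # part of a tracked session, not a probe
    flags &= 0x3F                # ignore bits above URG
    patterns = {
        0: "NULL",
        FIN: "FIN",
        FIN | PSH | URG: "Xmas Tree",
        SYN: "SYN or connect",   # identical until the handshake finishes
        ACK: "ACK",
    }
    return patterns.get(flags)

def detect_scans(records, min_ports=3):
    """records: (src_ip, dst_port, flags, established) tuples.
    Returns {src_ip: {scan_type: [ports]}} for every source that sent one
    flag pattern to at least min_ports distinct ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, port, flags, established in records:
        kind = classify_probe(flags, established)
        if kind:
            seen[src][kind].add(port)
    report = {}
    for src, kinds in seen.items():
        hits = {k: sorted(p) for k, p in kinds.items() if len(p) >= min_ports}
        if hits:
            report[src] = hits
    return report

# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE = [
    ("192.0.2.10", 22, SYN, False), ("192.0.2.10", 80, SYN, False),
    ("192.0.2.10", 443, SYN, False),
    ("198.51.100.7", 21, FIN | PSH | URG, False),
    ("198.51.100.7", 23, FIN | PSH | URG, False),
    ("198.51.100.7", 25, FIN | PSH | URG, False),
    ("203.0.113.9", 135, 0, False), ("203.0.113.9", 139, 0, False),
    ("203.0.113.9", 445, 0, False),
    ("203.0.113.5", 443, SYN, False),       # one ordinary connection attempt
    ("203.0.113.5", 443, ACK, True),        # in-session ACK, ignored
]

if __name__ == "__main__":
    for src, hits in detect_scans(SAMPLE).items():
        print(src, hits)
```

The `established` field stands in for the connection state a stateful firewall tracks, which is what lets it tell a stray ACK or FIN from in-session traffic.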

About the Author

Greg Saoutine, MCSE, is an IT Consultant working in New York City.

