Firewalls

Bypassing Firewalls Using Nmap


Nowadays, almost every system is protected by firewalls or Intrusion Detection Systems (IDS). Nmap provides various ways to bypass these firewalls or IDS to perform port scans on a system.

TCP ACK Scan

nmap -sA x.x.x.x

How it works: whether ports show up as filtered or unfiltered depends on whether the firewall is stateful or stateless. A stateful firewall checks whether an incoming ACK packet belongs to an existing, tracked connection and drops it if it does not, so the port shows up as filtered during the scan. A stateless firewall, by contrast, will not block the ACK packets,
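The following is an added example, not code from the original post: a toy in-memory model of how a stateful and a stateless packet filter treat the unsolicited ACK probe that `nmap -sA` sends, and how the presence or absence of an RST reply becomes Nmap's "filtered" or "unfiltered" label. The `Packet`, `StatefulFirewall` and `StatelessFirewall` classes, the addresses and the port numbers are all constructed for the illustration; nothing here touches the network.

```python
# Added example (not from the original post). Models the packet-filter side of
# an ACK scan: a stateful filter drops ACKs that match no tracked flow, a
# stateless "established" rule lets any ACK through and the host answers RST.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST


class StatefulFirewall:
    """Keeps a connection table and only admits inbound packets that belong to a flow."""

    def __init__(self):
        # Flows opened from the inside: (client, cport, server, sport)
        self.table = set()

    def outbound(self, pkt):
        if "S" in pkt.flags:  # inside host opening a connection
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "pass"

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "pass" if key in self.table else "drop"


class StatelessFirewall:
    """Judges every packet on its own header, like an ACL with an 'established' rule."""

    def outbound(self, pkt):
        return "pass"

    def inbound(self, pkt):
        # An ACK without SYN looks like the middle of an existing connection.
        return "pass" if "A" in pkt.flags and "S" not in pkt.flags else "drop"


def host_reply(pkt):
    """A host that receives an ACK for a connection it does not know answers RST,
    whether the port is open or closed (RFC 793 behaviour)."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "R")


def ack_scan(firewall, scanner_ip, target_ip, port):
    """Return the label Nmap assigns to `port` after one ACK probe through `firewall`."""
    probe = Packet(scanner_ip, 40000, target_ip, port, "A")
    if firewall.inbound(probe) == "drop":
        return "filtered"          # nothing comes back
    reply = host_reply(probe)
    return "unfiltered" if reply.flags == "R" else "filtered"


if __name__ == "__main__":
    # Constructed sample addresses (TEST-NET ranges).
    print(ack_scan(StatefulFirewall(), "198.51.100.7", "203.0.113.9", 80))   # filtered
    print(ack_scan(StatelessFirewall(), "198.51.100.7", "203.0.113.9", 80))  # unfiltered
```

The stateful model also shows the legitimate case: after an inside host sends a SYN, the reply SYN/ACK for that exact flow is admitted, while a probe to the same port that matches no tracked flow is still dropped.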

TCP Window Scan

nmap -sW x.x.x.x

Idle scan

Idle scanning is an advanced technique where no packets sent to the target can be traced back to the attacker’s machine. It requires a zombie host to be specified.

nmap -sI zombiehost.com domain.com

Idle scan relies on the zombie host having a predictable IPID (the 16-bit IP identification field, also used for fragment reassembly) that increments by one for every packet it sends. First, the attacker probes the zombie and records its current IPID. Next, a connection request (SYN) is sent to the target with the zombie's address spoofed as the source. If the port is open, the target replies to the zombie with a SYN/ACK; the zombie has no history of opening such a connection, so it answers with an RST, and sending that packet increments its IPID. If the port is closed, the target sends the zombie an RST instead, which the zombie silently ignores. The attacker then probes the zombie again: if the IPID has advanced by one step (only the zombie's reply to the second probe), the target's response was an RST and the port is closed; if it has advanced by two steps, the zombie sent an extra packet in reply to the target, which implies that the port is open.
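The IPID arithmetic described above, as an added example that is not part of the original post, written from the defender's side. `infer_port_state()` turns the two IPID readings into a port state (it also labels the +1 case "closed|filtered", since a dropped probe produces the same reading as an RST), `simulate_idle_probe()` walks a constructed `Zombie` through one probe cycle so the +1 / +2 behaviour and the 16-bit wrap-around can be seen, and `ipid_is_sequential()` is the check an administrator can run over IPIDs observed from one of their own hosts to learn whether it would serve as a zombie. All IPID values are constructed sample data, not captured traffic.

```python
# Added example (not from the original post): idle-scan IPID inference and a
# defensive check for globally sequential IPIDs on a host. Constructed data only.

IPID_MODULUS = 65536  # the IP identification field is 16 bits wide


def ipid_delta(before, after):
    """Packets the zombie sent between two readings, handling wrap-around at 65535."""
    return (after - before) % IPID_MODULUS


def infer_port_state(ipid_before, ipid_after):
    """Map the change in the zombie's IPID between two probes to a port state.

    +1: the zombie only answered the scanner's second probe; the target sent the
        zombie an RST (closed) or nothing at all (filtered), both of which the
        zombie ignores. The two cases are indistinguishable from the IPID alone.
    +2: the zombie also answered a SYN/ACK from the target with an RST -> open.
    anything else: the zombie sent other traffic in between, so the reading is
        unreliable (a busy host is a poor zombie).
    """
    delta = ipid_delta(ipid_before, ipid_after)
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unreliable"


class Zombie:
    """An idle host with a single global, incrementing IPID counter (constructed)."""

    def __init__(self, ipid):
        self.ipid = ipid

    def send(self):
        """Send one packet and return the IPID it carried."""
        self.ipid = (self.ipid + 1) % IPID_MODULUS
        return self.ipid

    def receive(self, flags):
        """An unsolicited SYN/ACK is answered with RST (one packet); a bare RST is ignored."""
        if flags == "SA":
            self.send()


def simulate_idle_probe(zombie, target_port_open, target_filtered=False):
    """One idle-scan cycle: probe zombie, spoofed SYN to target, probe zombie again."""
    before = zombie.send()  # IPID of the zombie's reply to the first probe
    if not target_filtered:  # the spoofed SYN reaches the target, which answers the zombie
        zombie.receive("SA" if target_port_open else "R")
    after = zombie.send()  # IPID of the zombie's reply to the second probe
    return infer_port_state(before, after)


def ipid_is_sequential(samples, max_step=1):
    """True if every consecutive observed IPID advances by 1..max_step.

    A host that behaves like this can be abused as a zombie. A host that
    randomises its IPID, or keeps a per-destination counter, produces deltas
    that do not fit, and the check returns False.
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples to judge a sequence")
    return all(1 <= ipid_delta(a, b) <= max_step for a, b in zip(samples, samples[1:]))


if __name__ == "__main__":
    print(simulate_idle_probe(Zombie(100), target_port_open=True))   # open
    print(simulate_idle_probe(Zombie(100), target_port_open=False))  # closed|filtered
    print(ipid_is_sequential([65534, 65535, 0, 1]))                  # True
    print(ipid_is_sequential([10, 4321, 99, 7]))                     # False
```

The mitigation the check points at is the usual one: hosts that expose a single global IPID counter (older or embedded network stacks are the common case) are the ones worth finding and either patching or isolating, because any of them can stand in as the zombie for a scan of something else on the network.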