How it works...

In this recipe, UDP scanning is performed by identifying the ports that do not respond with ICMP port-unreachable messages. This process can be highly time-consuming because ICMP port-unreachable responses are often rate-limited (throttled) by the remote host. It can also be unreliable, because some systems do not generate these responses at all, and ICMP is often filtered by firewalls.

Stealth scans are performed by sending an initial SYN packet to a target TCP port on a remote system; the status of the port is determined by the type of response that is returned. If the remote system returns a SYN+ACK response, it is prepared to establish a connection, and one can assume that the port is open. If the remote system returns an RST packet, the port is closed and not accepting connections. If no response is returned at all, a firewall between the scanning system and the remote system may be dropping the requests; this can also indicate that the machine is down or that no system is associated with the destination IP address.

TCP connect scans operate by performing a full three-way handshake to establish a connection with all of the scanned ports on the remote target system. A port's status is determined based on whether a connection was established or not. If a connection was established, the port is determined to be open. If a connection could not be established, the port is determined to be closed.
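Seen from the scanned host, the two TCP techniques above leave different handshake patterns: a stealth scan answers the SYN+ACK with an RST and never completes the handshake, while a connect scan (like any legitimate client) completes it with an ACK. The following Python is an added example, not code from the recipe, that classifies constructed packet records from a sensor on the target host by how each handshake ended and then reports sources that probed several ports. The record layout, the flag letters and the port-count threshold are assumptions chosen for illustration.

```python
"""Classify TCP probe outcomes from packet records and report sources that
probed several ports. Added example; the packet log is constructed."""
from collections import defaultdict

# Constructed sample packet log as a sensor on 10.0.0.1 might record it:
# (time, src, dst, sport, dport, flags) with S=SYN, A=ACK, R=RST.
PACKETS = [
    # Stealth (SYN) scan from 10.0.0.5: SYN, SYN+ACK back, then RST, no ACK.
    (1.00, "10.0.0.5", "10.0.0.1", 40001, 22, "S"),
    (1.01, "10.0.0.1", "10.0.0.5", 22, 40001, "SA"),
    (1.02, "10.0.0.5", "10.0.0.1", 40001, 22, "R"),
    # Closed port: the target answers the SYN with RST+ACK.
    (1.10, "10.0.0.5", "10.0.0.1", 40002, 23, "S"),
    (1.11, "10.0.0.1", "10.0.0.5", 23, 40002, "RA"),
    # Filtered port: the SYN is never answered.
    (1.20, "10.0.0.5", "10.0.0.1", 40003, 25, "S"),
    # Connect scan from 10.0.0.9: full handshake, then the client tears down.
    (2.00, "10.0.0.9", "10.0.0.1", 50001, 80, "S"),
    (2.01, "10.0.0.1", "10.0.0.9", 80, 50001, "SA"),
    (2.02, "10.0.0.9", "10.0.0.1", 50001, 80, "A"),
    (2.03, "10.0.0.9", "10.0.0.1", 50001, 80, "R"),
    (2.10, "10.0.0.9", "10.0.0.1", 50002, 443, "S"),
    (2.11, "10.0.0.1", "10.0.0.9", 443, 50002, "RA"),
    # Legitimate client 10.0.0.20: one full connection to one port.
    (3.00, "10.0.0.20", "10.0.0.1", 60001, 443, "S"),
    (3.01, "10.0.0.1", "10.0.0.20", 443, 60001, "SA"),
    (3.02, "10.0.0.20", "10.0.0.1", 60001, 443, "A"),
]


def probe_outcomes(packets, target):
    """Group packets into client-initiated flows towards `target` and classify
    each flow by how its handshake ended."""
    flows = defaultdict(list)  # (client, client_port, target_port) -> events
    for _t, src, dst, sport, dport, flags in sorted(packets):
        if dst == target:
            flows[(src, sport, dport)].append(("c", flags))  # from client
        elif src == target:
            flows[(dst, dport, sport)].append(("t", flags))  # from target

    results = {}
    for key, events in flows.items():
        if ("c", "S") not in events:  # only flows the client opened with a SYN
            continue
        state = "no response"         # SYN unanswered: dropped or host down
        seen_synack = False
        for who, flags in events:
            if who == "t" and "R" in flags:
                state = "closed"      # RST from the target: port closed
                break
            if who == "t" and "S" in flags and "A" in flags:
                seen_synack = True    # port is open; how does the client react?
                state = "open (half-open probe)"
            elif who == "c" and seen_synack and flags == "A":
                state = "open (full connect)"  # third handshake step completed
                break
        results[key] = state
    return results


def flag_scanners(outcomes, min_ports=2):
    """Summarise outcomes per source and report sources that probed at least
    `min_ports` distinct target ports (the threshold is an illustrative
    assumption; production sensors use rates over a time window)."""
    per_src = defaultdict(lambda: {"ports": set(), "half_open": 0,
                                   "closed": 0, "no_response": 0})
    for (src, _sport, dport), state in outcomes.items():
        s = per_src[src]
        s["ports"].add(dport)
        if state.startswith("open (half"):
            s["half_open"] += 1
        elif state == "closed":
            s["closed"] += 1
        elif state == "no response":
            s["no_response"] += 1
    report = {}
    for src, s in per_src.items():
        if len(s["ports"]) < min_ports:
            continue
        technique = "SYN (stealth) scan" if s["half_open"] else "connect scan"
        report[src] = {"ports_probed": len(s["ports"]), "technique": technique,
                       "closed": s["closed"], "no_response": s["no_response"]}
    return report


if __name__ == "__main__":
    outcomes = probe_outcomes(PACKETS, "10.0.0.1")
    for flow, state in outcomes.items():
        print(flow, "->", state)
    print(flag_scanners(outcomes))
```

Per flow, a connect scan is indistinguishable from a real client, which is why the report keys on breadth (distinct ports per source) rather than on any single handshake; the half-open pattern, by contrast, is a direct signature of the stealth scan, since ordinary clients finish the handshake they started.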

Zombie scanning is a stealthy way to enumerate open ports on a target system without leaving any trace of interaction with it. Using a combination of spoofed requests sent to the target system and legitimate requests sent to the zombie system, we can map the open ports on the target system by evaluating the IPID values of the responses from the zombie.
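The inference in the last paragraph rests entirely on the zombie's IP identification (IPID) counter incrementing by one for every packet it sends. The following Python is an added example, not code from the recipe, that simulates the exchange in memory (no packets are sent): the scanner reads the zombie's IPID, the spoofed SYN makes the target reply to the zombie, and the IPID read afterwards reveals whether the zombie answered that reply. The classes, the counter start value and the `RandomizedZombie` variant are assumptions used to show both the working case and the case where the technique fails because the host's IPIDs are not sequential.

```python
"""In-memory simulation of an idle (zombie) scan round and of the IPID
inference it relies on. Added example; all hosts are simulated objects."""
import random


class Zombie:
    """Host with a single, globally incrementing 16-bit IPID counter."""

    def __init__(self, start=1000):
        self.ipid = start

    def _next_ipid(self):
        self.ipid = (self.ipid + 1) & 0xFFFF  # the IPID field wraps at 16 bits
        return self.ipid

    def receive(self, segment):
        """Return the IPID of the segment the zombie sends in reply, if any."""
        if segment["flags"] == "SA":      # unsolicited SYN+ACK: reply with RST
            return self._next_ipid()
        return None                       # unsolicited RST: silently dropped


class RandomizedZombie(Zombie):
    """Host whose IPIDs are randomised: the mitigation that makes a host
    unusable as a zombie (assumed variant for the failure case)."""

    def _next_ipid(self):
        self.ipid = random.randrange(0, 0x10000)
        return self.ipid


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive(self, segment, reply_to):
        """A SYN to an open port is answered with SYN+ACK, to a closed port
        with RST. The reply goes to the source address of the SYN, which the
        scanner spoofed to be the zombie."""
        if segment["flags"] == "S":
            flags = "SA" if segment["dport"] in self.open_ports else "R"
            reply_to.receive({"flags": flags})


def probe_zombie(zombie):
    """Scanner sends the zombie a SYN+ACK and reads the IPID of its RST."""
    return zombie.receive({"flags": "SA"})


def idle_scan_port(zombie, target, port):
    """One idle-scan round against `port`; returns the inferred state."""
    before = probe_zombie(zombie)
    # Spoofed SYN: its source is the zombie's address, so the scanner never
    # sees the target's reply and the target never sees the scanner.
    target.receive({"flags": "S", "dport": port}, reply_to=zombie)
    after = probe_zombie(zombie)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"             # zombie sent one RST in between: it got a SYN+ACK
    if delta == 1:
        return "closed|filtered"  # zombie sent nothing: RST or no reply at all
    return "unreliable"           # counter not sequential, or zombie was busy


if __name__ == "__main__":
    zombie = Zombie(start=0xFFFE)  # start near the wraparound on purpose
    target = Target(open_ports={80})
    for port in (80, 23):
        print(port, idle_scan_port(zombie, target, port))
    print("randomized IPIDs:", idle_scan_port(RandomizedZombie(), target, 80))
```

Two caveats visible in the code: a closed port and a filtered port both leave the counter one higher, so the technique cannot tell them apart, and any zombie that talks to other hosts between the two probes, or that randomises its IPIDs, produces deltas the scanner cannot interpret. Randomised or per-destination IPIDs, which modern operating systems use, are therefore the mitigation that removes a host from the pool of usable zombies.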
