Understanding ACK Scan (`-sA`) with Nmap

In this article, we will delve into the workings of ACK scanning, its purpose, use cases, and how to interpret results effectively.

Introduction to ACK Scanning

Nmap (Network Mapper) is a powerful and widely used network scanning tool that allows security professionals and network administrators to analyze networks, discover hosts, and assess firewall rules. Among the various scan types that Nmap offers, the ACK scan (-sA) is particularly useful for determining firewall rules and identifying stateful vs. stateless packet filtering mechanisms.

What is an ACK Scan?

An ACK scan is a TCP-based scanning technique that sends TCP packets with only the ACK flag set to a target system. Unlike SYN scans (-sS) or Connect scans (-sT), ACK scans are not used to determine open ports. Instead, they help in firewall rule analysis by detecting whether a port is filtered or unfiltered.

The fundamental concept behind ACK scans is that they exploit how firewalls and packet filtering devices handle ACK packets. In a typical TCP three-way handshake:

  1. A client sends a SYN packet to initiate a connection.
  2. The server responds with a SYN-ACK if the port is open or a RST (reset) if the port is closed.
  3. The client completes the handshake by sending an ACK.

In an ACK scan no SYN is sent first, only a bare ACK, so the target has no connection that the segment could belong to. RFC 793 requires a host in that situation to answer with a RST whether the port is open or closed, so a RST proves only that the probe reached a TCP stack. A firewall in the path, by contrast, may drop the ACK silently, reject it with an ICMP error, or pass it through to the host, and that difference in handling is what the scan measures.

Purpose of ACK Scans

The primary use cases of an ACK scan include:

  1. Detecting Stateful Firewalls: A stateful firewall tracks connections and drops an ACK that belongs to none of them, so a port it protects comes back filtered in an ACK scan even when a SYN scan shows the same port open. That combination (open to SYN, filtered to ACK) is the signature of stateful filtering.
  2. Identifying Stateless Packet Filters: A stateless ACL that passes any segment with the ACK flag set (the classic "established" rule on older routers) lets the probe through to the host, which answers with a RST. A port that is filtered in a SYN scan but unfiltered in an ACK scan is therefore behind a stateless filter.
  3. Distinguishing Filtered vs. Unfiltered Ports: Unlike SYN scans, which determine open or closed, ACK scans report only whether the probe reached a TCP stack (unfiltered) or was dropped or rejected on the way (filtered). Open and closed ports both answer an unsolicited ACK with a RST, so unfiltered says nothing about the service behind the port.
  4. Mapping Firewall Rules: By scanning the same port list with -sS and -sA and comparing the two results port by port, security professionals can infer which rules the firewall applies and whether it keeps connection state.
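The port-by-port comparison that items 1, 2 and 4 describe, worked through in code. This is an added example and is not part of the original article or of Nmap itself. It assumes both scans were saved with -oG and reads Nmap's greppable host line (each port as port/state/proto/owner/service/rpcinfo/version/, with the most common state folded into "Ignored State"); the two host lines embedded below are constructed in that layout, not real scan output. The INFERENCE table covers every (SYN state, ACK state) pair, including the closed/filtered case the list above does not spell out.

```python
"""Map firewall rules by cross-referencing a SYN scan and an ACK scan of the same ports.

Added example, not Nmap's own code. It reads the greppable (-oG) host line of
each scan, then applies the reasoning from the list above to every port. The
two host lines below are constructed in the -oG layout, not real scan output.
"""
import re

# -oG lists ports as port/state/proto/owner/service/rpcinfo/version/ after "Ports:",
# and folds the most common state into "Ignored State: <state> (<count>)".
_PORTS_RE = re.compile(r"\tPorts: ([^\t]*)")
_IGNORED_RE = re.compile(r"\tIgnored State: ([\w|]+) \((\d+)\)")

# What each (SYN state, ACK state) pair says about the path to the port.
INFERENCE = {
    ("open", "unfiltered"):     "open; no filtering observed",
    ("closed", "unfiltered"):   "closed; no filtering observed",
    ("filtered", "unfiltered"): "SYN dropped but bare ACK answered: stateless filter "
                                "(ACL passing ACK-flagged segments), host state unknown",
    ("open", "filtered"):       "open; SYN allowed but unsolicited ACK dropped: stateful firewall",
    ("closed", "filtered"):     "closed on host; SYN reached it but unsolicited ACK dropped: stateful firewall",
    ("filtered", "filtered"):   "blocked for both probes; these two probes cannot tell stateful from stateless",
}


def parse_grepable(line, ports):
    """Return {port: state} for the requested TCP ports from one -oG host line.
    Ports folded into 'Ignored State' get that state; ports absent from the line get None."""
    states = {}
    m = _PORTS_RE.search(line)
    if m:
        for entry in m.group(1).split(", "):
            port, state, proto = entry.split("/")[:3]
            if proto == "tcp":
                states[int(port)] = state
    ignored = _IGNORED_RE.search(line)
    default = ignored.group(1) if ignored else None
    return {p: states.get(p, default) for p in ports}


def map_firewall_rules(syn_line, ack_line, ports):
    """{port: (syn_state, ack_state, inference)} for each port scanned by both runs."""
    syn, ack = parse_grepable(syn_line, ports), parse_grepable(ack_line, ports)
    return {p: (syn[p], ack[p], INFERENCE.get((syn[p], ack[p]), "inconclusive")) for p in ports}


# Constructed -oG host lines for  nmap -sS -p 22,25,80,443,3306,8080 -oG -  and the
# same ports scanned with -sA; the ACK run folded its filtered ports into "Ignored State".
PORTS = [22, 25, 80, 443, 3306, 8080]
SYN_LINE = ("Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 25/closed/tcp//smtp///, "
            "80/open/tcp//http///, 443/closed/tcp//https///, 3306/filtered/tcp//mysql///, "
            "8080/filtered/tcp//http-proxy///")
ACK_LINE = ("Host: 192.168.1.1 ()\tPorts: 22/unfiltered/tcp//ssh///, 443/unfiltered/tcp//https///, "
            "8080/unfiltered/tcp//http-proxy///\tIgnored State: filtered (3)")

if __name__ == "__main__":
    print("PORT      SYN       ACK         INFERENCE")
    for port, (s, a, why) in map_firewall_rules(SYN_LINE, ACK_LINE, PORTS).items():
        print("%-9s %-9s %-11s %s" % ("%d/tcp" % port, s, a, why))
```

Run against real output, feed it the "Host:" line from each -oG file; the "Ignored State" handling matters because Nmap omits folded ports from the Ports field entirely, and without it every folded port would show up as None.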

How to Perform an ACK Scan

The syntax for running an ACK scan with Nmap is:

nmap -sA <target>

For example, scanning a target IP address 192.168.1.1 with ACK scan:

nmap -sA 192.168.1.1

Specifying Target Ports

By default, Nmap scans the 1,000 TCP ports its frequency data ranks as most common. You can specify a custom port or range with -p:

nmap -sA -p 80,443 192.168.1.1

This scans only ports 80 (HTTP) and 443 (HTTPS) using the ACK scan.

Scanning Multiple Targets

To scan multiple hosts:

nmap -sA 192.168.1.1 192.168.1.2

You can also use CIDR notation to scan a subnet:

nmap -sA 192.168.1.0/24

Using ACK Scan with Additional Options

  • Aggressive Timing (-T4 or -T5): To speed up scanning, use:

    nmap -sA -T4 192.168.1.1
    
  • Skip Host Discovery and Show Evidence (-Pn, --reason): A firewall that drops the default ping probes makes Nmap report the host as down and skip the port scan entirely; -Pn forces the probes anyway. --reason prints whether each verdict came from a RST, a timeout or an ICMP error, which is the evidence the firewall analysis rests on:

    nmap -sA -Pn --reason 192.168.1.1
    
  • Service Detection (-sV): Version probes are only sent to ports Nmap believes are open, and an ACK scan never produces an open port, so adding -sV to an ACK scan gives it nothing to work on. Run a SYN scan with version detection separately and compare it with the ACK results:

    nmap -sS -sV 192.168.1.1
    nmap -sA 192.168.1.1
    
  • Avoid DNS Resolution (-n): To prevent reverse DNS lookups:

    nmap -sA -n 192.168.1.1
    

Interpreting ACK Scan Results

An ACK scan reports each port in one of two states, and --reason shows which reply produced the verdict:

  1. Filtered – No reply came back after retransmission, or an ICMP destination unreachable error (type 3, code 0, 1, 2, 3, 9, 10 or 13) was received.

    • The probe was dropped or rejected somewhere on the path, typically by a stateful firewall that has no connection entry for the unsolicited ACK, or by an ACL that blocks the port outright.

    • Example output:

      PORT    STATE    SERVICE
      80/tcp  filtered http
      443/tcp filtered https
      
  2. Unfiltered – The target answered with a RST (reset) packet.

    • The ACK reached a TCP stack, which reset the non-existent connection as RFC 793 requires. The port is reachable, but open and closed ports both produce this RST, so the state of the service behind it remains unknown.

    • Example output:

      PORT    STATE      SERVICE
      22/tcp  unfiltered ssh
      80/tcp  unfiltered http
      
There is no third category. If nothing at all comes back from a host, the cause is usually host discovery rather than the scan: a host whose firewall drops ping probes is reported as down before any port is probed, so rerun with -Pn. A result in which every scanned port is filtered means the firewall dropped unsolicited ACKs across the board, which is consistent with a stateful device but does not by itself reveal its per-port rules.
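The probe described under "What is an ACK Scan?" and the two verdicts listed above, modelled in code. This is an added example and not Nmap's own code: it builds the ACK-only TCP segment that -sA sends, checksummed over the usual pseudo-header, and classifies raw IPv4 replies with the rules Nmap documents for -sA (RST gives unfiltered; a timeout or an ICMP type 3 error with code 0, 1, 2, 3, 9, 10 or 13 gives filtered). The replies it classifies are constructed in the example, not captured traffic, and the addresses and ports are placeholders.

```python
"""What an ACK scan sends and how the reply is read.

Added example, not Nmap's own code: builds the ACK-only TCP probe that -sA
transmits and classifies raw IPv4 replies with the rules Nmap documents for
-sA (RST -> unfiltered; no reply, or an ICMP unreachable of type 3 with code
0/1/2/3/9/10/13 -> filtered). The sample replies are constructed, not captured.
"""
import socket
import struct

TCP_ACK, TCP_RST = 0x10, 0x04
PROTO_ICMP, PROTO_TCP = 1, 6
FILTERED_ICMP_CODES = {0, 1, 2, 3, 9, 10, 13}   # ICMP type 3 codes Nmap treats as "filtered"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4, TCP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip, dst_ip, tcp_len):
    """Pseudo-header (src, dst, zero, protocol, length) prepended for the TCP checksum."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, PROTO_TCP, tcp_len))


def build_ack_probe(src_ip, dst_ip, src_port, dst_port, seq=0, ack=0, window=1024):
    """20-byte TCP header with ONLY the ACK flag set, checksummed over the pseudo-header.

    No SYN precedes it, so the receiver has no matching connection and (RFC 793)
    answers with RST whether the port is open or closed; a firewall may drop it instead.
    """
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      5 << 4,        # data offset: 5 words, no options
                      TCP_ACK,       # flags byte: ACK only
                      window, 0, 0)  # window, checksum placeholder, urgent pointer
    csum = inet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def probe_checksum_ok(probe, src_ip, dst_ip):
    """The receiver's check: pseudo-header plus segment must checksum to zero."""
    return inet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(probe)) + probe) == 0


def classify_ack_reply(reply):
    """Map one raw IPv4 reply (None = timed out after retransmission) to the -sA port state."""
    if reply is None:
        return "filtered"           # silently dropped: nothing came back
    ihl = (reply[0] & 0x0F) * 4     # IPv4 header length in bytes
    proto, payload = reply[9], reply[ihl:]
    if proto == PROTO_TCP and payload[13] & TCP_RST:
        return "unfiltered"         # a TCP stack reset the non-existent connection
    if proto == PROTO_ICMP and payload[0] == 3 and payload[1] in FILTERED_ICMP_CODES:
        return "filtered"           # router/firewall rejected the probe with an ICMP error
    return "unexpected"             # anything else: a scanner ignores it and keeps waiting


def ack_scan_states(replies):
    """{port: raw_reply_or_None} -> {port: state}, the PORT/STATE table Nmap prints."""
    return {port: classify_ack_reply(reply) for port, reply in replies.items()}


def _ipv4(proto, payload, src="192.168.1.1", dst="192.168.1.50"):
    """Constructed IPv4 header (no options) wrapping a sample reply."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed sample replies to probes sent from 192.168.1.50:40000 to 192.168.1.1:
RST_REPLY = _ipv4(PROTO_TCP, struct.pack("!HHIIBBHHH", 22, 40000, 0, 1, 5 << 4, TCP_RST, 0, 0, 0))
ICMP_PROHIBITED_REPLY = _ipv4(PROTO_ICMP, struct.pack("!BBHI", 3, 13, 0, 0))  # admin prohibited
SAMPLE_REPLIES = {22: RST_REPLY, 80: None, 443: ICMP_PROHIBITED_REPLY}

if __name__ == "__main__":
    probe = build_ack_probe("192.168.1.50", "192.168.1.1", 40000, 80, seq=0x1A2B3C4D)
    print("probe flags byte: 0x%02x, checksum ok: %s"
          % (probe[13], probe_checksum_ok(probe, "192.168.1.50", "192.168.1.1")))
    print("PORT     STATE")
    for port, state in ack_scan_states(SAMPLE_REPLIES).items():
        print("%-8s %s" % ("%d/tcp" % port, state))
```

The classifier never returns open or closed, which is the whole point of the section above: the same RST comes back either way. Sending the probe for real needs a raw socket and root, which is what Nmap does for you.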

Limitations of ACK Scans

While ACK scanning is a useful technique, it has some limitations:

  • Does Not Identify Open Ports: Unlike SYN or Connect scans, an ACK scan cannot determine whether a port is open or closed, only whether it is filtered or unfiltered; it has to be paired with a SYN scan to learn anything about the service behind the port.
  • Not Effective Against All Firewalls: A device that answers every unsolicited ACK with a RST on the host's behalf makes every port look unfiltered, and one that drops every ACK makes every port look filtered, so the per-port rules are invisible in either case. Some stacks and firewalls also rate-limit RSTs, which turns unfiltered ports into filtered ones unless the scan is slowed down.
  • Can Trigger Intrusion Detection Systems (IDS): Bare ACK segments to many ports from one source are a well-known scan signature, and most IDS rule sets log and alert on them.

ACK Scan vs. Other Scan Types

Scan Type            Purpose                          Determines Open Ports                                   Maps Firewall Rules
SYN Scan (-sS)       Fast, half-open scanning         Yes                                                     No
Connect Scan (-sT)   Full TCP connection scan         Yes                                                     No
FIN Scan (-sF)       Probe with only FIN set          Partly (open|filtered vs. closed on RFC-compliant stacks)   No
ACK Scan (-sA)       Firewall rule analysis           No                                                      Yes
Null Scan (-sN)      Probe with no flags set          Partly (open|filtered vs. closed on RFC-compliant stacks)   No

Practical Use Cases of ACK Scan

  1. Testing Firewall Rules in Enterprises – Network administrators can map firewall policies and understand which services are allowed or blocked.
  2. Seeing Past SYN-Centric Filtering – Rules and IPS signatures written around connection attempts (SYN segments) do not always cover bare ACK segments, so an ACK scan can expose ports that a SYN scan reports as filtered. This is an analysis aid rather than a stealth technique: the ACK scan itself is readily detected.
  3. Conducting Security Audits – Penetration testers use ACK scans to validate security controls and understand network segmentation.

Conclusion

The ACK scan (-sA) in Nmap is an essential tool for identifying firewall rules and differentiating between filtered and unfiltered ports. While it does not reveal open or closed ports, it provides valuable insights into how firewalls handle network traffic. By combining ACK scans with other Nmap techniques, security professionals can effectively analyze network defenses and improve security posture.

Understanding when and how to use ACK scanning properly ensures that network assessments are thorough and effective. Whether you’re a penetration tester, network administrator, or cybersecurity enthusiast, mastering ACK scans will enhance your ability to evaluate network security configurations.