Window Scan (`-sW`) with Nmap

This article discusses the Window Scan (-sW) technique in detail, highlighting its working mechanism, advantages, limitations, use cases, and practical examples.

by İbrahim Korucuoğlu ( @siberoloji) | Saturday, March 29, 2025

Categories:

5 minute read

Introduction to Nmap and Window Scanning

Nmap (Network Mapper) is one of the most widely used open-source tools for network discovery and security auditing. It offers various scanning techniques to help administrators and security professionals assess network security. One such technique is the Window Scan (-sW), which is a stealthy scan that determines the state of a port by analyzing TCP Window sizes.

Window scanning is based on the observation that different operating systems and applications return different TCP window sizes depending on whether a port is open or closed. This allows for a more covert scanning technique compared to other traditional scanning methods like SYN scans (-sS) or full connection scans (-sT).

This article explores the Window Scan (-sW) in depth, discussing its working mechanism, advantages, limitations, use cases, and practical examples.

How the Window Scan (`-sW`) Works

The Window Scan works by sending ACK packets to the target ports. Unlike a TCP ACK scan (-sA), which is primarily used for firewall rule detection, a Window Scan relies on the TCP window size field in the response packets to determine the state of a port. Here’s a step-by-step breakdown of how it works:

Initiating the Scan:
- Nmap sends an ACK packet to the target port(s).
Response Analysis:
- If the target port is open, some systems respond with an ACK packet that has a non-zero window size.
- If the target port is closed, the response typically has a zero window size.
Port State Classification:
- Open: Non-zero window size.
- Closed: Zero window size.
- Filtered: No response or an ICMP unreachable message received.

This behavior is based on how different operating systems handle TCP connections. Some operating systems use distinctive TCP window sizes for different port states, which allows attackers and security testers to infer information about the target’s services and operating system.

Advantages of Using Window Scan (`-sW`)

1. Stealthier Than SYN and TCP Connect Scans

Since no SYN packets are sent, the Window Scan is less likely to trigger Intrusion Detection Systems (IDS) and firewalls compared to SYN scans (-sS).
It often bypasses simple security mechanisms that detect traditional scanning techniques.

2. Works on Stateless Firewalls

Some firewalls block SYN packets but allow ACK packets to pass through. This makes a Window Scan useful for identifying open ports behind stateless filtering devices.

3. Can Help Fingerprint OS and Services

Since different operating systems and applications handle TCP windows differently, this scan can help identify or narrow down the OS and application running on a system.

Limitations of Window Scan (`-sW`)

1. Not Effective Against All Systems

Not all operating systems provide reliable TCP window size differences for open vs. closed ports. Some OS configurations return static values regardless of port state, making it ineffective.

2. Does Not Work on All Firewalls and IDS

Some modern stateful firewalls and intrusion prevention systems (IPS) block or modify TCP ACK responses, making window scanning unreliable.

3. Limited Usefulness on Encrypted or Hardened Systems

If a target uses TCP/IP stack hardening or custom kernel patches, it may not reveal any useful information via window scanning.

Practical Examples of Window Scanning

Basic Window Scan Command

To perform a Window Scan, use the following command:

nmap -sW <target-ip>

Example:

nmap -sW 192.168.1.10

This will attempt to determine the state of ports on the target IP using TCP Window scanning.

Scanning a Specific Range of Ports

If you want to scan a particular range of ports (e.g., 20-1000), use:

nmap -sW -p 20-1000 192.168.1.10

Increasing Verbosity for More Details

To get more detailed output, use the -v flag:

nmap -sW -v 192.168.1.10

Saving Results to a File

To save the scan results to a file for later analysis:

nmap -sW -oN scan_results.txt 192.168.1.10

When to Use Window Scan (`-sW`)?

1. Bypassing Firewalls and IDS

If a target network has simple packet filtering mechanisms that block SYN scans but allow ACK packets, a Window Scan can bypass the restriction and still provide port state information.

2. Passive Reconnaissance and OS Fingerprinting

Since Window Scans do not establish a full connection, they can be used for passive reconnaissance when identifying an OS or determining open services stealthily.

3. Analyzing Network Configurations

If you are a network administrator, running a Window Scan internally can help identify misconfigured devices that unintentionally leak information via TCP window behavior.

Comparing Window Scan (`-sW`) with Other Scans

Scan Type	Stealth Level	Firewall Bypass	Effectiveness
SYN Scan (`-sS`)	Moderate	Medium	High
TCP Connect (`-sT`)	Low	Low	Very High
ACK Scan (`-sA`)	High	High	Medium
Window Scan (`-sW`)	High	Medium	Medium

From this table, you can see that while the Window Scan is stealthier, it is not as reliable as SYN scans (-sS) in all scenarios. However, it serves as a valuable alternative when SYN scans are blocked.

Conclusion

The Window Scan (-sW) is a valuable technique in Nmap’s arsenal, providing a stealthy way to detect open and closed ports based on TCP window sizes. While it is not as commonly used as SYN or TCP Connect scans, it serves specific use cases where other scanning methods might be detected or blocked by security mechanisms.

By understanding how the Window Scan works, when to use it, and its advantages and limitations, security professionals and network administrators can leverage it effectively for reconnaissance and network analysis.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

< Nmap ACK Scan Maimon Scan with Nmap >