Which ports does NMAP scan for OS-detection

nmap, port, port-scanning

nmap offers OS-detection functionality based on TCP/IP fingerprinting by sending six probing packets and analyzing their responses. The documentation says that some of them are sent to an open port and some are sent to a closed port.

Does anyone know how nmap decides which port to send the probes to? Does it just look for the first closed port and the first open ports it can find? Does it search for them in a certain order? Or does it randomly pick a port?

Best Answer

In this case, there is no better documentation than the code itself. Nmap relies on port scan results to determine a list of open and closed ports. It is looking for three things in particular:

  1. an open TCP port
  2. a closed TCP port
  3. a closed UDP port

Generally speaking, it chooses the first of these (lowest number) that it knows of, but there are a couple of rules for things that it tries to avoid:

  • Do not use port 0. For most systems, this is not a valid port number. The chance is pretty high that if port 0 is found open, the thing using it to communicate is not the OS's native IP stack.
  • If a service scan was performed, avoid ports that were labeled tcpwrapped. This can sometimes be a result of an IPS shutting down a connection, so skipping these ports helps assure that Nmap is getting an unmodified connection to the target.
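The selection rules described in the answer above, re-implemented as an added example (this is not Nmap's own code; the `PortResult` type, the field names and the sample scan results are constructed here for illustration). It picks the lowest-numbered open TCP, closed TCP and closed UDP port, skipping port 0 and anything a service scan labeled `tcpwrapped`, and returns `None` for a slot when no usable port is known:

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Hypothetical record type standing in for one row of port-scan results.
@dataclass(frozen=True)
class PortResult:
    port: int
    proto: str          # "tcp" or "udp"
    state: str          # "open", "closed", "filtered", ...
    service: str = ""   # service-scan label if -sV was run, e.g. "http" or "tcpwrapped"


def usable(r: PortResult) -> bool:
    """Apply the two exclusion rules from the answer."""
    if r.port == 0:
        # Port 0 is not valid on most stacks; a responder there is likely not the native IP stack.
        return False
    if r.service == "tcpwrapped":
        # Likely an IPS or wrapper tearing down the connection, not an unmodified target response.
        return False
    return True


def pick(results: Iterable[PortResult], proto: str, state: str) -> Optional[int]:
    """Lowest-numbered usable port matching the wanted protocol and state, or None."""
    candidates = [r.port for r in results
                  if r.proto == proto and r.state == state and usable(r)]
    return min(candidates) if candidates else None


def choose_os_probe_ports(results: Iterable[PortResult]) -> Dict[str, Optional[int]]:
    """Select the three ports the OS-detection probes are aimed at."""
    results = list(results)
    return {
        "open_tcp": pick(results, "tcp", "open"),
        "closed_tcp": pick(results, "tcp", "closed"),
        "closed_udp": pick(results, "udp", "closed"),
    }


# Constructed sample results (not a real scan) exercising both exclusion rules.
SAMPLE = [
    PortResult(0, "tcp", "open"),                   # skipped: port 0
    PortResult(22, "tcp", "open", "tcpwrapped"),    # skipped: tcpwrapped
    PortResult(80, "tcp", "open", "http"),          # chosen open TCP port
    PortResult(443, "tcp", "open", "https"),
    PortResult(7, "tcp", "closed"),
    PortResult(1, "tcp", "closed"),                 # chosen closed TCP port (lowest)
    PortResult(135, "tcp", "filtered"),             # neither open nor closed
    PortResult(53, "udp", "open", "domain"),
    PortResult(67, "udp", "closed"),                # chosen closed UDP port
]

if __name__ == "__main__":
    print(choose_os_probe_ports(SAMPLE))
    # A scan that found nothing usable leaves every slot as None.
    print(choose_os_probe_ports([]))
```

When a slot comes back `None` (for example a host that shows only filtered ports), the corresponding probes have no suitable target; this is the situation in which Nmap warns that OS-scan results may be unreliable because it could not find at least one open and one closed port.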