
Friday, November 13, 2009

ACK Port Scan

An ACK scan operates by sending a TCP ACK frame to a remote port.

Attacker => ACK => Target
case 1: port unfiltered (open or closed)
Target => RST => Attacker
case 2: port filtered
No response, or an ICMP error message from the filter

An ACK scan will never locate an open port. It only yields a "filtered" or "unfiltered" disposition, because it never completes a connection to an application that could confirm an "open" state. At face value this appears rather limiting, but in practice the ACK scan characterizes the ability of a packet to traverse firewalls or packet-filtered links.
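To make the exchange above concrete, here is an added example (not code from the original post) that models a target behind a packet filter and shows how a scanner turns each reply into "filtered" or "unfiltered". The port table, the per-port firewall policy and the port numbers are constructed; the point it demonstrates is that an open port and a closed port answer an unsolicited ACK identically, so the verdict says nothing about application state.

```python
# Added example (not from the original post): a small model of how an ACK
# scanner interprets a target's replies, and why it cannot see "open".
# The port table, firewall policies and port numbers below are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    flags: frozenset  # e.g. frozenset({"ACK"}) or frozenset({"RST"})

# Constructed target: "state" is what an application-level scan would care
# about; "firewall" is the only thing an ACK scan can actually measure.
TARGET_PORTS = {
    22:   {"state": "open",   "firewall": "allow"},
    80:   {"state": "open",   "firewall": "allow"},
    8080: {"state": "closed", "firewall": "allow"},
    3306: {"state": "open",   "firewall": "drop"},    # stateful filter silently drops
    445:  {"state": "closed", "firewall": "reject"},  # filter answers with an ICMP error
}

def target_reply(seg: Segment) -> Optional[str]:
    """Model the target's reaction to an unsolicited ACK.

    A TCP endpoint that receives a non-SYN segment for a socket in LISTEN or
    CLOSED state answers with RST, so open and closed ports look the same.
    Only a filter in front of the host changes that: drop gives silence,
    reject gives an ICMP unreachable error.
    """
    if "ACK" not in seg.flags or "SYN" in seg.flags:
        raise ValueError("this model only handles bare ACK probes")
    policy = TARGET_PORTS.get(seg.dst_port, {"state": "closed", "firewall": "allow"})
    if policy["firewall"] == "drop":
        return None                   # no response at all
    if policy["firewall"] == "reject":
        return "ICMP unreachable"     # error generated by the filter, not the host
    return "RST"                      # unfiltered: open *and* closed ports give RST

def classify(reply: Optional[str]) -> str:
    """Scanner-side interpretation of one reply, as described in the text."""
    if reply == "RST":
        return "unfiltered"
    return "filtered"  # silence or an ICMP error

def ack_scan(ports: Iterable[int]) -> Dict[int, str]:
    """Probe each port once with a bare ACK and collect the verdicts."""
    return {p: classify(target_reply(Segment(40000, p, frozenset({"ACK"})))) for p in ports}

if __name__ == "__main__":
    for port, verdict in ack_scan(sorted(TARGET_PORTS)).items():
        print(f"{port:5d}/tcp  {verdict:10s}  (real state: {TARGET_PORTS[port]['state']})")
```

Running it prints 22, 80 and 8080 as unfiltered even though 8080 is closed, and 3306 as filtered even though it is open: the verdict tracks the filter, not the service.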

Advantages:
Since the ACK scan doesn't open any application session, the conversation between the attacker and the target is simple. A scan of a single port is unobtrusive and almost invisible when mixed with other network traffic, so it provides some stealth.


Disadvantages:
The ACK scan's simplicity is also its largest disadvantage. Because it never tries to connect to a remote device, it can never definitively identify an open port.


When to use the ACK Scan
Although the ACK scan doesn't identify open ports, it does a masterful job of identifying ports that are filtered through a firewall. This list of filtered and unfiltered port numbers is useful as reconnaissance for a more detailed scan that focuses on specific port numbers.
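The stealth claimed above is relative: the scan's signature is a burst of bare ACK segments that belong to no connection the target ever saw. As an added example (not code from the original post), the detector below reads firewall log lines and flags a source that sends ACK-only segments, with no preceding SYN from it, to many distinct ports. The log lines are constructed in the style of an iptables LOG target; the field names (SRC, DST, SPT, DPT, flag tokens) and the threshold of five ports are assumptions.

```python
# Added example (not from the original post): flag sources whose bare ACK
# segments were not preceded by a SYN from them to the same destination port.
# Log lines are constructed in iptables LOG style; field names are assumed.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=22 ACK URGP=0
kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=21 ACK URGP=0
kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=22 ACK URGP=0
kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=80 ACK URGP=0
kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=443 ACK URGP=0
kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=3306 ACK URGP=0
kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=8080 ACK URGP=0
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) (?P<rest>.*)$"
)
FLAG_TOKENS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

Record = Tuple[str, str, int, int, Set[str]]

def parse(line: str) -> Optional[Record]:
    """Extract (src, dst, sport, dport, flags) from one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = {tok for tok in m["rest"].split() if tok in FLAG_TOKENS}
    return m["src"], m["dst"], int(m["spt"]), int(m["dpt"]), flags

def find_ack_scanners(log_text: str, min_ports: int = 5) -> Dict[str, List[int]]:
    """Return {src: sorted ports} for sources that sent bare ACKs to at least
    min_ports distinct ports without first sending a SYN to that (dst, dport)."""
    seen_syn: Set[Tuple[str, str, int]] = set()
    orphan_acks: Dict[str, Set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, _spt, dpt, flags = rec
        if "SYN" in flags:
            seen_syn.add((src, dst, dpt))         # legitimate handshake started
        elif flags == {"ACK"} and (src, dst, dpt) not in seen_syn:
            orphan_acks[src].add(dpt)             # ACK that belongs to no handshake
    return {src: sorted(ports) for src, ports in orphan_acks.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for src, ports in find_ack_scanners(SAMPLE_LOG).items():
        print(f"possible ACK scan from {src}: {len(ports)} ports {ports}")
```

The toy assumes every packet was logged; in production the same signal comes more cheaply from a stateful firewall, which already knows that an ACK with no matching connection is out of state (iptables exposes this as the conntrack INVALID state), so logging only those packets gives the detector a much smaller and more relevant input.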
