Basic Nmap Port Scan With Visuals

The document explains various states of TCP ports as determined by Nmap, including Open, Closed, Filtered, Unfiltered, Open|Filtered, and Closed|Filtered. It also details TCP flags such as URG, ACK, PSH, RST, SYN, and FIN, along with descriptions of TCP Connect and SYN scans, and UDP scans. Additionally, it provides tips for fine-tuning scan performance and scope using various Nmap options.

Uploaded by yesowar852

1. Open: indicates that a service is listening on the specified port and
answered our probe.
2. Closed: indicates that no service is listening on the specified port,
although the port is accessible. By accessible, we mean that it is
reachable and is not blocked by a firewall or other security
appliances/programs: the probe got through and the host itself answered
(with RST/ACK in the TCP case).
3. Filtered: means that Nmap cannot determine if the port is open or
closed because the port is not accessible. This state is usually due to
a firewall preventing Nmap from reaching that port. Nmap's packets
may be blocked from reaching the port; alternatively, the responses
are blocked from reaching Nmap's host. Either way Nmap sees silence.
4. Unfiltered: means that Nmap cannot determine if the port is open or
closed, although the port is accessible. This state is only reported by
the ACK scan -sA, which probes firewall rules rather than whether a
service is listening.
5. Open|Filtered: This means that Nmap cannot determine whether the
port is open or filtered. It is reported when a probe gets no answer at
all, which is common with UDP scans (-sU) and with FIN, NULL and Xmas
scans, because an open port and a dropped probe both produce silence.
6. Closed|Filtered: This means that Nmap cannot decide whether a port
is closed or filtered. It is only produced by the IP ID idle scan (-sI).

++++++++++++++++++++++++++++++++++++++++++++++++++
TCP Flags
++++++++++++++++++++++++++++++++++++++++++++++++++

1. URG: Urgent flag indicates that the urgent pointer field is significant.
The urgent pointer marks data in the segment as urgent, to be handed to
the application ahead of the data queued before it.
2. ACK: Acknowledgement flag indicates that the acknowledgement
number is significant. It is used to acknowledge the receipt of a TCP
segment.
3. PSH: Push flag asks TCP to pass the data to the application
promptly instead of buffering it.
4. RST: Reset flag aborts the connection. It is also the answer when data
(or a SYN) arrives at a port with no service listening, which is how Nmap
recognises a closed TCP port.
5. SYN: Synchronize flag is used to initiate a TCP 3-way handshake and
synchronize sequence numbers with the other host. The initial sequence
number should be chosen randomly during TCP connection establishment.
6. FIN: The sender has no more data to send; it starts the graceful
close of the connection.
++++++++++++++++++++++++++++++++++++++++++++++++++
TCP Connect Scan
++++++++++++++++++++++++++++++++++++++++++++++++++

NOTE:-
If you are not a privileged user (root or sudoer), a TCP connect scan
(-sT) is the only possible option to discover open TCP ports, because it
uses the operating system's ordinary connect() call and needs no raw
sockets.

A closed TCP port responds to a SYN packet with RST/ACK to indicate that
it is not open.
In the captured traffic, port 143 is open, so it replied with a SYN/ACK, and
Nmap completed the 3-way handshake by sending an ACK before tearing the
connection down. The service therefore sees a fully established
connection, which it may log.
Note that we can use -F to enable fast mode and decrease the number of
scanned ports from the default 1000 to the 100 most common ports.
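The connect scan above is the one that needs no privileges because it is just the OS connect() call, and the port states in the first section fall straight out of how that call ends. The following is an added example, not part of the original notes and not Nmap's code: a minimal -sT style probe written against Python's socket module, with a loopback listener and an unbound port as constructed fixtures so it runs offline. The host, ports and timeout are assumptions chosen for the demonstration.

```python
import errno
import socket


def connect_probe(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan (-sT) does.

    -sT hands the work to the OS connect() call, so the state is read
    straight off how that call ends:
      open     - connect() returned: the 3-way handshake completed
      closed   - the target answered our SYN with RST/ACK (ECONNREFUSED)
      filtered - nothing came back before the timeout, or no route/host
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:          # alias of TimeoutError on Python 3.10+
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def start_listener(host="127.0.0.1"):
    """Constructed fixture: a TCP listener on an ephemeral port (an 'open' port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def unused_port(host="127.0.0.1"):
    """Constructed fixture: a port nothing listens on (bind to 0, read the
    number back, release it), so a probe to it is answered with RST/ACK."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe one open and one closed port on loopback; returns {port: state}."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = unused_port()
    try:
        return {
            open_port: connect_probe("127.0.0.1", open_port),
            closed_port: connect_probe("127.0.0.1", closed_port),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"{port}/tcp {state}")
```

To see the filtered branch, point connect_probe at an address that drops SYNs (a firewalled host, or an RFC 5737 documentation address such as 192.0.2.1 with a short timeout); on loopback every port answers, so only open and closed appear.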

++++++++++++++++++++++++++++++++++++++++++++++++++
TCP SYN Scan
++++++++++++++++++++++++++++++++++++++++++++++++++
Unprivileged users are limited to the connect scan. However, the default
scan mode is the SYN scan (-sS), and it requires a privileged (root or
sudoer) user to run it because Nmap crafts the packets itself.
NOTE:-
Because the handshake is never completed, the service never sees an
accepted connection, which decreases the chances of the scan being
logged by the application. A packet filter or IDS watching the wire still
sees every SYN.

In the upper half of the figure, TCP connect scan -sT traffic: any open TCP
port requires Nmap to complete the TCP 3-way handshake before closing the
connection. In the lower half, SYN scan -sS does not complete the
TCP 3-way handshake; instead, Nmap sends an RST packet as soon as the
SYN/ACK packet is received, so the connection is never established.
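The flags listed earlier and the two halves of this figure are easiest to see on the bytes themselves. The following is an added example, not from the original notes and not Nmap's code: it packs and parses a bare 20-byte TCP header with Python's struct module, maps a reply to the SYN probe onto the Nmap port state, and builds the segment the scanner sends next, which is where -sS (RST) and -sT (ACK) part ways. The segments, port numbers and sequence numbers are constructed for the demonstration; checksums are left at zero because nothing here is put on a wire.

```python
import struct

# Flag bits in byte 13 of the TCP header (RFC 793 order, low bit first).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Minimal 20-byte header, no options: src port, dst port, seq, ack,
# data offset/reserved, flags, window, checksum, urgent pointer.
TCP_HDR = struct.Struct("!HHIIBBHHH")


def decode_flags(flag_byte):
    """Names of the flags set in a TCP flags byte, e.g. 0x12 -> {'SYN', 'ACK'}."""
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def build_segment(src_port, dst_port, seq, ack, flags, window=65535):
    """Constructed TCP header for the exchanges below (checksum left at 0)."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAGS[name]
    data_offset = 5 << 4            # header length in 32-bit words, high nibble
    return TCP_HDR.pack(src_port, dst_port, seq, ack, data_offset, flag_byte,
                        window, 0, 0)


def parse_segment(raw):
    src, dst, seq, ack, _off, flag_byte, win, _csum, _urg = TCP_HDR.unpack_from(raw)
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": decode_flags(flag_byte), "window": win}


def classify_syn_response(probe_seq, reply):
    """Port state from the target's answer to our SYN (what -sS and -sT both
    see first). reply is the raw TCP segment, or None when nothing came back."""
    if reply is None:
        return "filtered"           # probe or answer dropped on the way
    hdr = parse_segment(reply)
    if {"SYN", "ACK"} <= hdr["flags"] and hdr["ack"] == probe_seq + 1:
        return "open"
    if "RST" in hdr["flags"]:
        return "closed"
    return "unexpected"


def scanner_follow_up(scan_type, probe_hdr, reply_hdr):
    """The segment sent after SYN/ACK, which is where the scans differ:
    -sS aborts the half-open connection with RST (the service never gets
    an accept()), -sT completes the handshake with ACK and tears it down later."""
    seq = probe_hdr["seq"] + 1      # our ISN was consumed by the SYN
    if scan_type == "sS":
        return build_segment(probe_hdr["src"], probe_hdr["dst"], seq, 0, {"RST"})
    if scan_type == "sT":
        return build_segment(probe_hdr["src"], probe_hdr["dst"], seq,
                             reply_hdr["seq"] + 1, {"ACK"})
    raise ValueError(scan_type)


def demo(scan_type="sS"):
    """Walk one probe of port 143 through the open, closed and filtered cases
    and return (states, parsed follow-up segment for the open case)."""
    probe = parse_segment(build_segment(40000, 143, 1000, 0, {"SYN"}))
    open_reply = build_segment(143, 40000, 5000, 1001, {"SYN", "ACK"})
    closed_reply = build_segment(143, 40000, 0, 1001, {"RST", "ACK"})
    states = {
        "open": classify_syn_response(probe["seq"], open_reply),
        "closed": classify_syn_response(probe["seq"], closed_reply),
        "filtered": classify_syn_response(probe["seq"], None),
    }
    follow_up = parse_segment(
        scanner_follow_up(scan_type, probe, parse_segment(open_reply)))
    return states, follow_up
```

Comparing demo("sS") with demo("sT") shows the only difference on the wire for an open port: the RST carries our next sequence number and no acknowledgement, while the ACK acknowledges the target's ISN plus one and so completes the handshake.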

++++++++++++++++++++++++++++++++++++++++++++++++++
UDP Scan
++++++++++++++++++++++++++++++++++++++++++++++++++
UDP is a connectionless protocol, and hence it does not require any
handshake for connection establishment. We cannot guarantee that a
service listening on a UDP port would respond to our packets at all;
many only answer a protocol-specific payload, and a silent port is
reported as open|filtered because silence is also what a firewall drop
looks like.
However, if a UDP packet is sent to a closed port, an ICMP port
unreachable error (type 3, code 3) is returned and Nmap marks the port
closed. Other ICMP unreachable codes (1, 2, 9, 10, 13) are reported as
filtered. Because most hosts rate-limit these ICMP errors, scanning many
UDP ports is slow.
You can select UDP scan using the -sU option; moreover, you can combine
it with a TCP scan in the same run, for example -sU -sS.
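The three outcomes just described (data back, ICMP port unreachable, silence) can be reproduced with an ordinary datagram socket. The following is an added example, not from the original notes and not Nmap's code: a -sU style probe on a connected UDP socket, which is how the kernel delivers the ICMP port unreachable to us as ECONNREFUSED, plus three constructed loopback fixtures: an echo service (open), a bound socket that never answers (open|filtered) and an unbound port (closed). Host, payload and timeout are assumptions made for the demonstration.

```python
import socket
import threading


def udp_probe(host, port, payload=b"probe", timeout=1.0):
    """Classify one UDP port from the reply alone, as -sU has to.

    open          - the service answered with data
    closed        - ICMP port unreachable (type 3, code 3) came back; a
                    *connected* UDP socket is what makes the kernel hand
                    it to us, as ECONNREFUSED on the next send/recv
    open|filtered - silence: the service ignored our payload, or a
                    firewall dropped the probe or the ICMP error
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def start_echo_service(host="127.0.0.1"):
    """Constructed fixture: a UDP service that echoes one datagram ('open')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))

    def serve():
        try:
            data, peer = srv.recvfrom(1024)
            srv.sendto(data, peer)
        except OSError:
            pass                    # socket closed before a probe arrived

    threading.Thread(target=serve, daemon=True).start()
    return srv


def start_silent_service(host="127.0.0.1"):
    """Constructed fixture: a bound UDP socket that never answers. The port
    is open, but from outside it looks exactly like a dropped probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    return srv


def unused_udp_port(host="127.0.0.1"):
    """Constructed fixture: a port with no UDP socket bound, so the kernel
    answers probes to it with ICMP port unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(timeout=0.5):
    """Probe the three fixtures on loopback; returns {fixture: state}."""
    echo, silent = start_echo_service(), start_silent_service()
    try:
        return {
            "echo": udp_probe("127.0.0.1", echo.getsockname()[1], timeout=timeout),
            "silent": udp_probe("127.0.0.1", silent.getsockname()[1], timeout=timeout),
            "closed": udp_probe("127.0.0.1", unused_udp_port(), timeout=timeout),
        }
    finally:
        echo.close()
        silent.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

The silent fixture is the important one: a real service that only speaks its own protocol behaves the same way, which is why Nmap sends protocol-specific payloads to well-known UDP ports and why open|filtered is so common in -sU output.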
++++++++++++++++++++++++++++++++++++++++++++++++++
Fine-Tuning Scope and Performance
++++++++++++++++++++++++++++++++++++++++++++++++++
You can request the scan of all ports by using -p-, which will scan all
65535 ports. If you want to scan the most common 100 ports, add -F.
Using --top-ports 10 will check the ten most common ports.
Control the scan timing using -T<0-5>. -T0 is the slowest (paranoid),
while -T5 is the fastest (insane). According to the Nmap manual page,
there are six templates: -T0 paranoid, -T1 sneaky, -T2 polite, -T3 normal,
-T4 aggressive and -T5 insane.
To reduce the chance of triggering IDS alerts, consider -T0 or -T1. For
instance, -T0 scans one port at a time and waits 5 minutes between
sending each probe.
If you don't specify any timing, Nmap uses normal (-T3).
NOTE:- -T5 is the most aggressive in terms of speed; however, it gives up
on slow probes quickly and retries less, so under packet loss ports can be
missed or reported as filtered, which affects the accuracy of the results.
Alternatively, you can choose to control the packet rate directly using
--min-rate <number> and --max-rate <number>. For example, --max-rate 10 or
--max-rate=10 ensures that your scanner is not sending more than ten
packets per second, while --min-rate forces Nmap to send at least that
many even when it would otherwise slow down.
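Two of these knobs are simple enough to implement by hand, which makes their semantics concrete. The following is an added example, not from the original notes and not Nmap's code: a parser for the -p port-list syntax (including -p- and open-ended ranges) and a pacing loop that enforces the --max-rate bound on probes per second, with a stub probe so it runs offline. The TOP_10_TCP table is an assumption about what --top-ports 10 selects from the nmap-services frequency file in current releases; check it against your own copy.

```python
import time

# Assumed: the ten most frequent TCP ports in recent nmap-services, in the
# order --top-ports ranks them. Verify against your installed nmap-services.
TOP_10_TCP = [80, 23, 443, 21, 22, 25, 3389, 110, 445, 139]


def parse_port_spec(spec):
    """Expand an Nmap-style -p argument into a sorted list of unique ports.
    Accepts "22,80,8000-8010", open-ended ranges "-100" / "60000-", and "-"
    for all 65535 ports; anything outside 1-65535 is rejected."""
    if spec.strip() == "-":
        return list(range(1, 65536))
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 1
            hi = int(hi) if hi else 65535
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port spec out of range: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def top_ports(n):
    """--top-ports n against the assumed frequency table above."""
    return sorted(TOP_10_TCP[:n])


def paced_scan(ports, probe, max_rate):
    """Run probe(port) over ports without ever exceeding max_rate probes per
    second, which is the bound --max-rate imposes. Returns a list of
    (port, result, t_sent) with monotonic timestamps so spacing can be checked."""
    if max_rate <= 0:
        raise ValueError("max_rate must be positive")
    interval = 1.0 / max_rate
    out = []
    next_allowed = time.monotonic()
    for port in ports:
        now = time.monotonic()
        if now < next_allowed:
            time.sleep(next_allowed - now)   # hold the probe until the slot opens
        sent_at = time.monotonic()
        out.append((port, probe(port), sent_at))
        next_allowed = sent_at + interval
    return out


def min_gap(results):
    """Smallest interval between consecutive probes in a paced_scan result."""
    times = [t for _, _, t in results]
    return min(b - a for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    # Stub probe: a real scanner would put the TCP or UDP probe here.
    r = paced_scan(parse_port_spec("22,80,443,8000-8002"), lambda p: "?", 50)
    print(f"{len(r)} probes, smallest gap {min_gap(r):.3f}s (limit 0.020s)")
```

--max-rate is a ceiling, not a target: the loop above sends slower whenever the probe itself is slow, and only sleeps when it is about to get ahead. --min-rate is the opposite constraint and is not modelled here.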
