Once we have located live systems on the network we can start exploring their open ports. There are a number of scan types we can use for that. It is also very helpful to understand the TCP three-way handshake (SYN, SYN/ACK, ACK) before executing scans, because most of the scan types below are defined by which part of that handshake they send, omit or abuse.

Full-Open Scan
This type of scan initiates and completes the full three-way handshake (SYN, SYN/ACK, ACK) using the operating system's connect() call, so it needs no special privileges.
Pro
Positive confirmation that the port is open: the connection is fully established.
Con
It is easily detected by firewalls and IDS/IPS, and because the connection completes, the target service itself usually logs it.

When a closed port is encountered the target answers the SYN with a RST and the connection attempt is terminated. When nothing comes back at all (as with the 997 filtered ports on 192.168.0.1 below) the port is reported as filtered: a firewall dropped either the probe or the reply.

Example:

nmap -sT 192.168.0.1-24
Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 12:02 EDT
Nmap scan report for 192.168.0.1
Host is up (0.0024s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
4443/tcp open  pharos

Nmap scan report for 192.168.0.2
Host is up (0.0011s latency).
All 1000 scanned ports on 192.168.0.2 are closed

Nmap scan report for 192.168.0.6
Host is up (0.00100s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 192.168.0.15
Host is up (0.0015s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https

Nmap scan report for 192.168.0.18
Host is up (0.000046s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 24 IP addresses (5 hosts up) scanned in 18.67 seconds

This type of scan will almost always be noticed by a firewall or IDS/IPS, and it leaves entries in the target's application logs because every open port sees a completed connection, so be very careful when performing it.
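A full-open scan is nothing more than connect() in a loop, so the classification rules above can be shown directly. The following is an added example, not code from the original page or from nmap: it scans constructed local sockets on 127.0.0.1 (one listening, one bound but refusing) so it runs offline and without root, and it maps the three outcomes of connect() onto the same open/closed/filtered states nmap -sT reports.

```python
# Added example, not code from the original page or from nmap: a minimal
# full-open (connect) scanner. The demo below scans constructed local
# sockets on 127.0.0.1 so it runs offline without root.
import socket


def connect_scan(host, ports, timeout=1.0):
    """Full-open scan with the OS connect() call, like nmap -sT.

    Returns {port: state} using nmap's vocabulary:
      open     - connect() succeeded, i.e. SYN -> SYN/ACK -> ACK completed
      closed   - the target answered our SYN with RST (ECONNREFUSED)
      filtered - nothing came back before the timeout, or an ICMP error
                 (host/network unreachable, admin prohibited) was returned
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"       # handshake completed; closing sends FIN
            except ConnectionRefusedError:
                results[port] = "closed"     # RST came back in answer to our SYN
            except OSError:                  # includes socket.timeout / TimeoutError
                results[port] = "filtered"
    return results


def demo():
    """Constructed demo: one listening port and one port that refuses.

    The 'closed' port is held by a socket that is bound but never calls
    listen(): the kernel answers SYNs to it with RST, and keeping it bound
    stops the scanner from being assigned that same port as its source.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    bound_only = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bound_only.bind(("127.0.0.1", 0))
    closed_port = bound_only.getsockname()[1]

    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port], timeout=2.0)
    finally:
        listener.close()
        bound_only.close()
    return {"listening": states[open_port], "bound_only": states[closed_port]}


if __name__ == "__main__":
    for role, state in demo().items():
        print(f"{role}: {state}")
```

Because the handshake completes, a real service on the open port would see an accepted connection immediately closed by the scanner, which is exactly the log entry the half-open scan below avoids.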

Half-Open Scan
A half-open scan is also known as SYN scanning or stealth scanning. It starts the same way as a full-open scan, but after the target replies with SYN/ACK the scanner never sends the final ACK; instead it tears the half-open connection down with a RST, so the handshake is never completed and the application listening on the port never sees a connection.
Pro
Confirms an open port (a SYN/ACK came back) without the target service ever seeing or logging a connection.
Con
Requires raw packet privileges (note the root prompt in the example below), and any network IDS that watches for SYN sweeps will still see it.
Example:

# nmap -sS 192.168.0.1-24
Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 12:18 EDT
Nmap scan report for 192.168.0.1
Host is up (0.00060s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
4443/tcp open  pharos
MAC Address: B4:0C:25:4B:8A:12 (Palo Alto Networks)

Nmap scan report for 192.168.0.2
Host is up (0.00080s latency).
All 1000 scanned ports on 192.168.0.2 are closed
MAC Address: 00:24:F7:3D:2C:00 (Cisco Systems)

Nmap scan report for 192.168.0.6
Host is up (0.00088s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:24:C3:47:2A:C0 (Cisco Systems)

Nmap scan report for 192.168.0.15
Host is up (0.0013s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https
MAC Address: 00:CA:E5:67:A3:40 (Unknown)

Nmap scan report for 192.168.0.18
Host is up (0.0000070s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 24 IP addresses (5 hosts up) scanned in 210.15 seconds

Its main advantage is that it is less likely to be logged on the target, since no connection is ever completed. At the network level it is not invisible: the same burst of SYNs to many ports is there for an IDS to see.

Xmas Tree Scan

With this type of scan several flags are set at once: a single packet is sent to the target with FIN, PSH and URG all set (the packet is "lit up like a Christmas tree"). RFC 793 says an open port must silently drop such a packet while a closed port must answer with a RST, so the scan infers the port state from the absence of a reply. Many stacks (Windows, many Cisco devices and others) do not follow the RFC and send a RST on every port regardless of state.
Pro
Can slip past stateless packet filters that only watch for SYNs, and the RFC-compliant versus non-compliant behaviour gives a hint about the operating system in some cases.
Con
Windows and similar stacks answer RST on every port, so every port shows as closed. Even on a compliant stack an open port can only be reported as open|filtered, because no response could equally mean a firewall dropped the probe.
Example:

nmap -sX -v 192.168.0.1-24
Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 12:39 EDT
Initiating ARP Ping Scan at 12:39
Scanning 23 hosts [1 port/host]
adjust_timeouts2: packet supposedly had rtt of -97368 microseconds.  Ignoring time.
Completed ARP Ping Scan at 12:39, 0.62s elapsed (23 total hosts)
Initiating Parallel DNS resolution of 23 hosts. at 12:39
Completed Parallel DNS resolution of 23 hosts. at 12:39, 0.01s elapsed
Nmap scan report for 192.168.0.3 [host down]
Nmap scan report for 192.168.0.4 [host down]
Nmap scan report for 192.168.0.5 [host down]
Nmap scan report for 192.168.0.7 [host down]
Nmap scan report for 192.168.0.8 [host down]
Nmap scan report for 192.168.0.9 [host down]
Nmap scan report for 192.168.0.10 [host down]
Nmap scan report for 192.168.0.11 [host down]
Nmap scan report for 192.168.0.12 [host down]
Nmap scan report for 192.168.0.13 [host down]
Nmap scan report for 192.168.0.14 [host down]
Nmap scan report for 192.168.0.16 [host down]
Nmap scan report for 192.168.0.17 [host down]
Nmap scan report for 192.168.0.19 [host down]
Nmap scan report for 192.168.0.20 [host down]
Nmap scan report for 192.168.0.21 [host down]
Nmap scan report for 192.168.0.22 [host down]
Nmap scan report for 192.168.0.23 [host down]
Nmap scan report for 192.168.0.24 [host down]
Initiating Parallel DNS resolution of 1 host. at 12:39
Completed Parallel DNS resolution of 1 host. at 12:39, 0.01s elapsed
Initiating XMAS Scan at 12:39
Scanning 4 hosts [1000 ports/host]
Increasing send delay for 192.168.0.6 from 0 to 5 due to 11 out of 36 dropped probes since last increase.
Increasing send delay for 192.168.0.2 from 0 to 5 due to 12 out of 39 dropped probes since last increase.
Increasing send delay for 192.168.0.15 from 0 to 5 due to 11 out of 35 dropped probes since last increase.
Increasing send delay for 192.168.0.2 from 5 to 10 due to 11 out of 27 dropped probes since last increase.
Increasing send delay for 192.168.0.15 from 5 to 10 due to 11 out of 27 dropped probes since last increase.
Increasing send delay for 192.168.0.6 from 5 to 10 due to 11 out of 29 dropped probes since last increase.
Increasing send delay for 192.168.0.2 from 10 to 20 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 192.168.0.6 from 10 to 20 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 192.168.0.15 from 10 to 20 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 192.168.0.2 from 20 to 40 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 192.168.0.15 from 20 to 40 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 192.168.0.6 from 20 to 40 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 192.168.0.15 from 40 to 80 due to 11 out of 27 dropped probes since last increase.
Increasing send delay for 192.168.0.2 from 40 to 80 due to 11 out of 23 dropped probes since last increase.
Increasing send delay for 192.168.0.6 from 40 to 80 due to 11 out of 23 dropped probes since last increase.
Increasing send delay for 192.168.0.15 from 80 to 160 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 192.168.0.2 from 80 to 160 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 192.168.0.6 from 80 to 160 due to 11 out of 22 dropped probes since last increase.
Completed XMAS Scan against 192.168.0.1 in 25.51s (3 hosts left)
XMAS Scan Timing: About 39.08% done; ETC: 12:40 (0:00:48 remaining)

If the port is open there is no response, so nmap reports it as open|filtered. If the port is closed a RST is returned.

FIN Scan
This type of scan sends a packet with only the FIN flag set.
Pro
Less noticeable than SYN scans, and it can pass through stateless packet filters that only block incoming SYNs.
Con
Less reliable: it cannot distinguish an open port from a filtered one, and stacks that do not follow RFC 793 (Windows among them) report every port as closed.
If the port is open there is no response, so nmap reports it as open|filtered. If the port is closed a RST is returned. In the output below the Palo Alto device at 192.168.0.1 drops every probe, so all 1000 ports come back open|filtered even though the SYN scan found only three open.
Example:

nmap -sF  192.168.0.1-24

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 12:46 EDT
Nmap scan report for 192.168.0.1
Host is up (0.00044s latency).
All 1000 scanned ports on 192.168.0.1 are open|filtered
MAC Address: B4:0C:25:4B:8A:12 (Palo Alto Networks)

Nmap scan report for 192.168.0.2
Host is up (0.00080s latency).
All 1000 scanned ports on 192.168.0.2 are closed
MAC Address: 00:24:F7:3D:2C:00 (Cisco Systems)

Nmap scan report for 192.168.0.6
Host is up (0.0016s latency).
All 1000 scanned ports on 192.168.0.6 are closed
MAC Address: 00:24:C3:47:2A:C0 (Cisco Systems)

Nmap scan report for 192.168.0.15
Host is up (0.0012s latency).
All 1000 scanned ports on 192.168.0.15 are closed
MAC Address: 00:CA:E5:67:A3:40 (Unknown)


NULL Scan

In this type of scan the packets are sent with no TCP flags set at all. The results are interpreted the same way as for a FIN scan.
Pro
Less noticeable than SYN scans, although still fairly easy to detect because a flagless TCP segment never occurs in legitimate traffic. Can pass through stateless packet filters.
Con
Less reliable, for the same reasons as the FIN scan.
Example:

nmap -sN 192.168.0.1-24

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 12:51 EDT
Nmap scan report for 192.168.0.1
Host is up (0.00019s latency).
All 1000 scanned ports on 192.168.0.1 are open|filtered
MAC Address: B4:0C:25:4B:8A:12 (Palo Alto Networks)

Nmap scan report for 192.168.0.2
Host is up (0.00079s latency).
All 1000 scanned ports on 192.168.0.2 are closed
MAC Address: 00:24:F7:3D:2C:00 (Cisco Systems)

Nmap scan report for 192.168.0.6
Host is up (0.00096s latency).
All 1000 scanned ports on 192.168.0.6 are closed
MAC Address: 00:24:C3:47:2A:C0 (Cisco Systems)

Nmap scan report for 192.168.0.15
Host is up (-0.097s latency).
All 1000 scanned ports on 192.168.0.15 are open|filtered
MAC Address: 00:CA:E5:67:A3:40 (Unknown)

If the port is open there is no response, so nmap reports it as open|filtered. If the port is closed a RST is returned.

Idle Scanning

This type of scan is very powerful: it bounces the probes off a third-party "zombie" host, so the target only ever sees packets coming from the zombie's IP address and the scanner's own address never appears in its logs.
Pro
Very effective at evading firewalls and IDS systems, and it shows the target's view of the zombie's address rather than of the scanner's, which can reveal IP-based trust relationships.
Con
The scan takes longer and is more complicated. It needs a zombie that is truly idle and whose IP ID counter is global and increments by one for every packet it sends; hosts with randomised or per-connection IP IDs cannot be used.
How it works
1. Probe the zombie's current IP ID: send it a SYN/ACK and read the IP ID from the RST it sends back.
2. Forge a SYN with the zombie's address as the source and send it to the desired port on the target. An open port answers the zombie with SYN/ACK, which the zombie (having sent no SYN) rejects with a RST, consuming one IP ID. A closed port answers with a RST that the zombie ignores, and a filtered port answers nothing.
3. Probe the zombie's IP ID again and compare. An increase of 2 means the port is open; an increase of 1 means it is closed or filtered.
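The three steps above come down to IP ID arithmetic, which is easiest to see in a simulation. The following is an added example, not code from the original page or from nmap: the zombie, the target, their port states and the starting IP ID are all constructed, and the simulation also shows the failure mode the Con above warns about, a zombie that is not actually idle.

```python
# Added example, not code from the original page or from nmap: a simulation of
# the three idle-scan steps and of the IP ID arithmetic the scanner relies on.
# The zombie, the target and their port states are constructed.

class Zombie:
    """An idle host whose IP ID counter is global and increments by one
    for every packet it sends. The starting value is an arbitrary assumption."""

    def __init__(self, ip_id=31337):
        self.ip_id = ip_id

    def send(self):
        self.ip_id = (self.ip_id + 1) & 0xFFFF   # IP ID is a 16-bit field
        return self.ip_id


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def handle_syn(self, port):
        if port in self.filtered_ports:
            return None                      # firewall drops the SYN
        return "SYN/ACK" if port in self.open_ports else "RST"


def probe_ip_id(zombie):
    """Steps 1 and 3: send the zombie an unsolicited SYN/ACK. It replies
    with a RST, and the IP ID of that RST is what we read."""
    return zombie.send()


def spoofed_syn(zombie, target, port):
    """Step 2: a SYN whose source address is the zombie's. The target's
    reply goes to the zombie, never to us."""
    reply = target.handle_syn(port)
    if reply == "SYN/ACK":
        zombie.send()      # zombie never sent a SYN, so it answers with RST (+1)
    # a RST from the target, or no reply at all, is simply ignored by the zombie


def idle_scan(zombie, target, port, background_packets=0):
    """Return nmap's verdict for one port. background_packets models other
    traffic the zombie sends between our two probes (a zombie that is not idle)."""
    before = probe_ip_id(zombie)
    spoofed_syn(zombie, target, port)
    for _ in range(background_packets):
        zombie.send()
    after = probe_ip_id(zombie)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"       # counter moved by something other than our probe


def demo():
    target = Target(open_ports={22, 80}, filtered_ports={443})
    return {port: idle_scan(Zombie(), target, port) for port in (22, 23, 80, 443)}


if __name__ == "__main__":
    print(demo())
    # A busy zombie: a single stray packet turns a closed port into a false "open"
    print(idle_scan(Zombie(), Target(open_ports=set()), 23, background_packets=1))
```

The last line of the demo is the important caveat: one unrelated packet from the zombie between the two probes produces a delta of 2 and a false "open". That is why the zombie must be idle, and why nmap probes the zombie's IP ID several times before trusting it and retries ports whose results look inconsistent.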

ACK Scanning

This type of scan is designed to determine whether stateful packet inspection (SPI) is in place; it maps firewall rules rather than finding open ports.
When an ACK is sent to a target and actually reaches it, a RST is returned whether the port is open or closed, and nmap reports the port as unfiltered. If no response is received (or an ICMP unreachable error comes back) the probe never reached the target and the port is reported as filtered. An ACK scan never reports a port as open or closed.
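The half-open, Xmas, FIN, NULL and ACK scans above all differ only in which flags the probe carries and in how the reply is read, so one simulation covers them. The following is an added example, not code from the original page or from nmap: it models an RFC 793 stack, a Windows-style stack that answers RST to every non-SYN probe, and stateless and stateful packet filters, then runs each scan type against them and applies nmap's classification. Every host, port and filter rule in it is constructed for illustration.

```python
# Added example, not code from the original page or from nmap: a simulation of
# how different TCP stacks answer SYN, FIN, NULL, Xmas and ACK probes and how
# the scanner turns each answer into an nmap port state. Every host, port and
# filter rule here is constructed for illustration.
FLAG_PROBES = {
    "SYN":  frozenset({"SYN"}),
    "FIN":  frozenset({"FIN"}),
    "NULL": frozenset(),                       # no flags at all
    "XMAS": frozenset({"FIN", "PSH", "URG"}),
    "ACK":  frozenset({"ACK"}),
}


def rfc793_reply(flags, port_open):
    """Reply of a stack that follows RFC 793 (Linux, most BSDs)."""
    if "ACK" in flags:
        return "RST"                              # ACK with no connection: always RST
    if flags == {"SYN"}:
        return "SYN/ACK" if port_open else "RST"
    return None if port_open else "RST"           # FIN/NULL/Xmas: open drops, closed RSTs


def windows_reply(flags, port_open):
    """Windows and many Cisco/IBM stacks: RST to every non-SYN probe whatever
    the port state. This is what makes FIN/NULL/Xmas show every port closed."""
    if flags == {"SYN"}:
        return "SYN/ACK" if port_open else "RST"
    return "RST"


class Host:
    """A target with a stack implementation and an optional packet filter."""

    def __init__(self, stack, open_ports, filtered_ports=(), stateful=False):
        self.stack = stack
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)
        self.stateful = stateful   # stateful: drops every unsolicited segment
                                   # stateless: blocks only new connections (SYN)

    def respond(self, port, flags):
        if port in self.filtered_ports and (self.stateful or flags == {"SYN"}):
            return None            # silently dropped, the scanner sees nothing
        return self.stack(flags, port in self.open_ports)


def classify(scan_type, reply):
    """nmap's interpretation of the wire reply for each scan type."""
    if scan_type == "SYN":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan_type == "ACK":
        return "unfiltered" if reply == "RST" else "filtered"
    return "closed" if reply == "RST" else "open|filtered"   # FIN, NULL, XMAS


def scan(host, scan_type, ports):
    flags = FLAG_PROBES[scan_type]
    return {p: classify(scan_type, host.respond(p, flags)) for p in ports}


def demo():
    # Linux box: 22 and 80 open, a stateless filter in front of 80 and 8080
    linux = Host(rfc793_reply, open_ports={22, 80}, filtered_ports={80, 8080})
    # Windows box with SMB open and no filter
    windows = Host(windows_reply, open_ports={139, 445})
    # Host behind a stateful firewall that protects 443 and 8080
    behind_fw = Host(rfc793_reply, open_ports={443}, filtered_ports={443, 8080}, stateful=True)
    ports = [22, 23, 80, 8080]
    return {
        "linux SYN":    scan(linux, "SYN", ports),
        "linux FIN":    scan(linux, "FIN", ports),    # FIN slips past the stateless filter
        "linux NULL":   scan(linux, "NULL", ports),
        "linux ACK":    scan(linux, "ACK", ports),
        "windows SYN":  scan(windows, "SYN", [139, 445, 80]),
        "windows XMAS": scan(windows, "XMAS", [139, 445, 80]),
        "stateful ACK": scan(behind_fw, "ACK", [22, 443, 8080]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Two results are worth comparing with the nmap output earlier on the page. Against the Linux host, the SYN scan reports 8080 as filtered while the FIN scan, which the stateless filter lets through, learns that it is actually closed; that is the "can pass through a firewall" advantage. Against the Windows host the Xmas scan reports 139 and 445 as closed even though they are open, which is the Con listed under the Xmas scan. The ACK scan never says open or closed: behind the stateful firewall it only tells you which ports are being filtered.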

UDP Scanning
UDP scanning is quite different from TCP, since the protocol is connectionless and has no flags; classification depends entirely on whether a reply comes back. If the port is closed the target returns an ICMP "port unreachable" (type 3, code 3). If the service answers nmap's protocol-specific probe (a DNS query for 53/udp, an NTP request for 123/udp, and so on) the port is open. If nothing at all comes back the port is reported as open|filtered: the service may be listening silently, or a firewall may have dropped the probe. Because most probes get no answer and hosts rate-limit ICMP errors, UDP scans are slow. Note that in the example below 997 ports come back open|filtered rather than open: silence is never proof that a service is there.
Example:

nmap -sU mysite.com
Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-20 11:09 EDT
Nmap scan report for mysite.com (x.x.x.x)
Host is up (0.019s latency).
rDNS record for x.x.x.x:  mysite.com
Not shown: 997 open|filtered ports
PORT    STATE  SERVICE
53/udp  open   domain
123/udp open   ntp
161/udp closed snmp
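The three UDP verdicts above (a reply, an ICMP port unreachable, or silence) can be reproduced with a connected UDP socket, which is how the kernel hands the ICMP error back to user space. The following is an added example, not code from the original page or from nmap: it scans constructed local sockets on 127.0.0.1, one service that answers the probe, one that is bound but never replies, and one port nobody is bound to, so it runs offline and without root. The probe payload is a constructed placeholder rather than a real DNS or NTP request.

```python
# Added example, not code from the original page or from nmap: a minimal UDP
# scanner that applies the same verdicts as nmap -sU. The demo runs against
# constructed local sockets on 127.0.0.1: a service that answers, a service
# that stays silent, and a port nobody is bound to.
import socket
import threading


def udp_scan(host, ports, payload=b"probe", timeout=1.0):
    """Return {port: state} in nmap's vocabulary:
      open          - a datagram came back, so a service answered the payload
      closed        - ICMP port unreachable (type 3, code 3) came back
      open|filtered - silence: a quiet service, or a firewall dropped the probe
      filtered      - another ICMP unreachable error (host/net unreachable,
                      admin prohibited) came back
    A connected UDP socket is used so the kernel reports the ICMP error to us
    as an exception on the next send/recv instead of discarding it.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            try:
                s.send(payload)
                s.recv(4096)
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except (socket.timeout, TimeoutError):
                results[port] = "open|filtered"
            except OSError:
                results[port] = "filtered"
    return results


def _answering_service(sock, stop):
    """Constructed stand-in for a service like DNS or NTP that replies to a probe."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(4096)
            sock.sendto(b"reply:" + data, peer)
        except socket.timeout:
            continue


def demo():
    talker = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    talker.bind(("127.0.0.1", 0))
    talker_port = talker.getsockname()[1]
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))          # bound, but nothing ever reads or replies
    silent_port = silent.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                          # released: nothing is bound there now

    stop = threading.Event()
    worker = threading.Thread(target=_answering_service, args=(talker, stop), daemon=True)
    worker.start()
    try:
        states = udp_scan("127.0.0.1", [talker_port, silent_port, closed_port], timeout=0.5)
    finally:
        stop.set()
        worker.join()
        talker.close()
        silent.close()
    return {"answering": states[talker_port],
            "silent": states[silent_port],
            "closed": states[closed_port]}


if __name__ == "__main__":
    for role, state in demo().items():
        print(f"{role}: {state}")
```

The silent socket is the case that makes UDP scanning slow and ambiguous: it is a real listener, yet the scanner can only report open|filtered, and it had to wait out the full timeout to say even that. Sending a payload the service actually understands, as nmap does for the well-known ports, is what turns open|filtered into open.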