In Nmap, the SYN scan (-sS) is designed to identify open ports without completing the full TCP handshake. This method is often referred to as a half-open scan because it sends a SYN packet to the target port and waits for a response:
-
Open Port: If the port is open, the target responds with a SYN-ACK packet. Nmap then sends an RST (reset) packet to terminate the connection before the handshake is completed.
-
Closed Port: If the port is closed, the target responds with an RST packet, indicating the port is closed.
This approach allows Nmap to detect open ports without establishing a full TCP connection, making it faster and less intrusive.
Stealthiness and Detection
The SYN scan is considered relatively stealthy because it doesn't complete the TCP handshake, potentially evading detection by intrusion detection systems (IDS) and firewalls.
However, its effectiveness can vary based on the target system's configuration and the sophistication of the IDS. Some IDS may detect and log SYN scan attempts, especially if they are configured to monitor for such activities.
Alternative Scan Types
-
TCP Connect Scan (-sT): This scan completes the full TCP handshake, making it more detectable but useful when SYN scan is not feasible due to user privileges.
-
FIN Scan (-sF): Sends a FIN packet to the target port. Open ports typically ignore the FIN packet, while closed ports respond with an RST packet. This scan can sometimes bypass firewalls and packet filters but is less reliable.
-
Xmas Scan (-sX): Sets the FIN, URG, and PSH flags, lighting up the packet like a Christmas tree. Similar to the FIN scan, it can bypass some firewalls but is less commonly used.
Each scan type has its advantages and limitations, and the choice depends on the specific network environment and the level of stealth required.
