Nmap’s SYN scan is often described as "stealthy," but it is actually the noisiest of the common scans, because it is the one most likely to be logged by firewalls and intrusion detection systems.

Let’s watch Nmap in action. Imagine we have a target machine, 192.168.1.100, and we want to see what ports are open on it.

First, the most basic: TCP Connect Scan (-sT). This is what your browser does when you visit a website. Nmap initiates a full TCP three-way handshake with the target port.

nmap -sT 192.168.1.100

If the port is open, Nmap receives a SYN-ACK and then sends its own ACK to complete the handshake. If it receives a RST-ACK, the port is closed. This is reliable but easily logged because it’s a complete connection.

Now, the "stealthy" one: TCP SYN Scan (-sS). This is the default for privileged users and the most common scan. Nmap sends a SYN packet and waits for a response.

sudo nmap -sS 192.168.1.100

If it gets a SYN-ACK, it knows the port is open. Crucially, Nmap then sends a RST packet instead of the ACK that would complete the handshake. This tears down the connection before it is fully established, so the application on the target never sees an accepted connection and has nothing to log. If it gets a RST-ACK, the port is closed. If it gets no response, the port is filtered.

Next, UDP Scan (-sU). UDP is connectionless, so Nmap can’t do a handshake. It sends a UDP packet to the target port.

sudo nmap -sU 192.168.1.100

If it receives an ICMP "Port Unreachable" message, the port is closed. If it receives a UDP response, the port is open. If it receives no response, the port is either open or filtered. This ambiguity is why UDP scans are slower and less definitive.

For TCP FIN Scan (-sF), Nmap sends a FIN packet. RFC 793 states that a closed port should respond with RST, while an open port should ignore the FIN packet.

sudo nmap -sF 192.168.1.100

So, if Nmap gets a RST, the port is closed. If it gets no response, the port is open or filtered. This scan is less likely to be logged by many systems because it doesn’t conform to the standard SYN handshake.

TCP Xmas Scan (-sX) is similar to FIN, but it sets the FIN, PSH, and URG flags in the TCP header.

sudo nmap -sX 192.168.1.100

Again, a RST response means closed, no response means open or filtered. It’s another way to probe without completing a handshake.

TCP Null Scan (-sN) is the opposite of Xmas scan; it sends a TCP packet with no flags set.

sudo nmap -sN 192.168.1.100

The logic is the same: RST for closed, no response for open or filtered.
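To make the decision rules above concrete, here is a small simulation of both sides of the exchange: a simplified RFC 793 target stack that answers each probe according to the port's true state, and the scanner-side logic that turns the reply into a reported state. This is an added example, not code from Nmap or from the original post; the target model (`target_reply`), the flag constants and the probe table are assumptions, and the "filtered" case is modelled as a firewall that silently drops the probe.

```python
"""Simulated Nmap-style probe exchange against a simplified RFC 793 stack.
Added example; the target model is a deliberate simplification."""
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in the header's flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Scan option -> flags set on the outgoing TCP segment.
PROBES = {
    "-sS": SYN,               # SYN (half-open) scan
    "-sF": FIN,               # FIN scan
    "-sX": FIN | PSH | URG,   # Xmas scan
    "-sN": 0,                 # Null scan: no flags at all
}

@dataclass
class Reply:
    kind: str        # "tcp", "udp", "icmp-unreach" or "none"
    flags: int = 0   # TCP flags, only meaningful when kind == "tcp"

def target_reply(state: str, probe_flags: Optional[int], udp: bool = False) -> Reply:
    """Model of the target. `state` is the port's true state; a 'filtered'
    port sits behind a firewall that drops the probe without answering."""
    if state == "filtered":
        return Reply("none")
    if udp:
        # Closed UDP port: the kernel answers ICMP port unreachable.
        # Open UDP port: most services stay silent on an empty datagram.
        return Reply("icmp-unreach") if state == "closed" else Reply("none")
    if state == "closed":
        # Any segment to a closed TCP port is answered with RST/ACK.
        return Reply("tcp", RST | ACK)
    # Open port, RFC 793 behaviour:
    if probe_flags & SYN:
        return Reply("tcp", SYN | ACK)
    # FIN / Xmas / Null segments to a LISTEN socket are silently discarded.
    return Reply("none")

def scanner_infer(option: str, reply: Reply) -> str:
    """Scanner side: the port-state rules described for each scan type."""
    if option == "-sU":
        if reply.kind == "icmp-unreach":
            return "closed"
        return "open" if reply.kind == "udp" else "open|filtered"
    if option == "-sS":
        if reply.kind == "tcp" and reply.flags & SYN and reply.flags & ACK:
            return "open"     # Nmap answers this SYN-ACK with a RST, not an ACK
        if reply.kind == "tcp" and reply.flags & RST:
            return "closed"
        return "filtered"
    # -sF, -sX and -sN share one rule: RST means closed, silence is ambiguous.
    if reply.kind == "tcp" and reply.flags & RST:
        return "closed"
    return "open|filtered"

def run_scan(option: str, true_state: str) -> str:
    """One probe of one port: build the probe, get the reply, infer the state."""
    if option == "-sU":
        return scanner_infer(option, target_reply(true_state, None, udp=True))
    return scanner_infer(option, target_reply(true_state, PROBES[option]))

def scan_matrix():
    """Every scan type against every true state, so the ambiguities show up."""
    return {(opt, st): run_scan(opt, st)
            for opt in ("-sS", "-sU", "-sF", "-sX", "-sN")
            for st in ("open", "closed", "filtered")}

if __name__ == "__main__":
    for (opt, st), inferred in scan_matrix().items():
        print(f"{opt} vs truly {st:<8} -> reported {inferred}")
```

Running it prints the full matrix; the lines worth studying are the ones where the reported state is not the true one. Only the SYN scan can tell a filtered port from an open one, because only a SYN elicits a positive reply (SYN-ACK) from an open port. The FIN, Xmas, Null and UDP scans all rely on silence, and silence from a dropped probe looks identical to silence from an open port.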

The core problem Nmap’s various scan types solve is inferring the state of a network port (open, closed, filtered) without necessarily completing a full, application-level connection. This is crucial for network reconnaissance and security auditing. Each scan type manipulates TCP flags (SYN, ACK, FIN, RST, URG, PSH) or relies on ICMP responses to elicit different behaviors from the target system’s network stack. The key differentiator is how much of a "conversation" Nmap has with the port: a full TCP connect scan is a complete conversation, while FIN, Xmas, and Null scans are more like single, probing questions.

The real magic happens when Nmap combines these probes with its ability to analyze responses, or lack thereof. For instance, a TCP SYN scan (-sS) is often called "stealthy" because it avoids completing the three-way handshake. However, the SYN-ACK response from an open port is a strong indicator. Nmap sends a RST instead of the final ACK, effectively "unconnecting" before the application on the target even knows a connection was initiated. This is why it’s preferred over -sT for speed and reduced logging by simple packet filters. The UDP scan (-sU) is fundamentally different; it relies on the absence of an ICMP "Port Unreachable" message. If Nmap sends a UDP packet to an open port, it typically receives no response. If the port is closed, it gets an ICMP "Port Unreachable." The complication is that a firewall could be blocking both the UDP packet and the ICMP response, making an open port appear filtered.
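The flip side of "reduced logging by simple packet filters" is that a sensor looking at raw packet headers, rather than at application logs, sees exactly the behaviour that gives each scan away: bare SYNs to many ports that are never followed by an ACK, and flag combinations (FIN-only, Xmas, Null) that no normal client sends to a listening port. The following detector is an added example, not part of the original post or of Nmap; the one-line-per-segment log format, the sample records and the `min_ports` threshold are all constructed assumptions.

```python
"""Scan detector over a constructed packet-summary log (one line per TCP/UDP
segment seen at a sensor). Added example; the log format is an assumption.

Line format (constructed): <epoch> <src> <dst> <dport> <proto> <flags>
`flags` is a string of letters from S A F R P U, or '-' when none are set."""
from collections import defaultdict

# Constructed sample: 10.0.0.5 sends bare SYNs to six ports and never ACKs
# (half-open probing); 10.0.0.9 sends Xmas, Null and FIN segments;
# 10.0.0.7 is an ordinary client completing handshakes to two ports.
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.168.1.100 22 tcp S
1700000000 10.0.0.5 192.168.1.100 80 tcp S
1700000001 10.0.0.5 192.168.1.100 443 tcp S
1700000001 10.0.0.5 192.168.1.100 3306 tcp S
1700000002 10.0.0.5 192.168.1.100 8080 tcp S
1700000002 10.0.0.5 192.168.1.100 25 tcp S
1700000003 10.0.0.7 192.168.1.100 443 tcp S
1700000003 10.0.0.7 192.168.1.100 443 tcp A
1700000004 10.0.0.7 192.168.1.100 443 tcp PA
1700000005 10.0.0.7 192.168.1.100 80 tcp S
1700000005 10.0.0.7 192.168.1.100 80 tcp A
1700000006 10.0.0.9 192.168.1.100 22 tcp FPU
1700000006 10.0.0.9 192.168.1.100 80 tcp -
1700000007 10.0.0.9 192.168.1.100 443 tcp F
"""

def parse_line(line):
    """Split one log line into a record; flags become a set of letters."""
    ts, src, dst, dport, proto, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "flags": set() if flags == "-" else set(flags)}

def probe_kind(flags):
    """Name the flag combinations that only a scanner sends to a LISTEN port."""
    if flags == set():
        return "null"
    if flags == {"F", "P", "U"}:
        return "xmas"
    if flags == {"F"}:
        return "fin"
    return None

def detect_scans(log_text, min_ports=5):
    """Return {src: finding}. A source is a SYN scanner when it sends bare SYNs
    to at least `min_ports` distinct ports and never ACKs any of them (a real
    client would complete the handshake). Null/Xmas/FIN probes are reported on
    sight, since legitimate traffic does not produce them."""
    syn_ports = defaultdict(set)     # src -> ports that received a bare SYN
    acked_ports = defaultdict(set)   # src -> ports the source later ACKed
    odd_probes = defaultdict(list)   # src -> [(kind, dport), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp":
            continue
        kind = probe_kind(rec["flags"])
        if kind:
            odd_probes[rec["src"]].append((kind, rec["dport"]))
        elif rec["flags"] == {"S"}:
            syn_ports[rec["src"]].add(rec["dport"])
        elif "A" in rec["flags"]:
            acked_ports[rec["src"]].add(rec["dport"])
    findings = {}
    for src, ports in syn_ports.items():
        half_open = ports - acked_ports[src]
        if len(half_open) >= min_ports:
            findings[src] = f"syn-scan: {len(half_open)} half-open ports"
    for src, probes in odd_probes.items():
        kinds = sorted({k for k, _ in probes})
        findings[src] = f"flag-probe: {'/'.join(kinds)} to {len(probes)} ports"
    return findings

if __name__ == "__main__":
    for src, finding in detect_scans(SAMPLE_LOG).items():
        print(src, finding)
```

The SYN-scan rule keys on the half-open pattern itself (SYN, then a RST instead of an ACK from the scanner), which is why it catches -sS even though the target's application log stays empty. The threshold matters: a single client retrying one port will never reach `min_ports`, while a sweep across a host's service ports will.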

When you run a TCP scan like -sS, -sF, -sX, or -sN against a firewall that blocks incoming SYN packets but allows RST packets to pass back out, Nmap sees the RST and incorrectly marks the port as closed, even if it’s open and just being blocked from initiation. This is a classic example of how network devices can interfere with scan results, leading to false negatives.
