Nmap’s SYN scan (-sS), often called "half-open" or "stealth" scanning, probes ports without completing the TCP three-way handshake. Because no connection is ever established, the listening service never sees the probe, which keeps it out of the connection logs that applications keep; packet-level monitoring still sees every SYN.
Let’s see it in action. Imagine we have a target server, 192.168.1.100, and we want to see which ports are open. A full TCP connect scan would look like this:
nmap -sT -p 1-1000 192.168.1.100
This establishes a full connection for each port. Now, the SYN scan:
nmap -sS -p 1-1000 192.168.1.100
Notice how much faster and quieter this can be. The key difference lies in what happens after the initial SYN packet is sent.
In a full TCP connect scan (-sT), Nmap asks the operating system to open a connection with the ordinary connect() call. The kernel sends a SYN, and if the port is open the target responds with SYN-ACK; the kernel then sends the final ACK, the connection is established, and the listening service accepts it before Nmap closes it again. Any service that logs accepted connections records a completed connection from the scanner for every open port.
With a SYN scan (-sS), Nmap builds the SYN itself as a raw packet. If the target responds with SYN-ACK (indicating an open port), the handshake is never completed: an RST goes back instead (in practice sent by the scanner’s own kernel, which sees a SYN-ACK for a connection it never opened). On the target, the connection sits in the kernel’s half-open (SYN) queue for a moment and is discarded when the RST arrives; it never reaches the service’s accept() call. A host firewall or packet capture on the target can still record the SYN and the RST, but the service’s own logs show nothing, which is what makes -sS "stealthy" compared with the completed-connection record that -sT leaves.
If the port is closed, the target responds with RST. If nothing comes back after Nmap’s retransmissions (or an ICMP unreachable error arrives), Nmap reports the port as filtered, usually meaning a firewall dropped the probe.
The primary advantage of SYN scanning is that it is less visible at the application layer. Because no connection is ever established, services that log connections (an SSH daemon, a web server’s access log) have nothing to log. This does not hide the scan from anything that looks at packets: a host firewall, a network IDS or a flow collector sees the SYNs whether or not a handshake follows. SYN scanning is also faster than a connect scan, because Nmap does not have to allocate a socket and wait for the kernel to complete and tear down a connection for every port; it sends raw probes in parallel and classifies each port from the first reply.
Here’s the breakdown of what Nmap does for each port state during a SYN scan:
- Open: Nmap sends SYN. Target replies with SYN-ACK. Nmap sends RST. Port is OPEN.
- Closed: Nmap sends SYN. Target replies with RST. Port is CLOSED.
- Filtered: Nmap sends SYN. No response after retransmission (or an ICMP unreachable error comes back). Port is FILTERED.
The "stealth" aspect is relative. Modern IDS and network monitoring tools are often sophisticated enough to detect SYN scans by looking for patterns of SYN packets without corresponding RSTs or completed handshakes from the target. However, it remains a valuable tool for reconnaissance when a lighter touch is desired or when dealing with systems that have less advanced logging or IDS capabilities.
The efficiency of -sS is also why it’s the default scan type when Nmap is run with root or administrator privileges. The operating system needs to be able to craft raw network packets to send the initial SYN and the RST without going through the standard kernel networking stack for a full connection.
A common misconception is that SYN scans are undetectable. While they are less detectable by basic logging, advanced network analysis can easily spot them. The "stealth" comes from avoiding the explicit log entry of a completed connection on the target host’s application or OS logs.
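The two points above, the per-port outcomes of a SYN scan and the pattern a network sensor uses to spot one, can be shown in a single piece of detection logic. The following is an added example, not code from Nmap or from this page: it rebuilds each TCP handshake from packet-log lines, maps every flow to the open/closed/filtered verdict Nmap would have reached, and then flags any source that fans out across many ports without completing a handshake. The log lines are constructed in the text format of tcpdump -nn (with 10.0.0.5 as the scanner and 10.0.0.9 as an ordinary client), and the threshold values are assumptions chosen for the example.

```python
"""Added example (not Nmap's code): rebuild each TCP handshake from a packet
log and flag sources that behave like a SYN scanner. The capture below is
constructed in the text format of `tcpdump -nn`; 10.0.0.5 plays the -sS
scanner and 10.0.0.9 an ordinary client that completes its handshake."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]"
)

# Constructed sample: 10.0.0.5 probes four ports (22 and 80 answer SYN-ACK and
# get an RST back, 23 answers RST, 443 never answers and the SYN is resent),
# while 10.0.0.9 opens a real SSH connection.
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 10.0.0.5.40001 > 192.168.1.100.22: Flags [S], seq 100, win 1024, length 0
12:00:00.000200 IP 192.168.1.100.22 > 10.0.0.5.40001: Flags [S.], seq 500, ack 101, win 64240, length 0
12:00:00.000300 IP 10.0.0.5.40001 > 192.168.1.100.22: Flags [R], seq 101, win 0, length 0
12:00:00.000400 IP 10.0.0.5.40001 > 192.168.1.100.23: Flags [S], seq 100, win 1024, length 0
12:00:00.000500 IP 192.168.1.100.23 > 10.0.0.5.40001: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:00.000600 IP 10.0.0.5.40001 > 192.168.1.100.80: Flags [S], seq 100, win 1024, length 0
12:00:00.000700 IP 192.168.1.100.80 > 10.0.0.5.40001: Flags [S.], seq 700, ack 101, win 64240, length 0
12:00:00.000800 IP 10.0.0.5.40001 > 192.168.1.100.80: Flags [R], seq 101, win 0, length 0
12:00:00.000900 IP 10.0.0.5.40001 > 192.168.1.100.443: Flags [S], seq 100, win 1024, length 0
12:00:00.300000 IP 10.0.0.9.51000 > 192.168.1.100.22: Flags [S], seq 900, win 64240, length 0
12:00:00.300100 IP 192.168.1.100.22 > 10.0.0.9.51000: Flags [S.], seq 800, ack 901, win 64240, length 0
12:00:00.300200 IP 10.0.0.9.51000 > 192.168.1.100.22: Flags [.], ack 801, win 502, length 0
12:00:01.001000 IP 10.0.0.5.40001 > 192.168.1.100.443: Flags [S], seq 100, win 1024, length 0
"""


def parse_line(line):
    """Timestamp, endpoints and flags of one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, us, src, sport, dst, dport, flags = m.groups()
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6,
        "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        # tcpdump flag letters: S = SYN, "." = ACK, R = RST
        "syn": "S" in flags, "ack": "." in flags, "rst": "R" in flags,
    }


def track_flows(lines):
    """Map (client, cport, server, sport) -> handshake state seen on the wire."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["syn"] and not pkt["ack"]:      # client opens (or retransmits)
            f = flows.setdefault(fwd, {"state": "syn_sent", "first": pkt["ts"], "syns": 0})
            f["syns"] += 1
        elif rev in flows:                      # reply from the server side
            f = flows[rev]
            if f["state"] == "syn_sent" and pkt["syn"] and pkt["ack"]:
                f["state"] = "syn_ack"          # port is listening
            elif f["state"] == "syn_sent" and pkt["rst"]:
                f["state"] = "closed"
        elif fwd in flows and flows[fwd]["state"] == "syn_ack":
            # the client's answer to SYN-ACK separates -sS from a real connection
            if pkt["rst"]:
                flows[fwd]["state"] = "half_open"
            elif pkt["ack"]:
                flows[fwd]["state"] = "established"
    return flows


# How each wire-level outcome maps to the port state Nmap would report.
STATE_TO_PORT = {"syn_ack": "open", "half_open": "open", "established": "open",
                 "closed": "closed", "syn_sent": "filtered"}


def summarize_sources(flows, window=2.0, min_ports=3):
    """Per source IP: port fan-out, Nmap-style tallies, and a scan verdict.
    Heuristic (thresholds are assumptions): at least `min_ports` distinct ports
    probed within `window` seconds and no handshake completed at all."""
    per_src = defaultdict(lambda: {"ports": set(), "open": 0, "closed": 0,
                                   "filtered": 0, "established": 0, "times": []})
    for (client, _cport, _server, dport), f in flows.items():
        s = per_src[client]
        s["ports"].add(dport)
        s[STATE_TO_PORT[f["state"]]] += 1
        if f["state"] == "established":
            s["established"] += 1
        s["times"].append(f["first"])
    report = {}
    for client, s in per_src.items():
        span = max(s["times"]) - min(s["times"])
        report[client] = {
            "ports": len(s["ports"]), "open": s["open"], "closed": s["closed"],
            "filtered": s["filtered"], "established": s["established"],
            "span": round(span, 6),
            "syn_scan": len(s["ports"]) >= min_ports and span <= window
            and s["established"] == 0,
        }
    return report


if __name__ == "__main__":
    for src, info in summarize_sources(track_flows(SAMPLE_CAPTURE.splitlines())).items():
        print(src, info)
```

On the sample, 10.0.0.5 is flagged: four ports in under a millisecond, two of them open (SYN-ACK answered with the scanner’s RST), one closed (target RST), one filtered (two unanswered SYNs), and zero established connections. 10.0.0.9 touches one port and completes the handshake, so it is not flagged. A -sT scan of the same host would show the same fan-out but with established greater than zero, and the SSH daemon’s log would have recorded it as well; that difference is the whole of the "stealth".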
The next logical step after a SYN scan is often to understand what services are running on those open ports, which leads to Nmap’s service version detection.