TCP SYN Scan (-sS)
Requires Privileged Access: YES
Identifies TCP Ports: YES
Identifies UDP Ports: NO
The TCP SYN scan uses common methods of port-identification that allow nmap to gather information about open ports without completing the TCP handshake process. When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as "half open" scanning.
If a scan type is not specified on the nmap command line and nmap currently has privileged access to the host (root or administrator), the TCP SYN scan is used by default.
TCP SYN Scan Operation
Most of the ports queried during the TCP SYN scan will probably be closed. These closed port responses to the TCP SYN frame will be met with a RST frame from the destination station.
Source Destination Summary
-------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.10] TCP: D=113 S=57283 SYN SEQ=2360927338 LEN=0 WIN=3072
[192.168.0.10] [192.168.0.8] TCP: D=57283 S=113 RST ACK=2360927339 WIN=0

If nmap receives an acknowledgment (a SYN/ACK) in response to its SYN, then the port is open. Nmap then sends an RST to reset the session, and the handshake is never completed.

Source Destination Summary
-------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.10] TCP: D=80 S=57283 SYN SEQ=2360927338 LEN=0 WIN=3072
[192.168.0.10] [192.168.0.8] TCP: D=57283 S=80 SYN ACK=2360927339 SEQ=1622899389 LEN=0 WIN=65535
[192.168.0.8] [192.168.0.10] TCP: D=80 S=57283 RST WIN=0

The nmap output shows the results of this TCP SYN scan. As expected, most of the packets sent during this scan were built using the operating system's raw sockets:
# nmap -sS -v 192.168.0.10
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-11 12:25 EDT
Initiating SYN Stealth Scan against 192.168.0.10 [1663 ports] at 12:25
Discovered open port 80/tcp on 192.168.0.10
Discovered open port 3389/tcp on 192.168.0.10
Discovered open port 3306/tcp on 192.168.0.10
Discovered open port 139/tcp on 192.168.0.10
Discovered open port 135/tcp on 192.168.0.10
Discovered open port 520/tcp on 192.168.0.10
Discovered open port 445/tcp on 192.168.0.10
The SYN Stealth Scan took 1.35s to scan 1663 total ports.
Host 192.168.0.10 appears to be up ... good.
Interesting ports on 192.168.0.10:
(The 1656 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
520/tcp open efs
3306/tcp open mysql
3389/tcp open ms-term-serv
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)
Nmap finished: 1 IP address (1 host up) scanned in 2.117 seconds
Raw packets sent: 1705 (68.2KB) | Rcvd: 1664 (76.5KB)
#
The TCP SYN scan never actually creates a TCP session, so it isn't logged by the destination host's applications. This is a much "quieter" scan than the TCP connect() scan, and there's less visibility in the destination system's application logs since no sessions are ever initiated. Since an application session is never opened, the SYN scan is also less stressful to the application service.
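Because the SYN scan never reaches the application, the place to see it is the network layer. As an added example (not code from the original text or from nmap itself), the Python script below parses trace lines in the same summary format as the captures above, reconstructs each handshake from the client's perspective, and flags a source that leaves many half-open or reset handshakes without ever completing one. The sample trace, the legitimate 192.168.0.20 client, and the min_ports threshold are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample trace in the page's summary format (not a real capture).
# 192.168.0.8 probes four ports in SYN-scan style; 192.168.0.20 is a normal
# client that completes a full three-way handshake to port 80.
SAMPLE_TRACE = """\
[192.168.0.8] [192.168.0.10] TCP: D=113 S=57283 SYN SEQ=2360927338 LEN=0 WIN=3072
[192.168.0.10] [192.168.0.8] TCP: D=57283 S=113 RST ACK=2360927339 WIN=0
[192.168.0.8] [192.168.0.10] TCP: D=80 S=57283 SYN SEQ=2360927338 LEN=0 WIN=3072
[192.168.0.10] [192.168.0.8] TCP: D=57283 S=80 SYN ACK=2360927339 SEQ=1622899389 LEN=0 WIN=65535
[192.168.0.8] [192.168.0.10] TCP: D=80 S=57283 RST WIN=0
[192.168.0.8] [192.168.0.10] TCP: D=135 S=57283 SYN SEQ=2360927338 LEN=0 WIN=3072
[192.168.0.10] [192.168.0.8] TCP: D=57283 S=135 SYN ACK=2360927339 SEQ=99100 LEN=0 WIN=65535
[192.168.0.8] [192.168.0.10] TCP: D=135 S=57283 RST WIN=0
[192.168.0.8] [192.168.0.10] TCP: D=22 S=57283 SYN SEQ=2360927338 LEN=0 WIN=3072
[192.168.0.20] [192.168.0.10] TCP: D=80 S=40001 SYN SEQ=5000 LEN=0 WIN=65535
[192.168.0.10] [192.168.0.20] TCP: D=40001 S=80 SYN ACK=5001 SEQ=7000 LEN=0 WIN=65535
[192.168.0.20] [192.168.0.10] TCP: D=80 S=40001 ACK=7001 SEQ=5001 LEN=0 WIN=65535
"""

FLAG_NAMES = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
LINE_RE = re.compile(
    r"^\[(?P<src>[^\]]+)\]\s+\[(?P<dst>[^\]]+)\]\s+TCP:\s+D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return (src, dst, sport, dport, flags) for one trace line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Flag tokens may carry a value ("ACK=2360927339"); the name before '=' is the flag.
    flags = {tok.split("=")[0] for tok in m["rest"].split() if tok.split("=")[0] in FLAG_NAMES}
    return m["src"], m["dst"], int(m["sport"]), int(m["dport"]), flags


def classify_handshakes(trace):
    """Assign each (client, server, server_port, client_port) flow a final handshake state."""
    states = {}
    for line in trace.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        src, dst, sport, dport, flags = parsed
        if "SYN" in flags and "ACK" not in flags:
            # A bare SYN opens a new flow keyed from the client's side.
            states[(src, dst, dport, sport)] = "syn_sent"
            continue
        server_reply = (dst, src, sport, dport)   # packet travelling server -> client
        client_followup = (src, dst, dport, sport)  # packet travelling client -> server
        if server_reply in states:
            cur = states[server_reply]
            if {"SYN", "ACK"} <= flags and cur == "syn_sent":
                states[server_reply] = "syn_ack_received"   # port is open
            elif "RST" in flags and cur == "syn_sent":
                states[server_reply] = "closed"             # port is closed
        elif client_followup in states and states[client_followup] == "syn_ack_received":
            if "RST" in flags:
                states[client_followup] = "half_open_reset"  # the SYN-scan signature
            elif "ACK" in flags:
                states[client_followup] = "established"      # normal third step
    # A SYN that was never answered is what the scanner reports as "filtered".
    return {k: ("unanswered" if v == "syn_sent" else v) for k, v in states.items()}


def scan_summary(states, min_ports=3):
    """Flag clients that probed at least min_ports ports and never completed a handshake."""
    per_src = {}
    for (client, server, port, _cport), state in states.items():
        rec = per_src.setdefault(client, {"counts": defaultdict(int), "ports": set()})
        rec["counts"][state] += 1
        rec["ports"].add((server, port))
    flagged = {}
    for client, rec in per_src.items():
        c = rec["counts"]
        if len(rec["ports"]) >= min_ports and c["established"] == 0:
            flagged[client] = {
                "ports_probed": len(rec["ports"]),
                "half_open_reset": c["half_open_reset"],
                "closed": c["closed"],
                "unanswered": c["unanswered"],
            }
    return flagged


if __name__ == "__main__":
    for client, info in scan_summary(classify_handshakes(SAMPLE_TRACE)).items():
        print(f"likely SYN scanner {client}: {info}")
```

The flow key includes the server port, so a scanner that reuses one source port for every probe (as the capture above shows with S=57283) still yields one flow per target port. The thresholds are deliberately simple; in practice the counts would be windowed by time and compared against a baseline of normal half-open rates.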
Disadvantages of the TCP SYN Scan
The TCP SYN scan requires that nmap have privileged access to the system. Without privileged access, nmap can't create the raw packets necessary for this half-open connection process.
When to use the TCP SYN Scan
The SYN scan is a common scan when looking for open ports on a remote device, and its simple SYN methodology works on all operating systems. Because it only half-opens the TCP connections, it's considered a very 'clean' scan type.
The TCP SYN scan only provides open, closed, or filtered port information. To determine operating system or process version information, more intrusive scanning is required, such as the version scan (-sV) or the operating system fingerprinting (-O) option.
The TCP SYN scan is the most common scan to use because it works on all networks, across all operating systems, and it's invisible to applications. If the SYN scan didn't work, then TCP wouldn't work!
