TCP SYN Ping (-PS [portlist])

A TCP SYN ping uses the same process as nmap's TCP SYN scan to identify a remote device. With the TCP SYN ping, the nmap scanner is looking for a RST from a closed port or a SYN/ACK from an open port. Either result gives nmap proof that an active system resides at that destination IP address.


TCP SYN Ping Operation
The response to a TCP SYN packet on a closed port is usually a RST, and if nmap is lucky enough to ping an open port it will receive a SYN/ACK (to which nmap immediately sends a RST). Of course, either response is all that nmap needs to recognize a system is alive on the other end!

The TCP SYN ping from a privileged user will receive a RST if the port is closed:

Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.5] [192.168.0.3] TCP: D=80 S=44545 SYN SEQ=3017830046 LEN=0 WIN=4096
[192.168.0.3] [192.168.0.5] TCP: D=44545 S=80 RST ACK=3017830047 WIN=0
A TCP SYN ping from a privileged user will receive a SYN/ACK if the port is open, to which nmap will respond with a RST:

Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.5] [192.168.0.3] TCP: D=135 S=40804 SYN SEQ=3181151454 LEN=0 WIN=2048
[192.168.0.3] [192.168.0.5] TCP: D=40804 S=135 SYN ACK=3181151455 SEQ=3723360488 LEN=0 WIN=65535
[192.168.0.5] [192.168.0.3] TCP: D=135 S=40804 RST WIN=0
If the TCP SYN ping type is requested by a non-privileged user, nmap will default to a TCP connect()-style ping. This adjustment occurs without an error message or other notification! The following trace shows the results of a TCP connect()-style ping to an open port; note the third-packet ACK that completes the handshake before the RST:

Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.5] [192.168.0.3] TCP: D=135 S=46558 SYN SEQ=735305937 LEN=0 WIN=5840
[192.168.0.3] [192.168.0.5] TCP: D=46558 S=135 SYN ACK=735305938 SEQ=1935433798 LEN=0 WIN=65535
[192.168.0.5] [192.168.0.3] TCP: D=135 S=46558     ACK=1935433799 WIN<<2=5840
[192.168.0.5] [192.168.0.3] TCP: D=135 S=46558 RST ACK=1935433799 WIN<<2=5840
To prevent any possible initialization of an application session, the TCP SYN ping option should always be run as a privileged user.


Like the TCP ACK ping, the SYN ping can specify individual port numbers delimited with commas. If a port is not specified, port 80 is used by default.


Advantages of the TCP SYN Ping
The TCP SYN ping accomplishes its goal in just a few packets. This minimal amount of network traffic appears to be normal TCP handshake frames. This makes the TCP SYN ping appear almost invisible when compared to normal network traffic.


Disadvantages of the TCP SYN Ping
The TCP SYN ping should run as a privileged user to ensure that no application sessions are started. Unfortunately, the default nmap function for a non-privileged user is to use a TCP connect()-style ping. If the destination station has an open port that matches the TCP SYN ping port, an application session will be initialized and the session will be identified in the application logs.
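As an added example (not part of the original page or of nmap itself), the following Python classifies a captured ping exchange written in the one-line summary format of the traces above: it reports whether the target answered, whether the probed port looked open or closed, and whether the prober completed the three-way handshake, which is the signature of the connect()-style ping that leaves an entry in the application logs. The sample traces are copied from the captures above.

```python
import re
# One-line TCP summary format used by the captures above: "[src] [dst] TCP: D=<dport> S=<sport> <flags...>"
LINE_RE = re.compile(r"^\[(?P<src>[\d.]+)\] \[(?P<dst>[\d.]+)\] TCP: D=(?P<dport>\d+) S=(?P<sport>\d+)(?P<rest>.*)$")
FLAG_WORDS = {"SYN", "RST", "FIN", "PSH", "URG"}

def parse_line(line):
    # Return (src, dst, flags) for one summary line, or None if the line is not in the format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = set()
    for tok in m["rest"].split():
        if tok in FLAG_WORDS:
            flags.add(tok)
        elif tok.startswith("ACK"):  # "ACK=<n>" means the ACK flag is set
            flags.add("ACK")
    return m["src"], m["dst"], flags

def classify_probe(trace):
    # Classify one ping exchange: did the target answer, what did it reveal about the port, and did
    # the prober finish the 3-way handshake (connect()-style) instead of tearing it down with a RST?
    result = {"alive": False, "port": "unknown", "handshake_completed": False}
    pkts = [p for p in map(parse_line, trace.splitlines()) if p]
    if not pkts:
        return result
    prober, target = pkts[0][0], pkts[0][1]   # first packet is the outgoing probe
    saw_synack = False
    for src, dst, flags in pkts:
        if src == target and dst == prober:
            result["alive"] = True
            if {"SYN", "ACK"} <= flags:
                result["port"] = "open"
                saw_synack = True
            elif "RST" in flags:
                result["port"] = "closed"
        elif src == prober and saw_synack and flags == {"ACK"}:
            result["handshake_completed"] = True  # third ACK: session initialized, visible in app logs
    return result

# Sample traces copied from the captures above (privileged SYN ping vs. non-privileged connect() ping)
SYN_PING_OPEN = """\
[192.168.0.5] [192.168.0.3] TCP: D=135 S=40804 SYN SEQ=3181151454 LEN=0 WIN=2048
[192.168.0.3] [192.168.0.5] TCP: D=40804 S=135 SYN ACK=3181151455 SEQ=3723360488 LEN=0 WIN=65535
[192.168.0.5] [192.168.0.3] TCP: D=135 S=40804 RST WIN=0"""
CONNECT_PING_OPEN = """\
[192.168.0.5] [192.168.0.3] TCP: D=135 S=46558 SYN SEQ=735305937 LEN=0 WIN=5840
[192.168.0.3] [192.168.0.5] TCP: D=46558 S=135 SYN ACK=735305938 SEQ=1935433798 LEN=0 WIN=65535
[192.168.0.5] [192.168.0.3] TCP: D=135 S=46558     ACK=1935433799 WIN<<2=5840
[192.168.0.5] [192.168.0.3] TCP: D=135 S=46558 RST ACK=1935433799 WIN<<2=5840"""
```

Run over a capture of your own scans, a `handshake_completed` result on a production host is the sign that nmap was run unprivileged and the target's application saw a real session.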


When to use the TCP SYN Ping
Although the TCP SYN ping can distinguish an open port from a closed one, the port's state doesn't matter for host discovery as long as the device provides some kind of response. The TCP SYN ping is such a normal-looking frame that it can hide quite well beneath the ordinary overhead of network traffic.

Have we made our point yet? Running nmap as a non-privileged user can unknowingly initiate application sessions, unnecessarily using server resources. If nmap will be used on a production network, always run it as a privileged user!