USING NMAP TO PERFORM AN SYN SCAN: The SYN Scan is arguably the most popular Nmap port scan. There are many reasons for its popularity, including the fact that it happens to be the default Nmap scan.

If you run the Nmap command without specifying a scan type (using the –s switch), Nmap will use the SYN scan by default.



Aside from the fact that the SYN scan is the default choice, it is also popular because it is faster than the TCP connect scan and yet remains quite safe,

with little chance of (Denial of Service) DOS’ing or crashing the target system.

SYN scans are faster because rather than completing the entire three-way handshake, it only completes the first two steps of the process.

In an SYN scan, the scanning machine sends an SYN packet to the target and the target responds with an SYN/ACK (assuming the port is in use and not filtered)

just like it did when we ran a TCP Connect scan.

However, at this point, rather than sending the traditional ACK packet, the scanning machine sends an RST (reset) packet to the target.

The reset packet tell the target machine to disregard any previous packets and close the connection between the two machines.


It should be clear that the speed advantage of the SYN scan over the TCP connect scan comes from the fact that there are fewer packets sent between the hosts when using an SYN scan rather than a TCP Connect scan.

Although a few packets may not sound like a big advantage, it can add up quickly when scanning multiple hosts.

If we consider the example of comparing the three-way handshake to a phone call, SYN scans would be like calling someone up,

having the receiver pick up the phone and saying “Hello?”, and then simply hanging up on the person without a single word.

Another advantage to the SYN scan is that in some instance, it provides a level of obscurity or stealth portion of this scan comes from the fact that because the three-way handshake is never fully completed,

the official connection was never 100% established.

There are applications and log files that require the completion of the three-way handshake before they being recording scan never officially competes a single connection,

this scan may be undetected by some applications.

Please not that this is the exception and not the rule. All modern firewall and intrusion detection system in use today will detect and report SYN scan!

Because the SYN scan is the default Nmap scan, we do not technically need to specify the scan type wit the “-s” switch.

However, because this book focuses on the basics, it is worth the effort to get into the habit of specifying your scan type.

To run an SYN scan, you can open terminal window and issue the following command:

Namp –sS   -p-  -Pn

This command is exactly the same as the previous example with one exception rather than using an “-sT”, we used an “-sS”.

This instructs Nmap to run an SYN scan rather than a TCP Connect scan.

The scan types are easy to remember because a TCP connect scan begins with the Letter “T”,

where the SYN scan begins with the letter “S”. Each of the other switches was explained in the section above. Please review the “Using Nmap to Complete TCP Connect Scan”.


If you have any Question Regarding (Using Nmap To Perform an SYN Scan) Let us know in the comment section so we could help you with satisfied answer.

By Patrick Engebretson –SYNGRESS– Using Nmap To Perform an SYN Scan

Related Articles


Leave a Reply

Back to top button