
Nmap: Port Scanning Techniques (SYN, TCP Connect, UDP)

Cyber Security Mastery: From Zero to Hero

In-Depth Port Scanning

Nmap offers several techniques to determine whether a port is open, closed, or filtered.

1. TCP SYN Scan (-sS)

  • The default and most popular scan, often called a 'half-open scan.'
  • Method: Sends only the SYN packet. If it receives a SYN-ACK, it knows the port is open but immediately replies with RST (reset) instead of ACK. This never completes the connection and is often stealthier than a full connect scan.
  • Requires root/administrator privileges.

2. TCP Connect Scan (-sT)

  • Method: Performs a full three-way handshake (SYN, SYN-ACK, ACK).
  • Use Case: When -sS is not possible (e.g., lacking root privileges).
  • Drawback: Much louder and easier for an IDS/IPS to detect, because every probe completes a full connection.

3. UDP Scan (-sU)

  • Method: Sends a UDP packet to the port. If an ICMP 'Port Unreachable' error comes back, the port is closed. If nothing comes back, Nmap cannot tell open from filtered and reports the port as open|filtered.
  • Drawback: Very slow, since an open UDP port is under no obligation to respond, so Nmap must wait for a timeout on every silent port.
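The three techniques above each leave a distinct handshake pattern on the wire, which is what a defender looks for in flow logs. The following Python script is an added example, not part of the course material: it classifies constructed flow records (a SYN-only probe answered with RST, a completed three-way handshake, UDP probes with and without ICMP replies) and flags sources that touch many ports. The record format and the label names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample trace (not captured traffic). Each tuple is
# (src, dst, proto, dport, sender, msg); sender "c" = src host, "t" = dst host.
SAMPLE_EVENTS = [
    # 10.0.0.5 behaves like a SYN scan: SYN, then RST after SYN-ACK, never ACK.
    ("10.0.0.5", "10.0.0.20", "tcp", 22, "c", "SYN"),
    ("10.0.0.5", "10.0.0.20", "tcp", 22, "t", "SYN-ACK"),
    ("10.0.0.5", "10.0.0.20", "tcp", 22, "c", "RST"),
    ("10.0.0.5", "10.0.0.20", "tcp", 80, "c", "SYN"),
    ("10.0.0.5", "10.0.0.20", "tcp", 80, "t", "RST-ACK"),   # closed port
    ("10.0.0.5", "10.0.0.20", "tcp", 443, "c", "SYN"),      # no reply at all
    # 10.0.0.9 is an ordinary client completing the three-way handshake.
    ("10.0.0.9", "10.0.0.20", "tcp", 443, "c", "SYN"),
    ("10.0.0.9", "10.0.0.20", "tcp", 443, "t", "SYN-ACK"),
    ("10.0.0.9", "10.0.0.20", "tcp", 443, "c", "ACK"),
    # 10.0.0.7 sends UDP probes: one answered, one ICMP unreachable, one silent.
    ("10.0.0.7", "10.0.0.20", "udp", 53, "c", "UDP"),
    ("10.0.0.7", "10.0.0.20", "udp", 53, "t", "UDP"),
    ("10.0.0.7", "10.0.0.20", "udp", 123, "c", "UDP"),
    ("10.0.0.7", "10.0.0.20", "udp", 123, "t", "ICMP-UNREACH"),
    ("10.0.0.7", "10.0.0.20", "udp", 161, "c", "UDP"),
]

def classify_flow(proto, msgs):
    """Label one (src, dst, proto, dport) flow from its list of (sender, msg)."""
    client = {m for s, m in msgs if s == "c"}
    target = {m for s, m in msgs if s == "t"}
    if proto == "udp":
        return ("udp_closed" if "ICMP-UNREACH" in target
                else "udp_open" if "UDP" in target else "udp_open|filtered")
    if "ACK" in client:
        return "tcp_connect"      # full handshake: -sT style, or a real client
    if "SYN-ACK" in target and "RST" in client:
        return "tcp_half_open"    # SYN-ACK answered with RST: the -sS signature
    if "RST-ACK" in target:
        return "tcp_closed"       # target refused; same for -sS and -sT
    return "tcp_no_reply" if "SYN" in client else "other"

def suspected_scanners(events, min_ports=3):
    """Tally flow labels per source and return hosts touching >= min_ports ports."""
    flows = defaultdict(list)
    for src, dst, proto, dport, sender, msg in events:
        flows[(src, dst, proto, dport)].append((sender, msg))
    tally = defaultdict(lambda: defaultdict(int))
    for (src, _dst, proto, _dport), msgs in flows.items():
        tally[src][classify_flow(proto, msgs)] += 1
    return {src: dict(labels) for src, labels in tally.items()
            if sum(labels.values()) >= min_ports}
```

A connect scan (-sT) shows up in the same tally as many tcp_connect flows from one source, which is why it is the easier of the two TCP techniques to spot.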