SYN (Stealth) Scan (`-sS`) with Nmap
Introduction to Nmap and SYN Scan
Nmap (Network Mapper) is one of the most powerful and widely used network scanning tools. It is used for discovering hosts, mapping networks, identifying open ports, and determining the services running on a system. One of the most commonly used scanning techniques in Nmap is the SYN scan, invoked using the `-sS` option.
SYN scans, often referred to as stealth scans, are preferred by penetration testers and network administrators because they can detect open ports without establishing a full connection. This makes them faster and less likely to be logged by the target system compared to other types of scans.
This article will explore the mechanics, advantages, detection, and countermeasures related to SYN scans in Nmap.
How SYN Scan (`-sS`) Works
The SYN scan takes advantage of the three-way handshake process used in TCP connections:
- The scanner (Nmap) sends a SYN (synchronize) packet to a target port.
- If the port is open, the target system responds with a SYN-ACK (synchronize-acknowledge) packet.
- Instead of completing the handshake with an ACK (acknowledge), the scanning host answers the SYN-ACK with an RST packet (Nmap never sends the final ACK), so no full connection is established.
- If the port is closed, the target responds with an RST (reset) packet.
- If there is no response or an ICMP unreachable message is received, the port is considered filtered (possibly blocked by a firewall).
Because the handshake is never fully completed, SYN scans are harder to detect in system logs and are often referred to as half-open scans.
Why Use SYN Scan?
SYN scans are widely used because they offer multiple advantages:
- Speed: Since it does not complete the three-way handshake, a SYN scan is much faster than a full connection (`-sT`) scan.
- Stealth: They are less likely to be logged because no full connection is established, reducing the chances of detection.
- Effectiveness: They work against most targets unless strict firewall rules or intrusion detection systems (IDS) are in place.
Running a SYN Scan with Nmap
To perform a basic SYN scan, use the following command:
```bash
nmap -sS <target>
```
For example, to scan a specific host (e.g., 192.168.1.1):
```bash
nmap -sS 192.168.1.1
```
Scanning Specific Ports
To scan only specific ports (e.g., ports 22, 80, and 443):
```bash
nmap -sS -p 22,80,443 192.168.1.1
```
Performing a SYN Scan on a Subnet
If scanning an entire subnet:
```bash
nmap -sS 192.168.1.0/24
```
Increasing Stealth with Decoys
To make detection harder, use decoys with the `-D` option:
```bash
nmap -sS -D RND:10 192.168.1.1
```
This makes it appear as if multiple hosts (randomly chosen) are scanning the target.
Aggressive SYN Scan with Version Detection
To gather more details about running services:
```bash
nmap -sS -sV 192.168.1.1
```
This enables service version detection to provide more information about detected ports.
SYN Scan vs. Other Scan Types
| Scan Type | Command | Characteristics |
|---|---|---|
| SYN Scan | `-sS` | Stealthy, fast, does not establish a full connection |
| TCP Connect Scan | `-sT` | Fully establishes connections, more detectable |
| UDP Scan | `-sU` | Used for scanning UDP ports, slower than SYN scans |
| FIN Scan | `-sF` | Sends FIN packets instead of SYN; useful for bypassing firewalls |
| XMAS Scan | `-sX` | Sends FIN, PSH, and URG flags; works on certain systems |
| NULL Scan | `-sN` | Sends packets with no flags; effective against certain targets |
Detecting SYN Scans
While SYN scans are stealthier than full connection scans, they are not completely undetectable. Security tools such as Intrusion Detection Systems (IDS) and firewalls can log unusual patterns of SYN packets.
Common ways to detect SYN scans:
- System Logs: Firewalls and IDS like Snort or Suricata can log incomplete SYN handshakes.
- TCP SYN Rate Monitoring: Unusual spikes in incoming SYN packets from a single source can indicate scanning activity.
- Firewall Rules: Modern firewalls can flag excessive SYN packets as potential reconnaissance activity.
Example using tcpdump to monitor SYN packets (this filter matches any packet with the SYN flag set, so it shows the SYN-ACK replies as well as the incoming probes):
```bash
tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'
```
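The two signals listed above, one source sending SYNs to an unusual number of ports and handshakes that are reset instead of acknowledged, can be checked offline over captured traffic. The script below is an added example, not code from the article: it parses constructed tcpdump-style lines (layout assumed to match `tcpdump -nn` output with every TCP flag captured, not only the SYNs the filter above selects) and flags sources showing either pattern; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -nn` output (assumed layout, not real traffic):
# 10.0.0.7 probes four ports half-open style, 10.0.0.9 completes one ordinary handshake.
SAMPLE_LINES = """\
10:00:01.000100 IP 10.0.0.7.40001 > 10.0.0.5.22: Flags [S], seq 1, win 1024, length 0
10:00:01.000200 IP 10.0.0.5.22 > 10.0.0.7.40001: Flags [S.], seq 9, ack 2, win 65535, length 0
10:00:01.000300 IP 10.0.0.7.40001 > 10.0.0.5.22: Flags [R], seq 2, win 0, length 0
10:00:01.000400 IP 10.0.0.7.40002 > 10.0.0.5.80: Flags [S], seq 1, win 1024, length 0
10:00:01.000500 IP 10.0.0.5.80 > 10.0.0.7.40002: Flags [S.], seq 9, ack 2, win 65535, length 0
10:00:01.000600 IP 10.0.0.7.40002 > 10.0.0.5.80: Flags [R], seq 2, win 0, length 0
10:00:01.000700 IP 10.0.0.7.40003 > 10.0.0.5.3306: Flags [S], seq 1, win 1024, length 0
10:00:01.000800 IP 10.0.0.5.3306 > 10.0.0.7.40003: Flags [R.], seq 0, ack 2, win 0, length 0
10:00:01.000900 IP 10.0.0.7.40004 > 10.0.0.5.8080: Flags [S], seq 1, win 1024, length 0
10:00:02.000000 IP 10.0.0.9.51000 > 10.0.0.5.443: Flags [S], seq 10, win 64240, length 0
10:00:02.000100 IP 10.0.0.5.443 > 10.0.0.9.51000: Flags [S.], seq 20, ack 11, win 65535, length 0
10:00:02.000200 IP 10.0.0.9.51000 > 10.0.0.5.443: Flags [.], ack 21, win 502, length 0
""".splitlines()

LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def analyze(lines, port_threshold=4):
    """Per source: distinct ports sent a SYN, half-open handshakes (SYN-ACK answered by RST), verdict."""
    ports = defaultdict(set)      # src -> destination ports it sent a SYN to
    half_open = defaultdict(int)  # src -> handshakes it reset instead of ACKing
    pending = {}                  # (client, cport, server, sport) -> "syn" | "synack"
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":                        # bare SYN: a new probe from src
            ports[src].add(int(dport))
            pending[(src, sport, dst, dport)] = "syn"
        elif flags == "S.":                     # SYN-ACK: the server says the port is open
            key = (dst, dport, src, sport)
            if pending.get(key) == "syn":
                pending[key] = "synack"
        elif pending.pop((src, sport, dst, dport), None) == "synack":
            if "R" in flags:                    # RST where the final ACK belongs: half-open signature
                half_open[src] += 1
    return {src: {"ports": len(p), "half_open": half_open[src],
                  "suspicious": len(p) >= port_threshold or half_open[src] >= 2}
            for src, p in ports.items()}
```

Calling `analyze(SAMPLE_LINES)` reports 10.0.0.7 as suspicious on both counts (four ports probed, two handshakes reset) and the ordinary client 10.0.0.9 as clean.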
Defending Against SYN Scans
To protect against SYN scans, administrators can use the following strategies:
1. Configure Firewalls
Dropping new inbound connection attempts (SYN packets) that no earlier rule has accepted, with iptables. This rule matches every incoming SYN, so it must come after the ACCEPT rules for the services you intend to expose; otherwise it blocks all new inbound TCP connections:
```bash
iptables -A INPUT -p tcp --syn -j DROP
```
2. Use Intrusion Detection Systems (IDS)
Deploy an IDS like Snort with a SYN scan rule. `flags:S` matches packets with only the SYN flag set, and `sid`/`rev` identify the rule; without a threshold the rule fires on every ordinary connection attempt, so Snort's `detection_filter` is used here to alert only when one source exceeds a SYN count within a time window (the count and window are example values):
```
alert tcp any any -> any any (msg:"Possible SYN scan detected"; flags:S; detection_filter: track by_src, count 20, seconds 60; sid:1000001; rev:1;)
```
3. Implement SYN Flood Protection
Using SYN cookies to mitigate excessive SYN requests (set `net.ipv4.tcp_syncookies = 1` in `/etc/sysctl.conf` to make it persistent across reboots):
```bash
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
```
4. Enable Port Knocking
Port knocking ensures that only authorized users can access services by requiring a predefined sequence of connection attempts before opening a port.
Conclusion
The SYN scan (`-sS`) is a powerful and stealthy scanning technique used by security professionals and attackers alike. It offers a fast, efficient way to discover open ports while minimizing detection risks. However, with proper security measures, including firewall rules, IDS monitoring, and SYN flood protections, network administrators can defend against unauthorized SYN scanning activities.
Understanding how SYN scanning works is essential for both ethical hackers and security teams, helping to assess vulnerabilities and strengthen network defenses against reconnaissance attempts.