TCP Connect Scan (`-sT`) with Nmap

Learn about TCP Connect Scan (-sT) in Nmap, including its functionality, advantages, limitations, and best use cases.

Introduction

Network security professionals, ethical hackers, and system administrators rely on Nmap (Network Mapper) to perform security assessments and network diagnostics. Nmap provides various scanning techniques to discover hosts and services on a network. One of the most fundamental and widely used scanning methods is TCP Connect Scan, denoted by the -sT flag. This article explores TCP Connect Scan in depth, including its functionality, advantages, limitations, and best use cases.

Understanding TCP Connect Scan (-sT)

TCP Connect Scan (-sT) is one of the most basic types of port scanning techniques provided by Nmap. It operates by leveraging the three-way handshake mechanism of the TCP (Transmission Control Protocol). The scan follows these steps:

  1. SYN Packet Sent: The scanner (Nmap) sends a TCP SYN (synchronize) packet to initiate a connection with the target system.
  2. SYN-ACK or RST Response:
    • If the port is open, the target system responds with a SYN-ACK (synchronize-acknowledge).
    • If the port is closed, the target system responds with an RST (reset) packet.
  3. ACK or Connection Termination:
    • If a SYN-ACK is received, Nmap completes the handshake by sending an ACK (acknowledge) packet.
    • Immediately after, Nmap sends an RST packet to tear the connection down, so that it is not left open and no application data is exchanged.

Key Features of TCP Connect Scan

  • Relies on the Operating System’s TCP Stack: Unlike SYN Scan (-sS), which requires raw socket privileges, TCP Connect Scan depends on the operating system’s built-in TCP stack to establish and close connections.
  • Completes the Three-Way Handshake: Unlike a stealthier SYN scan, a TCP Connect Scan actually completes the handshake before closing the connection.
  • Works Without Root Privileges: Since it uses standard system calls to establish connections, non-root users can execute this scan.
  • Detects Open, Closed, and Filtered Ports: If a firewall blocks a port, the target may silently drop the packets or respond with an ICMP error; in either case no handshake completes and Nmap reports the port as filtered.
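To make the handshake and the open/closed/filtered classification concrete, here is a minimal connect scan written for this article (it is not Nmap's own code). It uses only the OS TCP stack through connect(), so it runs without raw sockets or root privileges; the loopback listener and the scan_ports/classify_port names are assumptions for the demo.

```python
import errno
import socket

# Added example, not Nmap's own code: a minimal connect scan that classifies a
# port the way -sT does, using only the OS TCP stack through connect(), so it
# needs neither raw sockets nor root privileges.


def classify_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for host:port, as -sT reports it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except socket.timeout:
            return "filtered"
        if rc == 0:
            # SYN, SYN-ACK, ACK completed. Leaving the 'with' block closes the
            # socket at once, tearing the connection down without sending data.
            return "open"
        if rc == errno.ECONNREFUSED:
            return "closed"   # the target answered the SYN with an RST
        # Anything else (EAGAIN/EWOULDBLOCK on timeout, EHOSTUNREACH or
        # ENETUNREACH from an ICMP error): no handshake and no RST, which
        # Nmap reports as filtered.
        return "filtered"


def scan_ports(host, ports, timeout=1.0):
    """Scan the requested ports and return {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}


def local_listener():
    """Demo helper: a listening socket on an OS-chosen loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    srv = local_listener()
    port = srv.getsockname()[1]
    for p, state in scan_ports("127.0.0.1", [port, port + 1]).items():
        print(f"127.0.0.1:{p} {state}")   # the listener's port reports open
    srv.close()
```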

Running TCP Connect Scan with Nmap

To perform a TCP Connect Scan using Nmap, use the following command:

nmap -sT <target>

Replace <target> with the IP address or domain name of the host you want to scan. You can also scan multiple targets or specify a range of IPs.

Example Usage

  1. Scanning a Single Host:

    nmap -sT 192.168.1.1

  2. Scanning a Specific Range of Ports:

    nmap -sT -p 20-100 192.168.1.1

  3. Scanning a Subnet:

    nmap -sT 192.168.1.0/24

  4. Saving the Results to a File:

    nmap -sT -oN scan_results.txt 192.168.1.1

Advantages of TCP Connect Scan

1. No Root Privileges Required

Since TCP Connect Scan utilizes system calls (connect() in UNIX/Linux), users do not need administrative or root access to perform the scan.

2. Reliable Detection of Open Ports

By completing the handshake, TCP Connect Scan accurately determines whether a port is open or closed.

3. Works in All Network Conditions

Unlike SYN scans (-sS), which might be blocked by firewalls or intrusion prevention systems, TCP Connect Scan works even in restricted environments where raw packet sending is not possible.

4. Easy to Implement and Understand

The method is straightforward, making it ideal for beginners learning about network scanning.

Limitations of TCP Connect Scan

1. Easily Detectable

Since TCP Connect Scan completes the three-way handshake, it is logged by most firewalls and intrusion detection systems (IDS). This makes it easy for network administrators to detect and block the scan.

2. Slower Than SYN Scan (-sS)

Because TCP Connect Scan establishes and terminates actual connections, it is slower compared to SYN Scan, which only sends a single SYN packet and waits for a response.

3. May Trigger Security Mechanisms

Some systems may rate-limit or block IPs performing multiple connection attempts, leading to inaccurate scan results.

TCP Connect Scan vs. SYN Scan (-sS)

Feature                 | TCP Connect Scan (-sT)            | SYN Scan (-sS)
------------------------|-----------------------------------|--------------------------------------------
Privilege Level         | Works without root privileges     | Requires root privileges
Stealth Level           | Easily detectable                 | More stealthy (does not complete handshake)
Performance             | Slower (completes full handshake) | Faster (sends only SYN packets)
Firewall Evasion        | More likely to be blocked         | Less likely to be blocked
Port Detection Accuracy | High (establishes connections)    | High, but firewalls may drop packets

Best Use Cases for TCP Connect Scan

  1. When Running Nmap Without Root Access: Ideal for situations where administrative privileges are not available.
  2. When You Need Complete and Reliable Port Status Information: TCP Connect Scan leaves no ambiguity in determining open and closed ports.
  3. For Internal Network Scanning: In trusted environments where stealth is not a concern, TCP Connect Scan can be an effective way to map network services.
  4. When Testing Firewall or IDS Logging: Since it is easily detected, TCP Connect Scan is useful for testing security logging and monitoring configurations.
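Because a connect scan completes the handshake, every probed port shows up in connection logs as a separate new connection from one source, which is exactly what a detection rule can key on. The following detector is an added example for this article (not from Nmap or any logging product); the log line format, the sample lines and the find_scanners/parse_line names are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the original article: a detector for the trace a
# connect scan leaves in connection logs. Each probed port appears as its own
# NEW connection from one source. The line format is a constructed one.

LINE_RE = re.compile(r"^(?P<ts>\S+) NEW src=(?P<src>[\d.]+) "
                     r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_scanners(lines, window_s=60, min_ports=10):
    """Map each source that reached at least min_ports distinct ports on one
    destination within window_s seconds to the largest such port count."""
    events = defaultdict(list)                 # (src, dst) -> [(ts, dport)]
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, dport = rec
            events[(src, dst)].append((ts, dport))
    hits = {}
    for (src, dst), recs in events.items():
        recs.sort()
        lo = 0
        for hi in range(len(recs)):
            # Advance the window start until recs[lo:hi+1] spans <= window_s.
            while (recs[hi][0] - recs[lo][0]).total_seconds() > window_s:
                lo += 1
            distinct = {dport for _, dport in recs[lo:hi + 1]}
            if len(distinct) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


# Constructed sample: 10.0.0.5 walks ports 20-100 on 10.0.0.20 in 40 seconds
# (the footprint of "nmap -sT -p 20-100"); 10.0.0.9 is a normal HTTPS client.
SAMPLE_LOG = [f"2024-01-01T10:00:{i // 2:02d} NEW src=10.0.0.5 dst=10.0.0.20 "
              f"dport={p}" for i, p in enumerate(range(20, 101))]
SAMPLE_LOG += [f"2024-01-01T10:0{i}:00 NEW src=10.0.0.9 dst=10.0.0.20 dport=443"
               for i in range(5)]
```

Calling find_scanners(SAMPLE_LOG) flags only 10.0.0.5; raising min_ports or shrinking window_s tunes the rule to the environment's normal connection patterns.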

How to Reduce Detection and Avoid Blocking

If you need to make your scan less conspicuous, consider these tactics:

  • Use Decoy Hosts (``): Spoof additional IPs to obscure your real scanning source.
  • Throttle Scan Speed (``): Lower the scan speed (-T1 or -T2) to reduce suspicion.
  • Use Randomized Ports (``): Avoid scanning ports in sequential order to bypass simple intrusion detection heuristics.
  • Scan Over a VPN or Proxy (``): Hide your scanning source by routing traffic through an intermediate network.

Conclusion

TCP Connect Scan (-sT) is one of the most fundamental scanning techniques in Nmap’s arsenal. While it is slower and more detectable than SYN Scan (-sS), it remains a reliable choice when running scans without administrative privileges or in environments where raw packet manipulation is not possible. Understanding its strengths and limitations allows security professionals to use it effectively and responsibly.

For deeper network assessments, combining TCP Connect Scan with other Nmap options—such as OS detection (-O), service version detection (-sV), and aggressive scanning (-A)—can provide comprehensive insights into a target network’s security posture.