TCP SYN Ping (`-PS`) with Nmap
Categories:
5 minute read
Introduction
Network administrators, penetration testers, and cybersecurity professionals often use Nmap (Network Mapper) to discover hosts on a network and assess their security. One of the essential techniques in Nmap is host discovery, which determines if a system is online before scanning its ports and services. Among the various host discovery techniques, TCP SYN Ping (-PS) stands out as an efficient and stealthy method.
In this article, we will explore what TCP SYN Ping is, how it works, its advantages, practical usage with Nmap, and how it compares to other host discovery techniques.
What is TCP SYN Ping (-PS)?
TCP SYN Ping (-PS) is a method in Nmap used to check whether a target host is online. It works by sending TCP SYN packets to specified ports on the target machine. If the target responds with a TCP SYN-ACK, it indicates that the system is online. If there is no response or an RST (Reset) packet, it may indicate that the system is down or that the port is closed.
This method is particularly useful when ICMP (ping) is blocked by firewalls or security policies, as it allows discovery of hosts through TCP traffic.
How Does TCP SYN Ping Work?
The TCP SYN Ping technique follows these steps:
- Nmap sends a TCP SYN packet to a specified port (or multiple ports) on the target host.
- If the target is online and the port is open, it responds with a TCP SYN-ACK.
- If the target is online but the port is closed, it responds with a TCP RST (Reset).
- If the target is offline, there will be no response.
- If a firewall or IDS is blocking the probe, the request might be dropped, and there will be no response.
Nmap then determines whether the host is online based on the response it receives.
Advantages of TCP SYN Ping
1. Bypasses ICMP Restrictions
Many firewalls and routers block ICMP echo requests (standard ping). Since TCP traffic is necessary for most applications, TCP SYN Ping is more likely to reach the target.
2. Stealthier than Full TCP Handshake
Unlike a full TCP three-way handshake, where a final ACK is sent, TCP SYN Ping does not complete the connection. This reduces the likelihood of detection in logs, making it a preferred technique in stealth scanning.
3. Allows Targeted Port Selection
TCP SYN Ping lets you choose which ports to probe, making it adaptable to different environments. For example, scanning commonly open ports like 80 (HTTP), 443 (HTTPS), or 22 (SSH) increases the chances of reaching an active host.
4. Works with Firewalled Hosts
If a firewall blocks ICMP but allows TCP connections on certain ports, TCP SYN Ping can still determine host availability.
How to Use TCP SYN Ping with Nmap
Basic Usage
To send a TCP SYN Ping to a single target using the default port (80):
nmap -PS 192.168.1.1
This sends a SYN packet to port 80 (HTTP) on the target.
Specifying Ports
You can specify one or multiple ports by separating them with commas:
nmap -PS22,80,443 192.168.1.1
This sends SYN packets to ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) on the target.
Scanning a Range of Hosts
To scan an entire subnet for live hosts:
nmap -PS22,443 192.168.1.0/24
This sends SYN packets to ports 22 and 443 for every IP in the 192.168.1.0/24 subnet.
Combining with Other Scan Types
You can combine TCP SYN Ping with other Nmap scan types for more comprehensive results:
nmap -PS22,80,443 -sS 192.168.1.1
Here, -sS (SYN scan) is used after discovering which hosts are online.
Aggressive Timing for Faster Scans
To speed up the scan using an aggressive timing template:
nmap -PS22,80,443 -T4 192.168.1.1
The -T4 option increases scanning speed while balancing accuracy.
Evading Firewalls and IDS
To randomize source ports and avoid detection:
nmap -PS22,80,443 --source-port 53 192.168.1.1
This makes it appear as if the scan originates from port 53 (DNS), which some firewalls may allow.
Comparing TCP SYN Ping with Other Nmap Discovery Methods
| Method | Description | Pros | Cons |
|---|---|---|---|
-PS (TCP SYN Ping) | Sends SYN packets to specified ports. | Bypasses ICMP filters, stealthy | May be blocked by firewalls |
-PA (TCP ACK Ping) | Sends TCP ACK packets to check for live hosts. | Detects firewall rules, bypasses some filters | Does not detect closed ports |
-PE (ICMP Echo Ping) | Standard ping using ICMP echo requests. | Simple, efficient | Blocked by many firewalls |
-PP (ICMP Timestamp Ping) | Uses ICMP timestamp requests. | Useful in certain network setups | Rarely allowed |
-PM (ICMP Netmask Ping) | Requests network mask via ICMP. | Works in limited cases | Often blocked |
TCP SYN Ping is often preferable when ICMP is blocked but TCP connections are allowed.
Limitations of TCP SYN Ping
While effective, TCP SYN Ping has some drawbacks:
- Blocked Ports: If the specified port is blocked by a firewall, the probe may fail.
- Intrusion Detection Systems (IDS): Some IDS solutions detect and log SYN probes.
- No Response ≠ Offline: If the target is using a firewall with stealth rules, lack of a response does not necessarily mean the host is down.
- Network Noise: Repeated use can generate noticeable traffic, potentially triggering alerts.
Conclusion
TCP SYN Ping (-PS) is a powerful and flexible host discovery technique in Nmap that provides an alternative to ICMP-based scanning. It is particularly useful in environments where firewalls restrict ICMP traffic but allow TCP connections on certain ports.
By selecting appropriate ports and combining it with other Nmap features, users can efficiently detect live hosts while maintaining a degree of stealth. However, like any scanning technique, it must be used responsibly and within legal boundaries.
For security professionals, mastering TCP SYN Ping is essential for effective reconnaissance and network security assessments.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.