Dino Geek, try to help you

What is SYN port scanning in NMAP?


SYN port scanning, sometimes also referred to as “half-open scanning” or “stealth scanning,” is a technique used in NMAP (Network Mapper), a prominent open-source network scanning tool. It forms part of the reconnaissance phase of the ethical hacking or penetration testing lifecycle, and aims to identify open ports without fully establishing a TCP (Transmission Control Protocol) connection.

The technique builds on the standard three-way handshake of TCP/IP. Normally, a three-way handshake involves a client sending a SYN (synchronize) packet to request a connection with a server, the server replying with a SYN-ACK (synchronize-acknowledge), and finally the client sending an ACK (acknowledge). A SYN scan deliberately stops short of completing this process in order to stay under the radar.

In this method, as described in NMAP’s official documentation, NMAP sends a SYN packet as if it were requesting a real connection. After receiving the SYN-ACK packet from the target system, instead of sending the ACK packet that would complete the connection, NMAP sends a RST (reset) packet or does not respond at all. The connection is therefore left half-open, never fully established or cleanly terminated, which can help evade detection by some intrusion detection systems.

If the port is open, the server responds with a SYN-ACK packet. If the port is closed, it responds with a RST packet. In this way, a SYN scan identifies the open ports on the target system without the connection ever appearing in the server’s records, since it is never completed.
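Added example (not from the article or from the Nmap project): a small Python trace analyser, run over a constructed packet log, that applies the response rules above from both sides. It labels each probed port open, closed or filtered the way a SYN scanner would, and flags a source that probes several ports without ever completing a handshake, which is the half-open pattern a defender would look for.

```python
from collections import defaultdict

# Constructed trace (not a real capture): "time src:port > dst:port flags" with
# S=SYN, A=ACK, R=RST. 10.0.0.5 probes 10.0.0.9 half-open style; 10.0.0.7 is a
# normal client that completes its handshake on port 443.
TRACE = """\
1.00 10.0.0.5:40001 > 10.0.0.9:22 S
1.01 10.0.0.9:22 > 10.0.0.5:40001 SA
1.02 10.0.0.5:40001 > 10.0.0.9:22 R
1.06 10.0.0.5:40003 > 10.0.0.9:23 S
1.07 10.0.0.9:23 > 10.0.0.5:40003 RA
1.08 10.0.0.5:40004 > 10.0.0.9:8080 S
2.00 10.0.0.7:51000 > 10.0.0.9:443 S
2.01 10.0.0.9:443 > 10.0.0.7:51000 SA
2.02 10.0.0.7:51000 > 10.0.0.9:443 A
"""

def flows_from(trace):
    """Group packets into client-initiated flows, tagging each packet's direction."""
    flows = {}
    for line in trace.splitlines():
        _, src, _, dst, flags = line.split()
        (sip, sport), (dip, dport) = src.rsplit(":", 1), dst.rsplit(":", 1)
        c2s, s2c = (sip, sport, dip, dport), (dip, dport, sip, sport)
        if flags == "S":                 # a bare SYN opens a new flow
            flows[c2s] = {"S"}
        elif s2c in flows:               # server's reply on that flow
            flows[s2c].add("srv_" + flags)
        elif c2s in flows:               # client's follow-up on its own flow
            flows[c2s].add("cli_" + flags)
    return flows
def summarise(trace):
    """Per source: what each probed port answered and whether any handshake completed."""
    per_src = defaultdict(lambda: dict(ports=set(), open=0, closed=0, filtered=0, completed=0))
    for (sip, _, _, dport), ev in flows_from(trace).items():
        s = per_src[sip]
        s["ports"].add(dport)
        if "srv_SA" in ev and "cli_A" in ev:
            s["completed"] += 1          # full three-way handshake: a real client
        elif "srv_SA" in ev:
            s["open"] += 1               # SYN-ACK seen but never ACKed (RST instead): open, half-open probe
        elif any(e.startswith("srv_R") for e in ev):
            s["closed"] += 1             # server answered with RST: closed
        else:
            s["filtered"] += 1           # no answer at all: Nmap reports such a port as filtered
    return per_src
def suspects(trace, min_ports=3):
    """Sources that touched >= min_ports distinct ports without completing a handshake."""
    return {sip: {k: v for k, v in s.items() if k != "ports"}
            for sip, s in summarise(trace).items()
            if len(s["ports"]) >= min_ports and s["completed"] == 0}
```

On the constructed trace, suspects(TRACE) reports 10.0.0.5 with one open, one closed and one filtered port and no completed handshake, while the ordinary client 10.0.0.7 is not flagged.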

The effectiveness of SYN scanning is documented in numerous sources, including “Network Scanning: A New Feature of Computer Viruses” (Symantec) and “Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics” (Computer security journal). Indeed, SYN scanning is often used by attackers for network reconnaissance. However, its detection can be complicated, as there are legitimate reasons for half-open connections.

The SYN scan is the default scanning technique used by NMAP when the user has sufficient privileges to create raw packets. For example, the command ‘nmap -sS [target]’ will initiate a SYN scan.

By providing an efficient and non-intrusive mechanism for determining active ports, SYN scans form a critical component of the network penetration tester’s toolkit.

Sources:
- NMAP Official Documentation: https://nmap.org/book/man-port-scanning-techniques.html
- Symantec: https://www.symantec.com/connect/articles/network-scanning-new-feature-computer-viruses
- Insecure.org – Computer security journal: https://nmap.org/papers/hobbit-netevasion.html

