The -sS option in NMAP (Network Mapper) is known as the TCP SYN scan, or more commonly "half-open scanning". The name comes from the way this method operates: it takes advantage of the TCP/IP connection-setup process to probe targets without ever completing a connection.
The NMAP Network Scanning book, published by the creator of NMAP, Gordon Lyon, explains how SYN scanning works. First, a standard TCP connection is established through a three-way handshake. The client initiates the connection by sending a SYN packet to the server. If the port is open and accepting connections, the server responds with a SYN/ACK (Synchronize/Acknowledgment) packet. The client then completes the connection with an ACK (Acknowledgment) packet.
The TCP SYN scan changes this workflow. Instead of completing the connection with an ACK packet, NMAP with -sS sends an RST (Reset) packet to tear the connection down after receiving a SYN/ACK from the target. NMAP therefore never completes the TCP connection, hence the name "half-open scanning". Sending an RST instead of an ACK helps avoid having the connection logged on the target system, resulting in a faster and less noticeable scan.
According to the official NMAP man page, the TCP SYN scan is the default and most popular scan option because it performs quickly, bypasses some firewall restrictions, and does not require administrative privileges.
For example, if you wanted to quickly scan for open ports on a target system, the syntax would appear as follows: `nmap -sS target_IP`. This command would initiate a TCP SYN scan against the target system, outputting any open ports that the system may have.
However, keep in mind that while -sS can help reduce visibility to Intrusion Detection Systems (IDS), it is not entirely stealthy: some more advanced IDSs are able to pick up these half-open connections.
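To make both points concrete (how NMAP reads the replies to its SYN probes, and how a monitor can spot the SYN, SYN/ACK, RST pattern that never sees a final ACK), here is an added example in Python. It is not code from NMAP or from the book; the packet records, the addresses 10.0.0.5/10.0.0.7/10.0.0.9 and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample packets (src, dst, dport, TCP flags); not real traffic.
# 10.0.0.5 behaves like `nmap -sS 10.0.0.9`; 10.0.0.7 completes a normal handshake.
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 22, "S"), ("10.0.0.9", "10.0.0.5", 22, "SA"), ("10.0.0.5", "10.0.0.9", 22, "R"),
    ("10.0.0.5", "10.0.0.9", 80, "S"), ("10.0.0.9", "10.0.0.5", 80, "SA"), ("10.0.0.5", "10.0.0.9", 80, "R"),
    ("10.0.0.5", "10.0.0.9", 443, "S"), ("10.0.0.9", "10.0.0.5", 443, "R"),     # closed port answers RST
    ("10.0.0.5", "10.0.0.9", 8080, "S"),                                         # no reply at all
    ("10.0.0.7", "10.0.0.9", 80, "S"), ("10.0.0.9", "10.0.0.7", 80, "SA"), ("10.0.0.7", "10.0.0.9", 80, "A"),
]

def flows(packets):
    """Group packets into (client, server, port) flows; the client is whoever sent the SYN."""
    seq = {}
    for src, dst, port, flags in packets:
        for key in ((src, dst, port), (dst, src, port)):
            if key in seq:
                seq[key].append((src, flags))
                break
        else:
            if flags == "S":                      # a bare SYN opens a new flow
                seq[(src, dst, port)] = [(src, flags)]
    return seq

def port_state(flow):
    """Apply the SYN-scan rules: SYN/ACK means open, RST means closed, silence means filtered."""
    client = flow[0][0]
    replies = [f for who, f in flow if who != client]
    if not replies:
        return "filtered"
    return "open" if replies[0] == "SA" else "closed" if replies[0] == "R" else "filtered"

def scan_results(packets, scanner, target):
    """What the scanner learns about each probed port on the target."""
    return {port: port_state(flow) for (c, s, port), flow in flows(packets).items()
            if c == scanner and s == target}

def half_open_sources(packets, threshold=2):
    """Detection side: clients that answered a SYN/ACK with RST and never sent the final ACK."""
    counts = defaultdict(int)
    for (client, _, _), flow in flows(packets).items():
        sent = [f for who, f in flow if who == client]
        got_synack = any(who != client and f == "SA" for who, f in flow)
        if got_synack and "R" in sent and "A" not in sent:
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(scan_results(PACKETS, "10.0.0.5", "10.0.0.9"))   # {22: 'open', 80: 'open', 443: 'closed', 8080: 'filtered'}
    print(half_open_sources(PACKETS))                       # {'10.0.0.5': 2}
```

The legitimate client 10.0.0.7 is not flagged because it finishes the handshake with an ACK; only the source that repeatedly resets after SYN/ACK crosses the threshold.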
Sources:
NMAP Network Scanning book (Gordon Lyon):
Nmap Reference Guide: https://nmap.org/book/man.html
TCP SYN (Stealth) Scan: https://nmap.org/book/synscan.html
Port Scanning Basics: https://nmap.org/book/man-port-scanning-basics.html