Learn: Understanding Nmap Scan Types | Introduction to Network Enumeration and Nmap
Network Enumeration with Nmap

Understanding Nmap Scan Types


Understanding how each scan type works helps you choose the right tool for the job. The TCP connect scan works by completing the entire TCP handshake—SYN, SYN-ACK, and ACK—before closing the connection. This makes it easy to detect, but also very reliable. Its downside is that every connection attempt is handed to the listening service on the target, which can log it, making it unsuitable for stealthy reconnaissance.

The SYN scan sends only the SYN packet and waits for a response. If the target replies with SYN-ACK, the port is open; Nmap then sends an RST to avoid completing the handshake. This method is fast, efficient, and less likely to be logged, but it requires root or administrator privileges on most systems because it needs raw socket access. Its main limitation is that some intrusion detection systems (IDS) can still spot SYN scans, though they are less obvious than full connections.

The UDP scan operates differently. Since UDP does not have a handshake, Nmap sends empty or protocol-specific packets to each port. If the port is closed, the host usually responds with an ICMP "port unreachable" message. If there is no response, the port might be open or filtered. UDP scans are valuable for finding services like DNS, SNMP, or DHCP, but they are slow and can be unreliable due to packet loss or filtering. Firewalls often block or throttle ICMP messages, leading to many "open|filtered" results.

In summary, each scan type balances speed, stealth, and reliability:

  • TCP connect scan: most reliable, least stealthy;
  • SYN scan: fast, stealthier, requires privileges;
  • UDP scan: useful for non-TCP services, slow, can be unreliable.

# Example: Running a SYN scan with Nmap
# Command:
nmap -sS 192.168.1.1

The -sS option in the Nmap command tells Nmap to perform a SYN scan. This scan type is often called a "stealth scan" because it does not complete the TCP handshake, so no connection is ever handed to the listening service and the service is less likely to log it. It is typically used when you need to quickly discover open ports without drawing attention, as it balances speed and stealth effectively.
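The same half-open pattern that keeps a SYN scan out of service logs is what a packet-level detector can key on: a client that answers SYN-ACKs with RST instead of ACK, on several ports. The following Python replay over constructed packet records is an added example, not part of the course material; the record format, the sample addresses and the two-port threshold are assumptions.

```python
from collections import defaultdict
# Constructed sample packets (not captured traffic): (src, dst, server_port,
# tcp_flags) with S=SYN, A=ACK, R=RST; port is always the server side.
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 22, "S"),
    ("10.0.0.9", "10.0.0.5", 22, "SA"),
    ("10.0.0.5", "10.0.0.9", 22, "R"),    # RST instead of ACK: half-open
    ("10.0.0.5", "10.0.0.9", 80, "S"),
    ("10.0.0.9", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "10.0.0.9", 80, "R"),    # half-open again
    ("10.0.0.5", "10.0.0.9", 443, "S"),
    ("10.0.0.9", "10.0.0.5", 443, "RA"),  # closed port answers RST/ACK
    ("10.0.0.7", "10.0.0.9", 22, "S"),
    ("10.0.0.9", "10.0.0.7", 22, "SA"),
    ("10.0.0.7", "10.0.0.9", 22, "A"),    # third step: full handshake
]
def classify_flows(packets):
    """Replay packets in order; return {(client, server, port): state}, state being
    syn, synack, closed, half_open (client reset the SYN-ACK) or established."""
    flows = {}
    for src, dst, port, flags in packets:
        if flags == "S":                      # client opens a new flow
            flows[(src, dst, port)] = "syn"
            continue
        if (src, dst, port) in flows:         # follow-up from the client
            key, from_client = (src, dst, port), True
        elif (dst, src, port) in flows:       # reply from the server
            key, from_client = (dst, src, port), False
        else:
            continue                          # flow whose SYN we never saw
        state = flows[key]
        if state == "syn" and not from_client and flags == "SA":
            flows[key] = "synack"
        elif state == "syn" and not from_client and "R" in flags:
            flows[key] = "closed"
        elif state == "synack" and from_client and "R" in flags:
            flows[key] = "half_open"
        elif state == "synack" and from_client and "A" in flags:
            flows[key] = "established"
    return flows

def detect_half_open_scanners(packets, min_ports=2):
    """Clients that reset SYN-ACKs on at least min_ports distinct ports; one
    half-open flow alone can be an aborted connection, so threshold it."""
    ports = defaultdict(set)
    for (client, _server, port), state in classify_flows(packets).items():
        if state == "half_open":
            ports[client].add(port)
    return {c: sorted(p) for c, p in ports.items() if len(p) >= min_ports}
```

On the constructed records, 10.0.0.5 is reported for ports 22 and 80, while 10.0.0.7, which completed its handshake, is not.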


Which Nmap scan type is known as a "stealth scan"?

Select the correct answer


Section 1. 3
