Nmap Stealth Scan

Nmap Stealth Scan Description:

Stealth scan or SYN is also known as half-open scan, as it doesn’t complete the TCP threeway handshake. A hacker sends a SYN packet to the target; if a SYN/ACK frame is received back, then it’s assumed the target would complete the connect and the port is listening. If an RST is received back from the target, then it is assumed the port isn’t active or is closed.

SYN scan is the default and most popular scan option for good reason. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between open, closed, and filtered states.

root@kali:~# nmap -d --packet-trace -p22,113,139 scanme.nmap.org

Starting Nmap ( http://nmap.org )

SENT (0.0130s) ICMP krad > scanme echo request (type=8/code=0) ttl=52 id=1829

SENT (0.0160s) TCP krad:63541 > scanme:80 A iplen=40 seq=91911070 ack=99850910

RCVD (0.0280s) ICMP scanme > krad echo reply (type=0/code=0) iplen=28

We got a ping packet back from scanme: id = 48821 seq = 714 checksum = 16000

massping done: num_hosts: 1 num_responses: 1

Initiating SYN Stealth Scan against scanme.nmap.org (scanme) [3 ports] at 00:53

SENT (0.1340s) TCP krad:63517 > scanme:113 S iplen=40 seq=10438635

SENT (0.1370s) TCP krad:63517 > scanme:22 S iplen=40 seq=10438635

SENT (0.1400s) TCP krad:63517 > scanme:139 S iplen=40 seq=10438635

RCVD (0.1460s) TCP scanme:113 > krad:63517 RA iplen=40 seq=0 ack=10438636

RCVD (0.1510s) TCP scanme:22 > krad:63517 SA iplen=44 seq=75897108 ack=10438636

SENT (1.2550s) TCP krad:63518 > scanme:139 S iplen=40 seq=10373098 win=3072

The SYN Stealth Scan took 1.25s to scan 3 total ports.

Nmap scan report for scanme.nmap.org (64.13.134.52)

PORT STATE SERVICE

22/tcp open ssh

113/tcp closed auth

139/tcp filtered netbios-ssn

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds

Nmap Usage Example:

root@kali:~# nmap -sS -T4 sscoetjalgaon.ac.in

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 13:09 India Standard Time

Nmap scan report for sscoetjalgaon.ac.in (139.59.37.252)

Host is up (0.12s latency).

Not shown: 967 closed ports, 27 filtered ports

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

80/tcp open http

443/tcp open https

3306/tcp open mysql

8443/tcp open https-alt

Nmap done: 1 IP address (1 host up) scanned in 46.17 seconds