
06. Nmap TCP Connect, Stealth(SYN) and UDP Scan

1. nmap -sT 192.168.0.1 -p 21-8080

  • Purpose: TCP Connect Scan for Specific Port Range
  • Explanation:
    • -sT: Performs a TCP Connect Scan.
      • This is a full TCP three-way handshake scan (SYN, SYN-ACK, ACK).
      • It is reliable but slower and more easily detectable by firewalls or IDS.
    • -p 21-8080: Specifies a port range from 21 to 8080.
      • Nmap scans ports within this range to find open ports and services.
  • Use Case:
    • Useful when scanning a specific port range (e.g., FTP, SSH, HTTP) to reduce scan time.
    • Preferred when stealth is not a priority.
  • Example Command:

    nmap -sT 192.168.0.1 -p 21-8080
    
  • Output:

    • List of open ports and associated services within the specified range.

2. nmap -sS 192.168.0.1

  • Purpose: Stealthy SYN Scan
  • Explanation:
    • -sS: Performs a SYN Scan (half-open scan).
      • Nmap sends a SYN packet to the target port.
      • If the port is open, the target responds with SYN-ACK.
      • Nmap does not complete the TCP handshake (doesn't send ACK).
    • This scan is faster and stealthier than a full TCP Connect Scan (-sT): because the connection is never completed, the listening application does not receive it and usually does not log it.
    • Requires root/admin privileges.
  • Use Case:
    • Preferred for stealthy scanning to avoid detection by firewalls or IDS.
  • Example Command:

    nmap -sS 192.168.0.1
    
  • Output:

    • List of open, closed, and filtered ports.

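To make the -sT/-sS distinction above concrete from the defender's side, here is an added Python example (not part of the original notes) that classifies constructed TCP flow records as full connects, half-open probes, closed-port answers or unanswered SYNs, and lists any source that half-opened several ports on one host. The addresses, port numbers and packet records are constructed sample data, and the threshold of 2 ports is an assumed illustrative value.

```python
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")
# Constructed sample traffic (not a real capture): 10.0.0.5 completes a handshake to port 22 (-sT style);
# 10.0.0.9 half-opens 21 and 80 (SYN, SYN/ACK, RST: -sS style), hits closed 23, gets no reply on 8080.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40001, "192.168.0.1", 22, "S"),
    Packet("192.168.0.1", 22, "10.0.0.5", 40001, "SA"),
    Packet("10.0.0.5", 40001, "192.168.0.1", 22, "A"),
    Packet("10.0.0.9", 50001, "192.168.0.1", 21, "S"),
    Packet("192.168.0.1", 21, "10.0.0.9", 50001, "SA"),
    Packet("10.0.0.9", 50001, "192.168.0.1", 21, "R"),
    Packet("10.0.0.9", 50002, "192.168.0.1", 80, "S"),
    Packet("192.168.0.1", 80, "10.0.0.9", 50002, "SA"),
    Packet("10.0.0.9", 50002, "192.168.0.1", 80, "R"),
    Packet("10.0.0.9", 50003, "192.168.0.1", 23, "S"),
    Packet("192.168.0.1", 23, "10.0.0.9", 50003, "RA"),
    Packet("10.0.0.9", 50004, "192.168.0.1", 8080, "S"),
]

def classify_flows(packets):
    """Map (client, server, port) -> 'connect', 'half_open', 'closed' or 'no_response'."""
    flows = {}  # (client, cport, server, port) -> flags seen from client ('c') and server ('s')
    for p in packets:
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if fwd in flows:
            flows[fwd]["c"].add(p.flags)
        elif rev in flows:
            flows[rev]["s"].add(p.flags)
        elif p.flags == "S":  # a bare SYN starts a new flow; its sender is the client
            flows[fwd] = {"c": {"S"}, "s": set()}
    states = {}
    for (client, _cport, server, port), seen in flows.items():
        if "RA" in seen["s"]:
            state = "closed"        # RST/ACK: nothing listening on that port
        elif "SA" not in seen["s"]:
            state = "no_response"   # probe dropped or filtered, nothing came back
        elif "A" in seen["c"]:
            state = "connect"       # third handshake packet sent: full connect (-sT style)
        else:
            state = "half_open"     # SYN/ACK never ACKed: half-open probe (-sS style)
        states[(client, server, port)] = state
    return states

def half_open_sources(packets, threshold=2):  # threshold is an illustrative value
    ports = defaultdict(set)  # (client, server) -> ports that were half-opened
    for (client, server, port), state in classify_flows(packets).items():
        if state == "half_open":
            ports[(client, server)].add(port)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}
```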
3. nmap -sS -sV 192.168.0.1 -p 21-8080

  • Purpose: Stealthy SYN Scan with Service Version Detection for Specific Ports
  • Explanation:
    • -sS: Performs a SYN Scan (half-open scan).
    • -sV: Enables Service Version Detection.
      • Nmap probes the open ports to identify the exact version of the running services.
    • -p 21-8080: Scans ports 21 to 8080.
  • Use Case:
    • For stealthy scans where detailed service information is needed for a specific port range.
  • Example Command:

    nmap -sS -sV 192.168.0.1 -p 21-8080
    
  • Output:

    • List of open ports and associated service versions (e.g., Apache 2.4.41, OpenSSH 7.9).

4. nmap -sU 192.168.0.1

  • Purpose: UDP Scan
  • Explanation:
    • -sU: Performs a UDP Scan.
      • Nmap sends UDP packets to target ports.
      • If the port answers with a UDP packet, it is marked as open.
      • If there is no response, it is reported as open|filtered: either a firewall dropped the probe or the service simply did not reply, and Nmap cannot tell which.
    • UDP scans are slower because UDP is connectionless and responses are less predictable.
  • Use Case:
    • Used to identify UDP services such as DNS (port 53), DHCP (port 67), SNMP (port 161), and TFTP.
    • Useful for comprehensive scans where UDP ports need to be analyzed.
  • Example Command:

    nmap -sU 192.168.0.1
    
  • Output:

    • List of open or filtered UDP ports.

Summary Table

Command                              | Purpose                         | Key Options           | Details Gathered                  | Use Case
-------------------------------------|---------------------------------|-----------------------|-----------------------------------|--------------------------------
nmap -sT 192.168.0.1 -p 21-8080      | TCP Connect Scan on Port Range  | -sT, -p 21-8080       | Open ports within port range      | Non-stealthy, reliable scan
nmap -sS 192.168.0.1                 | Stealthy SYN Scan               | -sS                   | Open, closed, and filtered ports  | Fast and stealthy port scan
nmap -sS -sV 192.168.0.1 -p 21-8080  | SYN Scan with Service Version   | -sS, -sV, -p 21-8080  | Open ports and service versions   | Stealthy scan with service info
nmap -sU 192.168.0.1                 | UDP Scan                        | -sU                   | Open/filtered UDP ports           | Identify UDP-based services

Key Notes:

  1. Use -sT for a full TCP scan when stealth is not a concern.
  2. Use -sS for faster and stealthier TCP scans.
  3. Combine -sS with -sV to get service versions.
  4. Use -sU for scanning UDP ports but expect slower results.