A TCP SYN scan, often referred to as a SYN scan or a half-open scan, is a technique used in network reconnaissance to determine which ports on a target system are open. It’s a type of stealth scanning because it doesn’t complete the full TCP handshake, making it less likely to be logged by intrusion detection systems (IDS) or firewalls compared to other scanning methods.
Here’s how a TCP SYN scan works:
- Sender sends SYN packet: The scanning tool (such as Nmap) sends a TCP packet to the target system with the SYN (synchronize) flag set and the destination port number specified. This is the first step of the TCP three-way handshake.
- Response analysis:
  - If the port is open: The target system responds with a SYN-ACK (synchronize-acknowledgment) packet, indicating that the port is open and ready to establish a connection.
  - If the port is closed: The target system responds with an RST (reset) packet, indicating that the port is closed and no connection can be established.
  - If the port is filtered: If a firewall or other network device is blocking the SYN packet from reaching the target port, there may be no response at all, or the sender may receive an ICMP unreachable message.
- No completion of the three-way handshake: In a full TCP connection the sender would answer the SYN-ACK with an ACK (acknowledge) packet to complete the three-way handshake; in a SYN scan the sender never sends this final ACK. The connection is therefore never fully established, which makes the scan less detectable.
TCP SYN scans are popular among attackers and security professionals alike because they are relatively fast and less likely to be detected than other scanning methods such as TCP connect scans. However, they can still be detected by IDS or firewall systems that are specifically configured to look for this kind of scanning activity.
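As an added example, not code from the original article, the following Python snippet takes the defender's view of the handshake logic described above: it tracks each SYN-initiated flow through SYN, SYN-ACK and the final ACK, and flags any source that leaves flows to many distinct ports without ever completing the handshake, which is the footprint a half-open scan leaves. The `Pkt` record, the `detect_half_open_scanners` function, the threshold of five ports and the sample addresses are all assumptions of this example, not Nmap's behaviour or any IDS product's actual rule set.

```python
from collections import defaultdict, namedtuple

# One TCP packet summary; flags is the set-flag string, e.g. "S", "SA", "A", "R".
Pkt = namedtuple("Pkt", "src dst sport dport flags")

def detect_half_open_scanners(packets, min_ports=5):
    """Return {source_ip: sorted probed ports} for sources that sent SYNs to at
    least min_ports distinct ports without ever completing a handshake.
    Illustrative heuristic, not Nmap's behaviour or any IDS's actual rule set."""
    state = {}  # flow key is always taken from the SYN sender's perspective
    for p in packets:
        if p.flags == "S":                    # step 1: SYN from the initiator
            state[(p.src, p.dst, p.sport, p.dport)] = "syn"
        elif p.flags == "SA":                 # open port: server answers SYN-ACK
            key = (p.dst, p.src, p.dport, p.sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif p.flags == "A":                  # step 3: initiator's ACK completes it
            key = (p.src, p.dst, p.sport, p.dport)
            if state.get(key) == "synack":
                state[key] = "established"
        # An RST from the server (closed port) or from the scanner (tearing down a
        # half-open flow) leaves the flow incomplete, which is exactly the signal.
    unfinished = defaultdict(set)
    for (src, _dst, _sport, dport), s in state.items():
        if s != "established":
            unfinished[src].add(dport)
    return {src: sorted(ports) for src, ports in unfinished.items()
            if len(ports) >= min_ports}

# Constructed sample traffic, not a real capture: 10.0.0.5 half-open scans six
# ports on 192.0.2.10, while 10.0.0.7 makes one ordinary full connection to 80.
SAMPLE = [
    Pkt("10.0.0.5", "192.0.2.10", 40001, 22, "S"),
    Pkt("192.0.2.10", "10.0.0.5", 22, 40001, "SA"),   # open
    Pkt("10.0.0.5", "192.0.2.10", 40001, 22, "R"),    # scanner aborts, no ACK
    Pkt("10.0.0.5", "192.0.2.10", 40002, 80, "S"),
    Pkt("192.0.2.10", "10.0.0.5", 80, 40002, "SA"),   # open
    Pkt("10.0.0.5", "192.0.2.10", 40002, 80, "R"),
    Pkt("10.0.0.5", "192.0.2.10", 40003, 443, "S"),
    Pkt("192.0.2.10", "10.0.0.5", 443, 40003, "R"),   # closed
    Pkt("10.0.0.5", "192.0.2.10", 40004, 8080, "S"),
    Pkt("192.0.2.10", "10.0.0.5", 8080, 40004, "R"),  # closed
    Pkt("10.0.0.5", "192.0.2.10", 40005, 3306, "S"),  # filtered: no reply at all
    Pkt("10.0.0.5", "192.0.2.10", 40006, 25, "S"),    # filtered: no reply at all
    Pkt("10.0.0.7", "192.0.2.10", 50000, 80, "S"),
    Pkt("192.0.2.10", "10.0.0.7", 80, 50000, "SA"),
    Pkt("10.0.0.7", "192.0.2.10", 50000, 80, "A"),    # handshake completed
]
```

Running `detect_half_open_scanners(SAMPLE)` returns `{'10.0.0.5': [22, 25, 80, 443, 3306, 8080]}`: the scanner is flagged regardless of whether each port turned out open, closed or filtered, while the legitimate client on 10.0.0.7 is not reported because its flow reached the established state.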