Nmap from Scratch | Part-1 | SYN Scan v/s TCP Connect Scan

Welcome folks , so before we start with different types of scans let’s get our basics clear .

So, a very simple definition of n-map:
“N-map is an open-source vulnerability scanner which is used to detect the port states and service running on the ports”.But n-map have so much more than just scanning abilities, we can use n-map to brute force, exploit the target machines.

N-map also comes with NSE which is a nmap scripting engine, with tons of different scripts to attack, n-map is written in Lua language and it scans 1000 ports by default.

Now Let’s do a very simple scan as a user :
nmap 192.168.10.1
This scan might take little while .

On scanning, we can see that we got port 80, open and a service called HTTP is running on it (typically a browser). This is how n-map shows the information, very simple threes columns PORT ( tells us about the port number and type TCP/UDP), STATE (what’s the state of the port ) and finally SERVICE (what service the port is running ).

Now let’s understand the different types of STATE, that n-map returns in different scenarios.

STATES

OPEN : N-map gives this state in result if the port is accessible and a service is running on it , basically the port is accepting TCP/UDP connections.

CLOSED : N-map gives this state , when the port is accessible but there’s no service running on it.

FILTERED : N-map gives this state , when n-map couldn’t identify whether the port is open or closed, this is due to the presence of firewalls , IDS etc.

UNFILTERED : N-map gives this state , when the port is accessible but n-map is couldn’t to identify if the port is closed or open .

OPEN/FILTERED : When n-map is confused between, if the port is open or filtered .

CLOSE/FILTERED : When n-map is confused between, if the port is closed or filtered .

Now , since we are done with various states , let’s understand what kind of scan does n-map do when a normal user uses it and when a sudo user uses it .

When we run n-map as a non-root user the n-map performs a TCP CONNECT scan , but when we use n-map as a root user the n-map performs a SYN scan .

SYN Scan ( -Ss )

When we run n-map as a root user , it performs a SYN scan by default , which is also known as raw stealth scan , as n-map sends raw packets to the target machine . Now, in this scan the n-map doesn’t complete the connection , a typical representation would be something like :

As we can see , the attacker machine ( in red ) , sends a TCP SYN packet to the target(in green) , and as soon as the target replies back , the attacker machine sends a RST flag , thereby aborting the connection .

This scan is fast and more stealthy as compared to TCP Connect Scan .

TCP CONNECT Scan

When we run n-map as a non-root user , the n-map performs a complete TCP connection , as a result of this , the scan is slower as compared to SYN scan , and more loud . TCP Connect scan looks something like :

So the attacker machine sends the SYN packet , the target sends SYN/ACK , basically a kind of acknowledgement , the attacker machine sends another ACK flag , after this some data is received from the target , it can be a service banner . Once data is received , the connection is closed using the RST flag .

Due to this nature of establishing a complete connections , the TCP Connect Scan is slow and leave many traces for the target to identify the attacker , wherein the SYN scan is better as compared to TCP Connect scan , as it’s faster and more stealthy .

That’s it for now , you can read my other blogs about some very interesting vulnerabilities here .

Infosec Enthusiast | Student