Nmap from Scratch | Part-1 | SYN Scan v/s TCP Connect Scan

Welcome folks , so before we start with different types of scans let’s get our basics clear .

So, a very simple definition of n-map:
“N-map is an open-source vulnerability scanner which is used to detect the port states and service running on the ports”.But n-map have so much more than just scanning abilities, we can use n-map to brute force, exploit the target machines.

N-map also comes with NSE which is a nmap scripting engine, with tons of different scripts to attack, n-map is written in Lua language and it scans 1000 ports by default.

Now Let’s do a very simple scan as a user :
This scan might take little while .

On scanning, we can see that we got port 80, open and a service called HTTP is running on it (typically a browser). This is how n-map shows the information, very simple threes columns PORT ( tells us about the port number and type TCP/UDP), STATE (what’s the state of the port ) and finally SERVICE (what service the port is running ).

Now let’s understand the different types of STATE, that n-map returns in different scenarios.


OPEN : N-map gives this state in result if the port is accessible and a service is running on it , basically the port is accepting TCP/UDP connections.

CLOSED : N-map gives this state , when the port is accessible but there’s no service running on it.

FILTERED : N-map gives this state , when n-map couldn’t identify whether the port is open or closed, this is due to the presence of firewalls , IDS etc.

UNFILTERED : N-map gives this state , when the port is accessible but n-map is couldn’t to identify if the port is closed or open .

OPEN/FILTERED : When n-map is confused between, if the port is open or filtered .

CLOSE/FILTERED : When n-map is confused between, if the port is closed or filtered .

Now , since we are done with various states , let’s understand what kind of scan does n-map do when a normal user uses it and when a sudo user uses it .

When we run n-map as a non-root user the n-map performs a TCP CONNECT scan , but when we use n-map as a root user the n-map performs a SYN scan .

SYN Scan ( -Ss )

When we run n-map as a root user , it performs a SYN scan by default , which is also known as raw stealth scan , as n-map sends raw packets to the target machine . Now, in this scan the n-map doesn’t complete the connection , a typical representation would be something like :

As we can see , the attacker machine ( in red ) , sends a TCP SYN packet to the target(in green) , and as soon as the target replies back , the attacker machine sends a RST flag , thereby aborting the connection .

This scan is fast and more stealthy as compared to TCP Connect Scan .


When we run n-map as a non-root user , the n-map performs a complete TCP connection , as a result of this , the scan is slower as compared to SYN scan , and more loud . TCP Connect scan looks something like :

So the attacker machine sends the SYN packet , the target sends SYN/ACK , basically a kind of acknowledgement , the attacker machine sends another ACK flag , after this some data is received from the target , it can be a service banner . Once data is received , the connection is closed using the RST flag .

Due to this nature of establishing a complete connections , the TCP Connect Scan is slow and leave many traces for the target to identify the attacker , wherein the SYN scan is better as compared to TCP Connect scan , as it’s faster and more stealthy .

That’s it for now , you can read my other blogs about some very interesting vulnerabilities here .




Infosec Enthusiast | Student

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

📢MetaWorld Breaking News📢

Creating A EC2 Instances With An Apache Webserver

How Loneliness Help Me to Find Vulnerability And Virtual Date

2020 is when cybersecurity gets significantly more odd, so prepare

Image result for cybersecurity tech

Lessons from OPCDE DXB 2017

Collecting and parsing IoCs at scale

Security Awareness Training for the Workforce

A Digital-Dangerous World

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Infosec Enthusiast | Student

More from Medium

Let’s Become a Cloud Security Engineer #3: Exploit Vulnerabilities(THM)

DevOps- Get Started with Shell Scripting

Top 5 Linux Distro for Ethical Hacking & Pentesting.


Linux Fundamental Part 2| TryHackMe