Stealth scanning is a primary component of Nmap. When performing an audit of enterprise servers, it’s important to understand stealth scanning techniques. This is because a malicious attacker usually performs a stealth scan, which can be hard to detect. Including stealth scanning in our audits will help us build a better security framework for our clients.

Default stealth scan

The default SYN scan can also be called a stealth scan. This is because the SYN scan doesn’t finish the TCP handshake. A SYN scan (also known as a half-open scan) is performed using the SYN flag in the TCP header. In a SYN scan, Nmap sends a SYN packet to the target host and waits for a response.

Once Nmap receives a response, it drops the connection. This makes it hard for the target to analyze the incoming packets. Please note that using the SYN scan alone doesn’t guarantee stealth mode. There are other flags we can use in combination with the SYN scan to decrease the probability of alerting the target.

Now that we understand how stealthy a SYN scan can be, let’s look at the different use cases where we can use the SYN scan to perform different types of stealth scans.

How to perform a stealth SYN scan

To perform an SYN scan in Nmap, we can use the -sS option. This option tells Nmap to use SYN as the scan type. For example, to scan a host using the SYN scan, we can use the following command:

Get hands-on with 1200+ tech skills courses.