How does a half-open scan work in Nmap?

Here in Nmap we have the -sS option, which starts a "half-open scan":

 ➜ ~ sudo nmap -sS 192.168.1.4
Password:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 20:23 CST
Nmap scan report for 192.168.1.4
Host is up (0.000082s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
49159/tcp open unknown

Then I use the -sT option, which starts a "full connection":

 ➜ ~ sudo nmap -sT 192.168.1.4
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 20:23 CST
Nmap scan report for 192.168.1.4
Host is up (0.00018s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
49159/tcp open unknown

The results of these two scans are exactly the same.

Question: How does a "half-open" TCP scan work, and can I simply use it instead of a "full connection scan"?
  • Relevant documentation: nmap.org/book/man-port-scanning-techniques.html – bonsaiviking, Jul 5 at 21:12
edited Jul 4 at 12:44 by Kusalananda
asked Jul 4 at 12:33 by Albert Zhang
1 Answer
The -sT option does a full 3-way handshake. The -sS option is a SYN-only scan. It never makes the full connection. A SYN scan waits for a SYN/ACK (SA) or a RESET packet. If it gets either, it knows how to mark the connection. The -sT option performs a full connection, waiting for the S/SA/A flags.
answered Jul 4 at 12:48 by Joe M
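As an added illustration of the two scan types the answer describes (this is example code written for this page, not part of the question or answer and not nmap's own code), the following Python script shows the two decision rules side by side. The first part is the reply classifier a half-open scan applies to whatever comes back for each bare SYN: SYN/ACK means open (nmap then answers with RST rather than ACK, so the handshake is never completed), RST means closed, and an ICMP unreachable or no reply at all means filtered; the ICMP code set follows the nmap manual linked in the comment above. Sending that SYN requires a raw socket and therefore CAP_NET_RAW or root, which is why -sS runs under sudo. The reply packets here are constructed with struct and carry zero checksums so the parser runs offline; the addresses and port numbers are illustrative. The second part is a connect()-style probe in the -sT manner, run against a throw-away listener on 127.0.0.1 that records what accept() sees: a full-connect scan completes the handshake, reaches the application and therefore lands in its logs, whereas a SYN scan never gets that far. The script assumes loopback networking is available.

```python
import errno
import socket
import struct
import threading
import time

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# ICMP type 3 codes that a SYN scan maps to "filtered" (nmap manual).
ICMP_UNREACH_FILTERED = {0, 1, 2, 3, 9, 10, 13}


def classify_syn_reply(ip_packet):
    """Half-open scan decision rule for the reply (raw IPv4 bytes or None)
    to a bare SYN. nmap answers SYN/ACK with RST, never ACK, so the target
    application never sees a connection for an open port."""
    if ip_packet is None:
        return "filtered"                  # no reply before the timeout
    ihl = (ip_packet[0] & 0x0F) * 4        # IPv4 header length in bytes
    proto = ip_packet[9]
    payload = ip_packet[ihl:]
    if proto == 6:                         # TCP: inspect the flags byte
        flags = payload[13]
        if flags & TCP_SYN and flags & TCP_ACK:
            return "open"
        if flags & TCP_RST:
            return "closed"
    elif proto == 1:                       # ICMP destination unreachable
        if payload[0] == 3 and payload[1] in ICMP_UNREACH_FILTERED:
            return "filtered"
    return "unexpected"


def build_ipv4_tcp(flags, sport=49159, dport=40000):
    """Constructed sample reply: minimal IPv4 + TCP headers, zero checksums."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton("192.168.1.4"),
                         socket.inet_aton("192.168.1.2"))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 5 << 4,
                          flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def build_ipv4_icmp_unreach(code):
    """Constructed sample reply: IPv4 + ICMP type 3 header, zero checksums."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         socket.inet_aton("192.168.1.1"),
                         socket.inet_aton("192.168.1.2"))
    return ip_hdr + struct.pack("!BBHI", 3, code, 0, 0)


def connect_scan(host, port, timeout=1.0):
    """Full-connect probe (-sT style): the kernel performs the whole
    handshake inside connect(); no raw socket and no root needed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        err = s.connect_ex((host, port))
    if err == 0:
        return "open"                      # handshake completed, then closed
    if err == errno.ECONNREFUSED:
        return "closed"                    # our SYN was answered with RST
    return "filtered"                      # timeout or unreachable


def accepting_listener():
    """Throw-away loopback server recording every accept()ed peer; stands in
    for the target application's own connection log."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    accepted = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return                     # listener was shut down
            accepted.append(peer)          # only a completed handshake gets here
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], accepted


def demo_connect_scan_is_logged():
    """Connect-scan one open and one closed loopback port; return the two
    states and how many connections the application actually saw."""
    srv, open_port, accepted = accepting_listener()
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]   # bound but never listened on
    spare.close()
    try:
        st_open = connect_scan("127.0.0.1", open_port)
        st_closed = connect_scan("127.0.0.1", closed_port)
        deadline = time.monotonic() + 2.0  # let the accept thread catch up
        while not accepted and time.monotonic() < deadline:
            time.sleep(0.01)
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        srv.close()
    return st_open, st_closed, len(accepted)


if __name__ == "__main__":
    samples = [("SYN/ACK", build_ipv4_tcp(TCP_SYN | TCP_ACK)),
               ("RST/ACK", build_ipv4_tcp(TCP_RST | TCP_ACK)),
               ("ICMP admin-prohibited", build_ipv4_icmp_unreach(13)),
               ("no reply", None)]
    for name, pkt in samples:
        print(f"SYN-scan reply {name:22s} -> {classify_syn_reply(pkt)}")
    print("connect scan (open, closed, connections the app saw):",
          demo_connect_scan_is_logged())
```

Both rules classify an open port as open and a closed port as closed, which is why the two nmap runs in the question produce identical output. The differences are in what the scan costs and what it leaves behind: -sS needs raw-socket privilege but sends one fewer packet per port and never hands a connection to the listening program, while -sT works as an unprivileged user but every open port it finds shows up in the application's accept() path and so in its logs. A firewall or IDS in the path still sees the SYNs in both cases.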