LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is nmap, and what does the "stealth" in SYN stealth scan (nmap -sS) actually mean — and what doesn't it mean?

Nmap is the standard network scanner. "Stealth" is historical and relative-sS only avoids being logged by user-space applications. Firewalls, IDS, and SIEMs see it instantly.

The mechanic:

nmap → target:80 :  SYN
target → nmap   :  SYN-ACK   ← port is open!
nmap → target   :  RST       ← never complete the handshake
Outcome Interpretation
SYN-ACK Port open
RST Port closed
No reply Port filtered (firewall)

Where "stealth" came from (1990s):

Many old Unix services (inetd-spawned daemons) logged connections only after the handshake completed. A SYN scan never completes → no entry in the application's log. That was the original "stealth" — bypassing application-layer logging.

Where it's NOT stealthy at all:

Watcher Sees SYN scan?
Stateful firewall Yes — every SYN is logged
IDS / IPS (Snort, Suricata, Zeek) Yes — trivial signature match
SIEM aggregating firewall logs Yes — alerts within seconds
NetFlow / sFlow collectors Yes — flow records show the sweep
Modern endpoint detection (EDR) Yes — flags unusual outbound SYNs

The pattern is screamingly obvious:

  • One source IP hitting hundreds of ports in seconds
  • Very high SYN-to-completed-handshake ratio
  • Sequential or randomized port walks
  • Default nmap timing (~300 pkts/sec) is itself a fingerprint
  • TCP window size, TTL, source-port behavior all match nmap defaults

Snort has had scan.rules for SYN scans for ~20 years.

Real stealth requires effort beyond -sS:

nmap -sS -T2 ...                # slower timing
nmap -sS -f ...                 # fragment packets
nmap -sS -D RND:10 ...          # decoy IPs (mix in fakes)
nmap -sS --source-port 53 ...   # spoof source port (look like DNS)
nmap -sS --randomize-hosts ...

Even then, a competent SOC catches it — true stealth is about rate limiting + blending in, not the scan flag.

Why -sS is still the go-to:

It's the fastest accurate scan, not because it's actually stealthy. The historical name stuck.

SYN scan vs other modes:

Scan Need root? Best for
-sS (SYN) Yes Fast accurate scan
-sT (TCP Connect) No When you can't craft raw packets
-sn (Ping sweep) No Host discovery only
-sV No Service version detection
-O Yes OS fingerprinting

Tip: Nmap on your own network is fine. Nmap on networks you don't own is illegal in many jurisdictions — even if "stealthy." Practice only on networks you own or on CTF ranges.

Go deeper:

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 14, 2026