What is nmap, and what does the "stealth" in SYN stealth scan (nmap -sS) actually mean — and what doesn't it mean?
Nmap is the standard network scanner. "Stealth" is historical and relative — -sS only avoids being logged by user-space applications. Firewalls, IDS, and SIEMs see it instantly.
The mechanic:
nmap → target:80 : SYN
target → nmap : SYN-ACK ← port is open!
nmap → target : RST ← never complete the handshake
| Outcome | Interpretation |
|---|---|
| SYN-ACK | Port open |
| RST | Port closed |
| No reply | Port filtered (firewall) |
Where "stealth" came from (1990s):
Many old Unix services (inetd-spawned daemons) logged connections only after the handshake completed. A SYN scan never completes → no entry in the application's log. That was the original "stealth" — bypassing application-layer logging.
Where it's NOT stealthy at all:
| Watcher | Sees SYN scan? |
|---|---|
| Stateful firewall | Yes — every SYN is logged |
| IDS / IPS (Snort, Suricata, Zeek) | Yes — trivial signature match |
| SIEM aggregating firewall logs | Yes — alerts within seconds |
| NetFlow / sFlow collectors | Yes — flow records show the sweep |
| Modern endpoint detection (EDR) | Yes — flags unusual outbound SYNs |
The pattern is screamingly obvious:
- One source IP hitting hundreds of ports in seconds
- Very high SYN-to-completed-handshake ratio
- Sequential or randomized port walks
- Default nmap timing (~300 pkts/sec) is itself a fingerprint
- TCP window size, TTL, source-port behavior all match nmap defaults
Snort has had scan.rules for SYN scans for ~20 years.
Real stealth requires effort beyond -sS:
nmap -sS -T2 ... # slower timing
nmap -sS -f ... # fragment packets
nmap -sS -D RND:10 ... # decoy IPs (mix in fakes)
nmap -sS --source-port 53 ... # spoof source port (look like DNS)
nmap -sS --randomize-hosts ...
Even then, a competent SOC catches it — true stealth is about rate limiting + blending in, not the scan flag.
Why -sS is still the go-to:
It's the fastest accurate scan, not because it's actually stealthy. The historical name stuck.
SYN scan vs other modes:
| Scan | Need root? | Best for |
|---|---|---|
-sS (SYN) |
Yes | Fast accurate scan |
-sT (TCP Connect) |
No | When you can't craft raw packets |
-sn (Ping sweep) |
No | Host discovery only |
-sV |
No | Service version detection |
-O |
Yes | OS fingerprinting |
Tip: Nmap on your own network is fine. Nmap on networks you don't own is illegal in many jurisdictions — even if "stealthy." Practice only on networks you own or on CTF ranges.
Go deeper:
TCP SYN (Stealth) Scan (Nmap book) — Fyodor's own canonical writeup of exactly why
-sSis the default and where the "stealth" name comes from.Nmap (Wikipedia) — tool history, scan modes, and the legal-use discussion at a glance.