How does a SYN stealth scan (-sS) differ from a TCP connect scan (-sT) in terms of connection behavior and detectability?

Multiple Choice

Explanation:
The key idea is how each scan handles the TCP connection and what that means for being seen by the target and its logs. A SYN stealth scan sends only a SYN and waits for a response. If the port is open, the target replies with SYN-ACK, and the scanner immediately tears the connection down with an RST, so the three-way handshake is never completed. Because no connection is established, there is often no normal log entry for an established TCP session, which makes this approach harder for the target to log or correlate as a real connection. It is considered stealthier for that reason.

A TCP connect scan, on the other hand, uses the operating system's normal TCP stack to perform a full connect. It completes the three-way handshake (SYN, SYN-ACK, ACK) and only then closes. That establishes an actual connection on the target side, which is typically recorded by logs and monitoring tools, making it much more visible and easier to detect. Privileges and implementation also differ: the connect scan relies on standard socket calls and usually does not require raw-socket privileges, whereas the SYN stealth scan usually requires raw sockets and therefore elevated privileges.
