What is the primary difference between a SYN scan (-sS) and a TCP connect scan (-sT), and when would you choose one over the other?

Multiple Choice

What is the primary difference between a SYN scan (-sS) and a TCP connect scan (-sT), and when would you choose one over the other?

Explanation:
The main difference is how far the TCP handshake is taken and what that means for privileges and visibility. A SYN scan (-sS) builds and sends a raw SYN packet itself instead of asking the operating system to open a connection. If the port is open, the target answers SYN-ACK and the scanning host replies with RST (on most systems the kernel sends it automatically, because it has no connection matching the SYN-ACK), so the handshake is never completed and the listening service never sees a connection. If the port is closed, the target answers RST; if nothing comes back, or an ICMP unreachable does, Nmap reports the port as filtered. Because it works with raw packets and never completes a connection, a SYN scan is fast and usually leaves nothing in application-level logs, which is why it is often called a "stealth" scan. It still needs the privilege to send raw packets (root on Unix-like systems, Npcap on Windows), and a network IDS or a firewall that logs SYNs sees it as readily as any other scan.

A TCP connect scan (-sT) goes through the operating system's normal TCP stack via the connect() system call, so a full three-way handshake (SYN, SYN-ACK, ACK) is performed for every open port; Nmap then closes the connection. No raw-packet privileges are needed and it works anywhere the OS can open a socket, but each open port receives a real, completed connection, so the scan shows up in the target's service logs and in connection-tracking firewall records, takes more packets per port, and is slower.

Choose the SYN scan when you have raw-packet privileges and want a fast probe that does not complete connections; it is Nmap's default scan type for privileged users. Choose the connect scan when you lack those privileges (it is the default for unprivileged users) or need the broadest compatibility, accepting that it will be more conspicuous.
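The packet exchanges above are easiest to see from the target's side. The following Python model, an added example that is not part of the original page and not Nmap's own code, generates the tcpdump-style lines a capture on the target would show for each scan type and port state (constructed lines, not a real capture; teardown after connect() is simplified, and ICMP unreachables are not modelled), then classifies each flow the way a detection rule would: a SYN answered by SYN-ACK with no third-packet ACK from the client is the half-open signature of -sS, while an ACK from the client after the SYN-ACK means a completed handshake, the signature of -sT. The addresses, ports and function names are assumptions made for the example.

```python
"""Model of what a target-side capture shows for -sS versus -sT, plus a flow classifier.

Added example; lines are constructed in tcpdump notation, not captured from a real host:
  [S] SYN, [S.] SYN-ACK, [.] ACK, [R] RST, [R.] RST-ACK, [F.] FIN-ACK.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([SRFP.]+)\]")


def syn_scan_exchange(scanner, target, sport, dport, port_state):
    """Lines for one port probed with -sS (simplified model)."""
    c2s = f"IP {scanner}.{sport} > {target}.{dport}: Flags"
    s2c = f"IP {target}.{dport} > {scanner}.{sport}: Flags"
    lines = [f"{c2s} [S]"]                      # raw SYN built by the scanner
    if port_state == "open":
        # Target answers SYN-ACK; the scanner host's kernel, which knows nothing about
        # the raw probe, answers RST. No third-packet ACK, so the handshake never completes.
        lines += [f"{s2c} [S.]", f"{c2s} [R]"]
    elif port_state == "closed":
        lines += [f"{s2c} [R.]"]                # closed port: RST-ACK
    # filtered: nothing comes back (ICMP unreachables are not modelled here)
    return lines


def connect_scan_exchange(scanner, target, sport, dport, port_state):
    """Lines for one port probed with -sT: the OS stack completes the handshake, then close()."""
    c2s = f"IP {scanner}.{sport} > {target}.{dport}: Flags"
    s2c = f"IP {target}.{dport} > {scanner}.{sport}: Flags"
    lines = [f"{c2s} [S]"]                      # SYN sent by the kernel on connect()
    if port_state == "open":
        # Full three-way handshake, then an orderly close. Whether the OS sends FIN or RST on
        # close() depends on socket options; the ACK that completes the handshake is what matters.
        lines += [f"{s2c} [S.]", f"{c2s} [.]",
                  f"{c2s} [F.]", f"{s2c} [F.]", f"{c2s} [.]"]
    elif port_state == "closed":
        lines += [f"{s2c} [R.]"]
    return lines


def classify_flow(segments):
    """segments: list of (direction, flags) with direction 'c2s' (scanner->target) or 's2c'."""
    sent = [flags for direction, flags in segments if direction == "c2s"]
    recv = [flags for direction, flags in segments if direction == "s2c"]
    if "S" not in sent:
        return "not-a-probe"
    if "S." not in recv:
        # Target never offered SYN-ACK: either it refused (RST) or nothing answered.
        return "closed-port-probe" if "R." in recv else "unanswered-probe"
    # Target offered SYN-ACK. A client ACK (or anything after it) means the handshake completed.
    if any(flags in (".", "F.", "P.") for flags in sent):
        return "full-connect"
    return "half-open"


def classify_capture(lines, scanner_ip):
    """Group lines into flows keyed by (target_ip, target_port, scanner_port) and classify each."""
    flows = defaultdict(list)
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue                            # skip non-TCP or unparsable lines
        src, sport, dst, dport, flags = match.groups()
        if src == scanner_ip:
            flows[(dst, int(dport), int(sport))].append(("c2s", flags))
        elif dst == scanner_ip:
            flows[(src, int(sport), int(dport))].append(("s2c", flags))
    return {flow: classify_flow(segments) for flow, segments in flows.items()}


if __name__ == "__main__":
    SCANNER, TARGET = "10.0.0.5", "10.0.0.9"    # assumed addresses for the example
    capture = []
    capture += syn_scan_exchange(SCANNER, TARGET, 40001, 22, "open")
    capture += syn_scan_exchange(SCANNER, TARGET, 40002, 23, "closed")
    capture += syn_scan_exchange(SCANNER, TARGET, 40003, 25, "filtered")
    capture += connect_scan_exchange(SCANNER, TARGET, 40004, 80, "open")
    for flow, verdict in sorted(classify_capture(capture, SCANNER).items()):
        print(flow, verdict)
```

Running the block prints the open port probed with -sS as half-open and the one probed with -sT as full-connect; the closed and filtered ports look the same under both scan types, which is why a detector keyed on "SYN-ACK without a client ACK" only fires on open ports. Real captures add retransmissions, ECN bits and ICMP errors that this model leaves out.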
