What makes TCP SYN scan stealthy?

Questions | 8 SkillsPro | Dec 14, 2025

That's a really sharp question! You're focusing on one of the key advantages of the TCP SYN scan.

A TCP SYN scan is considered "stealthy" because it does not complete the full TCP 3-way handshake.

Let's break down the normal TCP connection process and then compare it to the SYN scan:

Normal TCP 3-Way Handshake:

When a legitimate client wants to connect to a server, they exchange three packets:

  1. Client sends SYN (synchronize): "Hi server, I want to connect. My initial sequence number is X."
  2. Server sends SYN/ACK (synchronize/acknowledge): "Okay, I'm ready. My initial sequence number is Y, and I acknowledge your X."
  3. Client sends ACK (acknowledge): "Got it. I acknowledge your Y. Let's talk!"

At this point, a full connection is established, and both the client and server log this connection.

How a TCP SYN Scan Works (and why it's stealthy):

In a TCP SYN scan, Nmap only performs the first two steps of the handshake:

  1. Nmap sends SYN to a target port.
  2. Target responds (if successful):
    • If the port is open, the target sends back a SYN/ACK packet.
    • If the port is closed, the target sends back an RST (reset) packet.
  3. Nmap's stealthy move:
    • If Nmap receives a SYN/ACK, it knows the port is open. Instead of sending the final ACK to complete the connection, Nmap immediately sends an RST packet to the target. This closes the half-open connection.

Here's why this is "stealthy":

  • Avoids Full Connection Logging: Because the full TCP connection is never established, many services and applications on the target machine (and some firewalls) won't log the attempt as a complete connection. They might only see a "half-open" connection attempt that was suddenly reset.
  • Faster and More Efficient: Not having to establish and tear down full connections for every scanned port makes the scan significantly faster and uses fewer resources on both the scanner and the target.
  • Less Intrusive/Noisy: By not completing the connection, it reduces the chances of triggering intrusion detection systems (IDS) or logging mechanisms that are configured to alert on fully established, but potentially suspicious, connections. A quick SYN-SYN/ACK-RST exchange might go unnoticed by simpler logging systems.

It's important to note that while SYN scans are considered "stealthy" compared to a full TCP connect scan, they are not invisible. Sophisticated firewalls and intrusion detection systems can still detect and log these half-open connection attempts. However, it requires more advanced monitoring to catch them, making them harder to spot than a full connection attempt.

Does this explanation clarify why the TCP SYN scan earns its "stealthy" reputation?
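The SYN, SYN/ACK, RST sequence described in the answer is exactly what a monitoring system keys on. The following is an added example, not code from the original post: a small Python state tracker run over constructed packet records that distinguishes a half-open reset (the SYN-scan signature) from a target's RST on a closed port and from a legitimate completed handshake, then flags a client that resets half-open connections across several ports. Hosts, ports and the threshold are assumed values.

```python
from collections import defaultdict

# Constructed packet records (src, sport, dst, dport, flags); flags use
# tcpdump letters: S=SYN, SA=SYN/ACK, A=ACK, R=RST. 10.0.0.5 plays the
# scanner, 10.0.0.7 a legitimate client, 10.0.0.10 the target (assumed).
PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.10", 22, "S"),    # open port: SYN
    ("10.0.0.10", 22, "10.0.0.5", 40001, "SA"),   #   target SYN/ACK
    ("10.0.0.5", 40001, "10.0.0.10", 22, "R"),    #   scanner tears down
    ("10.0.0.5", 40002, "10.0.0.10", 23, "S"),    # closed port: SYN
    ("10.0.0.10", 23, "10.0.0.5", 40002, "R"),    #   target RST
    ("10.0.0.5", 40003, "10.0.0.10", 80, "S"),
    ("10.0.0.10", 80, "10.0.0.5", 40003, "SA"),
    ("10.0.0.5", 40003, "10.0.0.10", 80, "R"),
    ("10.0.0.5", 40004, "10.0.0.10", 443, "S"),
    ("10.0.0.10", 443, "10.0.0.5", 40004, "SA"),
    ("10.0.0.5", 40004, "10.0.0.10", 443, "R"),
    ("10.0.0.7", 50001, "10.0.0.10", 22, "S"),    # normal client: full
    ("10.0.0.10", 22, "10.0.0.7", 50001, "SA"),   #   3-way handshake
    ("10.0.0.7", 50001, "10.0.0.10", 22, "A"),
]

def classify_flows(packets):
    """Return the final state of each client->server 4-tuple: syn-sent,
    syn-acked, established, closed (target RST) or half-open-reset."""
    state = {}
    for src, sport, dst, dport, flags in packets:
        c2s, s2c = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":                        # client opens
            state[c2s] = "syn-sent"
        elif flags == "SA" and state.get(s2c) == "syn-sent":
            state[s2c] = "syn-acked"            # target says port open
        elif "R" in flags:
            if state.get(c2s) == "syn-acked":   # client RST, no ACK sent
                state[c2s] = "half-open-reset"  # the SYN-scan signature
            elif state.get(s2c) == "syn-sent":  # target refused the port
                state[s2c] = "closed"
        elif "A" in flags and state.get(c2s) == "syn-acked":
            state[c2s] = "established"          # legitimate handshake
    return state

def suspected_syn_scanners(packets, min_ports=3):
    """Clients that reset half-open connections on >= min_ports ports."""
    ports = defaultdict(set)
    for (src, _, _, dport), st in classify_flows(packets).items():
        if st == "half-open-reset":
            ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

Real deployments derive the same per-flow states from firewall or NetFlow records; the port threshold is what separates a scan from an occasional aborted connection.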
