How to perform a stealth scan using Nmap

Network Mapper (Nmap) is a popular, effective open-source network scanning and inspection tool. It is designed to discover the hosts and services on a computer network and build a map of that network. Nmap offers a variety of scanning techniques, including TCP connect, UDP, SYN, ACK, and ICMP (ping) scans.

What is a stealth scan?

A stealth scan is a scanning technique in Nmap that seeks to minimize the chance that the target host, its firewall, or an intrusion detection system notices and logs the scanning activity.

Nmap's default scan, the SYN scan, is also known as a stealth scan or half-open scan because it never completes the TCP (Transmission Control Protocol) three-way handshake. Nmap sends a packet with only the SYN flag set to each target port and waits for the reply. A SYN/ACK reply means the port is open; an RST reply means it is closed; no reply at all (or an ICMP unreachable error) is reported as filtered, which usually means a firewall is dropping the probe. When a port answers with SYN/ACK, Nmap responds with RST instead of the ACK that would complete the handshake, so the target's TCP stack tears the half-open connection down before it is ever handed to the listening application. Because no connection is established, the service itself never sees the probe and cannot log it, which is what makes this scan harder to notice than a full connect scan (-sT).

Note: The SYN scan by itself does not make the scan invisible. Every SYN probe still crosses the network, and a firewall or intrusion detection system that watches for many SYNs to different ports from one source will flag it. To reduce the chance of alerting the target, the scan is usually combined with other options, such as a slower timing template (-T0 to -T2), fragmented probes (-f), decoy source addresses (-D) or a spoofed source port (--source-port). The SYN scan also needs raw-socket privileges (root on Linux): an unprivileged user who does not ask for a scan type gets a connect scan (-sT) by default, and an explicit -sS fails with a privilege error.
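The half-open exchange described above, as an added example in Python that is not code from this page or from Nmap: it builds the SYN segment by hand, classifies the target's reply the way a SYN scan does, and answers a SYN/ACK with RST rather than the ACK that would finish the handshake. The target side is a constructed stand-in (FakeTarget) for a remote TCP stack, and the addresses are RFC 5737 documentation addresses, so the exchange runs offline and is not a packet capture.

```python
"""Half-open (SYN) scan mechanics, packet by packet.

Added example, not code from Nmap or from the page it accompanies. TCP headers
are built with struct; FakeTarget is a constructed stand-in for the remote
TCP stack so the exchange can run offline.
"""
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
SCANNER_IP, TARGET_IP = "192.0.2.1", "192.0.2.10"   # RFC 5737 documentation addresses


def tcp_checksum(src_ip, dst_ip, segment):
    """Ones-complement checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header (no options) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def flags_of(segment):
    return segment[13]          # the flag bits live in byte 13 of the TCP header


def classify(reply):
    """Port state a SYN scan infers from the answer (or silence) to one SYN."""
    if reply is None:
        return "filtered"       # nothing came back: something in the path dropped the probe
    f = flags_of(reply)
    if f & SYN and f & ACK:
        return "open"           # the stack performed step 2 of the handshake
    if f & RST:
        return "closed"         # no listener on that port
    return "unknown"


class FakeTarget:
    """Constructed stand-in for the remote host (not a real stack): listening
    ports answer SYN/ACK, closed ports answer RST/ACK, firewalled ports stay silent."""

    def __init__(self, listening, dropped=()):
        self.listening, self.dropped = set(listening), set(dropped)
        self.seen = []          # every segment the scanner sent, for inspection

    def receive(self, segment):
        self.seen.append(segment)
        sport, dport, seq = struct.unpack("!HHI", segment[:8])
        if dport in self.dropped or not flags_of(segment) & SYN:
            return None         # dropped by the firewall, or a non-SYN such as our RST
        flags = SYN | ACK if dport in self.listening else RST | ACK
        return build_segment(TARGET_IP, SCANNER_IP, dport, sport, flags, seq=1000, ack=seq + 1)


def syn_probe(target, port, sport=40000):
    """One half-open probe: SYN out, classify the reply, and on SYN/ACK answer
    with RST instead of ACK so the handshake is never completed."""
    syn = build_segment(SCANNER_IP, TARGET_IP, sport, port, SYN, seq=42)
    reply = target.receive(syn)
    state = classify(reply)
    if state == "open":
        target.receive(build_segment(SCANNER_IP, TARGET_IP, sport, port, RST, seq=43))
    return state


def scan(target, ports):
    return {p: syn_probe(target, p) for p in ports}


def handshake_completed(target):
    """True if the scanner ever sent an ACK, i.e. ever established a connection."""
    return any(flags_of(s) & ACK for s in target.seen)


if __name__ == "__main__":
    host = FakeTarget(listening={22, 80}, dropped={25})
    for port, state in scan(host, [22, 25, 80, 443]).items():
        print(f"{port}/tcp {state}")
    print("connection ever established:", handshake_completed(host))
```

The RST that follows each SYN/ACK is the whole point of the technique: the target's kernel discards the half-open entry, and the application listening on that port is never notified, which is why connect-scan style logging at the service level does not see the probe.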

Syntax

The -sS flag tells Nmap to perform a SYN (stealth) scan of the target.

nmap -sS <Server name/IP address of a server>

The target can be given either as a hostname or as an IP address after the -sS flag. The ports to probe can be restricted with -p (for example, -p 22,80,443); without it, Nmap scans its default set of the most common ports.

Coding example

Let's scan Nmap's official test host, scanme.nmap.org, with a stealth scan:

nmap -sS scanme.nmap.org

Nmap prints one line per scanned port, showing its number and protocol, its state (open, closed, or filtered), and the service normally associated with that port number. A stealth scan therefore tells us which ports are open and which services are likely behind them, without ever completing a connection to those services.
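Scripting the scan above, as an added example that is not code from this page or from the Nmap project: it runs nmap -sS with -oX - (XML report on stdout) and --reason, both real Nmap options, and reduces the report to a port-to-state map. SAMPLE_XML is a constructed report for the documentation address 192.0.2.10, not a result from scanme.nmap.org or any other host; parse_report() works on it offline, while run_syn_scan() needs the nmap binary and raw-socket privileges.

```python
"""Run a SYN scan and read its result programmatically.

Added example, not code from the page or from Nmap. SAMPLE_XML is a
constructed Nmap XML report for a documentation address so parsing can be
exercised without scanning anything.
"""
import subprocess
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS --reason -oX - 192.0.2.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/><service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""


def syn_scan_command(target, ports=None, extra=()):
    """Argument list for a SYN scan whose report is XML on stdout (-oX -).
    --reason makes Nmap record why it chose each state: syn-ack, reset, no-response."""
    cmd = ["nmap", "-sS", "--reason", "-oX", "-"]
    if ports:
        cmd += ["-p", ",".join(str(p) for p in ports)]
    cmd += list(extra)          # e.g. ["-T2"] to slow the probe rate, ["-f"] to fragment
    cmd.append(target)
    return cmd


def run_syn_scan(target, ports=None, extra=()):
    """Run nmap and return the parsed report. Raises if nmap is missing or exits
    non-zero; for -sS that usually means it was run without raw-socket privileges."""
    out = subprocess.run(syn_scan_command(target, ports, extra),
                         check=True, capture_output=True, text=True).stdout
    return parse_report(out)


def parse_report(xml_text):
    """{address: {port: (state, reason, service)}} from an Nmap XML report."""
    report = {}
    for host in ET.fromstring(xml_text).iter("host"):
        # A host may carry several <address> elements (ipv4, mac); take the IPv4 one.
        addr = next(a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4")
        ports = {}
        for port in host.iter("port"):
            st = port.find("state")
            svc = port.find("service")
            ports[int(port.get("portid"))] = (
                st.get("state"),
                st.get("reason"),
                svc.get("name") if svc is not None else None,
            )
        report[addr] = ports
    return report


def open_ports(report, addr):
    """Ports the SYN scan reported open for one host, sorted."""
    return sorted(p for p, (state, _, _) in report[addr].items() if state == "open")


if __name__ == "__main__":
    rep = parse_report(SAMPLE_XML)
    for port, (state, reason, svc) in sorted(rep["192.0.2.10"].items()):
        print(f"{port}/tcp {state:9} {reason:12} {svc}")
    print("open:", open_ports(rep, "192.0.2.10"))
```

The reason column is worth keeping in scan records: syn-ack and reset are direct answers from the target's TCP stack, while no-response means the verdict rests on silence, which could equally be a firewall, packet loss, or a host that rate-limits replies.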

Copyright ©2025 Educative, Inc. All rights reserved