HTB Academy - Network discovery with Nmap: -sT being the most stealthy scan is inaccurate info?

Hello everyone,

So I was reading through the “Network discovery with Nmap” module, and when I reached the “Host and Port scanning” section, I saw this bit of information being said about the -sT (TCP Connection scan):

The Connect scan is useful because it is the most accurate way to determine the state of a port, and it is also the most stealthy. Unlike other types of scans, such as the SYN scan, the Connect scan does not leave any unfinished connections or unsent packets on the target host, which makes it less likely to be detected by intrusion detection systems (IDS) or intrusion prevention systems (IPS).

Nevertheless, according to the official Nmap documentation, they say that -sS is the most stealthy TCP scan, precisely because it does not make a connection:

SYN scan is the default and most popular scan option for good reason. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections.

When discussing TCP Connect scan in the Nmap official docu, this is what they say:

When SYN scan is available, it is usually a better choice. Nmap has less control over the high level connect call than with raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been connect scanned.

Is there something I’m missing, or are these bits of information contradicting each other (Nmap docu vs HTB Academy)?

-sS docu: https://nmap.org/book/synscan.html
-sT docu: https://nmap.org/book/scan-methods-connect-scan.html

The network is a very complex and vast world. You don’t fossilize on the concept word by word, because every system has its own peculiarities.

The concept is this: -sT makes a complete handshake, -sS does not. Probably, if you make a -sT on a known port it is stealthier than -sS, and if you make a -sT on an unknown port it can alarm someone.

I think that every situation is different, and only with a 360-degree view can one really get an answer.

Thanks for your answer, it definitely makes sense.

I wish they would at least mention something along the lines of what you said so that complete newcomers don’t get the wrong idea about -sT being stealthier no matter what!

In addition to what the previous answer says:

A nmap module offered by one of HTBs competitors phrases it along those lines: TCP SYN scan used to be stealthier as defenders were often just analyzing established connections. But since the SYN scan technique is now widely known, this advantage is often negated against targets prepared for it, while the disadvantage of anomalous behavior (just SYN and never ACK) stayed.

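To make the two points above concrete (the full handshake of -sT versus the half-open -sS, and the "just SYN and never ACK" anomaly), here is an added example that is not from this thread or from Nmap: a small Python classifier run over constructed per-flow TCP flag sequences, labelling each flow the way a defender reviewing a capture would. The sample packets and the label names are assumptions made for the example.

```python
# Added example (not from the thread): label constructed TCP flows so a defender
# can see why a half-open SYN scan and a full connect-then-close look different.
# Records: (src, dst, dport, direction, tcp_flags, payload_len), constructed here.
SAMPLE_PACKETS = [
    # SYN scan pattern: SYN -> SYN/ACK -> RST, handshake never completed
    ("10.0.0.5", "10.0.0.20", 22, "c2s", "S", 0),
    ("10.0.0.5", "10.0.0.20", 22, "s2c", "SA", 0),
    ("10.0.0.5", "10.0.0.20", 22, "c2s", "R", 0),
    # connect scan pattern: full handshake, then close without sending data
    ("10.0.0.5", "10.0.0.20", 80, "c2s", "S", 0),
    ("10.0.0.5", "10.0.0.20", 80, "s2c", "SA", 0),
    ("10.0.0.5", "10.0.0.20", 80, "c2s", "A", 0),
    ("10.0.0.5", "10.0.0.20", 80, "c2s", "FA", 0),
    # ordinary client: handshake, then application data
    ("10.0.0.9", "10.0.0.20", 80, "c2s", "S", 0),
    ("10.0.0.9", "10.0.0.20", 80, "s2c", "SA", 0),
    ("10.0.0.9", "10.0.0.20", 80, "c2s", "A", 0),
    ("10.0.0.9", "10.0.0.20", 80, "c2s", "PA", 120),
    # closed port: SYN answered by RST/ACK (both scan types look alike here)
    ("10.0.0.5", "10.0.0.20", 8080, "c2s", "S", 0),
    ("10.0.0.5", "10.0.0.20", 8080, "s2c", "RA", 0),
]

def classify_flow(packets):
    """Label one flow from its ordered (direction, flags, payload_len) tuples."""
    c2s = [(f, n) for d, f, n in packets if d == "c2s"]
    s2c = [(f, n) for d, f, n in packets if d == "s2c"]
    synack_seen = any("S" in f and "A" in f for f, _ in s2c)
    # a bare client ACK after the SYN/ACK completes the handshake, as connect() does
    completed = synack_seen and any(f == "A" for f, _ in c2s)
    data_sent = any(n > 0 for _, n in c2s)
    if not synack_seen:
        return "closed-or-filtered"   # RST or silence: no state on the target
    if not completed:
        return "half-open-syn-scan"   # SYN/ACK answered by RST, never ACKed
    if not data_sent:
        return "connect-then-close"   # the empty connection a service may log
    return "normal"

def classify_all(packets=SAMPLE_PACKETS):
    """Group packets into (src, dst, dport) flows and label each one."""
    flows = {}
    for src, dst, dport, direction, flags, n in packets:
        flows.setdefault((src, dst, dport), []).append((direction, flags, n))
    return {key: classify_flow(pkts) for key, pkts in flows.items()}

if __name__ == "__main__":
    for flow, label in classify_all().items():
        print(flow, "->", label)
```

Note that the closed-port case comes out the same for both scan types, which is why the distinction in the thread only matters for ports that answer with SYN/ACK.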

Good contribution, Gordin.

You’re welcome Sk4na, as the years go by everyone can learn a fundamental concept: that life in the real world isn’t only 0 or 1. Now, with quantum computers, it isn’t true even in computer science anymore.

To quote HTB: think outside the box!

Thank you both for the insights!

The pieces of information stated about TCP scanning using the -sT and -sS options in Nmap do contradict each other. The Nmap documentation states that SYN scanning (-sS) is more stealthy and efficient because it does not terminate TCP connections, making it less likely to be detected by intrusion detection and intrusion prevention systems. However, when it comes to TCP Connect (-sT) scanning, Nmap indicates its less efficient and more visible nature, which may attract the attention of system administrators and intrusion detection systems. Thus, the contradiction between pieces of information in HTB Academy and the official Nmap documentation raises questions about the correctness of the information presented in an academic context. It may be worth doing more research and consulting official sources for more accurate information about the different TCP scanning methods in Nmap.