Question

What is(are) the difference(s) between stealth scan and full scan? When would you use one or another?

Answer 1

# Nmap Stealth Scan

• Syntax : nmap -sS <IP>
• Also called SYN scan
• It is the default scan, if you don't provide any flags, nmap will resolve to performing stealth scan.
• It is very fast, and can scan thousands of ports in small amount of time relative to full scan.
• It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do.
• It requires low packet privilages
• Nmap Sends a SYN request to host, if the host returns a SYN-ACK response, nmap knows the port is open. Then it sends a RST to terminate the handshake.
• It is also called half-open scanning

# Nmap Full Scan

• Syntax: nmap -sT <IP>
• If the host uses ipv6, then this type of scan it to be used rather than SYN scan.
• Nmap sends SYN request to host, if the host returns a SYN-ACK, nmap then connects to it by sending ACK packet, grabs the banner of the service that is running and then sends an RST to terminate the connection.
• Full scan is useful when we are intrested in the version of service running on a specific port
• It required higher privilages and is noisy.
• It can easily be detected by the sysadmin