Topic starter
SYN scans and TCP connect scans are techniques used in network scanning to identify open ports on a target system, but they operate in different ways and have distinct characteristics.
SYN Scan

- Method:
  - A SYN scan, often referred to as a "half-open scan," involves sending a SYN packet (part of the TCP handshake) to a target port.
  - If the port is open, the target responds with a SYN-ACK packet.
  - The scanner then sends an RST packet to tear down the connection before it is fully established, hence the term "half-open."
- Stealth:
  - SYN scans are relatively stealthy compared to TCP connect scans. Since the connection is never fully established, the scan is less likely to be logged by the target system.
- Speed:
  - SYN scans are generally faster because they do not complete the TCP handshake, which avoids some of the overhead involved in establishing a full connection.
- Detection:
  - While less detectable than TCP connect scans, SYN scans can still be detected by advanced intrusion detection systems (IDS) or firewalls that look for unusual patterns in network traffic.
- Usage:
  - SYN scans are often used in tools like Nmap for efficient port scanning.

TCP Connect Scan

- Method:
  - A TCP connect scan involves attempting to complete the full TCP handshake (SYN, SYN-ACK, ACK) with the target port.
  - If the handshake is successful, the port is open, and the connection is established.
  - The scanner then closes the connection with a FIN or RST packet.
- Stealth:
  - TCP connect scans are less stealthy because they complete the full TCP handshake and establish a connection, which is more likely to be logged by the target system.
- Speed:
  - TCP connect scans can be slower compared to SYN scans due to the additional steps involved in completing the full handshake and establishing a connection.
- Detection:
  - Since the connection is fully established, TCP connect scans are more likely to be detected by logging mechanisms on the target system.
- Usage:
  - TCP connect scans are sometimes used when SYN scans are not feasible, such as when firewalls or other security mechanisms are configured to detect or block SYN scans.
In summary, SYN scans are more stealthy and faster, making them useful for avoiding detection, while TCP connect scans are straightforward but more detectable due to their complete handshake process.
Posted : 12/08/2024 10:06 pm
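A defender-side illustration of the distinction drawn in the post above, added here as an example and not part of the original post: it classifies TCP flow records as half-open (the SYN-scan pattern), fully connected, closed or unanswered, which is why SYN probes are visible to a network sensor even though the target's own connection logs never see a completed handshake. The flow tuples, addresses and function names are all constructed for this example.

```python
from collections import Counter, defaultdict

HALF_OPEN, FULL_CONNECT, CLOSED, NO_REPLY = "half-open", "full-connect", "closed", "no-reply"

# Constructed flow records (src, dst, server_port, tcp_flags) as a sensor might
# emit them; 10.0.0.9 probes 10.0.0.5 half-open, 10.0.0.7 completes a real session.
SAMPLE = [
    ("10.0.0.9", "10.0.0.5", 22, "S"), ("10.0.0.5", "10.0.0.9", 22, "SA"),
    ("10.0.0.9", "10.0.0.5", 22, "R"),                      # SYN, SYN-ACK, RST: half-open
    ("10.0.0.9", "10.0.0.5", 80, "S"), ("10.0.0.5", "10.0.0.9", 80, "SA"),
    ("10.0.0.9", "10.0.0.5", 80, "R"),                      # same pattern on port 80
    ("10.0.0.9", "10.0.0.5", 23, "S"), ("10.0.0.5", "10.0.0.9", 23, "RA"),  # closed port
    ("10.0.0.9", "10.0.0.5", 443, "S"),                     # no answer (filtered/dropped)
    ("10.0.0.7", "10.0.0.5", 22, "S"), ("10.0.0.5", "10.0.0.7", 22, "SA"),
    ("10.0.0.7", "10.0.0.5", 22, "A"), ("10.0.0.7", "10.0.0.5", 22, "FA"),  # full connect
]

def classify_flow(packets):
    """Verdict for one (client, server, port) flow, packets in capture order.
    The first packet must be the client's bare SYN."""
    if not packets or "S" not in packets[0][3] or "A" in packets[0][3]:
        return "not-a-handshake"
    client, server = packets[0][0], packets[0][1]
    saw_synack = False
    for src, _dst, _port, flags in packets[1:]:
        if src == server:
            if "R" in flags:                 # RST from the server: port closed
                return CLOSED
            if "S" in flags and "A" in flags:
                saw_synack = True            # port is open; handshake half done
        elif src == client and saw_synack:
            if "A" in flags and "R" not in flags:
                return FULL_CONNECT          # third handshake step completed
            if "R" in flags:
                return HALF_OPEN             # torn down before completion
    return HALF_OPEN if saw_synack else NO_REPLY

def group_flows(packets):
    """Bucket packets by endpoint pair and server port, preserving order."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[(frozenset((pkt[0], pkt[1])), pkt[2])].append(pkt)
    return flows

def scan_report(packets):
    """Per-initiator tally of verdicts; many half-open flows is the SYN-scan signature."""
    report = defaultdict(Counter)
    for pkts in group_flows(packets).values():
        report[pkts[0][0]][classify_flow(pkts)] += 1
    return {src: dict(c) for src, c in report.items()}

def likely_syn_scanners(packets, threshold=2):
    """Sources whose half-open count reaches the threshold."""
    return sorted(s for s, c in scan_report(packets).items() if c.get(HALF_OPEN, 0) >= threshold)
```

Only the 10.0.0.7 session would appear in the target's application or connection logs; the half-open probes are visible solely at the packet level, which is the detection gap the post describes.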