This lesson explains TCP Connect (full-open) and SYN (half-open) scans: how they work at the protocol level, when to use each, what defenders look for, and high-level evasion concepts. It emphasizes ethics, detection strategies for defenders, and practical takeaways for authorized scanning and testing.
TCP Connect vs SYN Scanning — The Knock, The Nod, and the Ghost

You already did the map-making (Footprinting and Reconnaissance) and learned who's alive on the network (Host Discovery). Now it's time to knock on the doors and see which services answer. But do it like a responsible guest, not a...
Quick refresher (no replay, promised)

You already:
- Collected OSINT to prioritize targets (Footprinting).
- Chose a scanning strategy and target list.
- Performed host discovery using ARP/ICMP when appropriate.

Now you're deciding how to ask a target which services it's running. The two classi...
The TCP handshake (the tiny drama that explains everything)

Client -> Server : SYN      (Hey, I want to talk)
Server -> Client : SYN-ACK  (I hear you, here's how I respond)
Client -> Server : ACK      (Great — established)

A completed three-way handshake = a full TCP connection. If the server re...
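To make the handshake concrete at the byte level, here is an added example (not code from the original lesson) that builds the TCP header a half-open scanner would send, computes its checksum, and reads the flags of the reply the way the scanner does. Nothing is sent: the 192.0.2.x addresses, ports and sequence numbers are constructed sample values, so it runs offline with only the standard library. Putting such a probe on the wire would need a raw socket and elevated privileges.

```python
"""Build a TCP SYN probe and read the reply the way a half-open scanner does.

Added example, not code from the original lesson. Nothing is put on the
wire: the segments are constructed in memory (addresses 192.0.2.x and the
port numbers are constructed sample values) so the header layout, checksum
and open/closed/filtered decision can be studied offline with only the
standard library. Sending real probes needs a raw socket and root.
"""
import socket
import struct
from typing import Optional

# Flag bits of the TCP header's flags byte (RFC 9293), low bit first.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """With a correct checksum in place, pseudo-header plus segment sums to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int,
                  seq: int = 0, ack: int = 0, window: int = 65535) -> bytes:
    """20-byte TCP header, no options, no payload, checksum filled in."""
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def describe(segment: bytes) -> str:
    """'sport -> dport [FLAGS]' for a TCP header."""
    sport, dport = struct.unpack("!HH", segment[:4])
    flags = segment[13]
    names = ",".join(name for bit, name in FLAG_NAMES.items() if flags & bit)
    return "%d -> %d [%s]" % (sport, dport, names)


def classify_reply(reply: Optional[bytes]) -> str:
    """What a SYN scanner concludes from the segment that answers its SYN."""
    if reply is None:
        return "filtered"  # nothing came back (or an ICMP unreachable): a filter ate the probe
    flags = reply[13]
    if flags & SYN and flags & ACK:
        return "open"      # something is listening; the scanner now tears down with RST
    if flags & RST:
        return "closed"    # host reachable, nothing listening on that port
    return "unknown"


def half_open_exchange(scanner: str, target: str, sport: int, dport: int,
                       probe_isn: int, target_isn: int) -> list:
    """The three segments of a SYN scan against an open port (constructed, not captured)."""
    probe = build_segment(scanner, target, sport, dport, SYN, seq=probe_isn)
    reply = build_segment(target, scanner, dport, sport, SYN | ACK, seq=target_isn, ack=probe_isn + 1)
    # Instead of the ACK that would complete the handshake, a RST carrying the
    # sequence number the target expects; the target application never sees a connection.
    teardown = build_segment(scanner, target, sport, dport, RST, seq=probe_isn + 1)
    return [probe, reply, teardown]


if __name__ == "__main__":
    exchange = half_open_exchange("192.0.2.10", "192.0.2.20", 40000, 22, 1000, 5000)
    for seg in exchange:
        print(describe(seg))
    print("verdict:", classify_reply(exchange[1]))
```

The checksum covers the IPv4 pseudo-header as well as the segment, which is why a crafted probe with the right header bytes but a checksum computed over the segment alone is silently dropped by the target and looks, to the scanner, exactly like a filtered port.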
What are they, in plain (slightly dramatic) English?

TCP Connect (Full-open)
The scanner performs a complete TCP handshake with the target port using the operating system's ordinary connect() call. If the handshake succeeds, the port is open; the scanner then closes the connection politely (or awkwardly). Because a real connection was established, the service on the other end sees it and will usually log it.
Analogy: You walk up to a door, enter t...
SYN Scan (Half-open / Stealthy-ish)
The scanner crafts a raw SYN and waits. A SYN-ACK means the port is open; a RST means it is closed; no reply at all (or an ICMP unreachable) means something filtered the probe. On an open port the scanner never sends the final ACK: it (or its own kernel, which has no socket for the unexpected SYN-ACK) answers with RST, tearing the handshake down before completion, so the target application never sees a connection.
Analogy: You press the doorbell, peek through the window, and leave before the homeowner opens the door. Less ...
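The full-open variant needs nothing but ordinary sockets, so it can be demonstrated end to end. The following added example (not code from the original lesson) scans one open and one closed port on 127.0.0.1; the "open" service is a listener constructed in-process, the port numbers are whatever the OS hands out, and the listener counts the connections it receives to show that a connect scan is visible to the application on the far end. Mapping connect_ex() error codes to open/closed/filtered is the scanner logic; the thresholds and the loopback setup are assumptions for the demo.

```python
"""TCP connect (full-open) scan against a couple of loopback ports.

Added example, not code from the original lesson. It uses ordinary OS
sockets only (no raw sockets, no root, which is the point of a connect
scan). The 'open' service is a listener constructed in-process on
127.0.0.1 so the example runs offline; the port numbers are whatever the
OS hands out. The listener also counts the connections it receives to
show that a connect scan is visible to the application on the far end.
"""
import errno
import socket
import threading
import time
from typing import Dict, Iterable, List, Tuple

# errno values connect_ex() returns for the verdicts a full-open scan can give
CLOSED_ERRNOS = {errno.ECONNREFUSED}  # the target answered the SYN with RST
FILTERED_ERRNOS = {errno.EAGAIN, errno.EWOULDBLOCK, errno.ETIMEDOUT, errno.EHOSTUNREACH}


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Complete the three-way handshake on each port, then close the connection."""
    verdicts: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            err = s.connect_ex((host, port))  # returns 0 or an errno instead of raising
            if err == 0:
                # Handshake done: the service saw a real connection. Close it properly
                # (FIN) rather than leaving a half-closed socket behind.
                try:
                    s.shutdown(socket.SHUT_RDWR)
                except OSError:
                    pass
                verdicts[port] = "open"
            elif err in CLOSED_ERRNOS:
                verdicts[port] = "closed"
            elif err in FILTERED_ERRNOS:
                verdicts[port] = "filtered"  # neither SYN-ACK nor RST within the timeout
            else:
                verdicts[port] = "error(%s)" % errno.errorcode.get(err, err)
    return verdicts


def start_listener() -> socket.socket:
    """An 'open' service: a TCP listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def free_port() -> int:
    """Bind and release an ephemeral port so we have a known-closed target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def accept_and_log(srv: socket.socket, stop: threading.Event, seen: List[Tuple[str, int]]) -> None:
    """Stand-in for the application: record each peer that completed a handshake."""
    srv.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, peer = srv.accept()
        except socket.timeout:
            continue
        except OSError:
            break
        seen.append(peer)  # this is the line sshd/httpd/etc. would write to its log
        conn.close()


def demo_scan() -> Tuple[Dict[int, str], int, int, int]:
    """Scan one open and one closed loopback port; return verdicts and what the service saw."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = free_port()
    seen: List[Tuple[str, int]] = []
    stop = threading.Event()
    worker = threading.Thread(target=accept_and_log, args=(srv, stop, seen), daemon=True)
    worker.start()
    try:
        verdicts = connect_scan("127.0.0.1", [open_port, closed_port])
        deadline = time.time() + 2.0
        while not seen and time.time() < deadline:  # give the accept loop a moment
            time.sleep(0.01)
    finally:
        stop.set()
        worker.join()
        srv.close()
    return verdicts, open_port, closed_port, len(seen)


if __name__ == "__main__":
    verdicts, open_port, closed_port, connections_seen = demo_scan()
    for port, verdict in verdicts.items():
        print("127.0.0.1:%d %s" % (port, verdict))
    print("connections the 'service' logged:", connections_seen)
```

The count returned by demo_scan() is the whole noise argument in one number: every open port a connect scan finds is a connection the application accepted, which a SYN scan of the same port never produces.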
Comparison table (TL;DR)

Feature            | TCP Connect               | SYN Scan
-------------------|---------------------------|---------------------------------------
Noise level        | High (full connections)   | Lower (no full connections)
Reliability        | Very reliable             | Reliable, but some defenses interfere
Privileges needed  | Normal OS sockets         | Raw sockets / elevated privileges
Detectable by IDS  ...
High-level view of evasion (for defender empathy)

I'll be blunt: teaching people how to evade detection is a tightrope. Instead of a toolkit, here's a categorization of evasion strategies so defenders can understand and prepare. I'll deliberately avoid granular, how-to steps. Common evasion cate...
How defenders detect and respond (actionable for defenders, not attackers)

- Monitor SYN/connection ratios: lots of SYNs that never become established connections is suspicious.
- Correlate network flow logs with host logs: handshakes that never completed, unexpected resets, and connection attempts no application logged tell tales.
- Use baselining: ...
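As an added example for the first two points above (not code from the lesson), here is the SYN/connection-ratio check run over a constructed, simplified Zeek-style conn.log. The fields (ts, id.orig_h, id.resp_h, id.resp_p, conn_state, orig_bytes), the three 10.0.0.x hosts and the thresholds are all assumptions for the demo, to be tuned against your own baseline. It also handles the classic false positive a ratio-only rule produces: a client retrying one dead server.

```python
"""Flag sources whose SYNs rarely become real connections (scan detection).

Added example for the defender notes above; it is not code from the lesson.
The input is a constructed, simplified Zeek conn.log (tab-separated fields
ts, id.orig_h, id.resp_h, id.resp_p, conn_state, orig_bytes) with three
made-up hosts; the thresholds are assumptions to tune against your own
baseline, not recommended values.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: 10.0.0.5 SYN-scans 10.0.0.20 (REJ = RST came back, S0 = no reply,
# RSTO with 0 bytes = SYN-ACK answered by the scanner's RST); 10.0.0.7 is a normal
# client with one mistyped port; 10.0.0.9 keeps retrying a database that is down.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tconn_state\torig_bytes
1700000000.10\t10.0.0.5\t10.0.0.20\t21\tREJ\t0
1700000000.11\t10.0.0.5\t10.0.0.20\t23\tREJ\t0
1700000000.12\t10.0.0.5\t10.0.0.20\t25\tREJ\t0
1700000000.13\t10.0.0.5\t10.0.0.20\t80\tRSTO\t0
1700000000.14\t10.0.0.5\t10.0.0.20\t110\tREJ\t0
1700000000.15\t10.0.0.5\t10.0.0.20\t135\tS0\t0
1700000000.16\t10.0.0.5\t10.0.0.20\t139\tS0\t0
1700000000.17\t10.0.0.5\t10.0.0.20\t143\tREJ\t0
1700000000.18\t10.0.0.5\t10.0.0.20\t443\tRSTO\t0
1700000000.19\t10.0.0.5\t10.0.0.20\t445\tREJ\t0
1700000000.20\t10.0.0.5\t10.0.0.20\t3306\tREJ\t0
1700000000.21\t10.0.0.5\t10.0.0.20\t8080\tREJ\t0
1700000001.00\t10.0.0.7\t10.0.0.20\t443\tSF\t512
1700000002.00\t10.0.0.7\t10.0.0.20\t22\tSF\t1400
1700000003.00\t10.0.0.7\t10.0.0.20\t443\tSF\t2048
1700000004.00\t10.0.0.7\t10.0.0.20\t8443\tREJ\t0
1700000005.00\t10.0.0.7\t10.0.0.20\t80\tSF\t300
1700000006.00\t10.0.0.7\t10.0.0.20\t22\tSF\t7000
1700000007.00\t10.0.0.7\t10.0.0.20\t443\tSF\t640
1700000010.00\t10.0.0.9\t10.0.0.30\t5432\tS0\t0
1700000011.00\t10.0.0.9\t10.0.0.30\t5432\tS0\t0
1700000012.00\t10.0.0.9\t10.0.0.30\t5432\tS0\t0
1700000013.00\t10.0.0.9\t10.0.0.30\t5432\tS0\t0
1700000014.00\t10.0.0.9\t10.0.0.30\t5432\tS0\t0
1700000015.00\t10.0.0.9\t10.0.0.30\t5432\tS0\t0
1700000016.00\t10.0.0.9\t10.0.0.30\t5432\tS0\t0
1700000017.00\t10.0.0.9\t10.0.0.30\t5432\tS0\t0
1700000018.00\t10.0.0.9\t10.0.0.30\t5432\tS0\t0
1700000019.00\t10.0.0.9\t10.0.0.30\t5432\tS0\t0
"""

COMPLETED_STATES = {"SF", "S1", "S2", "S3"}  # handshake finished, data could flow


def parse_conn_log(text: str) -> List[dict]:
    """Parse the tab-separated records, skipping Zeek's '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, state, orig_bytes = line.split("\t")
        records.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                        "resp_p": int(resp_p), "conn_state": state, "orig_bytes": int(orig_bytes)})
    return records


def completed(rec: dict) -> bool:
    """A connection that fully opened, or that was reset only after carrying payload."""
    if rec["conn_state"] in COMPLETED_STATES:
        return True
    # SYN, SYN-ACK, RST with zero originator bytes is exactly a half-open probe
    # against an open port, so established-then-reset only counts with payload.
    return rec["conn_state"] in {"RSTO", "RSTR"} and rec["orig_bytes"] > 0


def summarize(records: List[dict]) -> Dict[str, dict]:
    """Per-source counts: flows, completions, half-open probes, distinct host:port targets."""
    per_src = defaultdict(lambda: {"flows": 0, "completed": 0, "half_open": 0, "targets": set()})
    for rec in records:
        s = per_src[rec["orig_h"]]
        s["flows"] += 1
        s["targets"].add((rec["resp_h"], rec["resp_p"]))
        if completed(rec):
            s["completed"] += 1
        elif rec["conn_state"] == "RSTO" and rec["orig_bytes"] == 0:
            s["half_open"] += 1
    return per_src


def detect_scanners(records: List[dict], min_flows: int = 10, max_completion: float = 0.2,
                    min_targets: int = 5) -> Dict[str, dict]:
    """Sources with many attempts, few completions, spread over many host:port targets.

    The spread requirement keeps a client hammering one dead server out of the
    findings; a SYN-ratio rule alone would flag it.
    """
    findings = {}
    for src, s in summarize(records).items():
        if s["flows"] < min_flows:
            continue
        completion = s["completed"] / s["flows"]
        if completion <= max_completion and len(s["targets"]) >= min_targets:
            findings[src] = {"flows": s["flows"], "completion_ratio": round(completion, 3),
                             "half_open": s["half_open"], "distinct_targets": len(s["targets"])}
    return findings


if __name__ == "__main__":
    for src, finding in detect_scanners(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(src, finding)
```

Two details carry the defender's point: the half_open counter is the SYN scan's own fingerprint (a SYN-ACK answered by RST with no payload), and 10.0.0.9 shows why the ratio must be paired with target spread before anyone gets paged.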