Nmap Stealth Scanning

Mastering Advanced Stealth Scanning Techniques for Auditing

Nmap stealth scanning, specifically the TCP SYN scan technique, serves as the primary diagnostic tool for validating firewall egress rules and identifying exposed services without completing the full TCP three-way handshake. In high density network environments, such as those managing critical water or energy grid logic controllers, traditional connect scans create excessive overhead and log noise. This results in potential service latency or, in extreme cases, the triggering of rate limiting mechanisms that obscure the genuine attack surface. The problem centers on the balance between visibility and network stability; a full connection scan might crash a legacy industrial control system (ICS) or induce thermal-inertia in hardware by overwhelming connection tables. A stealth scan provides the required intelligence while maintaining operational continuity. By utilizing packet encapsulation techniques and manipulating TCP header flags, auditors can map infrastructure layouts with a minimal footprint, ensuring that the auditing process is idempotent and does not disrupt the production environment.

Technical Specifications

| Requirement | Default Port Range | Protocol/Standard | Impact Level (1-10) | Recommended Resources |
| :--- | :--- | :--- | :--- | :--- |
| Root/Sudo Privileges | 1-65535 (TCP/UDP) | IEEE 802.3 / TCP/IP | 4 | 2 vCPU / 4GB RAM |
| libpcap Library | N/A | POSIX.1-2008 | 2 | 100MB Disk Space |
| nmap Binary | Filtered/Unfiltered | RFC 793 (TCP) | 5 | Low CPU Overhead |
| Kernel Raw Socket Support | Non-privileged | Linux/Unix Kernel | 3 | High Interrupt Priority |

The Configuration Protocol

Environment Prerequisites:

Successful stealth scanning requires an environment configured for raw socket manipulation. The auditing workstation must run a modern Linux distribution with nmap version 7.90 or higher. You must ensure that libpcap-dev is installed to handle packet capture and injection. Users require sudo access because raw socket creation is a privileged operation at the kernel level. From a networking standpoint, the environment must allow outgoing packets with customized TCP flags; some cloud providers or egress filters may drop these packets if they detect non-standard header configurations. Ensure the MTU settings on the local interface eth0 or wlan0 are set to standard 1500 bytes to avoid unnecessary packet fragmentation unless specifically testing for firewall bypass logic.

Section A: Implementation Logic:

The implementation logic behind a stealth scan resides in the manipulation of the TCP state machine. In a standard scan, the auditing tool completes the SYN, SYN-ACK, ACK sequence. This final ACK triggers the application layer of the target service to log a connection attempt. Stealth scanning, or “half-open” scanning, sends the initial SYN packet and waits for the SYN-ACK response. Once the SYN-ACK is received, the scanner immediately sends a RST (Reset) packet instead of an ACK. This prevents the connection from being fully established; consequently, the application layer never receives the data, and the attempt often remains unlogged by the service. This methodology reduces the throughput required for a heavy audit and minimizes the payload size, effectively lowering the chance of triggering packet-loss alarms or signal-attenuation thresholds in stressed network segments.

Step-By-Step Execution

Step 1: Initiating the Basic SYN Stealth Scan

Execute the command: sudo nmap -sS -Pn
System Note: The -sS option instructs nmap to bypass the standard connect() system call and instead use a raw socket to craft a packet with only the SYN flag set. The -Pn flag skips host discovery (the initial ICMP echo request and the related ping probes), which enterprise firewalls often block. This minimizes the initial footprint and avoids the latency of waiting for a ping response that may never arrive.

Step 2: Fragmenting Portions of the IP Header

Execute the command: sudo nmap -sS -f --mtu 24
System Note: The -f flag splits each probe into small IP fragments, so the TCP header is spread across multiple packets. By reducing the MTU to a value like 24 (nmap requires --mtu to be a multiple of 8), the scanner forces the target firewall or intrusion detection system (IDS) to reassemble the fragments before it can inspect the header. If the IDS has a small reassembly buffer or a high concurrency load, it may pass the fragments without inspection to maintain throughput, effectively bypassing deep packet inspection rules.

Step 3: Implementing Decoy Scans for Traffic Camouflage

Execute the command: sudo nmap -sS -D RND:10
System Note: This command generates 10 random “decoy” IP addresses that appear to be scanning the target simultaneously with the auditor’s actual IP. This creates significant noise in the target’s firewall logs. The underlying network infrastructure must handle the increased packet concurrency, but the auditor is shielded because the defender cannot easily distinguish which of the 11 sources is the legitimate audit origin. This is critical in high-sensitivity cloud environments where automated blocking is based on single-source volume.

Step 4: Customizing the Source Port and Payload

Execute the command: sudo nmap -sS --source-port 53 --data-length 25
System Note: Many legacy firewalls are configured to allow all traffic originating from common ports such as 53 (DNS) or 67 (DHCP) to pass through the perimeter unchallenged. By setting --source-port to 53, the auditor exploits this misconfiguration. Additionally, --data-length appends a 25-byte random payload to every packet, making the scan look like generic application traffic rather than a skeletonized stealth scan. This prevents signature-based detection systems from flagging the activity as a probe.

Step 5: Modifying Scan Timing and Aggression

Execute the command: sudo nmap -sS -T2
System Note: The -T2 (polite) timing template increases the delay between individual probes. This reduces the packets-per-second rate, which is vital when auditing low power logic-controllers or older energy grid sensors that may experience thermal-inertia or CPU exhaustion if bombarded with traffic. While this increases total audit time, it minimizes the risk of service disruption and ensures the process remains non-destructive.

Section B: Dependency Fault-Lines:

Auditors often encounter failures when the local machine’s kernel automatically sends a RST packet before nmap can process the SYN-ACK. This occurs because the kernel sees an incoming SYN-ACK for a connection it did not initiate through the standard stack. To resolve this, use iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP to prevent the kernel from interfering with the scan results. Another bottleneck involves the pcap buffer size; in high traffic environments, the scanner may drop packets if the buffer overflows, leading to inaccurate results that suggest a port is filtered when it is actually open. Always verify that the network interface counter /sys/class/net/eth0/statistics/rx_dropped shows zero increments during the audit.

THE TROUBLESHOOTING MATRIX

Section C: Logs & Debugging:

When a stealth scan yields “Filtered” results across all ports, investigate the potential for an egress filter or an intermediate transparent proxy. Use the command sudo nmap -sS --packet-trace to view the raw packet flow in real time. This displays the exact flags sent and received alongside the timestamps. If the log shows a “Type 3, Code 13” ICMP error, this specifically identifies that the communication is administratively prohibited by a firewall. Check the local system logs at /var/log/syslog or /var/log/messages for “kernel: nf_conntrack: table full” errors; this indicates that the auditing machine itself is struggling with the concurrency of the scan. For deeper analysis, run tcpdump -i eth0 -vvv host in a separate terminal to capture the raw PCAP file for offline inspection in a tool like Wireshark. This allows you to verify if packet-loss or signal-attenuation is occurring at the physical or data-link layer.

OPTIMIZATION & HARDENING

Performance Tuning:
To increase throughput without sacrificing the stealth profile, utilize the --min-rate and --max-parallelism flags. Setting --min-rate 100 ensures the scan maintains a steady cadence, preventing the audit from stalling on high-latency hops. In high-bandwidth environments, adjusting --min-parallelism to 10 allows the scanner to probe multiple ports simultaneously, taking advantage of modern multi-core CPU architectures.

Security Hardening:
Harden the auditing workstation by restricting all ports except those necessary for the scan. Use ufw default deny incoming and ufw default allow outgoing. Ensure that the nmap binary is not globally executable by non-privileged users; use chmod 700 /usr/bin/nmap to restrict access. This prevents unauthorized personnel from using the advanced auditing tools for malicious internal discovery.

Scaling Logic:
When expanding the audit from a single host to a wide CIDR block (e.g., /16), the auditor must account for the accumulation of state in mid-path devices. Large scale stealth scanning can overwhelm the state tables of intermediate stateful firewalls. To mitigate this, split the target list into multiple smaller subnets and utilize a randomized scan order with the --randomize-hosts flag. This distributes the load across different segments of the network fabric, preventing any single router or switch from becoming a mechanical bottleneck.

THE ADMIN DESK

How do I confirm if a port is truly closed or just filtered?
A closed port returns a RST packet immediately. A filtered port returns nothing or an ICMP error. Use --reason with your nmap command to see the specific packet response that led to the determination.
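The half-open state machine from Section A, the --packet-trace output described under Logs & Debugging, and the --reason rule above (SYN-ACK means open, RST means closed, silence or an ICMP unreachable means filtered) can be tied together in one small classifier. This is an added example, not code from the original article or from the nmap project; the trace below is constructed in the shape of nmap's --packet-trace lines, and attributing an ICMP error to the oldest unanswered probe is a simplification of nmap's own matching.

```python
import re

# Constructed sample in the shape of nmap --packet-trace output (not a real capture).
TRACE = """\
SENT (0.0301s) TCP 10.0.0.5:41000 > 10.0.0.9:22 S ttl=54 id=1001 iplen=44 seq=1 win=1024 <mss 1460>
RCVD (0.0312s) TCP 10.0.0.9:22 > 10.0.0.5:41000 SA ttl=64 id=0 iplen=44 seq=2 win=29200 <mss 1460>
SENT (0.0313s) TCP 10.0.0.5:41000 > 10.0.0.9:22 R ttl=54 id=1002 iplen=40 seq=2 win=0
SENT (0.0320s) TCP 10.0.0.5:41000 > 10.0.0.9:23 S ttl=54 id=1003 iplen=44 seq=1 win=1024 <mss 1460>
RCVD (0.0331s) TCP 10.0.0.9:23 > 10.0.0.5:41000 RA ttl=64 id=0 iplen=40 seq=0 win=0
SENT (0.0340s) TCP 10.0.0.5:41000 > 10.0.0.9:445 S ttl=54 id=1004 iplen=44 seq=1 win=1024 <mss 1460>
RCVD (0.0352s) ICMP [10.0.0.1 > 10.0.0.5 Communication administratively prohibited (type=3/code=13) ] IP [ttl=64 id=7 iplen=56 ]
SENT (0.0360s) TCP 10.0.0.5:41000 > 10.0.0.9:8080 S ttl=54 id=1005 iplen=44 seq=1 win=1024 <mss 1460>
"""

TCP_RE = re.compile(r"^(SENT|RCVD) \([\d.]+s\) TCP (\S+):(\d+) > (\S+):(\d+) (\S+) ")
ICMP_RE = re.compile(r"^RCVD \([\d.]+s\) ICMP \[\S+ > \S+ .*?\(type=(\d+)/code=(\d+)\)")
# ICMP type 3 codes that mark a SYN-probed port as "filtered"
ICMP_FILTERED = {1: "host-unreach", 2: "proto-unreach", 3: "port-unreach",
                 9: "net-prohibited", 10: "host-prohibited", 13: "admin-prohibited"}

def classify_trace(trace):
    """Apply the SYN-scan decision rules to a trace: SYN-ACK -> open,
    RST -> closed, ICMP unreachable -> filtered, silence -> filtered."""
    states, pending = {}, []       # pending: SYN probes still unanswered, in send order
    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if m:
            direction, src, sport, dst, dport, flags = m.groups()
            if direction == "SENT" and flags == "S":          # our SYN probe goes out
                key = (dst, int(dport))
                states.setdefault(key, ("filtered", "no-response"))
                if key not in pending:
                    pending.append(key)
            elif direction == "RCVD":                          # the target answered
                key = (src, int(sport))
                if "S" in flags and "A" in flags:
                    states[key] = ("open", "syn-ack")          # scanner replies R, never ACK
                elif "R" in flags:
                    states[key] = ("closed", "reset")
                if key in pending:
                    pending.remove(key)
            continue
        m = ICMP_RE.match(line)
        if m and pending and int(m.group(1)) == 3 and int(m.group(2)) in ICMP_FILTERED:
            # The trace line omits the quoted probe; attribute the error to the
            # oldest unanswered SYN (a simplification of nmap's exact matching).
            states[pending.pop(0)] = ("filtered", ICMP_FILTERED[int(m.group(2))])
    return states
```

Running classify_trace(TRACE) reports port 22 open (syn-ack), 23 closed (reset), 445 filtered (admin-prohibited) and 8080 filtered (no-response), the same reasons --reason would print.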

Why is my scan taking five hours for one subnet?
Timing templates like -T0 or -T1 introduce significant delays to evade IDS. If safety permits, increase to -T3 or -T4. High latency or packet-loss on the network will also trigger retransmission delays, extending the scan duration.

Can I run stealth scans on Windows machines?
Windows does not provide native raw socket support in the same way Linux does. While Nmap works on Windows using the Npcap driver, the performance and stealth capabilities are generally superior on Unix-based kernels due to more granular control over the packet stack.

Will a SYN scan be caught by a modern EDR?
Endpoint Detection and Response (EDR) agents often monitor the network stack. While the service itself might not log the connection, the EDR may detect the rapid succession of half-open connections. Use slower timing and decoys to minimize this risk.
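The "rapid succession of half-open connections" that an EDR or firewall keys on, and the reason the decoy scan of Step 3 defeats a purely per-source rule, can be shown with a short detector over connection records. This is an added example, not code from the original article or from any EDR product; the session records are constructed (a firewall or conntrack export would supply real ones), and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed TCP session records, e.g. from a firewall/conntrack export (not real logs):
# (time_s, src, dst, dport, completed) with completed=False meaning SYN -> SYN-ACK -> RST/silence.
EVENTS = [
    (0.0, "203.0.113.7", "10.0.0.9", 22, True),
    (0.4, "203.0.113.7", "10.0.0.9", 443, True),
    # one source probing six ports half-open: what a plain -sS looks like to a sensor
    (5.0, "198.51.100.3", "10.0.0.9", 21, False),
    (5.1, "198.51.100.3", "10.0.0.9", 22, False),
    (5.2, "198.51.100.3", "10.0.0.9", 23, False),
    (5.3, "198.51.100.3", "10.0.0.9", 25, False),
    (5.4, "198.51.100.3", "10.0.0.9", 80, False),
    (5.5, "198.51.100.3", "10.0.0.9", 443, False),
    # five sources sharing eight probes against one target: the shape of a -D decoy scan
    (9.0, "192.0.2.11", "10.0.0.20", 135, False),
    (9.1, "192.0.2.12", "10.0.0.20", 139, False),
    (9.2, "192.0.2.13", "10.0.0.20", 445, False),
    (9.3, "192.0.2.14", "10.0.0.20", 3389, False),
    (9.4, "192.0.2.15", "10.0.0.20", 5985, False),
    (9.5, "192.0.2.11", "10.0.0.20", 8080, False),
    (9.6, "192.0.2.12", "10.0.0.20", 8443, False),
    (9.7, "192.0.2.13", "10.0.0.20", 9090, False),
]

def half_open_alerts(events, window=10.0, per_source=5, per_target=8):
    """Return alerts for (a) one source with >= per_source half-open distinct ports
    inside `window` seconds and (b) one target with >= per_target half-open distinct
    ports from any sources; (b) still fires when decoys spread the per-source volume."""
    by_src = defaultdict(list)   # src -> [(t, dport)]
    by_dst = defaultdict(list)   # dst -> [(t, dport)]
    for t, src, dst, dport, completed in events:
        if completed:
            continue             # a finished handshake is ordinary traffic
        by_src[src].append((t, dport))
        by_dst[dst].append((t, dport))
    alerts = []
    for kind, table, threshold in (("source", by_src, per_source), ("target", by_dst, per_target)):
        for key, items in table.items():
            items.sort()
            for i, (t0, _) in enumerate(items):       # sliding window from each event
                ports = {p for t, p in items[i:] if t - t0 <= window}
                if len(ports) >= threshold:
                    alerts.append((kind, key, len(ports)))
                    break
    return alerts
```

With the defaults the single scanner 198.51.100.3 trips the per-source rule, while the decoyed sweep of 10.0.0.20 is caught only by the per-target rule, which is why slower timing alone does not make a SYN scan invisible to a sensor that also aggregates by destination.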

What is the best way to scan through a proxy?
Stealth scanning (SYN) does not work through standard SOCKS or HTTP proxies because proxies require a full TCP connection. For proxy-based auditing, you must use the -sT connect scan, recognizing it is less stealthy than the SYN method.
