
SYN Scan

A port scanning technique that sends a SYN packet to a target port and analyzes the response (SYN-ACK for open, RST for closed) without completing the TCP handshake, making it stealthier than a full c

What is a SYN Scan?

A SYN scan, often referred to as a "half-open scan" or "stealth scan," is a common port scanning technique used to determine the state of TCP ports on a target system. It leverages the initial step of the TCP three-way handshake. Instead of completing the full handshake (SYN, SYN-ACK, ACK), a SYN scan sends only the initial SYN (synchronize) packet to the target port. By analyzing the target's response, the scanner can deduce whether the port is open, closed, or filtered by a firewall, often without establishing a full connection, which can make it less detectable than a full TCP connect scan.

How a SYN Scan Works

When a SYN scan is performed, the following sequence of events typically occurs:

  1. Scanner sends SYN: The scanning tool sends a TCP packet with only the SYN flag set to a specific port on the target host.
  2. Target's Response:
    • Port Open: If the port is open and listening, the target responds with a SYN-ACK (synchronize-acknowledge) packet. At this point, the scanner knows the port is open. Instead of sending the final ACK packet to complete the handshake, the scanner sends an RST (reset) packet, tearing down the connection immediately. This prevents a full connection from being established and often avoids logging at the application layer.
    • Port Closed: If the port is closed, the target responds with an RST-ACK (reset-acknowledge) packet, indicating that it refuses the connection.
    • Port Filtered: If a firewall or other security device is filtering the port, the scanner may receive no response at all, or it might receive an ICMP (Internet Control Message Protocol) "destination unreachable" error.

This half-open nature is why the SYN scan is considered stealthier: many intrusion detection systems might not log incomplete connection attempts as readily as full ones.
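The three response cases above are still visible to anything that watches TCP flags on the wire, even when the application never logs a connection. The following added example (not Zondex code) tracks handshake state per flow and reports sources that probe several ports without ever completing a handshake. The packet tuple layout, the flag strings, the min_ports threshold and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (src, dst, sport, dport, tcp_flags). Addresses are
# documentation ranges; flags use S=SYN, A=ACK, R=RST.
PACKETS = [
    ("198.51.100.7", "192.0.2.10", 40001, 22, "S"),
    ("192.0.2.10", "198.51.100.7", 22, 40001, "SA"),
    ("198.51.100.7", "192.0.2.10", 40001, 22, "R"),    # open port, reset
    ("198.51.100.7", "192.0.2.10", 40002, 23, "S"),
    ("192.0.2.10", "198.51.100.7", 23, 40002, "RA"),   # closed port
    ("198.51.100.7", "192.0.2.10", 40003, 80, "S"),
    ("192.0.2.10", "198.51.100.7", 80, 40003, "SA"),
    ("198.51.100.7", "192.0.2.10", 40003, 80, "R"),
    ("198.51.100.7", "192.0.2.10", 40004, 8080, "S"),  # no reply: filtered
    ("203.0.113.5", "192.0.2.10", 51000, 80, "S"),     # ordinary client
    ("192.0.2.10", "203.0.113.5", 80, 51000, "SA"),
    ("203.0.113.5", "192.0.2.10", 51000, 80, "A"),
]

def track_handshakes(packets):
    """Return {(client, server, cport, sport): final handshake state}."""
    state = {}
    for src, dst, sport, dport, flags in packets:
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags == "S":
            state[fwd] = "syn_sent"                 # client sent SYN
        elif flags == "SA" and state.get(rev) == "syn_sent":
            state[rev] = "syn_ack"                  # server says port is open
        elif flags == "RA" and state.get(rev) == "syn_sent":
            state[rev] = "refused"                  # server says port is closed
        elif flags == "A" and state.get(fwd) == "syn_ack":
            state[fwd] = "established"              # handshake completed
        elif "R" in flags and state.get(fwd) == "syn_ack":
            state[fwd] = "half_open"                # client reset instead of ACK
    return state

def suspected_scanners(packets, min_ports=3):
    """Sources with >= min_ports probed ports that never completed a handshake."""
    probed = defaultdict(set)
    for (client, server, _, port), st in track_handshakes(packets).items():
        if st != "established":
            probed[client].add((server, port))
    return {c: len(p) for c, p in probed.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(suspected_scanners(PACKETS))
```

A flow left in syn_sent corresponds to the filtered case (no reply), so it counts toward the source's total alongside half_open and refused flows.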

SYN Scan in Security Research

SYN scanning is a fundamental technique in network reconnaissance and penetration testing. It's highly efficient for quickly mapping out open ports on a system or across an entire network segment. Security researchers and ethical hackers use SYN scans to:

  • Discover Services: Identify which services are actively listening for connections.
  • Map Attack Surface: Understand the exposed entry points on a target system.
  • Vulnerability Assessment: Pinpoint ports running services that might be outdated or misconfigured.
  • Firewall Evasion: Its stealthier nature can sometimes bypass basic firewall rules that look for full connection attempts.

Leading port scanning tools like Nmap rely heavily on SYN scans as their default and most efficient method.

Using Zondex to Find SYN Scan Results

Zondex, as an internet-wide scanning engine, extensively utilizes SYN scans (among other techniques) to build its comprehensive index of internet-connected devices. When you query Zondex, you are essentially leveraging the aggregated results of millions of SYN scan operations performed across the globe. You don't perform the SYN scan yourself; rather, you search Zondex's database for the information these scans have already uncovered. This allows for rapid and passive identification of open ports and services without directly interacting with the target. Examples include:

  • Find all hosts with an open HTTP port (identified via SYN scan): port:80
  • Discover SSL/TLS services running on Nginx: port:443 product:"nginx"
  • Locate Telnet services (often a security risk due to cleartext communication): port:23
  • Identify hosts that have both FTP and SSH ports open: has_port:21 has_port:22
  • Search for specific ports in certain geographic regions: port:8080 country:DE

Key Takeaways

  • Half-Open Handshake: A SYN scan sends a SYN packet and resets the connection without completing the TCP three-way handshake.
  • Efficient Port Discovery: It's a fast and effective method for determining if a port is open, closed, or filtered.
  • Stealthier Approach: Its incomplete connection often makes it less detectable than a full TCP connect scan.
  • Zondex's Foundation: Zondex's vast database is built upon the findings of internet-wide SYN scans, providing searchable access to this critical information.

At a Glance

Term SYN Scan
Updated Mar 14, 2026