[SOLVED] Difference beween nmap -PS and -sS

bangnagr · 02-22-2015, 10:08 AM

Hi All,

I was just going through man pages of nmap, but I couldn't figure out the difference between different SYN scans: -PS vs -sS.

According to man pages, both do the same thing from what I could understand, except -sS is only by root authority.

-PS vs -sS:

Code:

$ nmap -PS www.example.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-22 21:25 IST
Nmap scan report for www.example.com (93.184.216.34)
Host is up (0.32s latency).
Not shown: 993 filtered ports
PORT     STATE  SERVICE
53/tcp   closed domain
80/tcp   open   http
443/tcp  open   https
554/tcp  closed rtsp
1119/tcp closed bnetgame
1755/tcp closed wms
1935/tcp closed rtmp

# nmap -sS www.example.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-22 21:25 IST
Nmap scan report for www.example.com (93.184.216.34)
Host is up (0.32s latency).
Not shown: 993 filtered ports
PORT     STATE  SERVICE
53/tcp   closed domain
80/tcp   open   http
443/tcp  open   https
554/tcp  closed rtsp
1119/tcp closed bnetgame
1755/tcp closed wms
1935/tcp closed rtmp

Nmap done: 1 IP address (1 host up) scanned in 19.33 seconds

So how is -PS different to -sS ?

Thanks

JeremyBoden · 02-22-2015, 11:22 AM

I don't know the answer - but

Code:

nmap -PS www.linuxquestions.org

Starting Nmap 6.40 ( http://nmap.org ) at 2015-02-22 17:10 GMT
Nmap scan report for www.linuxquestions.org (75.126.162.205)
Host is up (0.17s latency).
Not shown: 988 filtered ports
PORT     STATE  SERVICE
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   open   http
110/tcp  closed pop3
143/tcp  closed imap
443/tcp  open   https
2323/tcp closed 3d-nfsd
4662/tcp closed edonkey
6346/tcp closed gnutella
6699/tcp closed napster
6881/tcp closed bittorrent-tracker
7778/tcp closed interwise

Nmap done: 1 IP address (1 host up) scanned in 9.99 seconds

Code:

nmap -sS www.linuxquestions.org
You requested a scan type which requires root privileges.
QUITTING!

Code:

sudo nmap -sS www.linuxquestions.org

Starting Nmap 6.40 ( http://nmap.org ) at 2015-02-22 17:11 GMT
Nmap scan report for www.linuxquestions.org (75.126.162.205)
Host is up (0.16s latency).
Not shown: 994 filtered ports
PORT    STATE  SERVICE
25/tcp  closed smtp
53/tcp  closed domain
80/tcp  open   http
110/tcp closed pop3
143/tcp closed imap
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 9.91 seconds

I would guess that one shows all ports & the other only shows "well-known ports"???

bonsaiviking · 02-22-2015, 03:45 PM

All the -P* options affect the method by which Nmap does host discovery. In particular, -PS means "send a SYN packet." If the target gives any reply (SYN/ACK or RST, usually) then it is marked as "up" and is subject to whatever port scan options have been selected (default is a TCP scan of 1000 most-common ports). For this and -PA (ACK packet), Nmap will intelligently change it to a TCP connect() call if you don't have the root privileges necessary to send raw packets and sniff the reply. This is why there's not a special "TCP connect host discovery" option. The -PT option that you might expect is actually an old, deprecated alias for -PA.

All the -s* options select what kind of port scan to do. The -sS option is a TCP half-open SYN scan. This scan requires root privilege. The non-privileged version, -sT, uses a TCP connect() call for each scanned port. If you don't specify any -s* option, Nmap defaults to -sS if you have root, or -sT if you don't. Because there are explicit options for each of these, it is a fatal error to select -sS if you don't have the requisite privilege.

bangnagr · 02-23-2015, 05:44 AM

@bonsaiviking Thanks...