
IPTables - Test the firewall

Scan your Target for Open TCP Ports

Start by scanning the target host for open TCP ports from the audit machine.

nmap knows several TCP scan types. The usual starting point is the SYN scan (nmap -sS), also called a “half-open scan” because it never completes a TCP connection: nmap sends a SYN to each port, notes whether the reply is a SYN/ACK (port open), a RST (port closed) or nothing at all (port filtered, for example by an iptables DROP rule), and then tears the attempt down with a RST instead of sending the final ACK of the handshake. Attackers favour it for the same reason it makes a good first test: because no connection is ever established, the service behind the port never sees a client, and intrusion detection or logging that only records completed handshakes does not register the probe.

Setting Up the Packet Capture

Use tcpdump to capture the traffic generated by the test, so that the packets sent and received can be examined in more depth later if needed. First create a directory within ~/scan_results to keep the files from the SYN scan together (the -p flag also creates ~/scan_results itself if it does not exist yet):

mkdir -p ~/scan_results/syn_scan

We can start a tcpdump capture and write the results to a file in our ~/scan_results/syn_scan directory with the following command, replacing target_ip_addr with the target's IP address:

sudo tcpdump host target_ip_addr -w ~/scan_results/syn_scan/packets

The host filter keeps only packets to or from the target. Without -i <interface>, tcpdump listens on the first non-loopback interface, so specify the interface explicitly if the audit machine has more than one. With -w, tcpdump writes raw packets to the file instead of decoding them to the terminal; the file can be read back later with tcpdump -r or opened in Wireshark.

By default, tcpdump runs in the foreground. In order to run our nmap scan in the same window, we'll pause the tcpdump process and then resume it in the background (appending & to the command above would start it in the background directly, but this way the job-control steps are visible).

We can pause the running process by hitting CTRL-Z:

CTRL-Z

This will pause the running process:

Output

^Z
[1]+  Stopped                 sudo tcpdump host target_ip_addr -w ~/scan_results/syn_scan/packets

Resume the stopped job in the background by typing bg:

bg

You should see a similar line of output, this time without the “Stopped” label and with an ampersand at the end to indicate that the process will be run in the background:

Output

[1]+ sudo tcpdump host target_ip_addr -w ~/scan_results/syn_scan/packets &

The capture is now running in the background, recording every packet exchanged between the audit and target machines. We can now run our SYN scan. When the scan is finished, bring the capture back to the foreground with fg and stop it with CTRL-C so that tcpdump flushes and closes the file.
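The capture file written above is what we examine afterwards to see how the firewall answered each probe. As an added example (not part of the original page, and not how nmap itself decides port states), the following Python script reads a pcap file in the format tcpdump -w produces and applies the half-open logic described earlier: a SYN answered by SYN/ACK is open, a SYN answered by RST is closed, a SYN with no reply is filtered, and a scanner that never sends a bare ACK is doing a true SYN scan rather than a full connect. The scanner address 10.0.0.2, the target address 10.0.0.5 and the embedded sample capture are all constructed for the example; the Ethernet link type and IPv4 are assumed, and pcap files with other link types are rejected rather than misread.

```python
"""Classify SYN-scan results from a tcpdump capture.

Added example, not from the original page. Assumes a classic pcap file
(as written by `tcpdump -w`) with Ethernet link type and IPv4 traffic.
The audit host 10.0.0.2 and target 10.0.0.5 are hypothetical; SAMPLE is
a capture constructed in code so the script runs without a real file.
"""
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
LE_MAGIC = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond / nanosecond, little-endian
BE_MAGIC = (0xD4C3B2A1, 0x4D3CB2A1)   # same magics seen from a big-endian file


def build_pcap(packets):
    """Serialise (src, dst, sport, dport, flags) tuples into pcap bytes."""
    # global header: magic, v2.4, tz offset, sigfigs, snaplen, link type 1 (Ethernet)
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, (src, dst, sport, dport, flags) in enumerate(packets):
        # minimal TCP header: seq/ack 0, data offset 5 words, no options
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp   # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def parse_pcap(data):
    """Yield (src, dst, sport, dport, tcp_flags) for every IPv4/TCP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in LE_MAGIC:
        endian = "<"
    elif magic in BE_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4                   # IP header length incl. options
        if frame[23] != 6:
            continue                                   # not TCP
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue                                   # truncated by snaplen
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[13]


def classify_scan(data, scanner, target):
    """Map each probed target port to 'open', 'closed' or 'filtered'."""
    states = {}
    for src, dst, sport, dport, flags in parse_pcap(data):
        if src == scanner and dst == target and flags & SYN and not flags & ACK:
            states.setdefault(dport, "filtered")       # no answer yet (e.g. iptables DROP)
        elif src == target and dst == scanner and sport in states:
            if flags & SYN and flags & ACK:
                states[sport] = "open"
            elif flags & RST:
                states[sport] = "closed"
    return states


def is_half_open(data, scanner, target):
    """True if the scanner never completed a handshake (no bare ACK sent)."""
    for src, dst, _, _, flags in parse_pcap(data):
        if src == scanner and dst == target and flags & ACK and not flags & (SYN | RST):
            return False
    return True


SCANNER, TARGET = "10.0.0.2", "10.0.0.5"               # hypothetical addresses
SAMPLE = build_pcap([                                  # constructed capture
    (SCANNER, TARGET, 40001, 22, SYN),                 # probe ssh
    (TARGET, SCANNER, 22, 40001, SYN | ACK),           # open: target answers SYN/ACK
    (SCANNER, TARGET, 40001, 22, RST),                 # scanner tears down, never ACKs
    (SCANNER, TARGET, 40002, 80, SYN),                 # probe http
    (TARGET, SCANNER, 80, 40002, RST | ACK),           # closed: target answers RST
    (SCANNER, TARGET, 40003, 3306, SYN),               # probe mysql: firewall drops it
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for port, state in sorted(classify_scan(data, SCANNER, TARGET).items()):
        print(f"{port}/tcp {state}")
    print("half-open scan:", is_half_open(data, SCANNER, TARGET))
```

Run it with the capture path as its only argument (python3 classify_scan.py ~/scan_results/syn_scan/packets) after changing SCANNER and TARGET to the real addresses; without an argument it analyses the embedded sample. A port the firewall rejects with a RST shows up as closed, one it silently drops shows up as filtered, which is the distinction you want to confirm when testing an iptables policy.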

iptables/test_the_firewall.1476873787.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
