Nmap Series — v.01

Understanding the TCP Connect Scan (-sT)

 

Introduction

In this series, I’ll be taking a deep, methodical dive into widely used penetration testing tools.
The goal is not to memorize commands, but to understand what the tools are doing under the hood and why we choose certain techniques over others.

We’ll be starting with Nmap.

Important: All scans demonstrated in this series are performed only against systems and networks that I personally own or manage. Do not scan targets without explicit authorization.

What Nmap Actually Does

Nmap is often described as a “port scanner,” but that description is incomplete.

At its core, Nmap is a packet-based inference engine.
It sends carefully crafted packets to a target and interprets the responses (or lack of responses) to determine:

  • Port states

  • Service behavior

  • Network filtering

  • Host responsiveness

Understanding this distinction is critical. Nmap does not magically “see” open ports — it infers state based on protocol behavior.

Why “Scan & Pray” Fails

Knowing an IP address and blindly launching scans is a fast way to generate noise without insight.

Effective scanning requires:

  • Intentional scan selection

  • Awareness of protocol behavior

  • Understanding the tradeoffs between speed, accuracy, and stealth

This series will focus on explaining each scan type in terms of:

  • What it does

  • What protocol it uses

  • Which OSI layer(s) it operates on

  • When and why it’s appropriate

 

Environment Used

For this walkthrough, I’m using Kali Linux on a dedicated machine.
However, Nmap runs on almost any operating system, and the concepts apply universally.

Linux/Unix-specific commands (e.g., sudo, ls) will be referenced.
Windows equivalents will be noted where relevant.

TCP Connect Scan (-sT)

The first scan type we’ll examine is the TCP Connect scan, invoked with the -sT flag. It is also the scan Nmap falls back to on its own when you run it without root privileges, because the SYN scan it would otherwise default to needs raw sockets.

What Makes the TCP Connect Scan Unique

Unlike several other Nmap scan types, -sT:

  • Uses the operating system’s native TCP stack

  • Does not require raw socket access

  • Does not require root or sudo privileges

Because Nmap is relying on the OS to handle the TCP connection, it behaves like any normal client application attempting to connect to a service.

How the Scan Works

When scanning a TCP port with -sT, Nmap asks the operating system for an ordinary TCP connection (a connect() call) and reads the outcome.

If the port is open:

  1. Nmap sends a SYN

  2. The target responds with SYN/ACK

  3. Nmap completes the handshake with ACK

  4. Nmap immediately closes the connection again (the kernel sends a FIN or RST); no application data is ever exchanged

If the port is closed, the target answers the SYN with an RST and the connect() call fails with “connection refused”.

If nothing answers at all, or an ICMP unreachable message comes back instead, Nmap cannot tell whether the port is open or closed and reports it as filtered. Retries and timeouts make this the slowest case.

Nmap then interprets these outcomes to determine the port’s state.

The exchange itself happens at OSI Layer 4 (Transport). Because the handshake completes, however, the kernel hands the connection to the listening application, so an -sT scan is also visible at Layer 7: the service sees an accepted-and-closed connection and usually writes it to its own log.

Tradeoffs of a TCP Connect Scan

Because the full TCP handshake is completed (when ports are open), this scan has several important implications:

Advantages

  • High reliability

  • Accurate port state detection

  • Works without elevated privileges

Disadvantages

  • Easily logged: the firewall sees the connection and, because the handshake completes, so does the target application; both feed the SIEM

  • Considered “loud” in monitored environments

  • Typically slower than half-open scans due to full connection handling

This makes -sT useful when stealth is not a priority and reliability is more important.
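To make the mechanics concrete, here is an added example written for this post (it is not code from Nmap) that reproduces the -sT exchange with Python’s standard socket module and also plays the target’s role. The client side issues one ordinary connect() per port and maps the result to open, closed or filtered the way “How the Scan Works” describes; the listener side records every accepted connection the way a real service’s log would, which is the logging disadvantage listed under Tradeoffs. The LoggingListener class, the port selection and the log format are constructed for the example, and the scan only ever touches the loopback address.

```python
"""Connect-scan mechanics: the client side uses the OS TCP stack exactly as -sT
does, and the listener side shows why the scan ends up in application logs."""
import errno
import socket
import threading
import time

# Port states as Nmap reports them for a connect scan.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify_connect_result(rc):
    """Map connect_ex()'s return code to the state Nmap would report.

    0             -> SYN, SYN/ACK, ACK all completed: open
    ECONNREFUSED  -> the SYN was answered with an RST: closed
    anything else -> no usable answer (EAGAIN on timeout, EHOSTUNREACH, ...): filtered
    """
    if rc == 0:
        return OPEN
    if rc == errno.ECONNREFUSED:
        return CLOSED
    return FILTERED


def connect_scan(host, ports, timeout=1.0):
    """One ordinary connect() per port: no raw sockets, so no root needed."""
    states = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # The kernel performs the whole three-way handshake here. Leaving the
            # block closes the socket straight away, which is what Nmap does too.
            states[port] = classify_connect_result(s.connect_ex((host, port)))
    return states


class LoggingListener:
    """Constructed stand-in for a real service: records every accepted
    connection, as an application log would, although the scanner never
    sends a single byte of data."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))          # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.log = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:                # listener was closed
                return
            # The handshake already finished inside the kernel; the scanner's
            # address is now on record at Layer 7 no matter how fast it left.
            self.log.append("connection from %s:%d" % peer)
            conn.close()

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
        except OSError:
            pass
        self.sock.close()


def pick_closed_port(host="127.0.0.1"):
    """Bind an ephemeral port and release it again, so nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; return what each side saw."""
    listener = LoggingListener()
    closed_port = pick_closed_port()
    try:
        states = connect_scan("127.0.0.1", [listener.port, closed_port])
        # Give the listener thread a moment to accept() and log the connection.
        for _ in range(100):
            if listener.log:
                break
            time.sleep(0.01)
    finally:
        listener.close()
    return {"open_port": listener.port, "closed_port": closed_port,
            "states": states, "server_log": list(listener.log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script prints the two port states and the listener’s log. The closed port is classified without any connection ever existing, while the open port leaves a log entry carrying the scanner’s source address even though the client disconnected the instant the handshake finished; that entry is the “noise” a monitored environment picks up.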

A Note on Stealth

Stealth is not about using a single flag or scan type.

It’s about behavior over time:

  • Scan timing

  • Volume of traffic

  • Pattern consistency

Understanding how a scan behaves is far more important than trying to “hide” behind specific options.

The Command:

  nmap -sT 127.0.0.1

Command Breakdown

  • nmap — Executes the Nmap program

  • -sT — Specifies a TCP Connect scan

  • 127.0.0.1 — Loopback address (the local system)

Using the loopback address allows you to safely observe scan behavior on your own machine. Adding --reason to the command makes Nmap print the evidence behind each verdict (a SYN/ACK, a refused connection, or no response), which is a quick way to confirm the inference described above rather than taking the port state on faith.

Quick Overview:

  • TCP Connect scans use the OS TCP stack

  • No raw packet crafting or elevated privileges are required

  • Full TCP handshakes make this scan reliable but noisy

  • Logging is expected in most monitored environments

  • Understanding why a scan behaves a certain way matters more than memorizing flags

 

Next Up:

In the next entry, we’ll contrast this scan with the TCP SYN scan (-sS) and explore:

  • Half-open connections

  • Raw packet usage

  • Privilege requirements

  • Detection differences

Understanding this comparison is foundational for effective network reconnaissance.
