nmap -sS
SYN scans are commonly referred to as “Half-Open” or “Stealth” scans. The key difference between a SYN scan and a TCP Connect scan is that, after receiving a SYN/ACK from the server, a SYN scan responds with a RST packet instead of the ACK that would complete the three-way handshake.
This provides a number of advantages:
It can be used to bypass older Intrusion Detection Systems as they are typically looking out for the full three-way handshake. However, modern IDS solutions typically don’t operate in this way.
SYN scans are often not logged by applications listening on open ports. Standard practice is to log a connection once it’s been fully established.
Since you don’t have to bother with completing and disconnecting from a three-way handshake for every port, SYN scans are significantly faster than a standard TCP Connect scan.
Of course there are a few disadvantages to keep in mind:
They require sudo permissions in order to work correctly in Linux. SYN scans require the ability to create raw packets (as opposed to the full TCP handshake), which is a privilege only the root user has by default.
Unstable services are sometimes brought down by SYN scans, which could be problematic if a client has provided a production environment for pentesting.
The pros outweigh the cons, so SYN scans are the default scans used by Nmap if run with sudo permissions. If run without sudo permissions, TCP Connect scans will run by default.
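The exchanges described above, as an added example that is not part of the original notes, seen from the defender's side: a short Python script groups constructed packet records into flows and labels each one as a full connect, a half-open probe (SYN, SYN/ACK, RST) or a closed-port response, then reports sources whose half-open probes touched several ports. This is the pattern a network-level detection can key on, since, as the notes say, applications themselves usually only log connections that complete the handshake. The addresses, ports and the three-port threshold are constructed assumptions.

```python
"""Telling a half-open (SYN) probe from a full TCP connect in a packet log.

Added example: the packet list below is constructed by hand, not a real
capture. Each entry is (src_ip, dst_ip, src_port, dst_port, flags), with
tcpdump-style flag letters: S = SYN, A = ACK, R = RST.
"""
from collections import defaultdict

SCANNER = "10.0.0.5"   # constructed address of the scanning host
CLIENT = "10.0.0.7"    # constructed address of a normal client
TARGET = "10.0.0.20"   # constructed address of the scanned server

PACKETS = [
    # Open port 22, half-open probe: SYN -> SYN/ACK -> RST, handshake never completed
    (SCANNER, TARGET, 40001, 22, "S"),
    (TARGET, SCANNER, 22, 40001, "SA"),
    (SCANNER, TARGET, 40001, 22, "R"),
    # Open port 80, same pattern
    (SCANNER, TARGET, 40002, 80, "S"),
    (TARGET, SCANNER, 80, 40002, "SA"),
    (SCANNER, TARGET, 40002, 80, "R"),
    # Open port 443, same pattern
    (SCANNER, TARGET, 40003, 443, "S"),
    (TARGET, SCANNER, 443, 40003, "SA"),
    (SCANNER, TARGET, 40003, 443, "R"),
    # Closed port 8080: the server answers the SYN with RST/ACK
    (SCANNER, TARGET, 40004, 8080, "S"),
    (TARGET, SCANNER, 8080, 40004, "RA"),
    # A normal client completing the three-way handshake to port 80
    (CLIENT, TARGET, 51000, 80, "S"),
    (TARGET, CLIENT, 80, 51000, "SA"),
    (CLIENT, TARGET, 51000, 80, "A"),
]


def group_flows(packets):
    """Group packets by the client's 4-tuple; a flow starts at a bare SYN.

    Each flow value is a list of (side, flags) in arrival order, where side
    is "client" for the SYN sender and "server" for the other end.
    """
    flows = {}
    for src, dst, sport, dport, flags in packets:
        fwd = (src, dst, sport, dport)
        rev = (dst, src, dport, sport)
        if fwd in flows:
            flows[fwd].append(("client", flags))
        elif rev in flows:
            flows[rev].append(("server", flags))
        elif "S" in flags and "A" not in flags:
            flows[fwd] = [("client", flags)]
        # Anything else has no preceding SYN on record and is ignored here
    return flows


def classify_flow(events):
    """Label one flow: full_connect, half_open, closed_port or incomplete."""
    saw_synack = False
    for side, flags in events:
        if side == "server":
            if "R" in flags:
                return "closed_port"          # server refused the SYN
            if "S" in flags and "A" in flags:
                saw_synack = True             # port is open, awaiting client's ACK
        elif saw_synack:
            # The client's first packet after SYN/ACK decides the outcome
            if "R" in flags:
                return "half_open"            # SYN scan: tear down instead of ACK
            if "A" in flags:
                return "full_connect"         # handshake completed; apps log this
    return "incomplete"


def summarize(packets):
    """Map each flow key to its classification."""
    return {key: classify_flow(ev) for key, ev in group_flows(packets).items()}


def half_open_sources(packets, min_ports=3):
    """Sources whose half-open probes touched at least min_ports distinct ports.

    The threshold is an assumption for this example; tune it per environment.
    """
    ports = defaultdict(set)
    for (src, _dst, _sport, dport), label in summarize(packets).items():
        if label == "half_open":
            ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for key, label in summarize(PACKETS).items():
        print(key, "->", label)
    print("half-open scanners:", half_open_sources(PACKETS))
```

The closed-port case is included deliberately: a server RST/ACK in reply to a SYN is a normal refusal, not a half-open probe, so counting only flows where the client itself resets after a SYN/ACK keeps the rule from firing on ordinary failed connections. A real IDS would work from live packets or flow records rather than a hand-built list, but the state machine is the same.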