
This is an extremely basic question but also one I can't really seem to find an answer for, despite looking through the nmap documentation (man, online, and google).

My question is, what is the difference between doing nmap <target> and nmap -sS <target>, for example? I know that -sS is a TCP SYN scan, but I guess what I am not sure of is how/why this differs from just scanning ports using nmap <target>?

Pitto
shadow

4 Answers

There is no difference. Per the man page -sS is the default scan type (usually; see the man page for exceptions). I've confirmed this with a tcpdump.

-sS will force nmap to perform a SYN scan. Not specifying a scan type will let nmap choose the best one.

If you're running nmap as a privileged user (typically: root), SYN scan will be selected by default. In this case there is no difference between both command lines (with or without -sS).

If you're running nmap as a simple user, SYN scan won't be available; in this case -sS will likely fail, and the simple nmap <target> command line will perform a TCP connect scan (equivalent of -sT).

If your system allows it you can force nmap to act as if it was (or not) privileged using --privileged or --unprivileged.

UnixJunkie

I don't remember, but won't `nmap` do ICMP echo when hosts are on a different subnet and ARP requests when they are on the same one if no options are specified? Or is it an "on unless specified otherwise" option? – Hubert Kario Jul 18 '11 at 22:05

man nmap

 -sS (TCP SYN scan)
              SYN scan is the default and most popular scan option ...
dmourati

-sS, named "TCP SYN (Stealth) scan" (SYN, SYN-ACK, RST), is used by default for a privileged (admin, root) user: there is no need to specify it.

Otherwise -sT, named "TCP Connect scan" (full TCP handshake: SYN, SYN-ACK, ACK), is used for a standard user; this is not as fast or stealthy.

Using -sS as a standard (unprivileged) user will result in a failure, as it requires raw-packet privileges.

Using the --packet-trace option, nmap will show you what happens at a low level and demonstrate the differences between -sT and -sS.

Florian Bidabé
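The answers above describe the two exchanges in words: a SYN scan sends SYN, receives SYN-ACK and answers with RST (half-open), while a connect scan completes the handshake with ACK. The script below, an added example that is not part of any answer on this page, reconstructs that distinction from a packet trace, which is also how a defender would recognise half-open probing in captured traffic. The sample lines are constructed and only loosely modelled on the SENT/RCVD lines that nmap's --packet-trace prints; the exact format, the addresses and the function names are assumptions, not nmap's documented output.

```python
"""Classify TCP probe exchanges in a packet trace as half-open (SYN scan)
or full-connect, and infer which nmap scan type produced the trace.

The trace format (SENT/RCVD, endpoints, TCP flag letters) is an assumption
loosely modelled on nmap --packet-trace; the lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed: what a privileged -sS run looks like against one open port
# (80, answered with RST after the SYN-ACK) and one closed port (23, RST-ACK).
SYN_SCAN_TRACE = """\
SENT (0.0510s) TCP 10.0.0.5:40001 > 10.0.0.9:80 S ttl=48 id=1 iplen=44 seq=1 win=1024
RCVD (0.0520s) TCP 10.0.0.9:80 > 10.0.0.5:40001 SA ttl=64 id=0 iplen=44 seq=2 win=29200
SENT (0.0521s) TCP 10.0.0.5:40001 > 10.0.0.9:80 R ttl=48 id=2 iplen=40 seq=2 win=0
SENT (0.0610s) TCP 10.0.0.5:40002 > 10.0.0.9:23 S ttl=48 id=3 iplen=44 seq=3 win=1024
RCVD (0.0620s) TCP 10.0.0.9:23 > 10.0.0.5:40002 RA ttl=64 id=0 iplen=40 seq=0 win=0
"""

# Constructed: the same two ports probed by an unprivileged -sT run, where the
# kernel finishes the handshake on the open port with an ACK.
CONNECT_SCAN_TRACE = """\
SENT (0.0710s) TCP 10.0.0.5:40003 > 10.0.0.9:80 S ttl=64 id=4 iplen=60 seq=5 win=64240
RCVD (0.0720s) TCP 10.0.0.9:80 > 10.0.0.5:40003 SA ttl=64 id=0 iplen=60 seq=9 win=65160
SENT (0.0721s) TCP 10.0.0.5:40003 > 10.0.0.9:80 A ttl=64 id=5 iplen=52 seq=6 win=502
SENT (0.0810s) TCP 10.0.0.5:40004 > 10.0.0.9:23 S ttl=64 id=6 iplen=60 seq=7 win=64240
RCVD (0.0820s) TCP 10.0.0.9:23 > 10.0.0.5:40004 RA ttl=64 id=0 iplen=40 seq=0 win=0
"""

LINE_RE = re.compile(
    r"^(SENT|RCVD) \([\d.]+s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+)"
)


def parse_trace(text):
    """Group the TCP flag sequence of each probe, keyed by
    (scanner address, target address, target port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not TCP packet records
        if m.group(1) == "SENT":
            key = (m["src"], m["dst"], int(m["dport"]))
        else:  # RCVD: the reply travels from the target back to the scanner
            key = (m["dst"], m["src"], int(m["sport"]))
        flows[key].append(m["flags"])
    return dict(flows)


def classify(flags):
    """Label one probe's flag sequence.

    S, SA, R  -> 'half-open'     (SYN scan: handshake torn down)
    S, SA, A  -> 'full-connect'  (connect scan: handshake completed)
    S, RA     -> 'closed'        (port closed, no scan type visible)
    """
    if not flags or flags[0] != "S":
        return "unknown"
    if len(flags) >= 2 and flags[1] == "RA":
        return "closed"
    if len(flags) >= 3 and flags[1] == "SA":
        if flags[2] == "R":
            return "half-open"
        if flags[2] == "A":
            return "full-connect"
    return "unknown"


def classify_trace(text):
    """Map every (scanner, target, port) probe in the trace to its label."""
    return {key: classify(flags) for key, flags in parse_trace(text).items()}


def scan_verdict(text):
    """Infer the nmap scan type from the open-port exchanges only: closed
    ports answer RST-ACK either way, so they carry no signal."""
    labels = set(classify_trace(text).values())
    if "half-open" in labels and "full-connect" not in labels:
        return "-sS"
    if "full-connect" in labels and "half-open" not in labels:
        return "-sT"
    return "undetermined"


if __name__ == "__main__":
    for name, trace in (("SYN scan", SYN_SCAN_TRACE), ("connect scan", CONNECT_SCAN_TRACE)):
        print(name, classify_trace(trace), "->", scan_verdict(trace))
```

Only the open ports discriminate between the two scan types, which is why scan_verdict ignores the "closed" exchanges: a closed port answers RST-ACK to the initial SYN whether the scanner is privileged or not.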