Basicamente, por padrão:
- Um usuário privilegiado executa uma -sS (verificação TCP SYN).
Esse tipo de verificação requer privilégios de soquete bruto / pacote bruto.
- Um usuário unprivileged executa uma -sT (verificação de conexão TCP).
Esse tipo de verificação não requer privilégios de soquete bruto / pacote bruto.
Adaptado dos documentos oficiais do Nmap:
PORT SCANNING TECHNIQUES
Most of the scan types are only available to privileged users. This is because they are able to send and receive raw packets, which requires root access on Unix systems. Using an
administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS. Requiring root
privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far
more people have always-on direct Internet access, and desktop Unix systems (including Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to
run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more
powerful and flexible.
--privileged (Assume that the user is fully privileged).
Tells Nmap to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and similar operations that usually require root privileges on Unix
systems. By default, Nmap quits if such operations are requested but geteuid is not zero. --privileged is useful with Linux kernel capabilities and similar systems that may
be configured to allow unprivileged users to perform raw-packet scans. Be sure to provide this option flag before any flags for options that require privileges (SYN scan,
OS detection, etc). The NMAP_PRIVILEGED environment variable may be set as an equivalent alternative to --privileged.
-sS (TCP SYN Scan).
TCP SYN Scan is the default scan option for privileged users. It can be performed quickly, scanning thousands of ports per second; when on a fast network, not hampered by any
restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. A TCP SYN Scan works against any compliant TCP stack rather than
depending on the idiosyncrasies of specific platforms (as Nmap's other scans do). It allows clear, reliable differentiation between the (open), (closed), and (filtered) states.
This technique is often referred to as a Half-Open Scan, because it doesn't open a full TCP connection. You send a SYN packet, as if you are going to (open) a real connection
and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener (closed). If a SYN/ACK is received, a RST is
immediately sent to tear down the connection. The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build
these custom SYN packets. If no response is received after several retransmissions, the port is marked as (filtered). The port is also marked (filtered) if an
ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered (open) if a SYN packet (without the ACK flag) is received in response.
This can be due to an extremely rare TCP feature known as a simultaneous (open) or split handshake connection. (https://nmap.org/misc/split-handshake.pdf)
--unprivileged (Assume that the user lacks raw socket privileges).
This option is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful if testing, debugging, or
the raw network functionality of your operating system is somehow broken. The NMAP_UNPRIVILEGED environment variable may be set as an equivalent alternative to —unprivileged.
-sT (TCP Connect Scan).
TCP Connect Scan is the default TCP scan type for unprivileged users. This is the most basic form of TCP scanning. The connect() system call, provided by your operating system
is used to (open) a connection to some interesting ports on the machine. If the port is (listening), then connect() will succeed, otherwise the port is (filtered). One strong
advantage to this technique is that it doesn't require any special privileges. Usually, on most UNIX boxes, any user can make this call because it doesn't involve writing raw
packets like most other scan types do. This connect() call is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use
to establish a connection.
When the TCP SYN Scan is available, it is usually a better choice. Nmap has less control over the high level connect() call than with raw packets, making it less efficient.
Rather than performing the half-open (reset) that a SYN Scan does, the connect() system call makes complete connections to (open) target ports. This not only takes longer, it
requires sending more packets to obtain the same information, and target machines are more likely to log the connection. A decent IDS will catch either. Most machines, however,
have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the
connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs
from a single system should know that she has been TCP Connect Scanned.