TCP Connect Scan
Attack Pattern ID: 301 (Detailed Attack Pattern Completeness: Stub) | Typical Severity: Low | Status: Draft |
Summary
An attacker uses full TCP connection attempts to determine if a port is open. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack. RFC 793 defines how TCP connections are established and torn down. TCP connect scanning commonly involves establishing a full connection and then subsequently tearing it down, and therefore involves sending a significant number of packets to each port that is scanned. Compared to other types of scans, a TCP Connect scan is slow and methodical. This type of scanning causes considerable noise in system logs and can be spotted by IDS/IPS systems. In terms of port status, TCP Connect scanning can detect when a port is open by completing the three-way handshake, but it cannot distinguish a port that is unfiltered with no service running on it from a port that is filtered by a firewall but contains an active service. Due to the significant volume of packets exchanged per port, TCP connect scanning can become very time consuming. Generally, it is not used as a method for performing a comprehensive port scan, but is reserved for checking a short list of common ports. A TCP Connect scan has the following characteristics:
1. Speed: TCP Connect scanning is very slow.
2. Stealth: TCP Connect scanning is extremely noisy and involves a significant number of packets.
3. Open Port: Detects that a port is open via a successful three-way handshake.
4. Filtered Port: Cannot distinguish a closed (unfiltered) port from an open (filtered) port.
5. Unfiltered Port: Can detect an unfiltered port only when the unfiltered port is in front of an active TCP/IP service.
The TCP Connect scan has the advantage of versatility and ease of use in that it works equally well against all TCP stacks and that it is easy for a novice to interpret the results of the scan due to its all-or-nothing nature. Its disadvantages are noise, speed, and poor visibility into the filter structure of a firewall. As a general rule, performing a full TCP connect scan against a host can take multiple days.
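The noise described above is what a defender can key on. As an added example (not part of the CAPEC entry), the following Python script reads a constructed, hypothetical connection log, maps each observed outcome to the only port status a connect scan can actually conclude (per the characteristics listed), and flags any source that completes or attempts handshakes to many distinct ports on one host within a short window. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not any product's real output):
# "<iso-time> <src> <dst>:<port> <result>", where result is how the SYN was
# answered: handshake = full three-way handshake, rst = RST, timeout = no reply.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 192.168.1.10:22 handshake
2024-05-01T10:00:01 10.0.0.5 192.168.1.10:23 rst
2024-05-01T10:00:01 10.0.0.5 192.168.1.10:25 timeout
2024-05-01T10:00:02 10.0.0.5 192.168.1.10:80 handshake
2024-05-01T10:00:03 10.0.0.5 192.168.1.10:110 rst
2024-05-01T10:00:04 10.0.0.5 192.168.1.10:443 timeout
2024-05-01T10:00:09 10.0.0.7 192.168.1.10:443 handshake
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (handshake|rst|timeout)$")

def interpret(result):
    """Port status a TCP Connect scan can conclude from one outcome."""
    if result == "handshake":
        return "open"            # three-way handshake completed
    if result == "rst":
        return "closed"          # unfiltered port with no listening service
    return "closed|filtered"     # no reply: a connect scan cannot tell these apart

def parse(log_text):
    """Yield (timestamp, src, dst, port, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, dst, port, result = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port), result

def detect_connect_scans(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted ports} for pairs where one source touched
    at least min_ports distinct ports on one host within a sliding window."""
    events = defaultdict(list)
    for ts, src, dst, port, _ in parse(log_text):
        events[(src, dst)].append((ts, port))
    hits = {}
    for key, rows in events.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            ports = {p for t, p in rows[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[key] = sorted(ports)
                break
    return hits
```

Tuning `min_ports` and `window` to the environment's normal fan-out is what keeps this from flagging a busy client as a scanner.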
Target Attack Surface Description
Targeted OSI Layers: Transport Layer
Target Attack Surface Localities
Target Attack Surface Types: Host Service
The TCP connect scan requires the ability to connect to an available port and complete a 'three-way handshake'. This scanning technique does not require any special privileges in order to perform. This type of scan works against all TCP/IP stack implementations.
The ability to build full TCP connections with a target. This can be achieved via the use of a network mapper or scanner, or via routine socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used, it may be necessary to sniff the network to see the response.
Nature | Type | ID | Name | Description | View(s) this relationship pertains to
---|---|---|---|---|---
ChildOf | | 300 | Port Scanning | | Mechanism of Attack (1000)