CAPEC-301 - TCP Connect Scan

An attacker uses full TCP connection attempts to determine if a port is open. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack. RFC 793 defines how TCP connections are established and torn down. TCP connect scanning commonly involves establishing a full connection, and then subsequently tearing it down, and therefore involves sending a significant number of packets to each port that is scanned. This type of scanning has the following characteristics. Compared to other types of scans, a TCP Connect scan is slow and methodical. This type of scanning causes considerable noise in system logs and can be spotted by IDS/IPS systems. In terms of port status, TCP Connect scanning can detect when a port is open by completing the three-way handshake, but it cannot distinguish a port that is unfiltered with no service running on it from a port that is filtered by a firewall but contains an active service. Due to the significant volume of packets exchanged per port, TCP connect scanning can become very time consuming. Generally, it is not used as a method for performing a comprehensive port scan, but is reserved for checking a short list of common ports. A TCP Connect scan has the following characteristics:

The TCP Connect scan has the advantage of versatility and ease of use in that it works equally well against all TCP stacks and that it is easy for a novice to interpret the results of the scan due to its all or nothing nature. Its disadvantages are noise, speed, and poor visibility into the filter structure of a firewall. As a general rule, performing a full TCP connect scan against a host can take multiple days.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Scopes 1
  • Read application data
  • Confidentiality

The TCP connect requires the ability to connect to an available port and complete a 'three-way-handshake' This scanning technique does not require any special privileges in order to perform. This type of scan works against all TCP/IP stack implementations.

The ability to build full TCP connections with a target. This can be achieved via the use of a network mapper or scanner, or via routine socket programming in a scripting language. This can be achieved via the use of a network mapper or scanner, or via socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network to see the response.