Introduction to TCP Connect Scan
Rikunj Sindhwad
Senior Consultant @E&Y | Red & Purple Team | SecOps | Automation | Instructor | OSEP | OSWE | OSCP
A TCP Connect Scan is a widely used scanning technique in network security that helps identify the status of ports on a target system. It is one of the basic scanning techniques implemented in tools like Nmap, and it leverages the fundamental TCP three-way handshake process. The goal is to determine whether a port is open, closed, or filtered based on the response from the target system.
The TCP Three-Way Handshake
The TCP three-way handshake is the foundation of establishing a TCP connection. This process involves three key steps:
1. SYN: the client sends a SYN packet to the port it wants to reach.
2. SYN-ACK: if the port is open, the target answers with a SYN-ACK packet.
3. ACK: the client replies with an ACK, completing the handshake and establishing the connection.
If a port is closed, the target will respond with an RST (reset) packet, terminating the connection immediately. If the port is filtered (e.g., by a firewall), there may be no response or a delayed response, indicating that the port is not reachable.
Practical Example: Nmap and Wireshark
Nmap is a popular network scanning tool that supports various scanning techniques, including the TCP Connect Scan. When you use the -sT option in Nmap, it performs a full TCP Connect Scan by establishing the TCP three-way handshake on a target port.
In the practical demonstration, Nmap sends a SYN packet to port 80 of the target system. If the port is open, the target responds with a SYN-ACK packet and Nmap's ACK completes the handshake. Nmap does not keep the connection open, however: it sends an RST (reset) packet immediately after the handshake, so the connection is torn down before any data is exchanged.
Wireshark, a network packet analyzer, is used to capture and analyze the traffic generated during the scan. Wireshark visually confirms the three-way handshake by displaying the SYN, SYN-ACK, and ACK packets exchanged between the systems. This allows network administrators and security professionals to observe the scanning process in real time.
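The following is an added example, not code from the article or from Nmap, that reproduces what the -sT option does for a single port using the operating system's connect() call. No packets are crafted by hand: the kernel performs the SYN, SYN-ACK, ACK exchange, and the result of connect() reveals how the target answered. The loopback listener and ports are constructed for the demo so that it runs offline.

```python
import socket
import struct
import threading

# Added example, not from the original article: classify a port the way a
# connect scan does, from the outcome of the OS connect() call.
#   connect() returns       -> SYN, SYN-ACK, ACK completed      -> open
#   ECONNREFUSED            -> target answered the SYN with RST -> closed
#   timeout / unreachable   -> no usable answer                 -> filtered
# Hosts and ports below are loopback values constructed for the demo.

def classify_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    # SO_LINGER with a zero timeout makes close() send RST instead of FIN,
    # which is the reset the article sees in Wireshark right after the handshake.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        # No SYN-ACK and no RST within the timeout (or host/network unreachable):
        # the probe was most likely dropped by a filtering device.
        return "filtered"
    finally:
        s.close()


def start_local_listener():
    """Open an ephemeral loopback port and accept connections in the background.
    Constructed stand-in for a target service with an open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()   # the scanner's handshake is visible here
            except OSError:
                return                   # listener closed or connection aborted
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_loopback_port():
    """Find a loopback port nobody listens on, by binding and releasing it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe one listening and one unbound loopback port; return both verdicts."""
    srv, open_port = start_local_listener()
    closed_port = free_loopback_port()
    results = {
        "listening_port": classify_port("127.0.0.1", open_port),
        "unbound_port": classify_port("127.0.0.1", closed_port),
    }
    srv.close()
    return results


if __name__ == "__main__":
    print(demo())   # {'listening_port': 'open', 'unbound_port': 'closed'}
```

Note that the listener's accept() call returns for the scanner's connection even though the scanner resets it immediately: because the handshake completes, the probe reaches the application layer, which is the property the capture in Wireshark shows as SYN, SYN-ACK, ACK and then RST.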
Significance of the Reset (RST) Packet
Nmap sends an RST packet as soon as the handshake is completed so that the connection is never held open or used to exchange data, which could be logged by the target system and raise suspicion. By resetting the connection straight away, the scanner can stealthily determine that the port is open without triggering extensive logging on the target.
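From the defender's side, the completed handshake is exactly what makes a connect scan visible: a listening service's accept() returns for every probed open port, and in a capture the pattern is SYN, SYN-ACK, ACK followed by an RST from the client with no payload, repeated across many ports from one source. The following added example, not part of the article, parses a constructed tshark-style packet listing (source, port, destination, port, TCP flags, payload length) and labels each flow with the article's vocabulary: handshake then reset (open port probed), refused (closed port), unanswered (filtered), or an ordinary established connection. A source that probes several ports in this way is reported as a suspected connect scan; the hosts, ports and threshold are constructed values.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic), one packet per line:
# time src sport dst dport tcp_flags payload_len
# 10.0.0.5 probes four ports on 10.0.0.10; 10.0.0.7 makes a normal connection.
SAMPLE_CAPTURE = """\
1.000 10.0.0.5 40001 10.0.0.10 22 S 0
1.001 10.0.0.10 22 10.0.0.5 40001 SA 0
1.002 10.0.0.5 40001 10.0.0.10 22 A 0
1.003 10.0.0.5 40001 10.0.0.10 22 RA 0
1.010 10.0.0.5 40002 10.0.0.10 80 S 0
1.011 10.0.0.10 80 10.0.0.5 40002 SA 0
1.012 10.0.0.5 40002 10.0.0.10 80 A 0
1.013 10.0.0.5 40002 10.0.0.10 80 RA 0
1.020 10.0.0.5 40003 10.0.0.10 443 S 0
1.021 10.0.0.10 443 10.0.0.5 40003 RA 0
1.030 10.0.0.5 40004 10.0.0.10 8080 S 0
2.000 10.0.0.7 51000 10.0.0.10 80 S 0
2.001 10.0.0.10 80 10.0.0.7 51000 SA 0
2.002 10.0.0.7 51000 10.0.0.10 80 A 0
2.003 10.0.0.7 51000 10.0.0.10 80 PA 120
2.004 10.0.0.10 80 10.0.0.7 51000 PA 512
2.005 10.0.0.7 51000 10.0.0.10 80 FA 0
"""


def parse_capture(text):
    """Turn the column listing into a list of packet dicts, in capture order."""
    packets = []
    for line in text.strip().splitlines():
        t, src, sport, dst, dport, flags, plen = line.split()
        packets.append({"t": float(t), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "flags": flags,
                        "len": int(plen)})
    return packets


def classify_flow(pkts):
    """Label one flow; pkts[0] is the client's SYN, so 'c' is the initiator."""
    client = (pkts[0]["src"], pkts[0]["sport"])
    seq = [("c" if (p["src"], p["sport"]) == client else "s", p["flags"], p["len"])
           for p in pkts]
    if seq[0][1] != "S":
        return "other"
    if len(seq) == 1:
        return "unanswered"                     # no reply at all: filtered
    if seq[1][0] == "s" and "R" in seq[1][1]:
        return "refused"                        # SYN answered with RST: closed
    if seq[1][1] == "SA" and len(seq) >= 3 and seq[2] == ("c", "A", 0):
        client_data = any(w == "c" and n > 0 for w, _, n in seq[3:])
        client_reset = any(w == "c" and "R" in f for w, f, _ in seq[3:])
        if client_reset and not client_data:
            return "handshake_then_reset"       # the -sT signature on an open port
        return "established"
    return "other"


def detect_connect_scans(packets, port_threshold=3):
    """Group packets into flows, label them, and flag sources probing many ports."""
    flows = defaultdict(list)
    for p in packets:
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        flows[tuple(sorted([a, b]))].append(p)   # same key for both directions
    per_src = defaultdict(lambda: defaultdict(set))
    for pkts in flows.values():
        per_src[pkts[0]["src"]][classify_flow(pkts)].add(pkts[0]["dport"])
    report = {}
    for src, labels in per_src.items():
        probes = labels["handshake_then_reset"] | labels["refused"] | labels["unanswered"]
        report[src] = {
            "probed_ports": sorted(probes),
            "open_confirmed": sorted(labels["handshake_then_reset"]),
            "suspected_scan": len(probes) >= port_threshold,   # constructed threshold
        }
    return report


def analyze_sample():
    return detect_connect_scans(parse_capture(SAMPLE_CAPTURE))


if __name__ == "__main__":
    for src, verdict in analyze_sample().items():
        print(src, verdict)
```

The threshold and the time window are deliberately simple; a production detector would also bound the probes in time and whitelist known monitoring hosts. The point of the labelling is that a connect scan leaves a complete handshake in the trace and in the application's accept log, so it is the easier variant to attribute to a source address.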
Conclusion
The TCP Connect Scan is an effective way to identify open ports on a network. Although it fully establishes a connection, it quickly terminates it using an RST packet, making it a relatively stealthy scanning technique. Nmap's -sT flag enables easy implementation of this scan, while Wireshark provides a detailed view of the TCP handshake process.
Understanding the mechanics of TCP Connect Scans is crucial for network security professionals, as it helps in both offensive and defensive security practices. This knowledge can be applied to test networks for vulnerabilities or to monitor and mitigate unauthorized scanning attempts.
Watch the video to learn more about the practical approach.