[Lesson 5] Network Vulnerability and Scanning: TCP Connect Scan in Nmap

Koay Yong Cett
5 min read · May 21, 2020

In this lesson, we are going to discuss the TCP scan ✋ The TCP scan, also known as the TCP connect scan, is the default TCP scan type when SYN scan is not an option.

SYN scan

Well, when is the SYN scan not an option ❓

  • For example, take a Domain Name System (DNS) query between two endpoints. Layers 3 and 4 of the packets are managed by the operating system of your device.
  • This means that the user doesn’t interfere with the TCP three way handshake; the whole process is managed by the operating system itself.
  • In a SYN scan, we interrupt the three way handshake and don’t send the last ACK packet to complete it.
  • You have to be a privileged user to be able to interrupt the handshake (SYN scan). If you are not a privileged user, you cannot interrupt the three way handshake and cannot perform a SYN scan either.

Why SYN scan is better than TCP connect scan

TCP scan
  • Instead of writing raw packets as most other scan types do, which requires admin privileges, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the native connect system call. This is referred to as a TCP connect scan/TCP scan.
  • Therefore, you don’t need to be a privileged user to perform TCP connect scans. When SYN scan is available, it is usually the better choice: Nmap has less control over the high level connect call than over raw packets, which makes it less efficient.
  • The system call completes the connections to the open target ports rather than performing the half open reset that SYN scan performs. This takes longer and requires more packets to obtain the same information.
  • Moreover, with a TCP connect scan the target machines are more likely to log the connection, so it is not stealthy.

Steps of TCP connect Scan:

TCP connect scan

The steps of a TCP connect scan are exactly the same as the TCP three way handshake:

  1. You send a SYN packet to open a real connection and wait for the response.
  2. A SYN/ACK response indicates the port is listening (open), while RST (reset) indicates that the target port is a non listener. If no response is received after several re-transmissions or an ICMP unreachable error is received, the port is marked as filtered.
  3. If you receive a SYN/ACK from the target system, you send an ACK packet to complete the three way handshake.
  4. Since we have nothing to say at the moment, we then send RST to end the communication.
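As an added example (not part of the original lesson), here is a minimal connect scan in Python that follows these four steps through the operating system’s connect() call, without any privileges, and classifies ports as open, closed or filtered the way nmap -sT reports them. The listener on 127.0.0.1 is constructed for the demo, and the SO_LINGER setting is how this example produces the final RST; it is an assumption that Nmap does the same internally.

```python
import errno
import socket
import struct

# Port states as nmap reports them for a connect scan.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def connect_scan_port(host, port, timeout=2.0):
    """Probe one TCP port through the OS connect() call, as nmap -sT does.
    No privileges are needed: the kernel performs the whole three-way handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        # SO_LINGER with a zero timeout (Linux struct linger layout) makes close()
        # send RST instead of FIN: we have nothing to say after the handshake, so
        # we reset the connection, which is step 4 above.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        err = sock.connect_ex((host, port))
    if err == 0:
        return OPEN      # SYN, SYN/ACK, ACK completed: something is listening
    if err == errno.ECONNREFUSED:
        return CLOSED    # the target answered our SYN with RST
    # Timeout (EAGAIN/ETIMEDOUT) or ICMP unreachable (EHOSTUNREACH/ENETUNREACH):
    # no usable answer, which nmap reports as filtered.
    return FILTERED


def connect_scan(host, ports, timeout=2.0):
    """Scan several ports (e.g. a top-ports list) and return {port: state}."""
    return {port: connect_scan_port(host, port, timeout) for port in ports}


def start_listener():
    """Constructed target: a listening socket on 127.0.0.1 (an open port).
    The kernel completes the handshake from the backlog, so no accept() is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port():
    """Constructed target: a port on 127.0.0.1 that nothing listens on (closed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]
```

Calling `connect_scan("127.0.0.1", [open_port, free_port()])` after `start_listener()` returns the listener’s port as open and the unused port as closed; watching it in Wireshark shows the same SYN, SYN/ACK, ACK, RST sequence the lesson captures.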

Let’s see what happens in Wireshark when we perform a TCP scan and then compare the TCP scan with the SYN scan:

Hands on practice 👊

Let’s scan the Metasploitable machine and check whether the host is up first:

Since we get response packets, the system is up.

Let’s create the TCP scan command:

Here, we create a command for the TCP scan:

  • nmap is the command to start the Nmap application
  • -sT is the TCP connect scan
  • -n is used to avoid DNS resolution (see the IP address only)
  • -Pn skips host discovery, as we already know that the host is up. You should make it a habit to use -Pn when you are scanning a single system.
  • The target IP address of the Metasploitable machine.
  • --top-ports 10 is used to keep the scan fast and short by scanning the top 10 ports only.

Results: Only port 445 is in the open state, whereas the other ports are in the filtered state.

Let’s see the differences between the TCP scan and SYN scan in Wireshark:

TCP scan

Run the command for port 445, which we know is an open port.

TCP scan

Now, here we have the packets of the exchange:

  1. The first packet is a SYN packet to initiate the three way handshake. It is sent from an arbitrary port of Kali Linux to port 445 on the Metasploitable system.
  2. The second packet is a SYN/ACK packet sent by the destination system, which is the Metasploitable machine.
  3. The third packet is the ACK sent by Kali to complete the TCP three way handshake.
  4. The fourth packet is a RST packet sent by Kali to end the conversation.

Run the SYN scan command and capture the packets in Wireshark for comparison.

Next, we will see the comparison between both TCP scan and SYN scan:

SYN Scan:

SYN Scan

TCP Scan:

TCP scan

  • Here, we have a comparison between SYN scan packets and TCP scan packets for an open port.
  • In the SYN scan, Nmap aborts the three way handshake with a RST packet.
  • Whereas in the TCP scan, the three way handshake is completed and the communication is established.

Differences between SYN scan and TCP scan

Let’s explain it briefly:

  • The 3 way handshake is not completed by the SYN scan, whereas it is completed by the TCP scan.
  • In the SYN scan a RST packet is sent when a SYN/ACK packet is received, while in the TCP scan an ACK packet is sent.
  • Target machines are more likely to log the connection when it is established in the TCP scan. However, target machines don’t log the connection for the SYN scan, as the 3 way handshake is not completed.
  • Because the SYN scan bypasses the native operating system call and interrupts the handshake itself, it has to be run by a privileged user. The TCP scan, on the other hand, uses the system call, so it doesn’t require extra privileges.

Thanks for reading… 😃


Koay Yong Cett

A Bachelor of CS student majoring in Network Security (UniSZa). Every story I share is based on my personal opinion. Thank you. Doing my internship now.