| Name | TCP Connect Scan |
| Likelihood of attack | Low |
| Typical severity | Low |
| Summary | An adversary uses full TCP connection attempts to determine whether a port is open on the target system. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack. |
| Prerequisites | The adversary requires logical access to the target network. The TCP connect scan requires the ability to connect to an available port and complete a 'three-way handshake'. This scanning technique does not require any special privileges to perform. This type of scan works against all TCP/IP stack implementations. |
| Execution Flow |

| Step | Phase | Description | Techniques |
|---|---|---|---|
| 1 | Experiment | An adversary attempts to initialize a TCP connection with the target port. | |
| 2 | Experiment | An adversary uses the result of their TCP connection to determine the state of the target port. A successful connection indicates a port is open with a service listening on it, while a failed connection indicates the port is not open. | |
| Solutions | Employ a robust network defense posture that includes an IDS/IPS system. |
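Because a connect scan completes the full handshake, every probe shows up in connection-tracking, firewall or host accept() logs as a distinct accepted or refused connection, which is what an IDS rule keys on. The following added example (not part of the CAPEC entry) runs a simple detector over constructed log lines in an assumed `key=value` format: it flags any source/destination pair that touches at least `min_ports` distinct destination ports within a sliding time window, counting refused connections as probes too.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not real data). 10.0.0.5 walks six
# ports on 10.0.0.9 within three seconds; 10.0.0.7 is ordinary client traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=10.0.0.5 dst=10.0.0.9 dport=21 result=refused
2024-05-01T10:00:00 src=10.0.0.5 dst=10.0.0.9 dport=22 result=accepted
2024-05-01T10:00:01 src=10.0.0.5 dst=10.0.0.9 dport=23 result=refused
2024-05-01T10:00:01 src=10.0.0.5 dst=10.0.0.9 dport=25 result=refused
2024-05-01T10:00:02 src=10.0.0.5 dst=10.0.0.9 dport=80 result=accepted
2024-05-01T10:00:03 src=10.0.0.5 dst=10.0.0.9 dport=443 result=accepted
2024-05-01T10:00:05 src=10.0.0.7 dst=10.0.0.9 dport=443 result=accepted
2024-05-01T10:00:09 src=10.0.0.7 dst=10.0.0.9 dport=443 result=accepted
2024-05-01T10:00:30 src=10.0.0.7 dst=10.0.0.9 dport=22 result=accepted
"""


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport)."""
    ts, fields = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in fields.split())
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])


def detect_connect_scans(log_text, window=timedelta(seconds=60), min_ports=5):
    """Return {(src, dst): max distinct ports seen in any `window`} for pairs
    that reached at least `min_ports` distinct destination ports. Both accepted
    and refused connections count: a refusal still reveals the port state."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[(src, dst)].append((ts, port))
    hits = {}
    for pair, probes in events.items():
        probes.sort()  # sliding window over time-ordered probes
        lo = 0
        for hi in range(len(probes)):
            while probes[hi][0] - probes[lo][0] > window:
                lo += 1
            ports = {p for _, p in probes[lo:hi + 1]}
            if len(ports) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits


if __name__ == "__main__":
    for (src, dst), n in detect_connect_scans(SAMPLE_LOG).items():
        print(f"possible TCP connect scan: {src} -> {dst}, {n} distinct ports")
```

Tune `window` and `min_ports` to the environment; a slow scan spread over hours needs a longer window or a per-source cumulative count.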
| Related Weaknesses |

| CWE ID | Description |
|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| Related CAPECs |

| CAPEC ID | Description |
|---|---|
| CAPEC-300 | An adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network. |