TCP SYN Scan

From VulneraPedia

Jump to: navigation, search

This is an Attack. To view all of them, please see the Attack Category page.


Contents

CAPEC Identificator

287


Description

Summary

An attacker uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its enormous advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance. As a scanning method the primary advantages of SYN scanning are its universality and speed. RFC 793 defines the required behavior of any TCP/IP device in that an incoming connection request begins with a SYN packet, which in turn must be followed by a SYN/ACK packet from the receiving service. For this reason, like TCP Connect scanning, SYN scanning works against any TCP stack. Unlike TCP Connect scanning, it is possible to scan thousands of ports per second using this method. This type of scanning is usually referred to as 'half-open' scanning because it does not complete the three-way handshake. The scanning rate is extremely fast because no time is wasted completing the handshake or tearing down the connection. TCP SYN scanning can also immediately detect 3 of the 4 important types of port status: open, closed, and filtered. When a SYN is sent to an open port and unfiltered port, a SYN/ACK will be generated. This technique allows an attacker to scan through stateful firewalls due to the common configuration that TCP SYN segments for a new connection will be allowed for almost any port. When a SYN packet is sent to a closed port a RST is generated, indicating the port is closed. When SYN scanning to a particular port generates no response, or when the request triggers ICMP Type 3 unreachable errors, the port is filtered. A TCP Connect scan has the following characteristics:

  • 1. Speed: TCP SYN scanning is fast compared to other types of scans.
  • 2. Stealth: TCP SYN scanning is stealthy and SYN scan detection is fraught with false positives.
  • 3. Open Port: Detects that a port is open via a successful SYN/ACK to the SYN.
  • 4. Closed Port: Detects that a port is closed via a successful RST to the SYN
  • 5. Filtered Port: No response, or ICMP messages, indicates the presence of a filter.
  • 6. Unfiltered Port: Cannot distinguish between a state-fully filtered port and an unfiltered port.

SYN scanning is fast and provides the attacker with a wealth of information. The primary drawback is that SYN scanning requires the ability to access "raw sockets" in order to create the packets. As a result, it is not possible to perform a SYN scan from some systems (Windows XP SP 2). On other systems (BSD, Linux) administrative privileges are required in order to write to the raw socket.

Attack_Prerequisites

  • This scan type is not possible with some operating systems (Windows XP SP 2). On linux and unix systems it requires root privileges to use raw sockets.

Resources_Required

  • The ability to send TCP SYN segments to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.


Severity

Low

Related Attack Patterns

ID Name Description
300 Category:Port Scanning

Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities: Server-side

Target Attack Surface Types: Host Service

Target Functional Services

Target_Functional_Service 1: None

Protocol 1: Transmission Control Protocol (RFC 793)
    Protocol Header 1:
        Protocol RFC: RFC 793
        Protocol Field Name: Flag
        Protocol Field Description: A TCP SYN "synchronize" flag is the first step in the procedures to establish new TCP connections. This control flag is used to initialize a three-way handshake. The logic of the Transmission Control Block (TCB) dictates that any host that receives a SYN packet to an open port must respond with a "SYN/ACK" packet in acknowledgement.
        Protocol Operation Code: 8
        Protocol Data: Any data in the payload portion of a TCP SYN packet is ignored for the purpose of establishing a connection.
    Related Protocol: Internet Protocol (RFC 791)
        Relationship_Type: Uses Protocol


References

Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets and Solutions, Chapter 2: Scanning, pg. 56, 6th Edition, McGraw Hill, ISBN: 978-0-07-161374-3, 2009

Defense Advanced Research Projects Agency (DARPA), RFC793 - Transmission Control Protocol, 1981. http://www.faqs.org/rfcs/rfc793.html

Gordon "Fyordor" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning, Section 5.32 TCP SYN (Stealth) Scan, pg. 100, 3rd "Zero Day" Edition, , Insecure.com LLC, ISBN: 978-0-9799587-1-7, 2008

Gordon "Fyordor" Lyon, The Art of Port Scanning, Volume: 7, Issue. 51, Phrack Magazine, 1997. http://nmap.org/p51-11.html

Facts about TCP SYN ScanRDF feed
AttackPort Scanning  +
CAPEC Identificator287  +
DescriptionSummary

An attacker uses a S Summary

An attacker uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its enormous advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance. As a scanning method the primary advantages of SYN scanning are its universality and speed. RFC 793 defines the required behavior of any TCP/IP device in that an incoming connection request begins with a SYN packet, which in turn must be followed by a SYN/ACK packet from the receiving service. For this reason, like TCP Connect scanning, SYN scanning works against any TCP stack. Unlike TCP Connect scanning, it is possible to scan thousands of ports per second using this method. This type of scanning is usually referred to as 'half-open' scanning because it does not complete the three-way handshake. The scanning rate is extremely fast because no time is wasted completing the handshake or tearing down the connection. TCP SYN scanning can also immediately detect 3 of the 4 important types of port status: open, closed, and filtered. When a SYN is sent to an open port and unfiltered port, a SYN/ACK will be generated. This technique allows an attacker to scan through stateful firewalls due to the common configuration that TCP SYN segments for a new connection will be allowed for almost any port. When a SYN packet is sent to a closed port a RST is generated, indicating the port is closed. When SYN scanning to a particular port generates no response, or when the request triggers ICMP Type 3 unreachable errors, the port is filtered. A TCP Connect scan has the following characteristics:

  • 1. Speed: TCP SYN scanning is fast compared to other types of scans.
  • 2. Stealth: TCP SYN scanning is stealthy and SYN scan detection is fraught with false positives.
  • 3. Open Port: Detects that a port is open via a successful SYN/ACK to the SYN.
  • 4. Closed Port: Detects that a port is closed via a successful RST to the SYN
  • 5. Filtered Port: No response, or ICMP messages, indicates the presence of a filter.
  • 6. Unfiltered Port: Cannot distinguish between a state-fully filtered port and an unfiltered port.

SYN scanning is fast and provides the attacker with a wealth of information. The primary drawback is that SYN scanning requires the ability to access "raw sockets" in order to create the packets. As a result, it is not possible to perform a SYN scan from some systems (Windows XP SP 2). On other systems (BSD, Linux) administrative privileges are required in order to write to the raw socket.

Attack_Prerequisites

  • This scan type is not possible with some operating systems (Windows XP SP 2). On linux and unix systems it requires root privileges to use raw sockets.

Resources_Required

  • The ability to send TCP SYN segments to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.

the network in order to see the response.

ProviderMITRE  +
ReferenceStuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets and Solutions, Chapter 2: Scanning, pg. 56, 6th Edition, McGraw Hill, ISBN: 978-0-07-161374-3, 2009

, Defense Advanced Research Projects Agency (DARPA), RFC793 - Transmission Control Protocol, 1981. http://www.faqs.org/rfcs/rfc793.html , Gordon "Fyordor" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning, Section 5.32 TCP SYN (Stealth) Scan, pg. 100, 3rd "Zero Day" Edition, , Insecure.com LLC, ISBN: 978-0-9799587-1-7, 2008 , and Gordon "Fyordor" Lyon, The Art of Port Scanning, Volume: 7, Issue. 51, Phrack Magazine, 1997. http://nmap.org/p51-11.html

SeverityLow  +
Target Attack SurfaceTarget Attack Surface Description <u>Target Attack Surface Description</u>

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities: Server-side

Target Attack Surface Types: Host Service

Target Functional Services

Target_Functional_Service 1: None

Protocol 1: Transmission Control Protocol (RFC 793)
    Protocol Header 1:
        Protocol RFC: RFC 793
        Protocol Field Name: Flag
        Protocol Field Description: A TCP SYN "synchronize" flag is the first step in the procedures to establish new TCP connections. This control flag is used to initialize a three-way handshake. The logic of the Transmission Control Block (TCB) dictates that any host that receives a SYN packet to an open port must respond with a "SYN/ACK" packet in acknowledgement.
        Protocol Operation Code: 8
        Protocol Data: Any data in the payload portion of a TCP SYN packet is ignored for the purpose of establishing a connection.
    Related Protocol: Internet Protocol (RFC 791)
        Relationship_Type: Uses Protocol

nbsp;Relationship_Type: Uses Protocol </td></tr></table></div>

Personal tools