CAPEC-301: TCP Connect Scan
An adversary uses full TCP connection attempts to determine if a port is open on the target system. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack.
Last updated
Overview
RFC 793 defines how TCP connections are established and torn down. TCP connect scanning commonly involves establishing a full connection, and then subsequently tearing it down, and therefore involves sending a significant number of packets to each port that is scanned. Compared to other types of scans, a TCP Connect scan is slow and methodical. This type of scanning causes considerable noise in system logs and can be spotted by IDS/IPS systems. TCP Connect scanning can detect when a port is open by completing the three-way handshake, but it cannot distinguish a port that is unfiltered with no service running on it from a port that is filtered by a firewall but contains an active service. Due to the significant volume of packets exchanged per port, TCP connect scanning can become very time consuming (performing a full TCP connect scan against a host can take multiple days). Generally, it is not used as a method for performing a comprehensive port scan, but is reserved for checking a short list of common ports.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Experiment
An adversary attempts to initialize a TCP connection with with the target port.
- Step 2Experiment
An adversary uses the result of their TCP connection to determine the state of the target port. A successful connection indicates a port is open with a service listening on it while a failed connection indicates the port is not open.
What the attacker needs
Prerequisites
- The adversary requires logical access to the target network. The TCP connect Scan requires the ability to connect to an available port and complete a 'three-way-handshake' This scanning technique does not require any special privileges in order to perform. This type of scan works against all TCP/IP stack implementations.
Resources required
- The adversary can leverage a network mapper or scanner, or perform this attack via routine socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network to see the response.
Consequences
What a successful CAPEC-301 attack can achieve.
Read Data
Affects: Confidentiality
How to mitigate it
Defenses that reduce the risk of CAPEC-301.
- Employ a robust network defense posture that includes an IDS/IPS system.
Frequently asked questions
Common questions about CAPEC-301.
- What is CAPEC-301?
- An adversary uses full TCP connection attempts to determine if a port is open on the target system. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack.
- How does a TCP Connect Scan attack work?
- It typically unfolds over 2 phases. It begins with: An adversary attempts to initialize a TCP connection with with the target port.
- How do you prevent CAPEC-301?
- Employ a robust network defense posture that includes an IDS/IPS system.
- What weaknesses does CAPEC-301 target?
- CAPEC-301 exploits 1 CWE weakness, including CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
- How severe is CAPEC-301?
- MITRE rates CAPEC-301 as Low severity.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-301
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.