Home > CAPEC List > CAPEC-297: TCP ACK Ping (Version 2.10)  

CAPEC-297: TCP ACK Ping

 
TCP ACK Ping
Definition in a New Window Definition in a New Window
Attack Pattern ID: 297
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker sends a TCP segment with the ACK flag set to a remote host for the purpose of determining if the host is alive. This is one of several TCP 'ping' types. The RFC 793 expected behavior for a service is to respond with a RST 'reset' packet to any unsolicited ACK segment that is not part of an existing connection. So by sending an ACK segment to a port, an attacker identify that the host is alive by looking for a RST packet. Typically a remote server will respond with a RST regardless of whether a port is open or closed. In either case, the attacker can determine that the host is alive. TCP ACK pings cannot discover the state of a remote port because the behavior is the same in either case. TCP ACK pings are most likely to fail in cases where a stateful firewall is present. The firewall will look up the ACK packet in its state-table and discard the segment because it does not correspond to any active connection. A TCP ACK Ping has the following characteristics:

  • 1. Host Discovery: Can be used to discover if a host is alive via RST response packets sent from the host.
  • 2. Effective Against: Stateless Firewalls due to a typical lack of rules that reject unsolicited ACK packets.
  • 3. Weak Against: Stateful Firewalls due to the ability to reject a packet not part of an existing connection.
  • 4. Port State: Unable to determine if a port is open or closed.

The tool nmap will send TCP ACK pings when the command line "-PA" switch is used. Sending an ACK ping requires the ability to access "raw sockets" in order to create the packets with direct access to the packet header.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Host

+ Attack Prerequisites
  • The ability to send an ACK packet to a remote host and identify the response. Creating the ACK packet without building a full connection requires the use of raw sockets. As a result, it is not possible to send a TCP ACK ping from some systems (Windows XP SP 2) without the use of third-party packet drivers like Winpcap. On other systems (BSD, Linux) administrative privileges are required in order to write to the raw socket.

+ Typical Severity

Low

+ Resources Required

The ability to craft custom TCP ACK segments for use during network reconnaissance. ACK scanning can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
+ References
[R.297.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 49. 6th Edition. McGraw Hill. 2009.
[R.297.2] [REF-21] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). September 1981. <http://www.faqs.org/rfcs/rfc793.html>.
[R.297.3] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.6.2 TCP ACK Ping, pg. 61. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
[R.297.4] [REF-28] Mark Wolfgang. "Host Discovery with Nmap". November 2002. <http://nmap.org/docs/discovery.pdf>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017