Home > CAPEC List > CAPEC-301: TCP Connect Scan (Version 2.10)  

CAPEC-301: TCP Connect Scan

TCP Connect Scan
Definition in a New Window Definition in a New Window
Attack Pattern ID: 301
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker uses full TCP connection attempts to determine if a port is open. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack. RFC 793 defines how TCP connections are established and torn down. TCP connect scanning commonly involves establishing a full connection, and then subsequently tearing it down, and therefore involves sending a significant number of packets to each port that is scanned. This type of scanning has the following characteristics. Compared to other types of scans, a TCP Connect scan is slow and methodical. This type of scanning causes considerable noise in system logs and can be spotted by IDS/IPS systems. In terms of port status, TCP Connect scanning can detect when a port is open by completing the three-way handshake, but it cannot distinguish a port that is unfiltered with no service running on it from a port that is filtered by a firewall but contains an active service. Due to the significant volume of packets exchanged per port, TCP connect scanning can become very time consuming. Generally, it is not used as a method for performing a comprehensive port scan, but is reserved for checking a short list of common ports. A TCP Connect scan has the following characteristics:

  • 1. Speed: TCP Connect scanning is very slow.
  • 2. Stealth: TCP SYN scanning is extremely noisy and involves a significant number of packets.
  • 3. Open Port: Detects that a port is open via a successful three-way handshake
  • 4. Filtered Port: Cannot distinguish a closed (unfiltered) port from an open (filtered) port.
  • 5 .Unfiltered Port: Can detect an unfiltered port only when the unfiltered port is in front of an active TCP/IP service.

The TCP Connect scan has the advantage of versatility and ease of use in that it works equally well against all TCP stacks and that it is easy for a novice to interpret the results of the scan due to its all or nothing nature. Its disadvantages are noise, speed, and poor visibility into the filter structure of a firewall. As a general rule, performing a full TCP connect scan against a host can take multiple days.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities


Target Attack Surface Types: Host Service

+ Attack Prerequisites
  • The TCP connect requires the ability to connect to an available port and complete a 'three-way-handshake' This scanning technique does not require any special privileges in order to perform. This type of scan works against all TCP/IP stack implementations.

+ Typical Severity


+ Resources Required

The ability to build full TCP connections with a target. This can be achieved via the use of a network mapper or scanner, or via routine socket programming in a scripting language. This can be achieved via the use of a network mapper or scanner, or via socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network to see the response.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Read application data
+ References
[R.301.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 54. 6th Edition. McGraw Hill. 2009.
[R.301.2] [REF-21] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). September 1981. <http://www.faqs.org/rfcs/rfc793.html>.
[R.301.3] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 5.3 TCP Connect Scanning, pg. 100. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
[R.301.4] [REF-10] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://www.phrack.org/issues.html?issue=51&id=11#article>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017