A TCP scan is a type of network scanning technique used to discover open ports on a target system, often employed to assess network security or troubleshoot connectivity issues. It works by attempting to establish a TCP connection with target ports and analyzing the responses to determine their status.
Types of TCP Scans:
Several variations of TCP scans exist, each with its own methodology and advantages:
- TCP Connect Scan (Full Open Scan): This is the most basic type. The scanner attempts to complete a full three-way handshake (SYN, SYN-ACK, ACK) with the target port. If the handshake succeeds, the port is open. The scanner then closes the connection to avoid establishing a full session. Because the connection is fully established, this scan is easily detectable.
- TCP SYN Scan (Half-Open Scan): Often considered the stealthiest and most popular TCP scan. The scanner sends a SYN packet. If the target responds with SYN-ACK, the port is open. The scanner then sends an RST (reset) packet, rather than an ACK, to abort the connection, so it is never fully opened. This makes it less detectable and faster than a full connect scan. If an RST packet is received instead, the port is closed.
- TCP ACK Scan: This scan sends ACK packets to the target port. It does not determine whether ports are open; it is used to map firewall rules and determine which ports are being filtered. The response (or lack thereof) reveals information about firewall configurations.
- TCP FIN Scan, TCP Xmas Scan, and TCP Null Scan: These scans send packets with specific TCP flags set (FIN only for FIN; FIN, URG and PSH for Xmas; none for Null). Their behavior depends on the target's operating system, but according to RFC 793 a closed port answers with an RST while an open port stays silent, so a response indicates a closed port. These scans are often used to bypass simple firewalls or intrusion detection systems.
How a TCP Scan Works (Focus on SYN Scan):
- Initiation: The scanning tool sends a SYN (synchronize) packet to the target port.
- Response Analysis:
  - Open Port: If the port is open, the target responds with a SYN-ACK (synchronize-acknowledgment) packet.
  - Closed Port: If the port is closed, the target responds with an RST (reset) packet.
  - Filtered Port: The target might not respond at all, indicating that a firewall or other security device is blocking the connection attempt.
- Connection Termination (SYN Scan only): After receiving a SYN-ACK from an open port, the scanner sends an RST packet to terminate the connection without completing the three-way handshake.
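The response rules above, turned into detection logic from the defender's side, as an added example that is not part of the original article: it groups packets from a constructed, simplified packet summary (one line per packet, "src:sport > dst:dport FLAGS", an assumed format rather than any real capture tool's output) into probes, classifies each probe as open, closed or filtered, and reports sources that probed several ports without ever completing a handshake, which is the half-open pattern a SYN scan leaves behind.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic): "src:sport > dst:dport FLAGS",
# S = SYN, SA = SYN-ACK, A = ACK, R = RST. 10.0.0.5 half-open scans 10.0.0.9;
# 10.0.0.7 makes one ordinary full connection.
SAMPLE_CAPTURE = """\
10.0.0.5:40001 > 10.0.0.9:22 S
10.0.0.9:22 > 10.0.0.5:40001 SA
10.0.0.5:40001 > 10.0.0.9:22 R
10.0.0.5:40003 > 10.0.0.9:23 S
10.0.0.9:23 > 10.0.0.5:40003 R
10.0.0.5:40004 > 10.0.0.9:445 S
10.0.0.7:51000 > 10.0.0.9:443 S
10.0.0.9:443 > 10.0.0.7:51000 SA
10.0.0.7:51000 > 10.0.0.9:443 A
"""
def group_probes(capture):
    """Group packets into probes keyed by (client, cport, target, tport); a probe starts with a bare SYN."""
    probes = {}
    for line in capture.strip().splitlines():
        src, _, dst, flags = line.split()
        (shost, sport), (dhost, dport) = src.rsplit(":", 1), dst.rsplit(":", 1)
        key, rev = (shost, sport, dhost, dport), (dhost, dport, shost, sport)
        if flags == "S" and key not in probes:
            probes[key] = [("client", flags)]       # new probe: SYN from the client
        elif rev in probes:
            probes[rev].append(("target", flags))   # target's reply to that SYN
        elif key in probes:
            probes[key].append(("client", flags))   # client's follow-up (ACK or RST)
    return probes
def classify_probe(packets):
    """Apply the response rules from the text to one probe's packet sequence."""
    if len(packets) == 1:
        return "filtered"                           # SYN sent, no reply at all
    if packets[1] == ("target", "R"):
        return "closed"                             # target reset the SYN
    if packets[1] == ("target", "SA"):              # port is open; how did it end?
        if len(packets) > 2 and packets[2] == ("client", "R"):
            return "open (half-open probe)"         # RST instead of ACK: SYN scan
        if len(packets) > 2 and packets[2] == ("client", "A"):
            return "open (full connect)"            # three-way handshake completed
    return "unknown"
def detect_syn_scanners(capture, min_ports=3):
    """Sources that probed >= min_ports distinct target ports without completing a handshake."""
    unfinished = defaultdict(set)
    for (shost, _, dhost, dport), packets in group_probes(capture).items():
        if classify_probe(packets) != "open (full connect)":
            unfinished[shost].add((dhost, dport))
    return {h: len(p) for h, p in unfinished.items() if len(p) >= min_ports}
```

On the sample, `detect_syn_scanners(SAMPLE_CAPTURE)` reports only 10.0.0.5 (three probed ports, none completed), while the ordinary client 10.0.0.7 is not flagged; the threshold and time window would need tuning for real traffic.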
Applications of TCP Scan:
- Security Auditing: Identify open ports to assess potential vulnerabilities.
- Network Troubleshooting: Diagnose connectivity issues by checking port status.
- Network Mapping: Discover services running on a network by identifying open ports.
Ethical Considerations:
Performing TCP scans without proper authorization is generally considered unethical and may be illegal, as it can be seen as an attempt to probe or exploit network security vulnerabilities.