CAPEC-287: TCP SYN Scan
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An adversary uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its many advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance. As a scanning method, the primary advantages of SYN scanning are its universality and speed.
执行流程
步骤 1 Experiment
An adversary sends SYN packets to ports they want to scan and checks the response without completing the TCP handshake.
步骤 2 Experiment
An adversary uses the response from the target to determine the port's state. The adversary can determine the state of a port based on the following responses. When a SYN is sent to an open port and unfiltered port, a SYN/ACK will be generated. When a SYN packet is sent to a closed port a RST is generated, indicating the port is closed. When SYN scanning to a particular port generates no response, or when the request triggers ICMP Type 3 unreachable errors, the port is filtered.
前提条件
- This scan type is not possible with some operating systems (Windows XP SP 2). On Linux and Unix systems it requires root privileges to use raw sockets.
所需资源
- The ability to send TCP SYN segments to a host during network reconnaissance via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.
后果影响
影响范围: Confidentiality
技术影响: Other
说明: A successful attack of this kind can identify open ports and available services on a system.
影响范围: Confidentiality Access Control Authorization
技术影响: Bypass Protection Mechanism