CAPEC-301: TCP Connect Scan
CAPEC version: 3.9
Updated: 2023-01-24
Attack pattern description
An adversary uses full TCP connection attempts to determine if a port is open on the target system. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack.
Execution flow
Step 1 Experiment
An adversary attempts to initialize a TCP connection with the target port.
Step 2 Experiment
An adversary uses the result of their TCP connection to determine the state of the target port. A successful connection (completed three-way handshake) indicates the port is open with a service listening on it, while a failed connection indicates the port is not open: a RST in reply to the SYN means it is closed, and no reply at all before the timeout means it is filtered.
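The two steps above, carried out with routine socket programming as the "Required resources" section mentions. This is an added example, not code from CAPEC: it classifies each port as open, closed or filtered purely from the outcome of the operating system's connect() call, which is what distinguishes a connect scan from a half-open SYN scan. The listener and the helper that finds a closed port are constructed test fixtures so the example runs against 127.0.0.1 offline; the host, port list, timeout and worker count are assumptions.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def connect_scan_port(host, port, timeout=1.0):
    """Probe one port with a full TCP connect (three-way handshake).

    Returns 'open' when the handshake completes, 'closed' when the
    target answers with RST (connection refused), and 'filtered' when
    nothing comes back before the timeout (SYN dropped by a firewall).
    No privileges are needed: the OS stack does the handshake for us.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # Host unreachable, no route, etc.: treat as not open.
        return "closed"
    finally:
        # Always tear the connection down; the open case leaves a
        # completed handshake that the service will have logged.
        sock.close()


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Scan a list of ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, connect_scan_port(host, p, timeout)), ports)
    return dict(results)


# --- constructed fixtures so the example runs stand-alone on localhost ---

def start_listener(host="127.0.0.1"):
    """Constructed target: a TCP listener on an ephemeral port.

    Returns (server_socket, port); close the socket to stop it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # server socket closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def find_closed_port(host="127.0.0.1"):
    """Constructed helper: reserve an ephemeral port, then release it so
    nothing is listening there and a connect() gets a RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    for port, state in sorted(connect_scan("127.0.0.1", [open_port, closed_port]).items()):
        print(f"{port}/tcp {state}")
    srv.close()
```

Because every open port is reached with a completed handshake, the scan is visible not only to an IDS watching for many connections from one source but also in the target services' own connection logs; a scanner that wants to stay quieter uses a half-open SYN scan instead, which is a different CAPEC pattern.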
Prerequisites
- The adversary requires logical access to the target network. The TCP connect scan requires the ability to connect to an available port and complete a 'three-way handshake'. This scanning technique does not require any special privileges to perform, because the operating system's TCP stack carries out the handshake on the adversary's behalf. This type of scan works against all TCP/IP stack implementations.
Resources required
- The adversary can leverage a network mapper or scanner, or perform this attack via routine socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network to see the response.
Consequences
Scope: Confidentiality
Technical impact: Read Data
Mitigations
Employ a robust network defense posture that includes an IDS/IPS system.