A port scan attack is a common technique hackers use to discover open doors or weak points in a network. A port scan attack helps cyber criminals find open ports and figure out whether they are receiving or sending data. It is very important to detect such activity as soon as it take place and mitigate immediately.
Today, I would like to present a main differences between actual TCP connection and ones generated by popular network scanning tool Nmap. So, we will emphasize our attention on three common scan options
- TCP SYN (Stealth) Scan (-sS);
- TCP Connect Scan (-sT);
- and scan for version information (-sV)
and compare with real TCP communication flow.
The lab environment contains target Windows 10 machine with Wireshark installed and Kali Linux attacker’s machine. We will attack an python3 http web server listening on poty 80.
Before starting analysis, it would be very important to describe, what a TCP conversation completeness is. A TCP conversations are said to be complete when they have both opening and closing handshakes, independently of any data transfer. However, we might be interested in identifying complete conversations with some data sent, and we are using the following bit values to build a filter value on the tcp.completeness field :
- 1 : SYN
- 2 : SYN-ACK
- 4 : ACK
- 8 : DATA
- 16 : FIN
- 32 : RST
First, just capture a simple TCP communication between Windows 10 host and an internet server, let’s say, Amazon.com home page:
Here, we see whole TCP connection flow starting from 3-way handshake (SYN – SYN-ACK – ACK), data transfer, finalizing and connection reset. It should be note, the TCP conversation completeness is calculated as 63:
> 1 (SYN) + 2 (SYN-ACK) + 4 (ACK) + 8 (DATA) + 16 (FIN) + 32 (RST) = 63 (complete TCP connection)Noticed, the windows size is about 64kB, which is a quite common size for real world TCP communication.
Now, let’s host a simple python HTTP server on target Windows machine:
PS> python.exe -m http.server 80and leverage Nmap stealth scan (-sS) from Kali Linux:
As expected, Nmap found port 80 opened with http service running. Have a look at Wireshark capture:
It should be noticed, TCP conversation marked as Incomplete with only 35. It means. doing a stealth scan Nmap sent only SYN, waits for ACK from port and immediately RST the connection. Doing half handshake (SYN – SYN-ACK). Another visible difference is windows size of only 1024 bytes with only one header option.
No an activity detected in http server console as well:
Second test is complete TCP scan with -sT:
Now, the communication detected by http server but because of dropping the connection right after ACK it shows connection closed:
It might be the first bell, saying someone is trying to establish a connection but close it forcibly right after. Probably, doing active scanning.
The pcap looks like:
Pcap already contains 3-way handshake (SYN – SYN-ACK – ACK) and immediate RST, This is how exactly the Nmap complete TCP scan works. It should be noticed, the windows size is already 64kB.
The last test is full scan for specific port gathering information about target (-sV):
Here, we can see that target runs SimpleHTTPServer (Python 3.10.10) and server responses with correct log:
In Wireshark, we can find absolutely identical pcap as real one captured at the beginning. 63 indicates full complete communication, all options are there:
So, summarizing the lab results:
| TCP Conversation Completeness | Window size | Headers | |
| Stealth scan -sS | 35 | 1024B | 4B |
| Complete scan -sT | 39 | 64kB | 12B |
| Full version scan -sV | 63 | 64kB | 20B |
| Real TCP connection | 63 | 64kB | >20B |
-sT: The TCP flow is generated by machine itself, this is why the complete scan is much more difficult to detect. The key differences is a header size, usually it is smaller the standard TCP SYN packet header. Basically, such scan is dropped immediately after connection established, so the conversation will be incomplete.
-sV: Is a very similar to standard TCP conversation flow. It might be detected by analyzing a batch of packets during some time windows. An anomalies, like insufficient number of calls or port enumerating might indicate an attack.
I hope, you like the exercise. In case of any question, let me know in comments. I am eager to share more information about common packet capture techniques and analysis tactics.
Be an ethical, save your privacy!