In network security and penetration testing, TCP scans are used to discover open ports and services on a target system. Since you’re currently working on your CompTIA PenTest+ and setting up your Linux lab, understanding the nuances of how these scans interact with the TCP stack is essential.

Transmission Control Protocol (TCP) Scanning

TCP is a connection-oriented protocol that provides more detailed scanning results. Nmap has a variety of scans that use TCP, including the following:

  • A TCP ACK scan is used to bypass firewall rulesets, determine which ports are filtered, and determine if a firewall is stateful or not. This scan uses the option -sA.
  • A full (or TCP connect) scan will use a standard TCP three-way handshake. This scan uses the option -sT.
  • A Christmas tree scan sends a TCP segment with the FIN, PSH, and URG flags raised to bypass a firewall or IDS. This scan uses the option -sX.

The strength of using TCP when scanning is the connection-oriented nature of the protocol, along with the flexibility of the six flags that can be manipulated and used during the scan.

Here are the most common TCP scan types, categorized by how they handle the Three-Way Handshake.

1. TCP Connect Scan (-sT)

As we discussed earlier, this is the “complete” scan. It performs the full handshake.

  • Mechanism: SYN → SYN/ACK → ACK.

  • Pros: Highly reliable; does not require “root/admin” privileges to run.

  • Cons: Very “noisy.” Every connection is logged by the target system’s services, making it easy for defenders to spot.

2. TCP SYN Scan (-sS)

Often called a “Half-Open” or “Stealth” scan. It is the default scan in Nmap.

  • Mechanism: It sends a SYN, waits for a SYN/ACK, but then immediately sends a RST (Reset) instead of the final ACK.

  • Why it’s used: It identifies the port state without ever fully establishing a connection, which often bypasses older logging systems.

  • Note: You need sudo or root privileges to run this because it requires crafting raw packets.

3. TCP ACK Scan (-sA)

This scan is unique because it never reports a port as Open or Closed; it can only tell you whether the port is filtered or unfiltered.

  • Mechanism: It sends a packet with only the ACK flag set.

  • Purpose: It is used to map out Firewall Rules.

    • If the scanner receives a RST, the port is “unfiltered.”

    • If there is no response, the port is “filtered” (blocked by a firewall).
4. “Inverse” Scans (Stealthy/RFC-Compliant)

These scans take advantage of how the TCP specification (RFC 793) says a system should respond to unexpected packets. If a port is closed, the target sends a RST. If the port is open, the target ignores the packet (no response). Because a firewall that silently drops the probe produces exactly the same silence, Nmap reports such ports as open|filtered rather than open.

  • TCP NULL Scan (-sN): Sends a packet with no flags set at all.

  • TCP FIN Scan (-sF): Sends a packet with only the FIN (finish) flag.

  • TCP Xmas Scan (-sX): Sends a packet with the FIN, PSH, and URG flags set (it’s “lit up like a Christmas tree”).
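As an added example (not part of the original notes), here is a small defender-side decoder in Python: it parses a raw 20-byte TCP header, names the flags that are set, and maps the flag combination to the probe types listed above. This is the check a packet-capture or IDS rule effectively performs when it flags NULL, FIN or Xmas probes. The sample headers are constructed inline with the helper shown, not captured traffic, and all function names are my own.

```python
import struct

# TCP flag bits from header byte 13 (the six classic flags these notes refer to).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fixed 20-byte TCP header (IP header already stripped, options ignored)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urg_ptr = struct.unpack(
        "!HHIIHHHH", raw[:20]
    )
    data_offset = (off_flags >> 12) * 4  # header length in bytes (upper 4 bits, in 32-bit words)
    flags = off_flags & 0x003F           # low six bits: FIN, SYN, RST, PSH, ACK, URG
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags}


def flag_names(flags: int) -> list:
    """Human-readable flag list in header bit order, e.g. 0x29 -> ['FIN', 'PSH', 'URG']."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def classify_probe(flags: int) -> str:
    """Map the flag combination of a single inbound segment to the scan type in the notes.

    A lone SYN or ACK is ambiguous on its own: the SYN starts both -sT and -sS, and a
    bare ACK is normal inside an established connection, so those need connection state.
    """
    if flags == 0:
        return "NULL probe (-sN): no flags set"
    if flags == FIN:
        return "FIN probe (-sF): FIN without a connection"
    if flags == FIN | PSH | URG:
        return "Xmas probe (-sX): FIN+PSH+URG"
    if flags == ACK:
        return "ACK-only (-sA, or a legitimate mid-connection ACK)"
    if flags == SYN:
        return "SYN (connect -sT or half-open -sS; indistinguishable from one packet)"
    return "other"


def build_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0,
                 window: int = 1024) -> bytes:
    """Constructed sample header for offline use: 5-word header, zero checksum, no options."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


# Constructed segments, one per probe type plus a normal PSH/ACK data segment.
SAMPLE_SEGMENTS = [
    build_header(40000, 22, 0),
    build_header(40001, 80, FIN),
    build_header(40002, 443, FIN | PSH | URG),
    build_header(40003, 445, ACK),
    build_header(40004, 25, SYN),
    build_header(40005, 8080, PSH | ACK),
]


def triage(segments: list) -> list:
    """Return (dst port, flag names, classification) for each raw segment."""
    rows = []
    for raw in segments:
        hdr = parse_tcp_header(raw)
        rows.append((hdr["dport"], flag_names(hdr["flags"]), classify_probe(hdr["flags"])))
    return rows


if __name__ == "__main__":
    for dport, names, verdict in triage(SAMPLE_SEGMENTS):
        print(f"port {dport:>5}  flags={'|'.join(names) or 'none':<12} {verdict}")
```

Only the NULL, FIN and Xmas combinations are unambiguous from a single segment, which is why they stand out in a capture: no legitimate stack emits them outside an established connection. The SYN and ACK cases need the surrounding exchange to resolve.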

Scan Type | Flag(s) Sent  | Response (Open Port)          | Response (Closed Port)
----------|---------------|-------------------------------|-----------------------
Connect   | SYN           | SYN/ACK (handshake completes) | RST/ACK
SYN       | SYN           | SYN/ACK (followed by RST)     | RST/ACK
ACK       | ACK           | RST (unfiltered)              | RST (unfiltered)
NULL      | None          | No response                   | RST/ACK
FIN       | FIN           | No response                   | RST/ACK
Xmas      | FIN, PSH, URG | No response                   | RST/ACK
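The table above, together with the connect-versus-half-open distinction in sections 1 and 2, worked through in Python as an added example (not from the original notes). It does two things the table alone does not: it tells a full connect from a half-open scan by looking at the third segment of the exchange, and it combines the verdicts of several probe types against one port so that the ambiguous "no response" of an inverse scan is resolved when a SYN probe has already answered. All exchanges are constructed for illustration and the function names are my own.

```python
def infer_state(probe: str, response) -> str:
    """Apply the response table to one probe.

    probe: 'connect', 'syn', 'ack', 'null', 'fin' or 'xmas'.
    response: set of flag names in the target's reply, or None for silence.
    """
    got_rst = response is not None and "RST" in response
    if probe in ("connect", "syn"):
        if response == {"SYN", "ACK"}:
            return "open"
        if got_rst:
            return "closed"
        return "filtered"          # dropped: neither SYN/ACK nor RST came back
    if probe == "ack":
        return "unfiltered" if got_rst else "filtered"
    if probe in ("null", "fin", "xmas"):
        if got_rst:
            return "closed"
        return "open|filtered"     # an RFC-compliant open port and a dropping firewall are both silent
    raise ValueError(f"unknown probe type {probe!r}")


def combine_states(states: list) -> str:
    """Resolve per-probe verdicts for a single port.

    A definite open/closed beats the ambiguous 'open|filtered'; a dropped SYN probe
    ('filtered') explains inverse-scan silence; 'unfiltered' only says the port is reachable.
    """
    if "open" in states and "closed" in states:
        return "inconsistent"
    for verdict in ("open", "closed", "filtered", "open|filtered", "unfiltered"):
        if verdict in states:
            return verdict
    return "unknown"


def classify_handshake(flow: list) -> str:
    """flow: ordered (direction, flags) pairs for one connection attempt, direction 'in'
    (scanner -> target) or 'out' (target -> scanner). The third segment is what separates
    -sT from -sS: both start with SYN and receive SYN/ACK."""
    if len(flow) < 2 or flow[0] != ("in", {"SYN"}):
        return "not a SYN-initiated exchange"
    if flow[1] == ("out", {"RST", "ACK"}):
        return "closed port: RST/ACK to SYN"
    if flow[1] != ("out", {"SYN", "ACK"}):
        return "unexpected reply to SYN"
    if len(flow) == 2:
        return "open port, no third segment (timeout or dropped)"
    if flow[2] == ("in", {"ACK"}):
        return "open port, full connect (-sT): handshake completed, the service logs it"
    if flow[2] == ("in", {"RST"}):
        return "open port, half-open (-sS): SYN/ACK torn down with RST, no service-level log"
    return "open port, unexpected third segment"


# Constructed exchanges (not captured traffic).
CONNECT_FLOW = [("in", {"SYN"}), ("out", {"SYN", "ACK"}), ("in", {"ACK"})]
HALF_OPEN_FLOW = [("in", {"SYN"}), ("out", {"SYN", "ACK"}), ("in", {"RST"})]

# Constructed per-port probe results: probe type -> reply flags (None = silence).
PROBE_RESULTS = {
    22:  {"syn": {"SYN", "ACK"}, "fin": None,           "ack": {"RST"}},
    25:  {"syn": None,           "fin": None,           "ack": None},
    80:  {"syn": {"RST", "ACK"}, "fin": {"RST", "ACK"}, "ack": {"RST"}},
    443: {"fin": None,           "xmas": None},          # inverse probes only: stays ambiguous
}


def summarize(results: dict) -> dict:
    """Combine every probe's verdict into one state per port."""
    return {port: combine_states([infer_state(p, r) for p, r in probes.items()])
            for port, probes in results.items()}


if __name__ == "__main__":
    print(classify_handshake(CONNECT_FLOW))
    print(classify_handshake(HALF_OPEN_FLOW))
    for port, state in summarize(PROBE_RESULTS).items():
        print(f"port {port:>5}: {state}")
```

Port 443 in the sample stays open|filtered because only inverse probes were sent against it; ports 22 and 25 show how a SYN probe's answer (SYN/ACK or silence) resolves the same FIN-probe silence in opposite directions.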