RFC 793 defines how TCP connections are established and torn down. TCP connect scanning commonly involves establishing a full connection, and then subsequently tearing it down, and therefore involves sending a significant number of packets to each port that is scanned. Compared to other types of scans, a TCP Connect scan is slow and methodical. This type of scanning causes considerable noise in system logs and can be spotted by IDS/IPS systems. TCP Connect scanning can detect when a port is open by completing the three-way handshake, but it cannot distinguish a port that is unfiltered with no service running on it from a port that is filtered by a firewall but contains an active service. Due to the significant volume of packets exchanged per port, TCP connect scanning can become very time consuming (performing a full TCP connect scan against a host can take multiple days). Generally, it is not used as a method for performing a comprehensive port scan, but is reserved for checking a short list of common ports.
| Nature | Type | ID | Name |
|---|---|---|---|
| ChildOf | S | 300 | Port Scanning |
An adversary attempts to initialize a TCP connection with with the target port.
An adversary attempts to initialize a TCP connection with with the target port.
| Technique |
|---|
An adversary uses the result of their TCP connection to determine the state of the target port. A successful connection indicates a port is open with a service listening on it while a failed connection indicates the port is not open.
An adversary uses the result of their TCP connection to determine the state of the target port. A successful connection indicates a port is open with a service listening on it while a failed connection indicates the port is not open.
| Technique |
|---|
| Scope | Likelihood | Impact | Note |
|---|---|---|---|
| Confidentiality | N/A | Read Data | N/A |
| Taxonomy Name | Entry ID | Entry Name |
|---|