Overview of SYNplescan

Half-open scanning (or SYN scanning) works by taking advantage of the three-way handshake the TCP protocol uses to establish a connection. In the three-way handshake, as shown in Figure 11-3, the system initiating the connection sends a TCP packet with the SYN flag set. If the port the system is attempting to connect to is accepting connections, the destination system responds with a TCP packet with the SYN and ACK flags set. To complete the connection, the initiating system sends back a TCP packet with the ACK flag set.

Figure 11-3. TCP three-way handshake

This is in contrast to the situation shown in Figure 11-4, in which the initiating system is attempting to connect to a TCP port that is closed. In this case the destination host responds with a TCP packet with the SYN and RST flags set.

Figure 11-4. Attempted TCP connection to closed port

Whether the port is open or closed, only two packets are required to determine its state. In addition, many operating systems do not log incoming connections if the full three-way handshake has not completed. Half-open scanning relies on the ability to create a TCP packet with the SYN flag set, and on capturing return traffic from the destination system ...
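The handshake states described above, seen from the defender's side: an added Python example (not from the book or from SYNplescan) that replays constructed packet records, tracks how far each flow got, and flags sources that probed several ports without ever completing a handshake, which is exactly the traffic that never reaches a connection log. The packet list, addresses and ports are all made up for the example.

```python
from collections import defaultdict

# Constructed packet records: (src_ip, dst_ip, src_port, dst_port, flags).
# Flags use tcpdump letters: S = SYN, A = ACK, R = RST.
PACKETS = [
    # Legitimate client completes the handshake on port 80.
    ("10.0.0.5", "192.0.2.10", 40001, 80, "S"),
    ("192.0.2.10", "10.0.0.5", 80, 40001, "SA"),
    ("10.0.0.5", "192.0.2.10", 40001, 80, "A"),
    # Half-open probe of several ports: the final ACK is never sent.
    ("10.0.0.9", "192.0.2.10", 50001, 22, "S"),
    ("192.0.2.10", "10.0.0.9", 22, 50001, "SA"),
    ("10.0.0.9", "192.0.2.10", 50002, 23, "S"),
    ("192.0.2.10", "10.0.0.9", 23, 50002, "RA"),   # port 23 closed
    ("10.0.0.9", "192.0.2.10", 50003, 80, "S"),
    ("192.0.2.10", "10.0.0.9", 80, 50003, "SA"),
    ("10.0.0.9", "192.0.2.10", 50004, 443, "S"),
    ("192.0.2.10", "10.0.0.9", 443, 50004, "SA"),
]

def track_handshakes(packets):
    """Replay packets and return {(client, server, cport, sport): state}.
    States: 'syn' (no reply yet), 'syn-ack' (open, awaiting final ACK),
    'established' (handshake done), 'closed' (server reset the probe)."""
    flows = {}
    for src, dst, sport, dport, flags in packets:
        fwd = (src, dst, sport, dport)   # key if this packet is from the client
        rev = (dst, src, dport, sport)   # key if this packet is from the server
        if "S" in flags and "A" not in flags:
            flows[fwd] = "syn"
        elif rev in flows and "R" in flags:
            flows[rev] = "closed"
        elif rev in flows and "S" in flags and "A" in flags:
            flows[rev] = "syn-ack"
        elif flows.get(fwd) == "syn-ack" and "A" in flags and "R" not in flags:
            flows[fwd] = "established"
    return flows

def half_open_sources(flows, min_ports=3):
    """Sources that touched at least min_ports distinct destination ports
    without completing a single handshake (closed-port resets count too)."""
    ports = defaultdict(set)
    completed = set()
    for (client, _server, _cport, sport), state in flows.items():
        if state == "established":
            completed.add(client)
        else:
            ports[client].add(sport)
    return {c: sorted(p) for c, p in ports.items()
            if c not in completed and len(p) >= min_ports}
```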
