1
00:00:00,270 --> 00:00:07,910
TCP scan, also known as TCP connect scan, is the default TCP scan type when SYN scan is not an option.

2
00:00:09,160 --> 00:00:11,880
Well, when is the SYN scan not an option?

3
00:00:11,890 --> 00:00:17,890
Do you remember the trip of a data packet on a DNS query? In that lecture, I said that Layer 3 and Layer 4

4
00:00:17,890 --> 00:00:21,010
packets are managed by the operating system of your device.

5
00:00:21,120 --> 00:00:27,790
That means the user does not interfere with the TCP 3-way handshake; the whole process is managed by

6
00:00:27,790 --> 00:00:29,690
the operating system itself.

7
00:00:30,130 --> 00:00:37,220
In SYN scan, we interrupt the 3-way handshake and don't send the last ACK packet to complete the handshake.

8
00:00:38,300 --> 00:00:43,310
You have to be a privileged user to be able to interrupt the handshake. If you are not a privileged user,

9
00:00:43,310 --> 00:00:48,230
you cannot interrupt the 3-way handshake and cannot perform a SYN scan either.

10
00:00:48,230 --> 00:00:55,070
So instead of writing raw packets as most other scan types do, which needs admin privilege, Nmap asks

11
00:00:55,130 --> 00:01:00,710
the underlying operating system to establish a connection with the target machine and port by issuing

12
00:01:00,710 --> 00:01:03,510
the native connect system call.

13
00:01:03,590 --> 00:01:10,650
So you don't need to be a privileged user to perform TCP connect scans. When SYN scan is available,

14
00:01:11,190 --> 00:01:16,890
it is usually a better choice. Nmap has less control over the high-level connect call than with raw

15
00:01:16,890 --> 00:01:19,210
packets, making it less efficient.

16
00:01:19,380 --> 00:01:25,190
The system call completes connections to open target ports rather than performing the half-open reset

17
00:01:25,410 --> 00:01:31,760
SYN scan does. Not only does this take longer and require more packets to obtain the same information,

18
00:01:32,120 --> 00:01:39,810
but target machines are more likely to log the connection. The steps of TCP connect

19
00:01:39,810 --> 00:01:47,850
scan are exactly the same as the TCP 3-way handshake: you send a SYN packet to open a real connection

20
00:01:48,330 --> 00:01:57,230
and then wait for a response. A SYN/ACK response indicates the port is listening (open), while a

21
00:01:57,350 --> 00:02:02,900
RST (reset) is indicative of a non-listener. If no response is received

22
00:02:02,970 --> 00:02:08,729
after several retransmissions, or an ICMP unreachable error is received,

23
00:02:08,759 --> 00:02:11,380
the port is marked as filtered.

24
00:02:11,610 --> 00:02:17,290
If you receive a SYN/ACK from the target system, you send an ACK packet to complete the three-way handshake.

25
00:02:18,340 --> 00:02:21,980
Since we have nothing to say at the moment, we send RST to end the conversation.

26
00:02:22,270 --> 00:02:28,420
Let's see what happens under the hood when we perform a TCP scan, and then compare the SYN scan with the TCP

27
00:02:28,420 --> 00:02:29,630
scan:

28
00:02:29,780 --> 00:02:33,830
Let's perform an Nmap TCP scan in our virtual network first.

29
00:02:36,480 --> 00:02:39,590
Go to Kali and open a terminal screen.

30
00:02:39,690 --> 00:02:44,830
I want to scan my Metasploitable system. Let's check if the host is up first.

31
00:02:45,330 --> 00:02:56,580
I know the IP address of my Metasploitable VM, so type "ping 172.16.99.206" and hit enter. OK. We received

32
00:02:56,580 --> 00:02:57,600
response packets.

33
00:02:57,600 --> 00:03:02,820
The system is up. Let's create the TCP scan command: nmap is the command itself,

34
00:03:03,110 --> 00:03:10,490
-sT is for TCP scan. -n is to avoid the DNS resolution;

35
00:03:10,720 --> 00:03:16,950
I'd like to see the IP addresses. -Pn is to avoid the host discovery.

36
00:03:16,990 --> 00:03:21,640
I already know that the host is up. You should make it a habit to use -Pn while you're scanning

37
00:03:21,640 --> 00:03:22,990
a single system.

38
00:03:22,990 --> 00:03:29,360
Now we have the target IP address 172.16.99.206.

39
00:03:29,650 --> 00:03:34,270
Let's keep it fast, scan for the top 10 ports only.

40
00:03:34,330 --> 00:03:39,250
I use the --top-ports parameter for this purpose and hit enter.

41
00:03:39,340 --> 00:03:45,920
Here are the states of the top 10 ports of Metasploitable. 7 ports are open and 3 ports are closed.

42
00:03:46,360 --> 00:03:50,850
OK, let's open Wireshark and see what's happening when a TCP scan is performed.

43
00:03:51,010 --> 00:03:55,450
So you get to run Wireshark first. Double click eth0 to start to

44
00:03:55,450 --> 00:03:57,600
listen on that interface.

45
00:03:57,710 --> 00:03:59,940
Skip the packets which we are not interested in.

46
00:03:59,980 --> 00:04:01,270
I add a filter.

47
00:04:01,410 --> 00:04:09,360
I only want to see the traffic for my destination computer, 172.16.99.206, and I want to see the

48
00:04:09,370 --> 00:04:17,160
TCP traffic only. Click the blue arrow next to the filter bar to activate the filter. To clear the packets

49
00:04:17,170 --> 00:04:18,070
we've already caught,

50
00:04:18,070 --> 00:04:23,930
I restart the Wireshark packet capturing. OK, now go to the terminal screen.

51
00:04:24,110 --> 00:04:31,260
I'd like to analyse the TCP scan packets for an open port first. I'm going to run the latest Nmap query

52
00:04:31,260 --> 00:04:38,780
again, but this time I run the query for port 80 only. Hit enter and run the nmap query.

53
00:04:39,010 --> 00:04:41,760
Yes, the port is open as I remember.

54
00:04:42,130 --> 00:04:44,020
It's good to know I'm not losing my memory.

55
00:04:45,160 --> 00:04:46,550
Go back to Wireshark.

56
00:04:46,840 --> 00:04:53,350
I want to stop Wireshark by clicking the red square at the upper left corner to avoid unwanted packets.

57
00:04:53,350 --> 00:04:55,110
Now here we have three packets.

58
00:04:55,300 --> 00:05:01,210
The first packet is a SYN packet to start the 3-way handshake. It's from an arbitrary port of Kali to

59
00:05:01,210 --> 00:05:04,940
port 80 of Metasploitable, the destination system.

60
00:05:05,320 --> 00:05:10,200
The second packet is a SYN/ACK sent by the destination system.

61
00:05:10,260 --> 00:05:16,770
The third packet is an ACK sent by Kali to complete the TCP 3-way handshake. And the fourth packet is a

62
00:05:17,100 --> 00:05:21,420
RST sent by Kali again, to end the conversation.

63
00:05:21,480 --> 00:05:27,770
This time I want to scan a closed port, for example port 81. Before running the query

64
00:05:27,780 --> 00:05:33,090
I restart the Wireshark packet capturing to clean the screen by clicking the blue button in the upper

65
00:05:33,090 --> 00:05:36,200
left corner. In the terminal screen

66
00:05:36,500 --> 00:05:42,410
I hit enter to run the query. As you see, port 81 is closed.

67
00:05:42,410 --> 00:05:47,680
Now let's look at the Wireshark interface to see what happens when we scan a closed port.

68
00:05:47,830 --> 00:05:52,440
The first packet is again a SYN packet to start the 3-way handshake.

69
00:05:52,570 --> 00:05:57,050
The source system is Kali and the destination system is Metasploitable.

70
00:05:57,200 --> 00:06:02,090
The second packet is, for this scan, a RST packet. Because port 81 is closed,

71
00:06:02,090 --> 00:06:05,820
the destination system sent us a RST packet.

72
00:06:05,950 --> 00:06:12,450
Here we have a comparison between SYN scan packets and TCP scan packets for an open port.

73
00:06:13,420 --> 00:06:21,280
In SYN scan, Nmap has interrupted the 3-way handshake with a RST packet. In TCP scan, on the other hand,

74
00:06:21,640 --> 00:06:27,010
the 3-way handshake is completed and the communication is established.

75
00:06:27,050 --> 00:06:30,970
So let's see the differences between the SYN scan and the TCP scan in a table, summarising what

76
00:06:30,980 --> 00:06:33,440
we've talked about up to now.

77
00:06:33,440 --> 00:06:41,070
The 3-way handshake is not completed in SYN scan while it's completed in TCP scan. A RST packet is sent

78
00:06:41,540 --> 00:06:49,970
when a SYN/ACK is received in SYN scan, while an ACK packet is sent in TCP scan. Target machines

79
00:06:49,970 --> 00:06:57,470
are more likely to log the connection when the connection is established in TCP scan. No log for SYN scans, because

80
00:06:57,530 --> 00:07:03,230
the 3-way handshake is not established. Because the native operating system call is interrupted,

81
00:07:03,380 --> 00:07:06,590
SYN scan has to be run by a privileged user.

82
00:07:06,590 --> 00:07:10,760
TCP scan uses the system call, so it does not need extra privileges.
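As an added example that is not part of the lecture: a small Python classifier that applies the comparison table above to Wireshark-style packet summaries, telling a completed-handshake connect scan from a half-open SYN scan and from a closed-port probe for each (scanner, target, port) triple, which is what a defender reviewing a capture wants to see. The sample lines, the line format and the scanner address 172.16.99.10 are constructed; only the target address comes from the lecture.

```python
import re
# Constructed sample shaped like Wireshark's Info column (not a real capture):
# "<src> -> <dst> [FLAGS] <sport> -> <dport>". Port 80 is a connect scan (handshake
# completed, then RST), port 22 a SYN scan (half-open), port 81 a closed port.
SAMPLE = """\
172.16.99.10 -> 172.16.99.206 [SYN] 45001 -> 80
172.16.99.206 -> 172.16.99.10 [SYN, ACK] 80 -> 45001
172.16.99.10 -> 172.16.99.206 [ACK] 45001 -> 80
172.16.99.10 -> 172.16.99.206 [RST, ACK] 45001 -> 80
172.16.99.10 -> 172.16.99.206 [SYN] 45002 -> 81
172.16.99.206 -> 172.16.99.10 [RST, ACK] 81 -> 45002
172.16.99.10 -> 172.16.99.206 [SYN] 45003 -> 22
172.16.99.206 -> 172.16.99.10 [SYN, ACK] 22 -> 45003
172.16.99.10 -> 172.16.99.206 [RST] 45003 -> 22
172.16.99.10 -> 172.16.99.206 [SYN] 45004 -> 443
"""
LINE = re.compile(r"(\S+) -> (\S+) \[([^\]]+)\] (\d+) -> (\d+)")

def token(flags):
    """Reduce a TCP flag set to S, SA, A or R for sequence matching."""
    return "R" if "RST" in flags else ("SA" if "ACK" in flags else "S") if "SYN" in flags else "A"

def group_flows(text):
    """Group packets per probe; the side that sent the bare SYN is the client (c)."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, flags, sport, dport = m.groups()
        flags = {f.strip() for f in flags.split(",")}
        key, rkey = (src, dst, sport, dport), (dst, src, dport, sport)
        if key in flows:
            flows[key].append("c" + token(flags))
        elif rkey in flows:
            flows[rkey].append("s" + token(flags))
        elif token(flags) == "S":  # a new probe starts with a bare client SYN
            flows[key] = ["cS"]
    return flows

def classify(seq):
    """Name the pattern using the SYN-scan vs connect-scan table from the lecture."""
    if seq[:2] == ["cS", "sSA"] and "cA" in seq:
        return "connect scan, open port"  # handshake completed, then RST
    if seq[:2] == ["cS", "sSA"] and "cR" in seq:
        return "SYN scan, open port"  # RST sent instead of the final ACK
    if seq[:2] == ["cS", "sR"]:
        return "closed port"  # target answered the SYN with RST
    return "no reply (filtered)" if seq == ["cS"] else "unclassified"

def summarize(text):
    return {(c, s, d): classify(seq) for (c, s, _, d), seq in group_flows(text).items()}
```

Run `summarize(SAMPLE)` to get one verdict per probed port; the open-port connect scan is the one that leaves a full handshake, and therefore a connection log entry, behind it.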