Full Connect Scan in Identifying Open Ports

Overview of Full Connect Scan

A full connect scan, also known as a TCP connect scan, is a network scanning technique used to identify open ports on a target system. This scan completes the TCP three-way handshake process, establishing a full connection with each target port to determine if they are open. Unlike SYN scans, which perform a half-open connection to minimize detection, full connect scans are more forward and easy to detect, providing a clear indication of the presence of an active scanner. This method, while less stealthy, is straightforward and often supported by default in many scanning tools, making it a reliable choice for confirming open ports.

TCP Three-Way Handshake

The TCP three-way handshake is fundamental to understanding full connect scans. The process begins with the scanner sending a SYN (synchronize) packet to the target port. If the port is open, the target responds with a SYN-ACK (synchronize-acknowledge) packet. The scanner then completes the handshake by sending an ACK (acknowledge) packet back to the target. Upon completion of this handshake, the connection is considered established, and the scanner knows the port is open. Closing the connection usually follows with an RST (reset) packet sent by the scanner.

This complete handshake process provides the assurance that a port is not only open but also capable of processing a full TCP session, making it a robust method for correlation in offensive operations.

Execution of Full Connect Scan

Tools like nmap are commonly used to perform full connect scans. The command to execute a full connect scan using nmap is straightforward:

nmap -sT <target>

Here, -sT specifies the full connect scan type, and <target> is the IP address or hostname of the system being scanned. Additional parameters can be included to refine the scan, such as specifying a range of ports with -p or adjusting timing options with -T.

Advantages and Disadvantages

Full connect scans offer several advantages. Their main advantage is reliability due to the completion of the three-way handshake, providing confirmation that the port is genuinely open. They are also less susceptible to TCP spoofing tricks that might mislead half-open scans.

However, the primary disadvantage of full connect scans is their high profile. Completing the handshake makes these scans easy to detect by network monitoring tools, which can log connection attempts. Additionally, these scans are slower than SYN scans because of the overhead of managing full TCP connections.

Detection and Evasion Techniques

Network security systems like Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) can easily detect full connect scans due to their complete session establishment pattern. These systems commonly log these events as potential probes or reconnaissance activities.

To evade detection, attackers might spread their scanning activities over extended periods, randomize the order of IPs scanned, or limit the rate of connection attempts. These strategies aim to disguise the scan as normal traffic patterns.

We use cookies

We use cookies to ensure you get the best experience on our website. For more information on how we use cookies, please see our cookie policy.