What type of network discovery scan only follows the first two steps of the tcp handshake?

Once a connection is established, ACKs typically follow for each segment. The connection will eventually end with a RST (reset or tear down the connection) or FIN (gracefully end the connection).

URL: https://www.sciencedirect.com/science/article/pii/B9781597499613000030

Domain 4: Communication and Network Security (Designing and Protecting Network Security)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

The TCP handshake

TCP uses a three-way handshake to establish a reliable connection. The connection is full duplex, and both sides synchronize (SYN) and acknowledge (ACK) each other. The exchange of these four flags is performed in three steps: SYN, SYN-ACK, ACK, as shown in Figure 5.8.

Figure 5.8. TCP Three-Way Handshake

The client chooses an initial sequence number, set in the first SYN packet. The server also chooses its own initial sequence number, set in the SYN/ACK packet shown in Figure 5.8. Each side acknowledges the other's sequence number by incrementing it: this is the acknowledgement number. The use of sequence and acknowledgement numbers allows both sides to detect missing or out-of-order segments.

Once a connection is established, ACKs typically follow for each segment. The connection will eventually end with a RST (reset or tear down the connection) or FIN (gracefully end the connection).

URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000059

TCP and UDP

William Buchanan BSc (Hons), CEng, PhD, in Computer Busses, 2000

24.7 Opening and closing a connection

Figure 24.7 shows a basic three-way handshake. The steps are:

Figure 24.7. TCP connection

1. The initial state on the initiator is CLOSED and, on the recipient, it is LISTEN (the recipient is waiting for a connection; see Figure 24.7).

2. The initiator goes into the SYN-SENT state and sends a packet with the SYN bit set, indicating that the starting sequence number will be 999 (the current sequence number, so the next number sent will be 1000). When this is received, the recipient goes into the SYN-RECEIVED state.

3. The recipient sends back a TCP packet with the SYN and ACK bits set (which identifies that it is a SYN packet and also that it is acknowledging the previous SYN packet). In this case, the recipient tells the originator that it will start transmitting at a sequence number of 100. The acknowledgement number is 1000, which is the sequence number that the recipient expects to receive next. When this is received, the originator goes into the ESTABLISHED state.

4. The originator sends back a TCP packet with the SYN and ACK bits set and the acknowledgement number is 101, which is the sequence number it expects to see next.

5. The originator transmits data with the sequence number of 1000.

Note that the acknowledgement number acknowledges every sequence number up to but not including the acknowledgement number.

Figure 24.8 shows how the three-way handshake prevents old duplicate connection initiations from causing confusion. In state 3, a duplicate SYN has been received, which is from a previous connection. The recipient sends back an acknowledgement for this (4), but when this is received by the originator, the originator sends back a RST (reset) packet. This causes the recipient to go back into a LISTEN state. It will then receive the SYN packet sent in 2, and after acknowledging it, a connection is made.

Figure 24.8. TCP connection with duplicate connections

TCP connections are half-open if one of the TCPs has closed or aborted while the other end is still connected. They can also occur if the two ends have become desynchronised because of a system crash. Such a connection is automatically reset if data is sent in either direction, because the sequence numbers will be incorrect; otherwise the connection will time out.

A connection is normally closed with the CLOSE call. A host that has closed cannot continue to send, but can continue to RECEIVE until it is told to close by the other side. Figure 24.9 shows a typical sequence for closing a connection. Normally the application program sends a CLOSE call for the given connection. Next, a TCP packet is sent with the FIN bit set and the originator enters the FIN-WAIT-1 state. When the other TCP has acknowledged the FIN and sent a FIN of its own, the first TCP can ACK this FIN.

Figure 24.9. TCP close connection

URL: https://www.sciencedirect.com/science/article/pii/B9780340740767500249

Transmission Control Protocol/Internet Protocol (TCP/IP)

Ray Hunt, in Encyclopedia of Information Systems, 2003

II.E.2 TCP Connection Establishment

As discussed above, a connection is established using a three-way handshake procedure. The flow of data in each direction of a connection is controlled independently so as to avoid ambiguity with initial sequence numbers. These are in turn acknowledged as part of the handshake procedure. Figure 10 shows this three-way handshake establishment.

Figure 10. TCP connection establishment.

The initiating side sends a segment with the SYN flag set and the proposed initial sequence number in the sequence number field (SEQ = X). On receipt of this, the responding side notes the sequence number setting for the incoming direction and then returns a segment with both the SYN and ACK flags set, with the sequence number field set to its own assigned value for the reverse direction (SEQ = Y) and a piggybacked acknowledgement field of X + 1 (PACK = X + 1) to confirm it has noted the initial value for its incoming direction. On receipt of this, the initiating side returns a segment with the ACK flag set and a piggybacked acknowledgement field of Y + 1.

URL: https://www.sciencedirect.com/science/article/pii/B0122272404001878

The Enemy (The Intruder's Genesis)

Pramod Pandya, in Computer and Information Security Handbook (Third Edition), 2013

Transmission Control Protocol Session Hijacking

Let us recall that a TCP session starts out with a three-way handshake between the two nodes (one node is a client, and the other node is a server) that would like to establish a session between them. The nodes exchange a sequence of TCP segments with well-defined sequence numbers to establish an active session. This active session is normally terminated by an exchange of FIN (finish) packets, or abruptly with RST (reset) packets.

If a would-be hijacker were to correctly guess the sequence number of the TCP segments between the two nodes, then it is quite possible that the hijacker could hijack the session before that session gets established between the original TCP client and the server. The original client would still send an ACK segment to the server, but the server would assume that it has received a duplicate segment with a matching sequence number and thus ignore it, as this happens quite often on the network. This scenario is not a complete description of session hijacking, but just an overview.

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000284

Transmission Control Protocol

Walter Goralski, in The Illustrated Network (Second Edition), 2017

Connection Establishment

Let’s look at the normal TCP connection establishment’s three-way handshake in some detail. The three messages establish three important pieces of information that both sides of the connection need to know.

1. The ISNs to use for outgoing data (in order to deter hackers, these should not be predictable).

2. The buffer space (window) available locally for data, in bytes.

3. The Maximum Segment Size (MSS) is a TCP Option and sets the largest segment that the local host will accept. The MSS is usually the link MTU size minus the 40 bytes of the TCP and IP headers, but many implementations use segments of 512 or 536 bytes (it’s a maximum, not a demand).

A server issues a passive open and waits for a client’s active open SYN, which in this case has an ISN of 2000, a window of 5840 bytes and an MSS of 1460 (common because most hosts are on Ethernet LANs). The window is almost always a multiple of the MSS (1460×4=5840 bytes). The server responds with a SYN and declares the connection open, setting its own ISN to 4000 and “acknowledging” sequence number 2001 (it really means “the next byte I get from you in a segment should be numbered 2001”). The server also establishes a window of 8760 bytes and an MSS of 1460 (1460×6=8760 bytes).

Finally, the client declares the connection open and returns an ACK (a segment with the ACK bit set in the header) with the sequence number expected (2001) and the acknowledgment field set to 4001 (which the server expects). TCP sequence numbers count every byte on the data stream, and the 32-bit sequence field allows more than 4 billion bytes to be outstanding (nevertheless, high-speed transports such as Gigabit Ethernet roll this field over too quickly for comfort, so special “scaling” mechanisms are available for these link speeds).

TCP’s three-way handshake has two important functions. It makes sure that both sides know that they are ready to transfer data, and it also allows both sides to agree on the initial sequence numbers, which are sent and acknowledged (so there is no mistake about them) during the handshake. Why are the initial sequence numbers so important? If the sequence numbers are not randomized and set properly, it is possible for malicious users to hijack the TCP session (which can be a reliable connection to a bank, a store, or some other commercial entity). Each device chooses a random initial sequence number to begin counting every byte in the stream sent. How can the two devices agree on both sequence number values in only about three messages? Each segment contains a separate sequence number field and acknowledgment field. In Figure 12.3, the client chooses an initial sequence number (ISN) in the first SYN sent to the server. The server ACKs the ISN by adding one to the proposed ISN (ACKs always inform the sender of the next byte expected) and sending it in the SYN sent to the client to propose its own ISN. The client’s ISN could be rejected if, for example, the number is the same as the one used for the previous connection, but that is not considered here. Usually, the ACK from the client both acknowledges the ISN from the server (with the server’s ISN + 1 in the acknowledgment field) and establishes the connection, with both sides agreeing on the ISNs. Note that no application data is sent in the three-way handshake; it should be held until the connection is established.

This three-way handshake is the universal mechanism for opening a TCP connection. Oddly, the RFC does not insist that connections begin this way, especially with regard to setting other control bits in the TCP header (there are three others in addition to SYN and ACK and FIN). Because TCP really expects some control bits to be used during connection establishment and release, and others only during data transfer, hackers can cause a lot of damage simply by messing around with wild combinations of the six control bits, especially SYN/ACK/FIN, which asks for, uses, and releases a connection all at the same time. For example, forging a SYN within the window of an existing SYN would cause a reset. For this reason, developers have become more rigorous in their interpretation of RFC 793.

URL: https://www.sciencedirect.com/science/article/pii/B9780128110270000126

End-to-End Protocols

Larry L. Peterson, Bruce S. Davie, in Computer Networks (Fifth Edition), 2012

Three-Way Handshake

The algorithm used by TCP to establish and terminate a connection is called a three-way handshake. We first describe the basic algorithm and then show how it is used by TCP. The three-way handshake involves the exchange of three messages between the client and the server, as illustrated by the timeline given in Figure 5.6.

Figure 5.6. Timeline for three-way handshake algorithm.

The idea is that two parties want to agree on a set of parameters, which, in the case of opening a TCP connection, are the starting sequence numbers the two sides plan to use for their respective byte streams. In general, the parameters might be any facts that each side wants the other to know about. First, the client (the active participant) sends a segment to the server (the passive participant) stating the initial sequence number it plans to use (Flags = SYN, SequenceNum = x). The server then responds with a single segment that both acknowledges the client's sequence number (Flags = ACK, Ack = x + 1) and states its own beginning sequence number (Flags = SYN, SequenceNum = y). That is, both the SYN and ACK bits are set in the Flags field of this second message. Finally, the client responds with a third segment that acknowledges the server's sequence number (Flags = ACK, Ack = y + 1). The reason why each side acknowledges a sequence number that is one larger than the one sent is that the Acknowledgment field actually identifies the “next sequence number expected,” thereby implicitly acknowledging all earlier sequence numbers. Although not shown in this timeline, a timer is scheduled for each of the first two segments, and if the expected response is not received the segment is retransmitted.

You may be asking yourself why the client and server have to exchange starting sequence numbers with each other at connection setup time. It would be simpler if each side simply started at some “well-known” sequence number, such as 0. In fact, the TCP specification requires that each side of a connection select an initial starting sequence number at random. The reason for this is to protect against two incarnations of the same connection reusing the same sequence numbers too soon—that is, while there is still a chance that a segment from an earlier incarnation of a connection might interfere with a later incarnation of the connection.
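The sequence and acknowledgement arithmetic described in the excerpts above (SYN with SEQ = x, SYN-ACK with SEQ = y and Ack = x + 1, final ACK with Ack = y + 1, plus the reset of a stale SYN-ACK from an old connection incarnation) can be checked with a small simulation. The following Python is an added example written for this page, not code from any of the quoted books; the `Segment` and `Endpoint` classes, the state names and the `handshake`/`stale_syn_ack` helpers are all assumptions of this example. Passing fixed ISNs reproduces the worked numbers from the Goralski (2000/4000) and Buchanan (999/100) excerpts; with no arguments the ISNs are random, as the TCP specification requires.

```python
import random
from dataclasses import dataclass

# Constructed simulation of the TCP three-way handshake (example code, not
# from the excerpted books). Flags are modelled as a frozenset of strings.


@dataclass
class Segment:
    flags: frozenset
    seq: int
    ack: int = 0

    def has(self, *wanted):
        return all(f in self.flags for f in wanted)


@dataclass
class Endpoint:
    name: str
    state: str = "CLOSED"
    isn: int = 0       # initial sequence number this side chose
    snd_nxt: int = 0   # next sequence number this side will send
    rcv_nxt: int = 0   # next sequence number expected from the peer

    def choose_isn(self, isn=None):
        # A real stack must pick an unpredictable ISN; a fixed value is
        # accepted here only to reproduce the worked numbers from the text.
        self.isn = random.getrandbits(32) if isn is None else isn
        self.snd_nxt = self.isn


def passive_open(server):
    server.state = "LISTEN"


def active_open(client, isn=None):
    """Step 1: the client sends SYN with SEQ = x and enters SYN-SENT."""
    client.choose_isn(isn)
    client.state = "SYN-SENT"
    client.snd_nxt = client.isn + 1   # the SYN itself consumes one sequence number
    return Segment(frozenset({"SYN"}), seq=client.isn)


def server_receive(server, seg, isn=None):
    """Server side: answer SYN with SYN-ACK (step 2); accept the final ACK."""
    if server.state == "LISTEN" and seg.has("SYN"):
        server.rcv_nxt = seg.seq + 1                  # Ack = x + 1
        server.choose_isn(isn)
        server.snd_nxt = server.isn + 1
        server.state = "SYN-RECEIVED"
        return Segment(frozenset({"SYN", "ACK"}), seq=server.isn, ack=server.rcv_nxt)
    if server.state == "SYN-RECEIVED" and seg.has("RST"):
        server.state = "LISTEN"                       # peer rejected our SYN-ACK
        return None
    if server.state == "SYN-RECEIVED" and seg.has("ACK") and seg.ack == server.snd_nxt:
        server.state = "ESTABLISHED"                  # Ack = y + 1 received
    return None


def client_receive(client, seg):
    """Step 3: accept a SYN-ACK only if it acknowledges x + 1, else send RST."""
    if client.state == "SYN-SENT" and seg.has("SYN", "ACK"):
        if seg.ack != client.isn + 1:
            # SYN-ACK for a SYN this incarnation never sent: reset it
            return Segment(frozenset({"RST"}), seq=seg.ack)
        client.rcv_nxt = seg.seq + 1                  # Ack = y + 1
        client.state = "ESTABLISHED"
        return Segment(frozenset({"ACK"}), seq=client.snd_nxt, ack=client.rcv_nxt)
    return None


def handshake(client_isn=None, server_isn=None):
    """Run the full three-way exchange; return (client, server, segments)."""
    client, server = Endpoint("client"), Endpoint("server")
    passive_open(server)
    syn = active_open(client, client_isn)
    syn_ack = server_receive(server, syn, server_isn)
    ack = client_receive(client, syn_ack)
    server_receive(server, ack)
    return client, server, [syn, syn_ack, ack]


def stale_syn_ack(client_isn, stale_ack):
    """A client in SYN-SENT receives a SYN-ACK that acknowledges the wrong number."""
    client = Endpoint("client")
    active_open(client, client_isn)
    bogus = Segment(frozenset({"SYN", "ACK"}), seq=12345, ack=stale_ack)
    return client_receive(client, bogus)


if __name__ == "__main__":
    c, s, segs = handshake(2000, 4000)
    for seg in segs:
        print(sorted(seg.flags), "seq", seg.seq, "ack", seg.ack)
    print(c.state, s.state)
```

The `stale_syn_ack` path is the duplicate-connection case from Figure 24.8: the SYN-ACK's acknowledgement number does not match the client's own ISN + 1, so the client answers with RST and stays in SYN-SENT, and a server that receives that RST drops back to LISTEN.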

URL: https://www.sciencedirect.com/science/article/pii/B9780123850591000053

Scanning and enumeration

Jeremy Faircloth, in Penetration Tester's Open Source Toolkit (Third Edition), 2011

3.2.2.3 TCP versus UDP scanning

A TCP connection involves all of the steps of the standard TCP three-way handshake, which is the following sequence:

1. Source sends SYN to target

2. Target responds with SYN-ACK

3. Source responds with ACK

After that sequence, a connection is considered established. As we've discussed already, stealth TCP scanning makes use of part of the handshake but never completes the connection. In a stealth scan, the final ACK is never sent back to the target, so the connection is not established.

Scanning UDP is more difficult as it is a connectionless protocol and does not use a handshake like TCP. With UDP, the following sequence is used:

Source sends UDP packet to target

Target checks to see if the port/protocol is active then takes action accordingly

This makes scanning UDP ports especially challenging. If you receive a response, it will be one of three types: an ICMP type 3 message if the port is closed and the firewall allows the traffic, a disallowed message from the firewall, or a response from the service itself. Otherwise, no response could mean that the port is open, but it could also mean that the traffic was blocked or simply didn't make it to the target.

While it's typically faster and more productive to perform TCP scans, it can sometimes be worth the time and effort to perform a UDP scan as well. Many administrators tend to focus more on securing TCP-based services and often don't consider UDP-based services when determining their security policies. With this in mind, you can sometimes find (and exploit) vulnerabilities in UDP-based services, giving you another potential entry point to your target system.

URL: https://www.sciencedirect.com/science/article/pii/B9781597496278100030

Scanning

Dr.Patrick Engebretson, in The Basics of Hacking and Penetration Testing (Second Edition), 2013

The Three-Way Handshake

When two machines on any given network want to communicate using TCP, they do so by completing the three-way handshake. This process is very similar to a phone conversation (at least before everyone had caller ID!). When you want to talk to someone, you pick up the phone and dial the number, the receiver picks up the ringing phone not knowing who the caller is and says “Hello?”, the original caller then introduces himself by saying “Hi, this is Dave Kennedy!” In response to this, the receiver will often acknowledge the caller by saying “Oh, hi Dave!” At this point both people have enough information for the conversation to continue as normal.

Computers work much the same way. When two computers want to talk, they go through a similar process. The first computer connects to the second computer by sending a SYN packet to a specified port number. If the second computer is listening, it will respond with a SYN/ACK. When the first computer receives the SYN/ACK, it replies with an ACK packet. At this point, the two machines can communicate normally. In our phone example above, the original dialer is like sending the SYN packet. The receiver picking up the phone and saying “Hello?” is like the SYN/ACK packet, and the original caller introducing himself is like the ACK packet.

What type of network discovery scan only uses the first two steps of the TCP handshake?

What type of network discovery scan only follows the first two steps of the TCP handshake? TCP SYN scan. It sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection.
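The half-open pattern described in the Faircloth excerpt and in the answer above (a SYN to each port, the SYN-ACK never answered with the final ACK) is also what a defender looks for when spotting a SYN scan in traffic. The following Python is an added example for this page, not code from any of the quoted books or from nmap: it replays a constructed packet log, tracks each flow through the handshake states, and flags a source that leaves many half-open handshakes across distinct ports. The packet records, the tcpdump-style flag letters, the state names and the `half_open_threshold` value are all assumptions of this example.

```python
from collections import defaultdict

# Constructed packet log, not a real capture: (src, sport, dst, dport, flags).
# Flags use tcpdump-style letters: S=SYN, A=ACK, R=RST, so "SA" is SYN-ACK.
SAMPLE_PACKETS = [
    # 10.0.0.5 sends a SYN to four ports on 10.0.0.20 and answers each
    # SYN-ACK with RST instead of the final ACK (half-open / SYN-scan pattern)
    ("10.0.0.5", 40001, "10.0.0.20", 22, "S"),
    ("10.0.0.20", 22, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "10.0.0.20", 22, "R"),
    ("10.0.0.5", 40002, "10.0.0.20", 80, "S"),
    ("10.0.0.20", 80, "10.0.0.5", 40002, "SA"),
    ("10.0.0.5", 40002, "10.0.0.20", 80, "R"),
    ("10.0.0.5", 40003, "10.0.0.20", 443, "S"),
    ("10.0.0.20", 443, "10.0.0.5", 40003, "RA"),    # closed port: target resets
    ("10.0.0.5", 40004, "10.0.0.20", 8080, "S"),
    ("10.0.0.20", 8080, "10.0.0.5", 40004, "SA"),
    ("10.0.0.5", 40004, "10.0.0.20", 8080, "R"),
    # 10.0.0.7 completes a normal three-way handshake to port 80
    ("10.0.0.7", 51000, "10.0.0.20", 80, "S"),
    ("10.0.0.20", 80, "10.0.0.7", 51000, "SA"),
    ("10.0.0.7", 51000, "10.0.0.20", 80, "A"),
]


def track_flows(packets):
    """Replay packets; return {(client, cport, server, sport): final handshake state}."""
    flows = {}
    for src, sport, dst, dport, flags in packets:
        fwd = (src, sport, dst, dport)   # client -> server direction
        rev = (dst, dport, src, sport)   # server -> client direction
        if flags == "S" and fwd not in flows:
            flows[fwd] = "SYN_SENT"                # step 1 seen
        elif rev in flows and flags == "SA":
            flows[rev] = "SYN_ACKED"               # step 2 seen, waiting for step 3
        elif rev in flows and "R" in flags:
            flows[rev] = "REFUSED"                 # target reset: port closed
        elif fwd in flows and flows[fwd] == "SYN_ACKED":
            if "R" in flags:
                flows[fwd] = "HALF_OPEN_RESET"     # client tore down instead of ACKing
            elif "A" in flags:
                flows[fwd] = "ESTABLISHED"         # step 3 seen: full connection
    return flows


def classify_sources(packets, half_open_threshold=3):
    """Count distinct (host, port) outcomes per source and label likely scanners."""
    per_src = defaultdict(lambda: {"half_open": set(), "established": set(), "refused": set()})
    for (src, _sport, dst, dport), state in track_flows(packets).items():
        port = (dst, dport)
        if state in ("SYN_ACKED", "HALF_OPEN_RESET"):
            per_src[src]["half_open"].add(port)    # SYN-ACK never completed
        elif state == "ESTABLISHED":
            per_src[src]["established"].add(port)
        elif state == "REFUSED":
            per_src[src]["refused"].add(port)
    report = {}
    for src, d in per_src.items():
        half, est, ref = len(d["half_open"]), len(d["established"]), len(d["refused"])
        if half >= half_open_threshold:
            verdict = "syn_scan"       # many half-open handshakes across ports
        elif est + ref >= half_open_threshold:
            verdict = "connect_scan"   # many full connects/refusals across ports
        else:
            verdict = "normal"
        report[src] = {"half_open": half, "established": est, "refused": ref, "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, row in classify_sources(SAMPLE_PACKETS).items():
        print(src, row)
```

A flow left in `SYN_ACKED` with no further packet counts as half-open too, since a scanner may simply let the target's SYN-ACK time out rather than resetting it; the threshold on distinct ports rather than raw packet counts keeps a single retransmitting client from being mislabelled.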

What is a topology discovery scan?

Topology discovery, the process of discovering and mapping network devices and links, is vital for a network's efficiency.

What type of network discovery scan attempts to simulate an already open network connection?

Nmap is a network discovery scanning tool that reports the open ports on a remote system.

What two techniques are commonly used by port and vulnerability scanners to perform?

Port scanning is commonly done during discovery to assess what services the target provides, and nmap is one of the most popular tools used for this purpose. Nessus and Nikto might be used during the vulnerability scanning phase.