CAPEC-301 Metadata
Likelihood of Attack
Low
Typical Severity
Low
Overview
Summary
An adversary uses full TCP connection attempts to determine whether a port is open on the target system. The scan completes a 'three-way handshake' (SYN, SYN/ACK, ACK) with each probed port and reports the port as open if the handshake succeeds and as closed if it cannot be established; in practice a RST reply means closed, while no reply or an ICMP unreachable error means the port is filtered. An advantage of TCP connect scanning is that it uses the operating system's ordinary connect() call, so it works against any TCP/IP stack and needs no special privileges; the cost is that every probe completes a connection that the listening service can log.
Prerequisites
The adversary requires logical access to the target network. The TCP connect scan requires the ability to connect to an available port and complete a 'three-way handshake'. This scanning technique does not require any special privileges in order to perform, since it relies on the standard connect() system call rather than raw sockets. This type of scan works against all TCP/IP stack implementations.
Execution Flow
Step | Phase | Description | Techniques |
---|---|---|---|
1 | Experiment | An adversary attempts to initiate a TCP connection with the target port. | |
2 | Experiment | An adversary uses the result of the connection attempt to determine the state of the target port. A completed handshake indicates the port is open with a service listening on it; a refused connection (RST in reply to the SYN) indicates the port is closed; no reply before the timeout, or an ICMP unreachable error, indicates the port is filtered. | |
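The two steps above, as an added example that is not part of the CAPEC entry or of any scanner such as nmap: a minimal connect() scanner that classifies a port as open, closed or filtered from the outcome of the handshake, together with a constructed loopback listener that records what the scanned service itself sees. The function and variable names, the loopback target and the detection threshold are assumptions made for this illustration.

```python
"""Added example: a TCP connect scanner and the server-side view of it.
Not CAPEC's or nmap's code; the loopback target and all names are
constructed for illustration."""
import errno
import socket
import threading
import time


def connect_scan(host, port, timeout=1.0):
    """Classify one port with a full connect(), i.e. a complete
    three-way handshake, as CAPEC-301 describes.

    open     - connect() returned: SYN -> SYN/ACK -> ACK completed
    closed   - the target answered the SYN with a RST (ECONNREFUSED)
    filtered - nothing came back before the timeout, or the OS reported
               the host/network unreachable (typically an ICMP error)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        # The scanner never sends application data; it just tears down.
        sock.close()


def start_listener(idle_timeout=2.0):
    """Constructed target service on loopback. Records every accepted
    connection as (peer_ip, bytes_received): this is the trace a real
    service leaves in its own logs when a connect scan hits it."""
    records = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(idle_timeout)

    def serve():
        while True:
            try:
                conn, (peer_ip, _) = srv.accept()
            except OSError:          # idle timeout or listener closed
                break
            conn.settimeout(0.2)
            try:
                data = conn.recv(1024)   # a scanner sends nothing
            except OSError:
                data = b""
            records.append((peer_ip, len(data)))
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, records


def find_unused_port():
    """Grab an ephemeral port and release it, so a probe to it gets a RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def wait_for_records(records, count, timeout=2.0):
    """Give the listener thread time to accept; True once it has logged
    `count` connections."""
    deadline = time.monotonic() + timeout
    while len(records) < count and time.monotonic() < deadline:
        time.sleep(0.02)
    return len(records) >= count


def suspicious_sources(records, min_empty_connections=3):
    """Server-side detection heuristic (assumed threshold): sources that
    repeatedly complete the handshake and hang up without sending data."""
    counts = {}
    for peer_ip, nbytes in records:
        if nbytes == 0:
            counts[peer_ip] = counts.get(peer_ip, 0) + 1
    return {ip for ip, n in counts.items() if n >= min_empty_connections}


if __name__ == "__main__":
    srv, records = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = find_unused_port()
    for port in (open_port, open_port, open_port, closed_port):
        print(f"127.0.0.1:{port} -> {connect_scan('127.0.0.1', port)}")
    wait_for_records(records, 3)
    print("service saw:", records)
    print("flagged:", suspicious_sources(records))
    srv.close()
```

Running the script probes the constructed listener three times and an unbound port once; the listener's records show three completed, data-less connections from the scanning host, which is exactly the artifact a connect scan leaves behind and which the heuristic flags. The filtered branch cannot be exercised on loopback; against a real firewalled host it is reached when the SYN is silently dropped. The same classification is what `nmap -sT` performs.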
Potential Solutions / Mitigations
Employ a robust network defense posture that includes an IDS/IPS system. Because a connect scan completes the handshake, each probe also appears in the listening service's own connection logs, so bursts of short-lived, data-less connections from one source across many ports are a usable detection signal at the host level.
Related Weaknesses (CWE)
CWE ID | Description |
---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
Related CAPECs
CAPEC ID | Description |
---|---|
CAPEC-300 | An adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network. |