2.3.6 Three Way Handshake and TCP Flags
We've talked about data encapsulation, packets and frames. Now we're going to spend some time talking about TCP. If you recall, TCP is a
connection-oriented protocol that uses a three-way handshake to establish a connection with a system port.
TCP packets have flag indicators. Two of these indicators are SYN and ACK. SYN starts a connection between two systems. ACK
acknowledges that a packet has been received. There are other flag options as well. Any of these indicators can be turned on or off using a
packet crafter.
The three-way handshake occurs when you're trying to use TCP to connect to a port. As indicated by the name, the handshake has three steps.
Example 0:46-1:04
Let's say, for example, Computer 1 wants to connect with Computer 2. Computer 1 sends a SYN packet to Computer 2. Computer 2 receives
the packet and sends a SYN/ACK packet to Computer 1. Computer 1 receives the SYN/ACK packet and replies back with an ACK packet,
and the connection is complete.
A full connect, or full open scan, completes the full three-way handshake on every port it probes. Open ports respond with a SYN/ACK, and closed ports
respond with an RST flag, ending the attempt. This can be a good scan for an IT administrator who's trying to see which ports are open or closed,
but for hackers and other malicious intruders this scan isn't very helpful, because the completed connection is visible to the target, so it's not frequently used.
Basically, you knocked on the door, they answered, and you introduced yourself.
A stealth scan, also known as a half-open scan, sends a SYN packet to a port. The three-way handshake is never completed because the scanning
system doesn't reply with the final ACK. If the port answers with a SYN/ACK, you've discovered an open port. But because the final ACK wasn't sent, a connection
was never actually established, so there is no completed connection for the application to log. Remember when you were a kid, and you knocked on the neighbor's door, ran away, and
watched to see if he answered? That's pretty much what you just did here. This scan is more appealing to hackers, so as a cyber defense
analyst you need to be aware of it and safeguard against it.
A Xmas tree scan gets its name because all of the flags are turned on, and the packet is basically lit up like a Christmas tree. The recipient has
no idea what to do with this packet, so it's either ignored or dropped. If you get an RST packet, you know the port is closed. If you don't get a
response, the port may be open.
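The following is an added example, not part of the TestOut lesson. It models the target side of the handshake and port responses described above (an open port in LISTEN answers a lone SYN with SYN/ACK and drops a FIN/PSH/URG "Xmas" segment; a closed port answers with RST) and then shows how an analyst reading a capture can tell a full connect from a half-open scan from an Xmas probe: only the full connect ever reaches the target's connection log. The addresses, ports and the `Target`, `probe` and `classify` names are all constructed for this illustration.

```python
"""Simplified TCP endpoint plus analyst-side classification of probe exchanges.

Added example for this lesson, not TestOut's own material. Endpoint rules
follow the lesson text and RFC 793: an open port in LISTEN answers a lone SYN
with SYN/ACK and drops segments carrying none of SYN/ACK/RST; a closed port
answers with RST. Addresses and ports are constructed sample values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str          # sender address
    dst: str          # receiver address
    port: int         # the target-side port this exchange concerns
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def seg(src, dst, port, *flags):
    return Segment(src, dst, port, frozenset(flags))


class Target:
    """A host with some open ports; tracks handshake state per (peer, port)."""

    def __init__(self, addr, open_ports):
        self.addr = addr
        self.open_ports = set(open_ports)
        self.state = defaultdict(lambda: "LISTEN")
        self.established = []  # what an application or connection log would see

    def receive(self, s):
        """Return the reply segment, or None when the segment is silently dropped."""
        key = (s.src, s.port)
        if "RST" in s.flags:
            self.state.pop(key, None)  # peer aborted; a reset is never answered
            return None
        if s.port not in self.open_ports:
            return seg(self.addr, s.src, s.port, "RST", "ACK")  # closed port resets
        state = self.state[key]
        if state == "LISTEN" and s.flags == {"SYN"}:
            self.state[key] = "SYN_RECEIVED"  # handshake step 2
            return seg(self.addr, s.src, s.port, "SYN", "ACK")
        if state == "SYN_RECEIVED" and "ACK" in s.flags:
            self.state[key] = "ESTABLISHED"  # handshake step 3: now loggable
            self.established.append(key)
            return None
        return None  # e.g. FIN/PSH/URG ("Xmas") arriving in LISTEN: dropped


def probe(target, scanner, port, *flags, finish_with=None):
    """One probe from the scanner; if SYN/ACK comes back, answer with finish_with."""
    exchange = [seg(scanner, target.addr, port, *flags)]
    reply = target.receive(exchange[0])
    if reply is not None:
        exchange.append(reply)
        if reply.flags == {"SYN", "ACK"} and finish_with:
            third = seg(scanner, target.addr, port, finish_with)
            exchange.append(third)
            target.receive(third)
    return exchange


def classify(exchange):
    """Label an exchange the way an analyst reading a capture would."""
    first, rest = exchange[0].flags, exchange[1:]
    if first == {"SYN"}:
        if not rest:
            return "SYN probe, no answer (filtered)"
        if rest[0].flags == {"RST", "ACK"}:
            return "SYN probe, closed port"
        if len(rest) == 2 and rest[1].flags == {"ACK"}:
            return "full connect, open port"
        if len(rest) == 2 and rest[1].flags == {"RST"}:
            return "half-open scan, open port"
        return "unfinished handshake, open port"
    if first >= {"FIN", "PSH", "URG"}:
        return "Xmas probe, closed port" if rest else "Xmas probe, open or filtered port"
    return "other"


def run_demo():
    """Constructed scenario: ports 22 and 80 open, 23 closed."""
    target = Target("192.0.2.10", open_ports=[22, 80])
    scanner = "192.0.2.99"
    results = {
        "connect 80": classify(probe(target, scanner, 80, "SYN", finish_with="ACK")),
        "half-open 22": classify(probe(target, scanner, 22, "SYN", finish_with="RST")),
        "syn 23": classify(probe(target, scanner, 23, "SYN")),
        "xmas 80": classify(probe(target, scanner, 80, "FIN", "PSH", "URG")),
        "xmas 23": classify(probe(target, scanner, 23, "FIN", "PSH", "URG")),
    }
    return results, target.established


if __name__ == "__main__":
    verdicts, log = run_demo()
    for name, verdict in verdicts.items():
        print(f"{name:13} -> {verdict}")
    print("connection log saw:", log)
```

The point for a defender is in the last line of output: the half-open probe of port 22 and the Xmas probe of port 80 both revealed the port state to the scanner, yet neither appears in `target.established`. Detection of those scans therefore has to come from the packet layer (a firewall, IDS or flow log seeing many SYNs or odd flag combinations without completed handshakes), not from application connection logs.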
The last port scan we'll talk about is the idle scan. This scan is a lot more complicated, but it's stealthy and effective.
https://labsimapp.testout.com/v6_0_537/index.html/productviewer/1190/2.3.6/0647aac4-09c0-4702-8023-842d9729c1a4 1/2
2/10/23, 9:36 AM TestOut LabSim
The hacker finds a target machine but wants to avoid getting caught, so she finds another system to take the blame. This is frequently called
a zombie machine because, to the hacker, it's disposable, and it creates a good distraction. The scan directs all requests through the zombie
machine. If that zombie machine is flagged, the hacker can simply create another zombie machine and continue working. As a security
analyst, you should know about this scan and safeguard your ports against any possible attacks.
Summary 3:02-3:20
That's it for this lesson. In this video we talked about the TCP protocol. We talked about three-way handshakes, TCP flags, and different
scans you can conduct using those flags. We described the open scan, stealth scan, Xmas tree scan, and the idle scan. Now you've learned
how flag manipulation can help you find open ports.