TCP Communication Flag Types | Scanning

TCP scan types are built on the TCP three-way handshake. TCP connections require a three-way handshake before a connection can be made and data transferred between the sender and receiver. Figure 1 details the steps of the TCP three-way handshake.

Figure 1: TCP three-way handshake
To complete the three-way handshake and make a successful connection between two hosts, the sender must send a TCP packet with the synchronize (SYN) bit set. Then, the receiving system responds with a TCP packet with the synchronize (SYN) and acknowledge (ACK) bit set to indicate the host is ready to receive data. The source system sends a final packet with the ACK bit set to indicate the connection is complete and data is ready to be sent.
Because TCP is a connection-oriented protocol, a process for establishing a connection (three-way handshake), restarting a failed connection, and finishing a connection is part of the protocol. These protocol notifications are called flags. TCP contains ACKRSTSYNURGPSH, and FIN flags. The following list identifies the function of the TCP flags:
  • SYN Synchronize. Initiates a connection between hosts.
  • ACK Acknowledge. Established connection between hosts.
  • PSH Push. System is forwarding buffered data.
  • URG Urgent. Data in packets must be processed quickly.
  • FIN Finish. No more transmissions.
  • RST Reset. Resets the connection.
A hacker can attempt to bypass detection by using flags instead of completing a normal TCP connection. The TCP scan types in Table 1 are used by some scanning tools to elicit a response from a system by setting one or more flags.
Table 1: TCP scan types 
XMAS scan
Flags sent by hacker
XMAS scan
FIN scan
NULL scan
No flags set
TCP connect/full-open scan
SYN, then ACK
SYN scan/half-open scan
SYN, then RST

Exercise 1 shows how to use AngryIP scanner to perform a port scan.
Exercise 1: Free IPTools Port Scan

To use a port scan tool to determine listening ports of active hosts:
  1. Download Angry IP Scanner from
  2. Enter the IP address of the target system in the Host or IP Address field or enter a range or IP address for your lab systems and click Start to perform a conventional (full connect) scan of standard ports.

No comments:

Post a Comment

Popular Posts