Dark Mode
Capec-299 Detail
TCP SYN Ping
Detailed Software Typical Severity: Low
Parents: 292
Threats: T60 T65 T80 T258 T273 T288 T291 T302 T334 T392 T407
An adversary uses TCP SYN packets as a means towards host discovery. Typical RFC 793 behavior specifies that when a TCP port is open, a host must respond to an incoming SYN "synchronize" packet by completing stage two of the 'three- way handshake' - by sending an SYN/ACK in response. When a port is closed, RFC 793 behavior is to respond with a RST "reset" packet. This behavior can be used to 'ping' a target to see if it is alive by sending a TCP SYN packet to a port and then looking for a RST or an ACK packet in response.
Due to the different responses from open and closed ports, SYN packets can be used to determine the remote state of the port. A TCP SYN ping is also useful for discovering alive hosts protected by a stateful firewall. In cases where a specific firewall rule does not block access to a port, a SYN packet can pass through the firewall to the host and solicit a response from either an open or closed port. When a stateful firewall is present, SYN pings are preferable to ACK pings because a stateful firewall will typically drop all unsolicited ACK packets as they are not part of an existing or new connection. TCP SYN pings often fail when a stateless ACL or firewall is configured to blanket-filter incoming packets to a port. The firewall device will discard any SYN packets to a blocked port. Often, an adversary will alternate between SYN and ACK pings to discover if a host is alive.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-299 | capec | https://capec.mitre.org/data/definitions/299.html | |
| CWE-200 | cwe | http://cwe.mitre.org/data/definitions/200.html | |
| REF-33 | reference_from_CAPEC | Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill | |
| REF-128 | reference_from_CAPEC | http://www.faqs.org/rfcs/rfc793.html | Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA) |
| REF-34 | reference_from_CAPEC | Gordon "Fyodor" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd "Zero Day" Edition,), 2008, Insecure.com LLC, ISBN: 978-0-9799587-1-7 | |
| REF-125 | reference_from_CAPEC | http://nmap.org/docs/discovery.pdf | Mark Wolfgang, Host Discovery with Nmap, 2002--11 |
Not present
- The ability to send a TCP SYN packet to a remote target. Depending upon the operating system, the ability to craft SYN packets may require elevated privileges.
- SYN pings can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.
| Low |
|---|
| The adversary needs to know how to craft and send protocol commands from the command line or within a tool. |
| Authorization | Access Control | Confidentiality |
|---|---|---|
| Bypass Protection Mechanism | Bypass Protection Mechanism | Other |
| Hide Activities | Hide Activities | Bypass Protection Mechanism |
| Hide Activities |
Not present