Finding a TCP Connect Scan on your Network
A tremendous amount of traffic passes through a network. Most of this traffic is expected, but what if it is not? How can we identify abnormalities? The topic of this article is how to identify that a network scan has occurred, specifically a TCP connect scan.
There are a wide variety of scans that can occur. The trick to identifying types of scans is pattern recognition. If I suspect a scan, there are steps I can take in Wireshark to confirm my suspicions.
Before we go hunting for a TCP scan, let's first take a look at how a TCP scan works. Take a look at the picture below.
Here we have a scan occurring from the left machine to the right machine. This scenario sees a successful scan of an OPEN port.
1. SYN packet to port 80 sent to target
2. Port 80 is open, and a SYN,ACK packet is sent back to the first machine
3. First machine sends another packet with the ACK flag set (effectively completing the 3-way handshake)
4. Having successfully connected, the first machine closes the connection with an additional packet with the RST,ACK flags set
5. Rinse and repeat through all specified ports on the target machine
The TCP connect scan is unique in that it actually completes the 3-way handshake. The pattern we see in the picture above is what we look for in Wireshark.
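As an added example (not code from the original article), the script below applies that same pattern outside Wireshark: it groups constructed packet records into flows, keeps only flows whose flag sequence is exactly SYN, SYN/ACK, ACK, RST/ACK, and reports any source that produced that sequence against several distinct ports on one target. The packet records, IP addresses and the `min_ports` threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample capture: (src ip, dst ip, src port, dst port, tcp flags).
SCANNER, TARGET = "10.0.0.5", "10.0.0.9"          # assumed addresses
PACKETS = []
for i, port in enumerate((22, 80, 443, 8080, 3306)):
    sport = 40000 + i
    PACKETS += [                                  # the connect-scan pattern per port
        (SCANNER, TARGET, sport, port, "S"),      # 1. SYN to target port
        (TARGET, SCANNER, port, sport, "SA"),     # 2. port open -> SYN,ACK
        (SCANNER, TARGET, sport, port, "A"),      # 3. ACK completes handshake
        (SCANNER, TARGET, sport, port, "RA"),     # 4. RST,ACK tears it down
    ]
PACKETS += [                                      # one ordinary web request for contrast
    ("10.0.0.7", TARGET, 51000, 80, "S"),
    (TARGET, "10.0.0.7", 80, 51000, "SA"),
    ("10.0.0.7", TARGET, 51000, 80, "A"),
    ("10.0.0.7", TARGET, 51000, 80, "PA"),        # data, then a normal FIN close
    ("10.0.0.7", TARGET, 51000, 80, "FA"),
]

CONNECT_SCAN_PATTERN = ("S", "SA", "A", "RA")

def connect_scan_flows(packets):
    """Return {(initiator, target): set of ports} for flows whose flag sequence
    is exactly SYN, SYN/ACK, ACK, RST/ACK, i.e. the connect-scan signature."""
    flows = defaultdict(list)   # direction-independent flow key -> flags in order
    initiator = {}              # flow key -> (client ip, server ip, server port)
    for src, dst, sport, dport, flags in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))
        if flags == "S":        # the bare SYN tells us who opened the flow
            initiator[key] = (src, dst, dport)
        flows[key].append(flags)
    hits = defaultdict(set)
    for key, seq in flows.items():
        if tuple(seq) == CONNECT_SCAN_PATTERN and key in initiator:
            client, server, port = initiator[key]
            hits[(client, server)].add(port)
    return hits

def find_connect_scanners(packets, min_ports=3):
    """Sources showing the pattern against at least min_ports distinct ports."""
    return {pair: sorted(ports) for pair, ports in connect_scan_flows(packets).items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    for (client, server), ports in find_connect_scanners(PACKETS).items():
        print(f"possible TCP connect scan from {client} against {server}: ports {ports}")
```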
Identify Scanning Machine
There are a few ways to do this; I tend to start with two methods.
1. Drive By: With no filters, I quickly scroll through all the packets to see if anything jumps out at me.
- Things to look for would be large groupings of ARP packets and large groupings of RST,ACK packets. It can also be useful to filter on ARP packets. Filtering on ARP shows you all the ARPs and can be a way to tell whether a scan was run with a slower timing interval (T1 through T5).
2. Endpoints: I like to look at Endpoints in a capture. With this functionality you can quickly see which hosts on the network are generating the most traffic (packets).