Explained - TCP 3-Way Handshake (Nmap TCP connect scan )


Hey guys, Demeter here, back again, and I'm going to start a new series called "Explained", in which we will explain some technical terms.

In this first part of the series we are going to talk about how exactly the TCP protocol establishes a connection between two devices. The easiest way to demonstrate this is through an Nmap scan called the TCP connect scan, because it actually completes the entire TCP three-way handshake. In this particular case you have a client and a server (the host and the target). The host initiates the connection by sending a SYN packet, the server responds with a SYN-ACK, and the client acknowledges this by sending an ACK packet; at that point the connection is established.

SYN
A ------------------------> B

SYN + ACK
A <------------------------ B
(Connection established at Sender)

ACK
A ------------------------> B
(Connection established at Receiver)

With the TCP connect scan, however, the connection is then reset, because with Nmap you are only using it to determine whether a port is open or closed, and that is done by analyzing the responses.

To demonstrate this I am going to be using Wireshark, and my Nmap scan is going to be quite simple: we are going to use -sT (TCP connect scan). I will be targeting my Windows server, which is currently on the local network.

Before I execute that, I have already started Wireshark and set up my interface, so I'll just hit Enter.


All right, now it has completed the scan and Wireshark has captured a good amount of packets, so we can start analyzing all of the requests and the various responses.

This is where you can actually see the three-way handshake taking place. Before we start analyzing it, let me clarify some key terms:

  • Source - where the packet is coming from
  • Destination - where the packet is going
  • Protocol - the type of protocol used, e.g. TCP, UDP, ARP, etc.

As you can see, we have the source and the destination IP address. We look for the initial SYN, which is sent from my Kali Linux IP address, 192.168.1.51, to the Windows server, 192.168.1.38.

So we send a SYN request.

We get a SYN-ACK in response from the server.

Finally we have an ACK being sent back from Kali.


Now you can see that Kali resets the connection, and you probably have this question: why?


According to the official Nmap documentation: "As soon as Nmap hears from its host OS that the connection was successful, it terminates the connection. TCP connections usually end with another handshake involving the FIN flag, but Nmap asks the host OS to terminate the connection immediately with a RST packet."
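The handshake sequence from the diagram above and the reset that follows it in a connect scan can be recognised automatically from the same columns Wireshark shows. The script below is an added example, not nmap's or Wireshark's code: it runs a small per-connection state machine over a constructed list of packet records (the addresses are the ones used in this post, the ports and flags are made up) and labels each client-to-server conversation. The verdict names ("open-connect-scan", "closed", "no-response", "established") are mine; the point of the "established" case is to show that an ordinary session, which ends with FIN or carries data, is not flagged, whereas a handshake that is completed and then immediately torn down by a client RST is exactly the trace -sT leaves on an open port.

```python
"""Classify TCP conversations from constructed packet records.

Each record mirrors the Wireshark columns discussed in the post (source,
destination, ports, TCP flags). Added example; not nmap/Wireshark code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST", "ACK"}


def P(src: str, dst: str, sport: int, dport: int, *flags: str) -> Packet:
    return Packet(src, dst, sport, dport, frozenset(flags))


# Constructed sample capture (not a real trace). Addresses are the ones from
# the post; ports, flags and ordering are invented for the example.
KALI = "192.168.1.51"
WIN = "192.168.1.38"
SAMPLE: List[Packet] = [
    # port 445: full handshake, then an immediate RST from the client (-sT, open port)
    P(KALI, WIN, 40001, 445, "SYN"),
    P(WIN, KALI, 445, 40001, "SYN", "ACK"),
    P(KALI, WIN, 40001, 445, "ACK"),
    P(KALI, WIN, 40001, 445, "RST", "ACK"),
    # port 8080: the server answers the SYN with RST+ACK (closed port)
    P(KALI, WIN, 40002, 8080, "SYN"),
    P(WIN, KALI, 8080, 40002, "RST", "ACK"),
    # port 3389: handshake, data, then a FIN close (an ordinary client session)
    P(KALI, WIN, 40003, 3389, "SYN"),
    P(WIN, KALI, 3389, 40003, "SYN", "ACK"),
    P(KALI, WIN, 40003, 3389, "ACK"),
    P(KALI, WIN, 40003, 3389, "PSH", "ACK"),
    P(KALI, WIN, 40003, 3389, "FIN", "ACK"),
    # port 21: SYN with no answer at all in this capture
    P(KALI, WIN, 40004, 21, "SYN"),
]

Key = Tuple[str, int, str, int]  # (client, client port, server, server port)


def classify(packets: List[Packet]) -> Dict[Key, str]:
    """Track each handshake and return one verdict per client->server tuple.

      "open-connect-scan"  SYN, SYN-ACK, ACK, then RST from the client with no
                           data and no FIN: the trace nmap -sT leaves on an open port
      "closed"             SYN answered by the server with RST
      "no-response"        SYN never answered in this capture
      "established"        handshake completed and then used/closed normally
    """
    state: Dict[Key, str] = {}
    verdict: Dict[Key, str] = {}
    for pkt in packets:
        f = pkt.flags
        if "SYN" in f and "ACK" not in f:  # first packet of a handshake
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            state[key] = "SYN_SENT"
            verdict[key] = "no-response"
            continue
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in state:  # packet travels server -> client
            key, from_server = rev, True
        elif fwd in state:  # packet travels client -> server
            key, from_server = fwd, False
        else:
            continue  # not part of a handshake we saw start
        st = state[key]
        if from_server and st == "SYN_SENT":
            if {"SYN", "ACK"} <= f:
                state[key] = "SYN_RECEIVED"
            elif "RST" in f:
                state[key] = "CLOSED"
                verdict[key] = "closed"
        elif not from_server and st == "SYN_RECEIVED" and "ACK" in f:
            state[key] = "ESTABLISHED"  # third packet of the handshake
            verdict[key] = "established"
        elif not from_server and st == "ESTABLISHED":
            if "RST" in f:
                state[key] = "RESET"
                verdict[key] = "open-connect-scan"
            else:
                state[key] = "IN_USE"  # PSH/FIN: a real session, not a probe
    return verdict


def summarize(packets: List[Packet]) -> Dict[Tuple[str, str, int], str]:
    """Group verdicts by (client, server, server port), like nmap's port list."""
    return {(c, s, sp): v for (c, _cp, s, sp), v in classify(packets).items()}


if __name__ == "__main__":
    for (client, server, port), v in sorted(summarize(SAMPLE).items(), key=lambda kv: kv[0][2]):
        print(f"{client} -> {server}:{port}  {v}")
```

Running the block prints one line per probed port; the 445 conversation comes out as "open-connect-scan" because the fourth packet is a client RST right after the ACK, while 3389 stays "established" because the client went on to send data and a FIN. In a real capture you would feed it the Wireshark export of the same columns and look for a burst of such four-packet conversations from one source.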

Hopefully you guys can recreate this and go through it yourselves. It's actually quite interesting to see how the various Nmap scans are conducted and how, based on the responses, Nmap is able to come to conclusions about the results.
