tcp
As what I know, an open TCP scan is just a normal TCP 3-way handshake followed by RST. It is detectable because the target will log this connection.
For the half-open TCP scan, it is defined as "stealth". The explanation is that only a SYN packet is sent, which is also a 3-way handshake.
But these two seems same. I do not find what are the true difference?
It isn't necessarily the case that the third segment contains no data. From Data Communications and Networking (Forouzan):
Note that the ACK segment does not consume any sequence numbers if it does not carry data, but some implementations allow this third segment in the connection phase to carry the first chunk of data from the client (emphasis mine). In this case, the segment consumes as many sequence numbers as the number of data bytes. An ACK segment, if carrying no data, consumes no sequence number.
I found the answer to your question in Computer Networking: A Top-Down Approach (Kurose and Ross):
Upon receiving the SYNACK segment, the client also allocates buffers and variables to the connection. The client host then sends the server yet another segment; this lasts segment acknowledges the server's connection-granted segment (the client does so by putting the value
server_isn+1in the acknowledgement field of the TCP segment header). The SYN bit is set to zero, since the connection is established. This third stage of the three-way handshake may carry client-to-server data in the segment payload.
There's a diagram on the following page that the explanation refers to (the one below isn't from the book, but the idea is the same):
That is not realistic because it does not have an acknowledgement number to acknowledge with the ACK flag. What number would it put into the field? It would be made up, so the receiving host would respond with a RST.
RFC 793, Transmission Control Protocol explains (I highlighted the relevant text):
Reset Generation
As a general rule, reset (RST) must be sent whenever a segment arrives which apparently is not intended for the current connection. A reset must not be sent if it is not clear that this is the case.
There are three groups of states:
If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means. If the incoming segment has an ACK field, the reset takes its sequence number from the ACK field of the segment, otherwise the reset has sequence number zero and the ACK field is set to the sum of the sequence number and segment length of the incoming segment. The connection remains in the CLOSED state.
If the connection is in any non-synchronized state (LISTEN, SYN-SENT, SYN-RECEIVED), and the incoming segment acknowledges something not yet sent (the segment carries an unacceptable ACK), or if an incoming segment has a security level or compartment which does not exactly match the level and compartment requested for the connection, a reset is sent.
If our SYN has not been acknowledged and the precedence level of the incoming segment is higher than the precedence level requested then either raise the local precedence level (if allowed by the user and the system) or send a reset; or if the precedence level of the incoming segment is lower than the precedence level requested then continue as if the precedence matched exactly (if the remote TCP cannot raise the precedence level to match ours this will be detected in the next segment it sends, and the connection will be terminated then). If our SYN has been acknowledged (perhaps in this incoming segment) the precedence level of the incoming segment must match the local precedence level exactly, if it does not a reset must be sent.
If the incoming segment has an ACK field, the reset takes its sequence number from the ACK field of the segment, otherwise the reset has sequence number zero and the ACK field is set to the sum of the sequence number and segment length of the incoming segment. The connection remains in the same state.
If the connection is in a synchronized state (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT), any unacceptable segment (out of window sequence number or unacceptible acknowledgment number) must elicit only an empty acknowledgment segment containing the current send-sequence number and an acknowledgment indicating the next sequence number expected to be received, and the connection remains in the same state.
If an incoming segment has a security level, or compartment, or precedence which does not exactly match the level, and compartment, and precedence requested for the connection,a reset is sent and connection goes to the CLOSED state. The reset takes its sequence number from the ACK field of the incoming segment.
Best Answer
This is the initiation of the 3-way handshake. but the scanner has no intend to complete it. This means it receives the SYN+ACK from the target (now knowing it's there), but never sends the final ACK itself (maintaining stealth).