During a recent class, I received a question related to ACK scans. "What Sequence Number would you see on the response to an ACK scan?" Great question. Let's take a look at both RFC 9293 and a trace of an ACK scan.
ACK scans are TCP-based scans that are not meant to identify listening services or open connections on a target. ACK scans are used to determine whether a target system is up and responding.
It doesn't matter what port ACK scans are sent to. Since the connection has not been established via the three-way handshake, the response to an ACK scan should be a TCP Reset.
Download an ACK Scan Trace File
Download sec-nmapregularscan24.pcapng and take a look at Frame 3. That is an ACK scan packet. Peer A (10.0.0.57) sent an ACK to port 80 on Peer B (45.33.32.156). We didn't miss capturing the three-way handshake; there was no three-way handshake to establish a connection on these ports before this packet. This is an Nmap regular scan.
Examine the ACK Scan Packet
In Frame 3, to the left of the TCP summary line, click > to expand the TCP header.
Check out this ACK packet - notice the Sequence and Acknowledgment Numbers in Frame 3.
Sequence Number (raw): 0
Acknowledgment Number (raw): 1688311794
Seeing the Sequence Number (raw) field set to 0 is suspicious.
So back to the student's question - "What Sequence Number would you see on the response to an ACK scan?"
What Does RFC 9293 State?
First, let's peek at RFC 9293. Section 3.5.2, Reset Generation, states:
There are three groups of states:
If the connection does not exist (CLOSED), then a reset is sent in response to any incoming segment except another reset. A SYN segment that does not match an existing connection is rejected by this means.
If the incoming segment has the ACK bit set, the reset takes its sequence number from the ACK field of the segment; otherwise, the reset has sequence number zero and the ACK field is set to the sum of the sequence number and segment length of the incoming segment. The connection remains in the CLOSED state.
Examine the ACK Scan Response Packet
Based on RFC 9293 and the incoming ACK, the Reset should take the incoming Acknowledgment Number field value (in this case 1688311794) and use that for its outbound Sequence Number.
And there it is - the Reset packet uses Sequence Number 1688311794 based on the incoming ACK field, just as RFC 9293 defined.
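To make the RFC 9293 rule concrete, here is an added Python example (not from the original post or the trace file) that computes the Reset a CLOSED port must send for any incoming segment and compares it against an observed Reset. The TCP header bytes are constructed to mirror Frame 3 (destination port 80, Sequence Number 0, Acknowledgment Number 1688311794, ACK flag only); the source port and window are made up.

```python
"""Expected RST from a CLOSED port per RFC 9293 section 3.5.2, Reset Generation."""
import struct
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class TcpSegment:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload_len: int = 0

    @property
    def seg_len(self) -> int:
        # SEG.LEN counts payload bytes plus one each for SYN and FIN.
        return self.payload_len + bool(self.flags & TCP_SYN) + bool(self.flags & TCP_FIN)


def parse_tcp(data: bytes) -> TcpSegment:
    """Parse a raw TCP header (options are skipped) into a TcpSegment."""
    sport, dport, seq, ack, off_res, flags, _win, _csum, _urp = struct.unpack("!HHIIBBHHH", data[:20])
    hdr_len = (off_res >> 4) * 4
    return TcpSegment(sport, dport, seq, ack, flags, len(data) - hdr_len)


def expected_reset(seg: TcpSegment) -> TcpSegment:
    """Reset a CLOSED port sends in response to any incoming segment except a reset."""
    if seg.flags & TCP_RST:
        raise ValueError("a reset is never answered with a reset")
    if seg.flags & TCP_ACK:
        # Incoming ACK bit set: <SEQ=SEG.ACK><CTL=RST>, no ACK flag on the reset.
        return TcpSegment(seg.dport, seg.sport, seq=seg.ack, ack=0, flags=TCP_RST)
    # Otherwise: <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
    return TcpSegment(seg.dport, seg.sport, seq=0,
                      ack=(seg.seq + seg.seg_len) & 0xFFFFFFFF, flags=TCP_RST | TCP_ACK)


def reset_matches(stimulus: TcpSegment, observed: TcpSegment) -> bool:
    """True when an observed RST carries the sequence/ack values the RFC requires."""
    exp = expected_reset(stimulus)
    if (observed.flags & (TCP_RST | TCP_ACK)) != exp.flags or observed.seq != exp.seq:
        return False
    return not (exp.flags & TCP_ACK) or observed.ack == exp.ack


# Constructed header mirroring Frame 3: sport 40000 (made up), dport 80, seq 0,
# ack 1688311794, data offset 5 (20-byte header), ACK flag only, window 1024.
ACK_SCAN_FRAME = struct.pack("!HHIIBBHHH", 40000, 80, 0, 1688311794, 5 << 4, TCP_ACK, 1024, 0, 0)

if __name__ == "__main__":
    rst = expected_reset(parse_tcp(ACK_SCAN_FRAME))
    print(f"expected RST: seq={rst.seq} ack={rst.ack}")  # seq=1688311794 ack=0
```

Feeding the same function a SYN probe shows the other branch of the rule: the Reset carries Sequence Number 0 and acknowledges the SYN's sequence number plus one.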
Cheers!