Advanced | 25 min

JA4TScan - TCP Scan Detection

JA4TScan extends JA4T to detect and classify network scanning tools like Nmap, Masscan, and Zmap by analyzing their distinctive TCP SYN packet characteristics.

Prerequisites

  • JA4T and JA4TS labs completed
  • Familiarity with network scanning concepts

How Scanners Differ

Network scanners generate TCP SYN packets with distinctive characteristics that differ from normal operating system behavior. Scanners like Nmap, Masscan, and Zmap each have unique TCP window sizes, option sets, and MSS values that serve as reliable signatures.

Why Scanners Have Unique Fingerprints
Scanning tools implement their own TCP stacks or use raw sockets, bypassing the OS kernel. This means their SYN packets have characteristics that no legitimate OS would produce.

Known Scanner Fingerprints

  Fingerprint      Tool                  Notes
  1024_2_1460      Nmap SYN scan         Default Nmap settings
  1024_2_1460_0    Nmap -sS (stealth)    No window scaling
  1_0_1460         Masscan               Window size of 1, no options
  65535_0_0        Zmap                  Max window, no MSS
  0_0_0            Custom scanner        Zero-value SYN

Detection Commands

Detect scanners in pcap
# Find SYN packets with scanner-like characteristics
# (the ja4t.hash field comes from the JA4 dissector plugin, which must be loaded in tshark)
tshark -r capture.pcap \
  -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size_value <= 1024" \
  -T fields -e ip.src -e tcp.window_size_value -e ja4t.hash

# Flag Masscan (window size = 1)
tshark -r capture.pcap \
  -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size_value == 1" \
  -T fields -e ip.src -e tcp.dstport | sort | uniq -c

# Detect port scanning by SYN rate per source
tshark -r capture.pcap \
  -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
  -T fields -e ip.src | sort | uniq -c | sort -rn | head -20

High-Rate SYN Detection
Scanners send hundreds or thousands of SYN packets per second. Combining JA4TScan fingerprint matching with rate analysis provides the most reliable scanner detection.
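The following is an added example for this lab (it is not code from the JA4 project or from the tshark filters above) that does in Python what the two ideas on this page describe together: it parses raw TCP SYN segments into a window_options_mss fingerprint, matches it against the scanner table above, and combines that with a per-source SYN rate. Two assumptions are built in: the trailing window-scale field of full JA4T is dropped so that fingerprints compare directly against the three-field strings in the table, and the 100 SYN/s rate threshold is an arbitrary choice for the demonstration. All packets and addresses are constructed inline; no live capture is read.

```python
# Added example for this lab, not JA4 project code. Parses bare TCP SYN segments,
# builds a window_options_mss fingerprint and combines it with a per-source SYN rate.
import struct
from collections import Counter, defaultdict

# Signature table copied from this lab. Assumption: the window-scale field of
# full JA4T is dropped so fingerprints match these three-field strings.
KNOWN_SCANNERS = {
    "1024_2_1460": "Nmap SYN scan",
    "1_0_1460": "Masscan",
    "65535_0_0": "Zmap",
    "0_0_0": "Custom scanner",
}

def parse_tcp_options(opts):
    """Walk the TCP options area; return (option kinds in order, MSS, window scale)."""
    kinds, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP is a single byte
            kinds.append(1)
            i += 1
            continue
        if i + 1 >= len(opts):             # kind present but length byte missing
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                          # malformed length: stop rather than loop
        kinds.append(kind)
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:
            wscale = opts[i + 2]
        i += length
    return kinds, mss, wscale

def tcp_fingerprint(segment):
    """Parse a raw TCP segment. Returns fingerprint details for SYN-only segments
    (SYN set, ACK clear) and None for anything else or for truncated input."""
    if len(segment) < 20:
        return None
    _sp, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if not (flags & 0x02) or (flags & 0x10):
        return None
    kinds, mss, wscale = parse_tcp_options(segment[20:data_offset])
    opts = "-".join(str(k) for k in kinds) if kinds else "0"
    return {"dport": dport, "window": window, "mss": mss, "wscale": wscale,
            "fingerprint": f"{window}_{opts}_{mss or 0}"}

def analyze(packets, rate_threshold=100.0):
    """packets: iterable of (timestamp_seconds, src_ip, raw_tcp_segment).
    A source is flagged when its dominant fingerprint is a known scanner or its
    SYN rate reaches rate_threshold (assumed 100 SYN/s for this example)."""
    per_src = defaultdict(lambda: {"n": 0, "first": None, "last": None, "fps": Counter()})
    for ts, src, seg in packets:
        info = tcp_fingerprint(seg)
        if info is None:
            continue                       # only bare SYNs are fingerprinted
        s = per_src[src]
        s["n"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["fps"][info["fingerprint"]] += 1
    verdicts = {}
    for src, s in per_src.items():
        span = max(s["last"] - s["first"], 1.0)   # floor at 1 s so a lone SYN is 1 SYN/s
        rate = s["n"] / span
        fp = s["fps"].most_common(1)[0][0]
        tool = KNOWN_SCANNERS.get(fp)
        verdicts[src] = {"syn_count": s["n"], "syn_rate": rate, "fingerprint": fp,
                         "tool": tool, "suspicious": tool is not None or rate >= rate_threshold}
    return verdicts

def build_syn(sport, dport, window, options=b"", flags=0x02):
    """Construct a raw TCP segment as test input (checksum left at zero)."""
    assert len(options) % 4 == 0, "options must pad to a 32-bit boundary"
    off_flags = (((20 + len(options)) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, window, 0, 0) + options

MSS_1460 = b"\x02\x04\x05\xb4"
# MSS, SACK-permitted, timestamps, NOP, window scale 7: a typical Linux client SYN
LINUX_OPTS = MSS_1460 + b"\x04\x02" + b"\x08\x0a" + bytes(8) + b"\x01" + b"\x03\x03\x07"

def sample_packets():
    """Constructed traffic: a 200 SYN/s sweep with Nmap-like options, one Zmap-like
    probe, one zero-value SYN, and an ordinary client's three connections."""
    pkts = [(100.0 + i / 200, "10.0.0.5", build_syn(40000 + i, 1 + i, 1024, MSS_1460))
            for i in range(200)]
    pkts.append((101.0, "198.51.100.7", build_syn(50000, 443, 65535)))
    pkts.append((102.0, "203.0.113.4", build_syn(1, 80, 0)))
    pkts += [(100.0 + 15 * i, "10.0.0.9", build_syn(51000 + i, 443, 64240, LINUX_OPTS))
             for i in range(3)]
    return pkts

if __name__ == "__main__":
    for src, v in analyze(sample_packets()).items():
        print(f"{src:15} {v['fingerprint']:22} rate={v['syn_rate']:7.1f}/s "
              f"tool={v['tool']} suspicious={v['suspicious']}")
```

Run as a script it prints one verdict per source: the 1024-window host is named by fingerprint and also exceeds the rate threshold, the 65535-window and zero-window hosts are named by fingerprint alone, and the ordinary client with a full option set and a low rate is left unflagged. To apply this to a real capture, feed it (timestamp, source, TCP payload) tuples from your pcap reader; the option parser already stops on truncated or malformed option lengths rather than looping.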

Hands-On Exercise

Step 1: Generate Scan Traffic (lab environment only)

# In a controlled lab environment:
nmap -sS -T4 target_ip
masscan target_ip -p 1-1000 --rate 100

Step 2: Capture and Analyze

tshark -r scan_traffic.pcap \
  -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
  -T fields -e ip.src -e tcp.window_size_value -e tcp.options.mss_val -e ja4t.hash | head -20

Step 3: Classify the Scanner

Match the extracted JA4T fingerprints against the known scanner signatures above. Can you identify which tool was used for each scan?

Lab Complete
You can now detect network scanners passively. Next, explore JA4SSH for SSH traffic analysis.