A Complete Users Guide To Port Scanning
By: C0ldPhaTe

Introduction:
Many people overlook the importance of a port scanner. Although almost every hacker and script kiddie has one in their toolbox, many don't understand the different types of port scanning. So I'm writing this tutorial on port scanning to give a complete listing of the different types of scans and exactly how each type of scan is used. It's always important to remember that you can also use port scanning for banner grabbing, so it's good to know exactly what each type of port scan does.

Port Scanning:
Port scanning is the process of connecting to TCP and UDP ports on a target system to determine what services are running or in a LISTENING state. Identifying listening ports is critical to determining the type of operating system and applications in use. Active services that are listening may allow an unauthorized user to gain access to systems that are misconfigured or running a version of software known to have security vulnerabilities.

Different Port Scanning Types:
TCP Connect Scan – This type of scan connects to the target port and completes a full three-way handshake (SYN, SYN/ACK, and ACK). It is easily detected by the target system.
TCP SYN Scan – This technique is called half-open scanning because a full TCP connection is not made. Instead, a SYN packet is sent to the target port. If a SYN/ACK is received from the target port, we can deduce that it is in the LISTENING state. If an RST/ACK is received, it usually means that the port is not in the LISTENING state. An RST/ACK is then sent by the system performing the port scan so that a full connection is never established. This technique has the advantage of being stealthier than a full TCP connect scan and may not be logged by the target system.
TCP FIN Scan – This technique sends a FIN packet to the target port. The target system should send back an RST for all closed ports. This technique usually only works on a UNIX-based TCP/IP stack.
TCP Xmas Tree Scan – This technique sends a packet with the FIN, URG, and PUSH flags set to the target port. Based on RFC 793, the target system should send back an RST for all closed ports.
TCP Null Scan – This technique turns off all flags. Based on RFC 793, the target system should send back an RST for all closed ports.
TCP ACK Scan – This technique is used to map out firewall rulesets. It can help determine whether the firewall is a simple packet filter allowing only established connections (connections with the ACK bit set) or a stateful firewall that performs advanced packet filtering.
TCP Window Scan – This technique may detect open as well as filtered/nonfiltered ports on some systems (such as AIX and FreeBSD) due to an anomaly in the way the TCP window size is reported.
TCP RPC Scan – This technique is specific to UNIX systems and is used to detect and identify Remote Procedure Call (RPC) ports and their associated program and version numbers.
UDP Scan – This technique sends a UDP packet to the target port. If the target port responds with an "ICMP port unreachable" message, the port is closed. Conversely, if we don't receive an "ICMP port unreachable" message, we can deduce that the port is open. Since UDP is a connectionless protocol, the accuracy of this technique depends heavily on many factors related to the utilization of network and system resources. In addition, UDP scanning is a very slow process if you are trying to scan a device that employs heavy packet filtering. If you plan on doing UDP scans over the Internet, be ready for unreliable results.

Active Stack Fingerprinting:
Stack fingerprinting is an extremely powerful technique that allows you to quickly ascertain each host's operating system with a high degree of probability. Essentially, there are many nuances that vary between one vendor's Internet Protocol (IP) stack implementation and another's.
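Before moving on to fingerprinting, here is how a defender can put the flag combinations listed above to use: classify each client-to-server flow by the flags it carried, then raise an alert when one source touches many ports on one host. This is an added example and not code from the original tutorial; the record format, the hosts, and the threshold of five ports are constructed here for illustration.

```python
from collections import defaultdict

# TCP flag bits as laid out in RFC 793 (URG, ACK, PSH, RST, SYN, FIN).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MASK = FIN | SYN | RST | PSH | ACK | URG

def classify_flow(flag_bytes):
    """Name the scan type a client-side flow looks like, given every TCP flag byte
    one source sent to one dst:port. 'connect' means the handshake was completed."""
    sent = {f & MASK for f in flag_bytes}
    if SYN in sent and sent <= {SYN, RST, RST | ACK}:
        return "syn"        # half-open: SYN, then at most a RST (or RST/ACK) to tear it down
    if SYN in sent and any(f & ACK for f in sent):
        return "connect"    # SYN followed by the client's ACK: full three-way handshake
    if sent == {FIN}:
        return "fin"
    if sent == {FIN | URG | PSH}:
        return "xmas"       # FIN, URG and PUSH lit up together
    if sent == {0}:
        return "null"       # every flag cleared
    if sent == {ACK}:
        return "ack"        # bare ACK with no SYN first: firewall-ruleset mapping probe
    return "other"

def detect_scans(records, port_threshold=5):
    """records: iterable of (src, dst, dport, tcp_flags) client-to-server packets.
    Returns {(src, dst): {scan_type: port_count}} for sources that reached
    at least port_threshold distinct ports on one host."""
    flows = defaultdict(list)
    for src, dst, dport, flags in records:
        flows[(src, dst, dport)].append(flags)
    hits = defaultdict(lambda: defaultdict(int))
    for (src, dst, dport), sent in flows.items():
        kind = classify_flow(sent)
        if kind != "other":
            hits[(src, dst)][kind] += 1
    # A lone SYN to a refused port also reads as 'syn'; the threshold over
    # distinct ports is what separates a sweep from one failed connection.
    return {k: dict(v) for k, v in hits.items() if sum(v.values()) >= port_threshold}

def sample_records():
    """Constructed traffic: one real session, one half-open scan and one Xmas scan."""
    recs = [("10.0.0.5", "10.0.0.20", 22, SYN), ("10.0.0.5", "10.0.0.20", 22, ACK),
            ("10.0.0.5", "10.0.0.20", 22, PSH | ACK)]
    for port in (21, 22, 23, 25, 80, 443):     # SYN scan: SYN sent, then RST/ACK back
        recs += [("10.0.0.9", "10.0.0.20", port, SYN),
                 ("10.0.0.9", "10.0.0.20", port, RST | ACK)]
    for port in (135, 139, 445, 3389, 8080):   # Xmas scan: FIN+URG+PSH and no follow-up
        recs.append(("10.0.0.13", "10.0.0.20", port, FIN | URG | PSH))
    return recs
```

Only the client's side of each flow is examined, so the legitimate session to port 22 stays below the threshold while the two sweeps are reported with the scan type they match.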
Vendors often interpret specific RFC guidance differently when writing their TCP/IP stack. Thus, by probing for these differences, we can begin to make an educated guess about the operating system in use. For maximum reliability, stack fingerprinting generally requires at least one listening port.

Passive Stack Fingerprinting:
Passive stack fingerprinting is similar in concept to active stack fingerprinting. Instead of sending packets to the target system, however, an attacker passively monitors the network traffic to determine the operating system in use. Thus, by monitoring network traffic between various systems, we can determine the operating systems on a network.

Passive Signatures:
Various signatures can be used to identify an operating system. Below are several associated with a TCP/IP session.
TTL – What does the operating system set as the time to live on outbound packets?
Window Size – What does the operating system set as the window size?
DF – Does the operating system set the Don't Fragment bit?

Probes Used To Figure Out Target Operating Systems:
FIN Probe – A FIN packet is sent to an open port. As mentioned, RFC 793 states that the correct behavior is not to respond. However, many stack implementations (such as Windows NT) will respond with a FIN/ACK.
Bogus Flag Probe – An undefined TCP flag is set in the TCP header of a SYN packet. Some operating systems (such as Linux) will respond with the same flag set in their response packet.
Initial Sequence Number (ISN) Sampling – The basic premise is to find a pattern in the initial sequence numbers chosen by the TCP implementation when responding to a connection request.
Don't Fragment Bit Monitoring – Some operating systems will set the Don't Fragment bit to enhance performance. This bit can be monitored to determine what types of operating systems exhibit this behavior.
TCP Initial Window Size – The initial window size on returned packets is tracked. For some stack implementations this size is unique and can greatly add to the accuracy of the fingerprinting mechanism.
ACK Value – IP stacks differ in the sequence value used for the ACK field, so some implementations will send back the sequence number you sent, and others will send back that sequence number plus one.
ICMP Error Message Quenching – Operating systems may follow RFC 1812 and limit the rate at which error messages are sent. By sending UDP packets to some random high-numbered ports, you can count the number of unreachable messages received within a given amount of time.
ICMP Message Quoting – Operating systems differ in the amount of information that is quoted when ICMP errors are encountered. By examining the quoted message, you might be able to make some assumptions about the target operating system.
Type Of Service (TOS) – For "ICMP port unreachable" messages, the TOS is examined. Most stack implementations use 0, but this can vary.
Fragmentation Handling – Different stacks handle overlapping fragments differently. Some stacks will overwrite the old data with new data, and vice versa.
TCP Options – By sending a packet with multiple options set, such as no operation, maximum segment size, window scale factor and timestamps, it is possible to make some assumptions about the target system.

Conclusion:
I hope you found this tutorial on port scanning helpful. It's always important to have a good understanding of the techniques used to gain vital information on target hosts or operating systems. If you, the attacker, don't have a good understanding of the tools you're using, then you shouldn't be using them. Remember that some Intrusion Detection Systems (IDS) might pick up port scanning attempts, so it's important to always block your host IP address. This will help you stay anonymous on the Internet. If you have any questions or would like to contact me, you can do so through one of the contacts listed below.
mIRC: irc.dal.net #Antilamer, #cctc, #h4ckerz, #crystalz, #hackalot, #Hackfest, #Hack-i, #Hacku
E-Mail: gbrooks@mcintoshstudent.com
AOL IM: Myst1kal One

Other Documents I Have Written:
In Depth Guide To Hacking Windows Using NetBIOS – February 7, 2003
A Complete Users Guide To Port Scanning – February 06, 2003
A Quick Unix Command Guide – January 30, 2003
A Definitive Trojan Port Listing – January 30, 2003
Basics On How To Identify A Firewall – January 23, 2003
The Common Gateway Interface (CGI) – November 28, 2002
Microsoft IIS Unicode Exploit Explained – November 13, 2002