A Complete Users Guide To Port Scanning

By: C0ldPhaTe
Introduction:
Many people overlook the importance of a port scanner. Although almost every hacker and script kiddie has
one in their toolbox, many don't understand the different types of port scanning. So I'm writing this
tutorial on port scanning to give a complete listing of the different types of scans and a description of exactly
how each type of scan is used. It's always important to remember that you can also use port scanning for
banner grabbing, so it's good to have a solid knowledge of exactly what each type of port scan does.
Port Scanning: Port scanning is the process of connecting to TCP and UDP ports on a target system to
determine what services are running or in a LISTENING state. Identifying listening ports is critical to
determining the type of operating system and applications in use. Active services that are listening may allow
an unauthorized user to gain access to systems that are misconfigured or running a version of software
known to have security vulnerabilities.
Different Port Scanning Types:
TCP Connect Scan – This type of scan connects to the target port and completes a full three-way
handshake (SYN, SYN/ACK, and ACK). It's easily detected by the target system.
TCP SYN Scan – This technique is called half-open scanning because a full TCP connection is not made.
Instead, a SYN packet is sent to the target port. If a SYN/ACK is received from the target port, we can
deduce that it is in the LISTENING state. If an RST/ACK is received, it usually means that the port is
not in the LISTENING state. An RST/ACK is then sent by the system performing the port scan so that a
full connection is never established. This technique has the advantage of being stealthier than a full TCP
Connect scan, and may not be logged by the target system.
TCP FIN Scan – This technique sends a FIN packet to the target port. The target system should send back
an RST for all closed ports. This technique usually only works on a UNIX-based TCP/IP stack.
TCP Xmas Tree Scan – This technique sends a packet with the FIN, URG, and PUSH flags set to the target
port. Based on RFC 793, the target system should send back an RST for all closed ports.
TCP Null Scan – This technique turns off all flags. Based on RFC 793, the target system should send back
an RST for all closed ports.
TCP ACK Scan – This technique is used to map out firewall rulesets. It can help determine if the firewall
is a simple packet filter allowing only established connections (connections with the ACK bit set) or a
stateful firewall that is performing advanced packet filtering.
TCP Window Scan – This technique may detect open as well as filtered/nonfiltered ports on some systems
(AIX and FreeBSD) due to an anomaly in the way the TCP window size is reported.
TCP RPC Scan – This technique is specific to UNIX systems and is used to detect and identify Remote
Procedure Call (RPC) ports and their associated program and version numbers.
UDP Scan – This technique sends a UDP packet to the target port. If the target port responds with an
"ICMP port unreachable" message, the port is closed. Conversely, if we don't receive an "ICMP port
unreachable" message, we can deduce the port is open. Since UDP is a connectionless protocol,
the accuracy of this technique is highly dependent on many factors related to the utilization of network and
system resources. In addition, UDP scanning is a very slow process if you are trying to scan a device that
employs heavy packet filtering. If you plan on doing UDP scans over the Internet, be ready for unreliable
results.
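The scan types above are distinguished entirely by which TCP flags are set in the probe and by how the reply (or silence) is read. The following example, added here and not part of the original tutorial, parses the flags byte out of a raw 20-byte TCP header, names the probe type, marks the flag combinations that never open a legitimate session (Null, Xmas, bare FIN) so an IDS can alert on them, and maps each reply to the port state the text describes. The header bytes are constructed in the block; `make_tcp_header`, `classify_probe` and `port_state` are hypothetical helper names, not any tool's API.

```python
import struct
from collections import Counter
from typing import Optional

# TCP flag bits as laid out in RFC 793 (byte 13 of the header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def make_tcp_header(flags: int, sport: int = 40000, dport: int = 80, window: int = 1024) -> bytes:
    """Build a constructed 20-byte TCP header (data offset 5, no options, checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)


def classify_probe(tcp_header: bytes) -> str:
    """Name the scan type an inbound segment most resembles, from its flags byte alone."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    flags = tcp_header[13] & 0x3F  # ignore the later ECN bits (CWR/ECE)
    if flags == 0:
        return "null"
    if flags == FIN | URG | PSH:
        return "xmas"
    if flags == FIN:
        return "fin"
    if flags == SYN:
        return "syn"  # half-open scan, but also the first packet of any normal connection
    if flags == ACK:
        return "ack"  # firewall ruleset mapping, or a stray ACK from an old session
    return "other"


def is_suspicious_probe(scan_type: str) -> bool:
    """Null, Xmas and bare-FIN segments never start a real TCP session, so they are safe to alert on.

    A lone SYN or ACK is ambiguous on its own and needs rate/breadth context before alerting.
    """
    return scan_type in {"null", "xmas", "fin"}


def port_state(scan_type: str, response: Optional[str]) -> str:
    """Map the target's reply to a port state.

    response is one of "SYN/ACK", "RST", "RST/ACK", "ICMP port unreachable", or None for silence.
    """
    reset = response in ("RST", "RST/ACK")
    if scan_type in ("connect", "syn"):
        if response == "SYN/ACK":
            return "listening"
        return "closed" if reset else "filtered"  # silence: a filter dropped the probe or the reply
    if scan_type in ("fin", "xmas", "null"):
        # RFC 793 stacks answer closed ports with RST and stay silent on open ones,
        # but a firewall dropping the probe looks identical to an open port.
        return "closed" if reset else "open|filtered"
    if scan_type == "ack":
        # A stateless filter lets the bare ACK through and the host answers RST;
        # a stateful firewall drops it because it belongs to no tracked connection.
        return "unfiltered" if reset else "filtered"
    if scan_type == "udp":
        return "closed" if response == "ICMP port unreachable" else "open|filtered"
    raise ValueError(f"unknown scan type: {scan_type}")


def audit_headers(headers) -> Counter:
    """Count probe types over a batch of captured TCP headers (an IDS-style summary)."""
    return Counter(classify_probe(h) for h in headers)


if __name__ == "__main__":
    # Constructed sample: one Xmas probe, one Null probe, two ordinary SYNs and a SYN/ACK reply.
    sample = [
        make_tcp_header(FIN | URG | PSH),
        make_tcp_header(0),
        make_tcp_header(SYN),
        make_tcp_header(SYN, dport=22),
        make_tcp_header(SYN | ACK),
    ]
    counts = audit_headers(sample)
    for kind, n in counts.items():
        flag = "ALERT" if is_suspicious_probe(kind) else "ok"
        print(f"{kind:6s} x{n}  {flag}")
    print("syn scan, SYN/ACK back ->", port_state("syn", "SYN/ACK"))
    print("xmas scan, no reply     ->", port_state("xmas", None))
```

Note that the UDP case returns "open|filtered" rather than the plain "open" of the text: the text's own caveat about heavy packet filtering is exactly why silence cannot distinguish an open UDP port from a dropped probe, and the rate limiting of ICMP errors discussed later makes the answer even less certain.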
Active Stack Fingerprinting: Stack fingerprinting is an extremely powerful technique that allows you to
quickly ascertain each host's operating system with a high degree of probability. Essentially, there are many
nuances that vary between one vendor's Internet Protocol (IP) stack implementation and another's. Vendors
often interpret specific RFC guidance differently when writing their TCP/IP stack. Thus, by probing for
these differences, we can begin to make an educated guess about the operating system in use. For
maximum reliability, stack fingerprinting generally requires at least one listening port.
Passive Stack Fingerprinting: Passive stack fingerprinting is similar in concept to active stack
fingerprinting. Instead of sending packets to the target system, however, an attacker passively monitors the
network traffic to determine the operating system in use. Thus, by monitoring network traffic between
various systems, we can determine the operating systems on a network.
Passive Signatures: Various signatures can be used to identify an operating system. Below are several
associated with a TCP / IP session.
TTL – What does the operating system set as time to live on outbound packets?
Window Size – What does the operating system set as the Window Size?
DF – Does the operating system set the Don’t Fragment Bit?
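The three passive signatures above (TTL, window size, DF bit) can be read straight out of the IP and TCP headers of any captured packet, which is why the same technique serves a defender doing asset inventory or spotting an unexpected operating system on a segment. The example below is added here and is not from the tutorial: it parses those three fields from a constructed IPv4+TCP packet, rounds the observed TTL up to the nearest common initial TTL (32, 64, 128 or 255, since each router hop decrements it by one, so the difference is also a hop-count estimate), and looks the triple up in a small signature table. The table entries are illustrative values I constructed for the demonstration, not a real fingerprint database; only the default initial TTLs (64 for Linux, 128 for Windows, 255 for Solaris and Cisco) are actual stack defaults. `parse_ipv4_tcp`, `initial_ttl`, `fingerprint` and `make_packet` are hypothetical helper names.

```python
import struct

# Constructed, illustrative signature table: (initial TTL, DF bit, TCP window) -> label.
# Real passive tools carry hundreds of entries; these exist only to show the matching step.
SIGNATURES = {
    (64, True, 5840): "Linux-like (TTL 64 family, DF set, window 5840)",
    (128, True, 65535): "Windows-like (TTL 128 family, DF set, window 65535)",
    (255, False, 8760): "Solaris/Cisco-like (TTL 255 family, no DF, window 8760)",
}


def parse_ipv4_tcp(packet: bytes):
    """Return (ttl, df, tcp_window) from a raw IPv4 packet carrying TCP."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes (options included)
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    df = bool(flags_frag & 0x4000)          # Don't Fragment is bit 14 of the flags/fragment field
    ttl = packet[8]
    if packet[9] != 6:
        raise ValueError("IP payload is not TCP")
    window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]  # TCP window is bytes 14-15 of TCP header
    return ttl, df, window


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common starting value."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255  # unreachable: TTL is an 8-bit field


def fingerprint(packet: bytes) -> dict:
    """Passively guess the sender's OS family from TTL, DF and window of one packet."""
    ttl, df, window = parse_ipv4_tcp(packet)
    start = initial_ttl(ttl)
    guess = SIGNATURES.get((start, df, window), f"unknown (initial TTL {start} family)")
    return {
        "observed_ttl": ttl,
        "initial_ttl": start,
        "hops": start - ttl,   # how many routers the packet crossed, if the rounding is right
        "df": df,
        "window": window,
        "guess": guess,
    }


def make_packet(ttl: int, df: bool, window: int) -> bytes:
    """Construct a minimal IPv4 + TCP SYN packet with the given header values (checksums left zero)."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 50]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # Constructed capture: a Linux-like host 12 hops away, and a host the table does not know.
    for pkt in (make_packet(52, True, 5840), make_packet(120, True, 9999)):
        print(fingerprint(pkt))
```

Two caveats a practitioner will hit: the TTL rounding breaks when a path is longer than 32 hops or a middlebox rewrites TTL, and both DF and the initial window are tunable by administrators, so a lone match is a hint to confirm against other signatures (the TCP options and ISN behaviour discussed below), not proof.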
Probes Used To Figure Out Target Operating Systems:
FIN Probe – A FIN packet is sent to an open port. As mentioned, RFC 793 states that the correct behavior
is not to respond. However, many stack implementations (such as Windows NT) will respond with a
FIN/ACK.
Bogus Flag Probe – An undefined TCP flag is set in the TCP header of a SYN packet. Some operating
systems (such as Linux) will respond with the same flag set in their response packet.
Initial Sequence Number (ISN) Sampling – The basic premise is to find a pattern in the initial sequence
numbers chosen by the TCP implementation when responding to a connection request.
Don't Fragment Bit Monitoring – Some operating systems will set the "Don't Fragment" bit to enhance
performance. This bit can be monitored to determine which types of operating systems exhibit this behavior.
TCP Initial Window Size – The initial window size on returned packets is tracked. For some stack
implementations, this size is unique and can greatly add to the accuracy of the fingerprinting mechanism.
ACK Value – Internet Protocol (IP) stacks differ in the sequence value used for the ACK field, so some
implementations will send back the sequence number you sent, and others will send back that sequence
number + 1.
ICMP Error Message Quenching – Operating systems may follow RFC 1812 and limit the rate at which error
messages are sent. By sending UDP packets to some random high-numbered ports, you can count the
number of unreachable messages received within a given amount of time.
ICMP Message Quoting – Operating systems differ in the amount of information that is quoted when
ICMP errors are encountered. By examining the quoted message, you might be able to make some
assumptions on the target operating system.
Type Of Service (TOS) – For "ICMP port unreachable" messages, the TOS is examined. Most stack
implementations use 0, but this can vary.
Fragmentation Handling – Different stacks handle overlapping fragments differently. Some stacks will
overwrite the old data with new data and vice versa.
TCP Options – By sending a packet with multiple options set, such as no operation, maximum segment
size, window scale factor and timestamps, it is possible to make some assumptions about the target system.
Conclusion:
I hope you found this tutorial on port scanning helpful. It's always important to have a good understanding
of the techniques used to gain vital information on target hosts or operating systems. If you, the attacker, don't
have a good understanding of the tools you're using, then you shouldn't be using them. Remember that some
Intrusion Detection Systems (IDS) might pick up port scanning attempts, so it's important to always block
your host Internet Protocol (IP) address. This will help you stay anonymous on the Internet. If you have any
questions or would like to contact me, you can do so through one of the contacts listed below.
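The conclusion notes that an IDS may pick up port scanning attempts. The scan types earlier in the text show why the simplest detection works: a single source touching many distinct destination ports in a short window is the signature of every scan type listed, whatever flags it uses. The following example is added here and is not part of the tutorial; it runs a sliding-window breadth check over constructed firewall-style log lines (the format, threshold and the `detect_scans` / `parse_line` names are my own assumptions, not any product's).

```python
from collections import defaultdict, deque
from datetime import datetime

# Tunables: alert when one source hits this many distinct destination ports within the window.
# Threshold and window are example values; a real deployment tunes them per segment.
THRESHOLD_PORTS = 10
WINDOW_SECONDS = 60


def parse_line(line: str) -> dict:
    """Parse a constructed 'TIMESTAMP key=value ...' connection-log line."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "ts": datetime.fromisoformat(ts_str).timestamp(),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "flags": fields.get("flags", ""),
    }


def detect_scans(lines, threshold: int = THRESHOLD_PORTS, window: int = WINDOW_SECONDS):
    """Return one alert per source that probes >= threshold distinct ports inside any window."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> deque of (timestamp, dport) inside the window
    alerted = set()
    alerts = []
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "at": ev["ts"], "ports": len(distinct)})
    return alerts


# Constructed sample log: one host sweeping 20 consecutive ports in 20 seconds, and one
# ordinary client making three connections to well-known services.
SAMPLE_LOG = [
    f"2003-02-06T10:00:{i:02d} src=192.0.2.10 dst=192.0.2.50 dport={20 + i} proto=tcp flags=S"
    for i in range(20)
] + [
    "2003-02-06T10:00:03 src=192.0.2.20 dst=192.0.2.50 dport=80 proto=tcp flags=S",
    "2003-02-06T10:00:07 src=192.0.2.20 dst=192.0.2.50 dport=443 proto=tcp flags=S",
    "2003-02-06T10:00:15 src=192.0.2.20 dst=192.0.2.50 dport=22 proto=tcp flags=S",
]

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        when = datetime.fromtimestamp(alert["at"]).isoformat()
        print(f"possible port scan from {alert['src']} at {when}: {alert['ports']} distinct ports")
```

Breadth counting catches connect, SYN, FIN, Xmas, Null and UDP sweeps alike, but a scanner that spreads probes over hours or across many source addresses stays under any fixed threshold, which is why this check is normally paired with per-packet flag anomalies and with a longer-term count of unanswered SYNs per source.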
MIRC: irc.dal.net #Antilamer, #cctc, #h4ckerz, #crystalz, #hackalot, #Hackfest, #Hack-i, #Hacku
E.Mail: gbrooks@mcintoshstudent.com
AOL IM: Myst1kal One
Other Documents I Have Written:
In-depth Guide To Hacking Windows Using NetBIOS – February 7, 2003
A complete users guide to port scanning – February 06, 2003
A Quick Unix Command Guide – January 30, 2003
A Definitive Trojan Port Listing – January 30, 2003
Basics On How To Identify A Firewall – January 23, 2003
The Common Gateway Interface (CGI) – November 28, 2002
Microsoft IIS Unicode Exploit Explained - November 13, 2002