September 13th, 2003, 10:51 AM
In search of the open port
As you will all already know, port scanning lets us find out which ports are open, and therefore which services are active. Nmap uses different scanning methods, among them the SYN scan, TCP connect(), the FIN scan and so on. Each of these methods requires root privileges, except TCP connect().
TCP CONNECT()
This is the simplest scanning technique, feasible with any program that attempts a connection to a host. If the connection succeeds, it means that the port is open. This technique is based on the TCP "THREE-WAY HANDSHAKE", which is illustrated below.
This technique is also the easiest to detect: any administrator who is not blind, and any intrusion detection system worthy of the name, would become suspicious on seeing the same host connect to a lot of ports.
# nmap -sT host
SYN SCAN (or Half-open scan)
This type of scan performs a "half connection".
A packet is sent with the SYN flag set: if the server responds with the SYN and ACK flags set, the port is open; the attacker then sends a packet with the RST flag, so the connection is never completed. If the server responds with the ACK and RST flags, the port is closed. Compared with the previous technique, this one has the advantage for the attacker that not all servers log connection attempts that did not complete.
# nmap -sS host
UDP SCAN
With this technique an attacker is able to find out which UDP ports are open. The operation is simple enough: the attacker sends a 0-byte UDP packet; if the port is open he will get no answer, otherwise he will receive an ICMP port unreachable packet. This type of scan is very slow, since many systems follow a suggestion contained in RFC 1812 that limits the rate of ICMP error messages. On Windows systems this problem does not arise, since Microsoft did not follow the suggestion, allowing the attacker a faster scan.
# nmap -sU host
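To make the three behaviours described so far concrete (a full connect() that the application sees and logs, a half-open SYN probe that is torn down before accept() and so usually leaves no application log, and a UDP probe slowed down by ICMP rate limiting), here is a toy model added for this post. It is not the author's code and not nmap: it simulates a single port in memory, with no network access. The class and function names, the one-second rate-limit window and the "open|filtered" label for silence are assumptions made for the example.

```python
# Added illustration (not from the original post and not nmap): an in-memory
# model of how one port answers the probes discussed above. All names and the
# rate-limit window are constructed for the example.

SYN, ACK, RST, FIN = "SYN", "ACK", "RST", "FIN"


class TcpPort:
    """RFC 793-style responder for one TCP port (open or closed)."""

    def __init__(self, number, is_open):
        self.number = number
        self.is_open = is_open
        self.half_open = set()   # peers that sent SYN and received SYN/ACK
        self.app_log = []        # what an application-level log would record

    def receive(self, peer, flags):
        flags = frozenset(flags)
        if flags == {SYN}:
            if not self.is_open:
                return {RST, ACK}                  # closed port refuses
            self.half_open.add(peer)
            return {SYN, ACK}                      # step 2 of the handshake
        if flags == {ACK} and peer in self.half_open:
            # step 3: accept() returns and the application records the client
            self.half_open.discard(peer)
            self.app_log.append(f"connection from {peer} to port {self.number}")
            return set()
        if RST in flags:
            self.half_open.discard(peer)           # torn down before accept()
            return set()
        if FIN in flags:
            return {ACK}                           # orderly close of a session
        return set()


def full_connect_probe(port, peer="client"):
    """connect(): complete the three-way handshake, then close politely."""
    if port.receive(peer, {SYN}) == {SYN, ACK}:
        port.receive(peer, {ACK})
        port.receive(peer, {FIN, ACK})
        return "open"
    return "closed"


def half_open_probe(port, peer="client"):
    """SYN probe: answer SYN/ACK with RST so the handshake never completes."""
    if port.receive(peer, {SYN}) == {SYN, ACK}:
        port.receive(peer, {RST})
        return "open"
    return "closed"


class UdpHost:
    """UDP ports on a host that rate-limits ICMP errors (the RFC 1812 advice).

    icmp_per_second caps the ICMP port-unreachable messages sent per one-second
    window (window length is an assumption); None models a host with no limit,
    as the post describes for Windows.
    """

    def __init__(self, open_ports, icmp_per_second):
        self.open_ports = set(open_ports)
        self.icmp_per_second = icmp_per_second
        self.sent_in_window = 0
        self.window_start = 0.0

    def receive_udp(self, number, now):
        """Return 'icmp-unreachable' for a closed port, or None for silence."""
        if number in self.open_ports:
            return None                            # per the post: open port, no answer
        if self.icmp_per_second is None:
            return "icmp-unreachable"
        if now - self.window_start >= 1.0:         # start a new one-second window
            self.window_start, self.sent_in_window = now, 0
        if self.sent_in_window >= self.icmp_per_second:
            return None                            # error suppressed: looks open
        self.sent_in_window += 1
        return "icmp-unreachable"


def udp_probe(host, number, now):
    """Classify a UDP port from one 0-byte probe sent at time `now` (seconds)."""
    return "closed" if host.receive_udp(number, now) else "open|filtered"


if __name__ == "__main__":
    svc = TcpPort(22, is_open=True)
    print(full_connect_probe(svc), svc.app_log)     # logged by the application
    svc = TcpPort(22, is_open=True)
    print(half_open_probe(svc), svc.app_log)        # nothing for the app to log
    host = UdpHost(open_ports={53}, icmp_per_second=2)
    print([udp_probe(host, p, 0.1 * i) for i, p in enumerate((100, 101, 102, 103))])
```

The UDP part shows why silence is ambiguous: once the host has used up its ICMP budget for the window, a closed port gives the same non-answer as an open one, so the probe has to slow down to the host's ICMP rate before the result can be trusted. On the TCP side, the only trace of the half-open probe is in the kernel (the SYN and the RST), which is why a firewall or IDS log, not the service's own log, is the place to look for it.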
WINDOW SCAN
The Window scan serves to determine whether a port is filtered or not, and even whether it is open.
This type of scan relies on an anomaly in the TCP window size. Among the systems vulnerable to this leak we find many BSD derivatives, but not only those: FreeBSD, NetBSD, OpenBSD, OS/2, MacOS, SunOS 4.x, Amiga, BeOS.
# nmap -sW host
Now we will analyze the more insidious scan methods: the FIN scan, the Xmas Tree and the Null scan. I say more insidious because it is harder for these to be logged. Like the preceding Window scan, these techniques do not work on Microsoft systems.
FIN SCAN
The attacker sends a packet with the FIN flag set: if the port is open the attacker will receive nothing; if instead the port is closed, the attacker will receive a packet with the RST flag set.
# nmap -sF host
XMAS TREE SCAN
This time three flags are set: FIN, URG, PUSH. If the attacker receives nothing, the port is open; if he receives a RST, the port is closed.
# nmap -sX host
NULL SCAN
The operation is identical to the two preceding ones (nothing = open; RST = closed): the packet that the attacker sends has no flag set at all.
# nmap -sN host
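Each of the TCP probes above has a fixed flag signature (SYN alone, FIN alone, FIN+URG+PSH, or no flags at all), and the post's own observation about connect() scans applies to all of them: what gives a scan away is one source touching many ports. The detector below is an added example for this post, not the author's code and not part of any IDS; it classifies packets from a small constructed log by flag set and reports sources that probed several distinct ports on one host. The log format (source, destination, destination port, flag letters) and the threshold are assumptions made for the example.

```python
# Added detection example (not from the original post): classify TCP probes by
# flag signature and flag sources that spread them across many ports.
# The packet log below is constructed; its record format is an assumption.
from collections import defaultdict

FLAG_LETTERS = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

# Flag sets of the probe types discussed in the post.
PROBE_SIGNATURES = {
    frozenset({"SYN"}): "syn",                 # half-open scan (-sS)
    frozenset({"FIN"}): "fin",                 # FIN scan (-sF)
    frozenset({"FIN", "PSH", "URG"}): "xmas",  # Xmas tree scan (-sX)
    frozenset(): "null",                       # Null scan (-sN)
}


def parse_flags(letters):
    """'FPU' -> {'FIN', 'PSH', 'URG'}; '' -> empty set (a NULL packet)."""
    return frozenset(FLAG_LETTERS[c] for c in letters.upper())


def classify(flags):
    """Name the probe type a packet's flag set matches, or None for other traffic."""
    return PROBE_SIGNATURES.get(frozenset(flags))


def find_scans(packets, min_ports=5):
    """Report (src, dst, probe type, port count) for every source that sent one
    probe type to at least `min_ports` distinct ports of one destination.

    A single SYN to one port is an ordinary connection attempt; the signal is the
    spread across ports, which is what an alert administrator or an IDS notices.
    The server's own replies (SYN/ACK, RST/ACK) never match a probe signature.
    """
    ports = defaultdict(set)
    for src, dst, dport, letters in packets:
        kind = classify(parse_flags(letters))
        if kind is not None:
            ports[(src, dst, kind)].add(dport)
    return sorted((src, dst, kind, len(seen))
                  for (src, dst, kind), seen in ports.items() if len(seen) >= min_ports)


SAMPLE_LOG = [  # constructed: (src, dst, dst port, flag letters)
    # a normal web client: SYN, then ACK and data, all to one port
    ("192.0.2.10", "198.51.100.7", 80, "S"),
    ("192.0.2.10", "198.51.100.7", 80, "A"),
    ("192.0.2.10", "198.51.100.7", 80, "PA"),
    # SYN probes from one source to seven ports
    *[("203.0.113.9", "198.51.100.7", p, "S") for p in (21, 22, 23, 25, 80, 110, 143)],
    # Xmas probes from the same source to five ports
    *[("203.0.113.9", "198.51.100.7", p, "FPU") for p in (21, 22, 23, 25, 80)],
    # NULL probes to only two ports: below the default threshold
    ("203.0.113.44", "198.51.100.7", 22, ""),
    ("203.0.113.44", "198.51.100.7", 80, ""),
    # the server's RST/ACK reply to a closed port: not a probe
    ("198.51.100.7", "203.0.113.9", 21, "RA"),
]

if __name__ == "__main__":
    for src, dst, kind, n in find_scans(SAMPLE_LOG):
        print(f"{src} -> {dst}: {kind} probes to {n} distinct ports")
```

Note that the classifier looks only at the probe itself, not at the reply, so it works the same on the Microsoft systems the post mentions: a FIN, Xmas or Null packet still arrives and still shows up in a firewall or IDS log even when the host answers every one with a RST and the scan learns nothing from it. Lowering `min_ports` trades fewer missed slow scans for more false alarms from clients that legitimately talk to a handful of ports.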