September 17th, 2003, 01:16 AM
Port Scanner Tut
Port scanners are tools used to identify whether a service is listening on a specific port. The TCP protocol (Transport Control Protocol) and UDP (User Datagram Protocol) use port numbers to identify the higher-level services that are listening.
The ports numbered from 0 to 1023 inclusive (called well-known ports) are well known to system administrators and are often used only for system processes or for programs run by privileged users.
If intruders attack one of these well-known ports, they are potentially able to gain control of a server.
PORTSCAN IN TCP .
Four ways of scanning a TCP port exist to identify whether there is a service listening. Everything is made easier by the fact that TCP is connection-oriented and is designed to create a virtual circuit (it simulates a direct connection between two machines).
To fully understand the types of port scan, let me introduce the flags used by TCP/IP for its own transmissions:
URG Used to mark urgent data (WinNuke bug).
ACK Acknowledges the received packet.
RST Reset of the connection.
SYN Synchronization of the sequence with which the packets are sent.
PSH The data for the application is urgent.
FIN Conclusion of the sequence of packets.
The TCP connect() scan.
Your PC sends a connect() system call to all the interesting ports of the destination machine. If the port is listening, the connect() primitive succeeds; otherwise the port is not reachable and the service is not available. This type of port scan is easily identified and therefore leaves a trace of its attempt.
The method consists of establishing a virtual connection using what is called the TCP three-way handshake:
See the picture Port 01.
Your PC sends a TCP packet with the SYN flag set, together with the IP address and port of the remote server.
The remote server checks whether the requested port is open. If it is open (there is a program "listening"), it replies by sending a packet with the ACK flag set. If it is closed (no service "listening"), it sends a packet with the FIN flag set.
If the service is listening, the sender sends an ACK and is ready to begin a transmission (virtual circuit).
This type of port scan is easy to identify.
The TCP SYN scan.
In the TCP SYN scan, an incomplete TCP connection is established (incomplete handshake).
Your PC sends a packet with the SYN flag set.
The server responds with a SYN-ACK or RST-ACK packet.
If your PC receives the SYN-ACK packet, the service is available; if instead it receives an RST-ACK (reset) packet, the service is not available.
Your PC doesn't send any further packet: it has already determined the state of the port (closed or open).
This type of port scan is also easily identified.
The TCP FIN scan.
Your PC "skips" the three-way handshake and sends a packet with the FIN flag set to the remote server. In normal circumstances, sending a FIN packet causes the closing of an open TCP connection. If, however, the port is open (listening), the system should ignore the packet, since no connection exists; if instead the port is closed (not listening), the remote server sends a packet with the RST flag set.
Accordingly, the lack of a reply identifies an active port for your PC. This attack constitutes a clever way to avoid the problems of the SYN scan and is much harder to trace.
This method doesn't work well on most Windows systems, given that Microsoft's TCP implementation always sends an RST in reply to a FIN.
The TCP ACK scan.
Your PC sends an ACK to a remote server. If the server responds with an RST containing a very low TTL, or the WINDOW field contains a value greater than zero, then the port is "probably" listening. This type of attack is very difficult to carry out and can be considered a stealth port scan.
The TCP NULL scan.
In this scan, your PC sends an anomalous packet to the remote server. This packet has all the flags listed above not set (they all have the value NULL). If such a packet is sent to an open port, the server replies with an error message (it doesn't know what to do with such a packet). If instead it is sent to a closed port, the server responds with an RST.
PORTSCAN IN UDP.
The case of the UDP protocol is different: it is connectionless (not connection-oriented) and is more difficult to scan than TCP, since UDP ports are not obliged to respond to connection attempts.
The UDP scan.
Most implementations produce an ICMP port_unreachable error when a user (or an intruder) sends a packet to a closed UDP port. Consequently, the missing reply indicates the presence of an active port.
Your PC sends a UDP packet to a port of the remote server.
If the port is closed, the server answers with an ICMP "PORT UNREACHABLE" packet.
If the port is open, no packet is sent in reply by the server.
CONNECTION-ORIENTED: A connection-oriented protocol is a method in which two computers agree on the methods and ways of communicating before beginning the data transmission. The protocol takes care of receiving confirmation of the frames sent.
The TCP protocol (connection-oriented), before establishing the transmission, checks whether the two computers are ready to communicate and negotiates some parameters to be used:
· The physical size of the frames (MTU).
· The size of the transmission window (Window: the number of frames sent without asking for confirmation).
NOT CONNECTION-ORIENTED: A protocol that is not connection-oriented (for example UDP) doesn't check whether the receiving computer is ready for the communication and doesn't negotiate transmission parameters. It doesn't even worry about receiving confirmation of the frames sent.
Such a protocol is used for transmission in MULTICAST or BROADCAST.
VIRTUAL CIRCUIT: For instance, the TCP protocol creates a virtual circuit, which makes a connection between two machines at an enormous distance appear as if the two were a few meters apart.
COPYRIGHT ANATRA AKA Sitting Duck for Antionline Only
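The flag patterns the tutorial describes (a SYN that is never followed by the third handshake step, a bare FIN or an all-flags-clear packet with no connection behind it, an ACK to a port that never saw a SYN, UDP datagrams sprayed across many ports) are exactly what a defender looks for in firewall logs. The following is an added example, not code from the original post or from the forum: it parses constructed log lines in a hypothetical iptables-style key=value format (the addresses, ports and format are assumptions) and reports, per source address, which of the tutorial's probe types it saw.

```python
"""Flag TCP/UDP probe patterns in firewall log lines.

Added example (not part of the original post). The log format below is a
hypothetical iptables-style key=value layout; the addresses and ports are
constructed sample data.
"""
from collections import defaultdict

# Constructed sample: one source probing many ports with several techniques,
# and one source performing an ordinary HTTP connection (SYN, ACK, data, FIN/ACK).
SAMPLE_LOG = """\
SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21 FLAGS=SYN
SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=SYN
SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23 FLAGS=SYN
SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=25 FLAGS=SYN
SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=SYN
SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=110 FLAGS=FIN
SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=143 FLAGS=NONE
SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=ACK
SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP DPT=53
SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP DPT=161
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=SYN
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=ACK
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=ACK,PSH
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=ACK,FIN
"""


def parse_line(line):
    """Turn one 'KEY=VALUE ...' log line into a packet dict; FLAGS becomes a frozenset."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    flags = frozenset(f for f in fields.get("FLAGS", "NONE").split(",") if f != "NONE")
    return {"src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
            "dport": int(fields["DPT"]), "flags": flags}


def classify_packet(pkt, syn_seen):
    """Label one inbound packet using the probe types the tutorial describes.

    syn_seen records (src, dst, dport) triples that have started a handshake, so
    an ACK with no preceding SYN can be told apart from the third handshake step.
    """
    if pkt["proto"] == "UDP":
        return "udp_probe"
    f = pkt["flags"]
    key = (pkt["src"], pkt["dst"], pkt["dport"])
    if f == {"SYN"}:
        syn_seen.add(key)
        return "syn"            # normal connection start, or a SYN / connect() scan
    if not f:
        return "null_probe"     # NULL scan: no flags at all
    if "ACK" not in f and "FIN" in f:
        return "fin_probe"      # FIN scan: bare FIN, no connection behind it
    if "ACK" in f and key not in syn_seen:
        return "ack_probe"      # ACK scan: ACK on a port that never saw a SYN
    return "normal"


def analyze(log_text, port_threshold=5):
    """Aggregate probe labels per source and decide which scan types it exhibits."""
    syn_seen = set()
    per_src = defaultdict(lambda: {"syn_ports": set(), "completed": set(),
                                   "fin": 0, "null": 0, "ack": 0, "udp_ports": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        s = per_src[pkt["src"]]
        label = classify_packet(pkt, syn_seen)
        if label == "syn":
            s["syn_ports"].add(pkt["dport"])
        elif label == "normal" and pkt["flags"] == {"ACK"} and pkt["dport"] in s["syn_ports"]:
            s["completed"].add(pkt["dport"])   # third step of the handshake observed
        elif label == "fin_probe":
            s["fin"] += 1
        elif label == "null_probe":
            s["null"] += 1
        elif label == "ack_probe":
            s["ack"] += 1
        elif label == "udp_probe":
            s["udp_ports"].add(pkt["dport"])

    report = {}
    for src, s in per_src.items():
        half_open = s["syn_ports"] - s["completed"]   # SYNs never completed: SYN scan signature
        reasons = []
        if len(half_open) >= port_threshold:
            reasons.append("syn-scan")
        if s["fin"]:
            reasons.append("fin-scan")
        if s["null"]:
            reasons.append("null-scan")
        if s["ack"]:
            reasons.append("ack-scan")
        if len(s["udp_ports"]) >= port_threshold:
            reasons.append("udp-sweep")
        report[src] = {"half_open_ports": sorted(half_open),
                       "udp_ports": sorted(s["udp_ports"]), "reasons": reasons}
    return report


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info["reasons"] or "no scan pattern", info["half_open_ports"])
```

The threshold of five distinct ports is an assumption; a single half-open SYN is what every ordinary connection attempt to a down host looks like, so only the spread across ports separates a SYN scan from noise, whereas a NULL or bare-FIN packet has no legitimate counterpart and is flagged on its first occurrence. The ACK check is the weakest of the four: a late ACK from a connection that started before the log window will also trip it, so in practice it should be corroborated by the port spread as well.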
September 18th, 2003, 08:42 PM
Re: Port Scanner Tut
Originally posted here by Anatra: "The protocol TCP (Transport Control Protocol)"
Awesome tut, but I could swear TCP is Transmission Control Protocol?
September 18th, 2003, 08:47 PM
TCP is many things, but I think you're right on this one.
September 18th, 2003, 11:29 PM
Damn, you're right. I've made a real error for an enthusiast like me...
October 4th, 2003, 08:55 PM
Four pounds of penis and a bucket of testes and you still call me boy!
Yet another plagiarized page from this dude. Translating a page from Italian to English does not qualify as a tutorial. The sorry part is I doubt you've ever read any of them.
This guy has taken more than one page from bismark.caltanet.it and I've called him on it. This page no longer exists but Google has it cached.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
October 4th, 2003, 09:06 PM
*Moved from Tutorials*
Nice find, Tedob1