0x470
Port Scanning
Port scanning is a way of figuring out which ports are listening and accepting
connections. Since most services run on standard, documented ports, this
information can be used to determine which services are running. The simplest
form of port scanning involves trying to open a full TCP connection to every
possible port on the target system. While this is effective, it's also noisy and
detectable: the service behind each open port accepts the connection and
normally logs the source IP address. To avoid this, several clever techniques
have been invented.
A port-scanning tool called nmap, written by Fyodor, implements all of the
following port-scanning techniques and has become one of the most popular
open source port scanners.
0x471
Stealth SYN Scan
A SYN scan is also sometimes called a half-open scan, because it never opens
a full TCP connection. Recall the TCP three-way handshake: when a full
connection is made, first a SYN packet is sent, then a SYN/ACK packet is
sent back, and finally an ACK packet is returned to complete the handshake
and open the connection. A SYN scan sends only the initial SYN packet and
examines the response. If a SYN/ACK packet comes back, that port must be
accepting connections. This is recorded, and an RST packet is sent to tear
down the half-open connection so the target isn't left holding a backlog of
them. If an RST comes back instead, the port is closed. No response at all
(or an ICMP unreachable error) usually means a firewall dropped the probe,
and nmap reports such ports as filtered rather than closed.
Using nmap, a SYN scan can be performed with the command-line option -sS.
The program must be run as root, since it isn't using standard sockets and
needs raw network access to craft the SYN packets and read the replies.
reader@hacking:~/booksrc $ sudo nmap -sS 192.168.42.72
Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-29 09:19 PDT
Interesting ports on 192.168.42.72:
Not shown: 1696 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap finished: 1 IP address (1 host up) scanned in 0.094 seconds
0x472
FIN, X-mas, and Null Scans
In response to SYN scanning, new tools to detect and log half-open connections
were created, so yet another collection of stealth port-scanning techniques
evolved: FIN, X-mas, and Null scans. These all involve sending, to every port
on the target system, a packet that makes no sense for a port with no
connection. If a port is listening, these packets are silently dropped.
However, if the port is closed and the implementation follows the protocol
(RFC 793, section 3.9: a segment other than a RST arriving for a port in the
CLOSED state is answered with a RST), an RST packet is sent back. This
difference can be used to detect which ports are accepting connections,
without actually opening any connections. Two caveats apply. A firewall that
drops the probe produces the same silence as an open port, so silence really
means open or filtered, which is how nmap reports it. And not every TCP stack
follows the RFC here; Microsoft Windows, for example, answers with RST
regardless of port state, so on such hosts every port appears closed.
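As an added example covering both the SYN scan above and the FIN, X-mas and Null probes (this is not code from the book or from nmap), the following Python builds the 20-byte TCP header each scan type sends, with a correct checksum over the pseudo-header, and maps the reply to a port state the way the text describes. The probe_port function sends with a raw socket and therefore needs root; the addresses and port numbers are placeholders you supply, and the offline checks exercise only the packet builder and the classifier.

```python
"""Craft SYN / FIN / X-mas / Null probes and interpret replies.

Added example for the port-scanning discussion; not nmap's code.
"""
import socket
import struct

# TCP flag bits, byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type sets on its probe.
SCAN_FLAGS = {
    "syn": SYN,
    "fin": FIN,
    "xmas": FIN | PSH | URG,   # "lit up like a Christmas tree"
    "null": 0,
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # The TCP checksum also covers src/dst address, protocol and TCP length.
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_probe(src_ip, dst_ip, src_port, dst_port, flags, seq=0) -> bytes:
    """Return a 20-byte TCP header (no options) with the given flags."""
    offset_flags = (5 << 12) | (flags & 0x3F)   # data offset = 5 words
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                         offset_flags, 65535, 0, 0)   # checksum field zeroed
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_tcp_checksum(src_ip, dst_ip, segment: bytes) -> bool:
    """A correct segment sums to 0 when the checksum field is included."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment: bytes) -> int:
    return segment[13] & 0x3F


def classify(scan: str, reply_flags) -> str:
    """Map a reply (flag byte, or None for no reply) to a port state."""
    if scan == "syn":
        if reply_flags is None:
            return "filtered"            # probe dropped, e.g. by a firewall
        if reply_flags & RST:
            return "closed"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        return "unknown"
    # FIN / X-mas / Null: an RFC 793 closed port answers RST; an open port is
    # silent, but so is a firewall that dropped the probe, hence open|filtered.
    if reply_flags is None:
        return "open|filtered"
    if reply_flags & RST:
        return "closed"
    return "unknown"


def probe_port(dst_ip, dst_port, scan, src_ip, src_port=40000, timeout=1.0):
    """Send one probe and classify the reply.  Needs root / CAP_NET_RAW, and
    src_ip must be the address the kernel will really use, since the checksum
    covers it.  Placeholder parameters; not run by the offline checks.  For a
    SYN scan the scanner's own kernel, having no socket on src_port, answers
    the SYN/ACK with RST, which is the teardown the text describes."""
    seg = build_tcp_probe(src_ip, dst_ip, src_port, dst_port,
                          SCAN_FLAGS[scan], seq=0x1234)
    reply = None
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as s:
        s.settimeout(timeout)
        s.sendto(seg, (dst_ip, 0))            # kernel prepends the IP header
        try:
            while True:
                pkt, (peer, _) = s.recvfrom(65535)
                ihl = (pkt[0] & 0x0F) * 4      # skip the IP header
                tcp = pkt[ihl:]
                sport, dport = struct.unpack("!HH", tcp[:4])
                if peer == dst_ip and sport == dst_port and dport == src_port:
                    reply = tcp_flags(tcp)
                    break
        except socket.timeout:
            pass
    return classify(scan, reply)
```

Usage is e.g. probe_port("192.0.2.10", 22, "xmas", src_ip="192.0.2.1") as root; on a target whose stack ignores the RFC (Windows among them) every port comes back "closed" whatever its real state, which is exactly the caveat above.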
The FIN scan sends a FIN packet, the X-mas scan sends a packet with
FIN, URG, and PUSH turned on (so named because the flags are lit up like a