4. Port Scanning
Role of port scanning
Identification of active systems, open communication ports and services running on computer networks
Port scanning techniques:
– ARP Ping
– ICMP Ping
– TCP connect() Scan
– TCP SYN Scan
– TCP FIN, Xmas Tree, Null Scan
– UDP Scan
ARP Ping
May be used to discover active systems in the local network only
Does not work if Proxy ARP is enabled on routers
Tools:
– arping
– nmap -PR
ICMP Ping
Uses ICMP queries
– ICMP ECHO_REQUEST (Type 8)
– ICMP ECHO_REPLY (Type 0)
Usually, ping is blocked at the firewall
Tools:
– ping / fping
– nmap -sP -PE
– hping3 --icmp
TCP Connect() Scan
Uses the connect() system call to establish a TCP connection with the remote host
Full three-way handshake for open ports
Usually, this event is logged by the remote host
Tools:
– telnet
– netcat
– nmap -sT
TCP SYN Scan
Half-open connections
– a SYN packet is sent to ask for a new connection
– after receiving SYN/ACK, the connection is dropped by sending a RST packet
Hard to detect
– usually, IDS and firewall systems do not log SYN packets
Tools:
– nmap -sS
– hping3 --syn
TCP FIN, Xmas Tree, Null Scan
Stealth scans
The working principle is the same for all these scans
– manipulation of control flags in the TCP packet header
According to RFC 793, when a system receives a packet on a closed port, it must answer with a RST
– if no RST is sent back, it means that the port is open or the communication is filtered by a firewall
It does not work against Windows systems
– a RST is returned even if the port is open
In order to run these scans the user must have administrative privileges
TCP FIN Scan
[Figure: packet exchange for a Closed Port and for an Open Port]
Sends a FIN packet to the targeted port, then waits for a response
Tools:
– nmap -sF
– hping3 --fin
TCP Xmas Tree Scan
[Figure: packet exchange for a Closed Port and for an Open Port]
Sends a TCP packet with the FIN, URG, and PUSH flags set, then waits for a response
Tools:
– nmap -sX
– hping3 --fin --urg --push
TCP Null Scan
[Figure: packet exchange for a Closed Port and for an Open Port]
Sends a TCP packet with no flags set, then waits for a response
Tools:
– nmap -sN
– hping3
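The slides state that SYN scans are hard to detect because SYN packets are rarely logged, and that FIN, Xmas Tree and Null probes rely on flag combinations a normal TCP client never sends. The following added example (not part of the course material) shows the detection logic a defender would run over connection records: it classifies each packet's flag byte into the probe type that could have produced it, counts how many distinct ports on one host a source probed, and, for plain SYNs, discounts connections the source later completed with an ACK so that half-open scanning is separated from legitimate traffic. The packet records are constructed for the example; the port threshold is an assumed tuning value.

```python
"""Detect SYN, FIN, Xmas and Null scans in a list of packet records.

Added example for the port-scanning slides; the packet records below are
constructed, not captured traffic."""
from collections import defaultdict

# TCP flag bits as laid out in the header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags):
    """Map a TCP flags byte to the probe type a scanner would have sent.

    Returns None for combinations that appear in normal traffic
    (SYN/ACK, ACK, PSH/ACK, ...)."""
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == SYN:
        return "syn"   # a lone SYN is normal; only its volume per host is suspicious
    return None


def detect_scans(packets, port_threshold=5):
    """packets: iterable of dicts with keys src, dst, dport, flags.

    A (src, dst) pair is flagged when one probe class reached at least
    port_threshold distinct ports. For SYN probes, ports for which the
    source later sent a bare ACK (i.e. completed the handshake) do not
    count, which separates half-open scanning from real connections."""
    probes = defaultdict(set)   # (src, dst, kind) -> {dport}
    acked = set()               # (src, dst, dport) where src later sent ACK
    for p in packets:
        kind = classify_flags(p["flags"])
        if kind:
            probes[(p["src"], p["dst"], kind)].add(p["dport"])
        elif p["flags"] & ACK and not p["flags"] & SYN:
            acked.add((p["src"], p["dst"], p["dport"]))
    alerts = []
    for (src, dst, kind), ports in probes.items():
        if kind == "syn":
            ports = {d for d in ports if (src, dst, d) not in acked}
        if len(ports) >= port_threshold:
            alerts.append({"src": src, "dst": dst, "kind": kind, "ports": len(ports)})
    return sorted(alerts, key=lambda a: (a["src"], a["kind"]))


# Constructed sample: one half-open SYN scanner, one Xmas scanner,
# and one legitimate client that completes two handshakes.
SAMPLE = []
for port in range(20, 30):
    SAMPLE.append({"src": "10.0.0.9", "dst": "10.0.0.1", "dport": port, "flags": SYN})
for port in (22, 80, 443, 3306, 8080, 8443):
    SAMPLE.append({"src": "10.0.0.7", "dst": "10.0.0.1", "dport": port,
                   "flags": FIN | PSH | URG})
for port in (80, 443):
    SAMPLE.append({"src": "10.0.0.5", "dst": "10.0.0.1", "dport": port, "flags": SYN})
    SAMPLE.append({"src": "10.0.0.5", "dst": "10.0.0.1", "dport": port, "flags": ACK})

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE):
        print(alert)
```

Against the sample this reports the SYN scanner (10 half-open ports) and the Xmas scanner (6 ports) and stays silent about the client at 10.0.0.5, whose two SYNs were followed by ACKs. In a real deployment the records would come from a flow exporter or packet capture, and the threshold would be tuned per network.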
UDP Scan
Similar to TCP scan but using UDP packets
Sends a UDP packet and waits for a response; if an ICMP Port Unreachable is received, the port is closed, otherwise the port is open
Scanning process takes time
– response delay of 1-4 sec
Tools:
– nmap -sU
– hping3 --udp
OS Fingerprinting
RFCs do not contain complete specifications
There are differences in TCP/IP stack implementation
– TTL (time-to-live)
– Initial sequence numbers
– Window size
– DF (Don't fragment bit)
…
Passive fingerprinting
– sniffing to examine packets for certain characteristics
– low precision
Active fingerprinting
– send packets to the target in order to analyze its behavior
– high precision
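The slide lists TTL, window size and the DF bit as the TCP/IP stack details that differ between implementations. The added example below (not from the course and not p0f's code) shows the passive side of that idea: it parses the IPv4 and TCP headers of an observed SYN, rounds the observed TTL up to the nearest common default (64, 128, 255) to estimate both the initial TTL and the hop distance, and looks the (window size, initial TTL) pair up in a small signature table. The table is a deliberately simplified, illustrative one; real tools also use TCP options, MSS, DF and more. The packets are constructed with the helper in the block, without checksums.

```python
"""Minimal passive OS fingerprinting from a SYN packet's TTL and window size.

Added example for the OS-fingerprinting slides; not p0f's code. The
signature table is a simplified, illustrative subset."""
import struct

# Common default initial TTLs; an observed TTL can only be at or below one of these.
INITIAL_TTLS = (64, 128, 255)

# Simplified signature table: (TCP window size, initial TTL) -> OS guess.
SIGNATURES = {
    (5840, 64): "Linux 2.6",
    (65535, 64): "FreeBSD",
    (16384, 128): "Windows 2000",
    (65535, 128): "Windows XP",
    (8192, 128): "Windows 7 or later",
}

SYN = 0x02


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common default."""
    for ttl in INITIAL_TTLS:
        if observed_ttl <= ttl:
            return ttl
    raise ValueError("TTL above 255 is not possible in IPv4")


def build_syn(ttl, window, df=True, src=(10, 0, 0, 9), dst=(10, 0, 0, 1)):
    """Construct a minimal IPv4 + TCP SYN (20-byte headers, zero checksums)."""
    frag = 0x4000 if df else 0                      # 0x4000 is the DF bit
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag, ttl, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, SYN, window, 0, 0)
    return ip + tcp


def parse_headers(pkt):
    """Return (ttl, window, df, tcp_flags) from a raw IPv4 + TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4                        # IPv4 header length in bytes
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    tcp_flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    return ttl, window, df, tcp_flags


def fingerprint_packet(pkt):
    """Passively guess the sender's OS and hop distance from a SYN; None if not a SYN."""
    ttl, window, df, flags = parse_headers(pkt)
    if flags != SYN:
        return None
    initial = infer_initial_ttl(ttl)
    return {
        "os": SIGNATURES.get((window, initial), "unknown"),
        "initial_ttl": initial,
        "distance": initial - ttl,
        "df": df,
    }


if __name__ == "__main__":
    # Constructed observations: a Linux host 9 hops away, a Windows XP host 9 hops away
    for pkt in (build_syn(55, 5840), build_syn(119, 65535)):
        print(fingerprint_packet(pkt))
```

The "distance" value is the same quantity p0f prints: the number of routers the packet crossed, inferred from how far the TTL has dropped below its assumed starting value. Because two stacks that share a default TTL and window size cannot be told apart this way, passive fingerprinting carries the lower precision the slide mentions.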
Passive OS fingerprinting
p0f (http://lcamtuf.coredump.cx/p0f.shtml)
p0f can identify the operating system of:
– machines that connect to you (SYN mode)
– machines you connect to (SYN+ACK mode)
– machines you cannot connect to (RST mode)
– machines whose communications you can observe
p0f output
<Wed Feb 27 18:26:58 2008> 213.215.x.x:45291 - Linux 2.6 (newer, 2) (up: 1421 hrs) -> 208.83.x.x:2703 (distance 0, link: ethernet/modem)
<Wed Feb 27 18:27:02 2008> 212.24.x.x:62994 - FreeBSD 5.3-5.4 (up: 4556 hrs) -> 213.215.x.x:80 (distance 9, link: ethernet/modem)
<Wed Feb 27 18:27:16 2008> 90.2.x.x:1322 - Windows 2000 SP4, XP SP1+ -> 213.215.x.x:80 (distance 9, link: pppoe (DSL))
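A monitoring team that runs p0f usually wants its output in structured form rather than as text. The following added example (not part of the slides, and not a p0f component) parses lines in the output format shown above into records with source, OS guess, uptime, destination, distance and link type, and tallies the observed OS families. The sample log embedded in the block is the three lines from the slide, whose addresses are already masked with "x.x"; the field names of the record type are this example's own choice.

```python
"""Parse p0f (v2-style) output lines into structured records.

Added example for the p0f slide; the sample log is the slide's own output
with masked addresses."""
import re
from dataclasses import dataclass
from typing import Optional

# <timestamp> src:port - OS guess [(up: N hrs)] -> dst:port (distance N, link: ...)
P0F_LINE = re.compile(
    r"^<(?P<ts>[^>]+)>\s+(?P<src>\S+):(?P<sport>\d+)\s+-\s+(?P<os>.+?)"
    r"(?:\s+\(up:\s*(?P<up>\d+)\s*hrs\))?\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
    r"\s+\(distance\s+(?P<dist>\d+),\s+link:\s+(?P<link>.+)\)$"
)


@dataclass
class Fingerprint:
    timestamp: str
    src: str
    sport: int
    os: str
    uptime_hrs: Optional[int]   # absent when p0f could not estimate uptime
    dst: str
    dport: int
    distance: int
    link: str


def parse_p0f_line(line):
    """Return a Fingerprint for one output line, or None if it does not match."""
    m = P0F_LINE.match(line.strip())
    if not m:
        return None
    up = m.group("up")
    return Fingerprint(
        timestamp=m.group("ts"), src=m.group("src"), sport=int(m.group("sport")),
        os=m.group("os"), uptime_hrs=int(up) if up else None,
        dst=m.group("dst"), dport=int(m.group("dport")),
        distance=int(m.group("dist")), link=m.group("link"),
    )


def parse_p0f_log(text):
    """Parse every recognisable line of a p0f log, skipping the rest."""
    return [fp for fp in (parse_p0f_line(l) for l in text.splitlines()) if fp]


def summarize_by_os(fingerprints):
    """Count records by the first word of the OS guess (Linux, FreeBSD, Windows, ...)."""
    counts = {}
    for fp in fingerprints:
        family = fp.os.split()[0]
        counts[family] = counts.get(family, 0) + 1
    return counts


# Sample log: the three lines shown on the slide (addresses masked there as x.x)
SAMPLE_LOG = """\
<Wed Feb 27 18:26:58 2008> 213.215.x.x:45291 - Linux 2.6 (newer, 2) (up: 1421 hrs) -> 208.83.x.x:2703 (distance 0, link: ethernet/modem)
<Wed Feb 27 18:27:02 2008> 212.24.x.x:62994 - FreeBSD 5.3-5.4 (up: 4556 hrs) -> 213.215.x.x:80 (distance 9, link: ethernet/modem)
<Wed Feb 27 18:27:16 2008> 90.2.x.x:1322 - Windows 2000 SP4, XP SP1+ -> 213.215.x.x:80 (distance 9, link: pppoe (DSL))
"""

if __name__ == "__main__":
    records = parse_p0f_log(SAMPLE_LOG)
    for rec in records:
        print(rec)
    print(summarize_by_os(records))
```

The non-greedy OS group lets the parser cope with guesses that themselves contain parentheses ("Linux 2.6 (newer, 2)") while still splitting off the optional uptime, and the link field is taken greedily up to the final closing parenthesis so values such as "pppoe (DSL)" survive intact.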
Active OS fingerprinting
nmap -O <target>
7 TCP probes, 1 ICMP, 1 UDP. TCP probes are sent exactly 110 milliseconds apart
Other scanning tools
nmap (http://www.insecure.org/nmap/)
hping3 (http://www.hping.org)
IPEye (http://ntsecurity.nu/toolbox/)
NetScan Tools Pro (http://www.netscantools.com/)
SuperScan (http://www.foundstone.com)
Cheops-ng (http://cheops-ng.sourceforge.net/)