What is Port Scanning? – Port scanning is the name for the technique used to identify open ports and services available on a network host. It is sometimes used by security technicians to audit computers for vulnerabilities; however, it is also used by hackers to target victims. It works by sending connection requests to the targeted computers and then keeping track of which ports appear to be open, that is, which ones respond to the request.
TCP Connect / Full Open Scan
TCP Connect scan detects when a port is open by completing the three-way handshake.
TCP Connect scan establishes a full connection and then tears it down by sending a RST packet.
It does not require super user privileges.
Stealth Scan (Half-Open Scan)
Stealth scan involves resetting the TCP connection between client and server abruptly before the three-way handshake completes, leaving the connection half open.
Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and to disguise the probes as normal network traffic.
Stealth Scan Process
- The client sends a single SYN packet to the server on the appropriate port.
- If the port is open then the server responds with a SYN/ACK packet.
- If the server responds with an RST packet, then the remote port is in the “closed” state.
- The client sends an RST packet to abort the handshake before a connection is ever fully established.
Inverse TCP Flag Scanning
Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags at all; no response means the port is open, and an RST means the port is closed.
In Xmas scan, attackers send a TCP frame to a remote device with FIN, URG and PUSH flags set.
FIN scan works only against OSes with an RFC 793-based TCP/IP implementation.
It will not work against any current version of Microsoft Windows.
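The half-open handshake sequence and the inverse-flag probes (FIN, Xmas, NULL) described above leave a recognisable trace on the defender's side. The following Python is an added example, not code from the original notes: it runs over constructed packet records (made-up addresses and ports) and reports a source that leaves many bare SYNs without a completing ACK, or that sends probe packets with FIN/URG/PSH set or with no flags.

```python
from collections import defaultdict

# Constructed sample traffic as seen by a sensor: (source address, destination port, set of TCP flags).
SAMPLE_PACKETS = [
    ("10.0.0.5", 22, {"SYN"}), ("10.0.0.5", 80, {"SYN"}), ("10.0.0.5", 443, {"SYN"}),
    ("10.0.0.5", 8080, {"SYN"}), ("10.0.0.5", 3306, {"SYN"}),
    ("10.0.0.5", 80, {"RST"}),              # client RST after SYN/ACK: half-open tear-down
    ("10.0.0.7", 443, {"SYN"}), ("10.0.0.7", 443, {"ACK"}),   # normal client completing the handshake
    ("10.0.0.9", 21, {"FIN", "URG", "PSH"}), ("10.0.0.9", 25, {"FIN", "URG", "PSH"}),  # Xmas probes
    ("10.0.0.9", 110, set()),               # NULL probe: no flags at all
]

def classify_probe(flags):
    """Name the inverse-flag probe a packet's flag set matches, or None for ordinary traffic."""
    if not flags:
        return "null"
    if flags == {"FIN", "URG", "PSH"}:
        return "xmas"
    if flags == {"FIN"}:
        return "fin"
    return None

def detect_scans(packets, syn_threshold=5):
    """Return {source: findings} for sources that look like half-open scanners or inverse-flag probers."""
    pending = defaultdict(set)   # source -> ports with a bare SYN never followed by an ACK
    probes = defaultdict(list)   # source -> [(port, probe kind)]
    for src, port, flags in packets:
        if flags == {"SYN"}:
            pending[src].add(port)
        elif "ACK" in flags:
            pending[src].discard(port)   # third handshake step seen: this was a real connection
        # A bare RST from the client does not clear the port: that is the half-open signature.
        kind = classify_probe(flags)
        if kind:
            probes[src].append((port, kind))
    findings = {}
    for src in set(pending) | set(probes):
        entry = {}
        if len(pending[src]) >= syn_threshold:
            entry["half_open_ports"] = sorted(pending[src])
        if probes[src]:
            entry["odd_flag_probes"] = probes[src]
        if entry:
            findings[src] = entry
    return findings

if __name__ == "__main__":
    print(detect_scans(SAMPLE_PACKETS))
```

The SYN threshold is a tuning knob: a real sensor would also bound the time window, since a slow scan spreads its SYNs out to stay under per-interval limits.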
ACK Flag Probe Scanning
Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and Window fields) of the RST packets received to work out whether the port is open or closed.
ACK flag probe scanning can also be used to check the filtering system of the target.
Attackers send an ACK probe packet with a random sequence number; no response means the port is filtered (a stateful firewall is present), and an RST response means the port is not filtered.
IDLE / IPID Header Scan
Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered “open” if an application is listening on it.
One way to determine whether a port is open is to send a “SYN”(session establishment) packet to the port.
The target machine will send back a “SYN/ACK” (session request acknowledgement) packet if the port is open, and an “RST” (Reset) packet if the port is closed.
A machine that receives an unsolicited SYN/ACK packet will respond with an RST. An unsolicited RST will be ignored.
Every IP packet on the internet has a “fragment identification” number (IPID).
The OS increments the IPID for each packet sent, so probing the IPID gives an attacker the number of packets the host has sent since the last probe.
UDP Port Open
There is no three-way TCP handshake for UDP scan.
The system does not respond with a message when the port is open.
UDP Port Closed
If a UDP packet is sent to closed port, the system responds with ICMP port unreachable messages.
Spyware, Trojan horses, and other malicious applications use UDP ports.
ICMP Echo Scanning
This is not really port scanning, since ICMP does not have a port abstraction.
But it is sometimes useful to determine which hosts in a network are up by pinging them all.
nmap -sn -PE [target]
(-sn disables the port scan so only host discovery runs; -PE selects ICMP echo request probes.)
ICMP List Scan
This type of scan simply generates and prints a list of IPs/Names without actually pinging them.
A reverse DNS resolution is carried out to identify the host names.