3.1 Port Scanning Types
3.1.1 TCP connect() scan
With this type of scan we use the basic TCP connection establishment mechanism: the scanner simply calls connect() and the operating system carries out the handshake, so no raw-socket privilege is needed. To open a connection to an interesting port on the targeted machine:
1. A SYN packet is sent to the target system's interesting port.
2. Now we wait to see what type of packet is sent back from the target.
   · If a SYN/ACK packet is received, it usually means the port is in a LISTENING state.
   · If a RST/ACK packet is received, it usually means the port is not LISTENING and the connection will be RESET.
3. We finish the three-way handshake (if a SYN/ACK packet was received) by sending an ACK.
4. The connection is terminated after the full connection establishment process has been completed.
This kind of scan is easily detected. Because the handshake completes, the service listening on the port sees a connection that is closed again immediately; inspecting the target system log will show a series of such connections, each followed by an error message right after it was initiated.
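The procedure above, as an added example that is not part of the original paper: a connect() scan written against the standard socket API, run against a constructed local listener that records every completed handshake the way a target's log would. The listener, the port choice and the "filtered" mapping for timeouts are assumptions of this example, not something the paper specifies.

```python
import socket
import threading


class DemoListener:
    """Constructed stand-in for the target host: one LISTENING port that records
    the peer of every accepted connection, as a target's logs would show."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))           # port 0: the kernel picks a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.log = []                       # (peer_ip, peer_port) per completed handshake
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _accept_one(self):
        try:
            conn, peer = self.sock.accept()
        except (socket.timeout, BlockingIOError):
            return False
        self.log.append(peer)               # the trace a connect() scan leaves behind
        conn.close()
        return True

    def _serve(self):
        self.sock.settimeout(0.1)
        while not self._stop.is_set():
            self._accept_one()
        self.sock.settimeout(0)             # drain handshakes still queued in the backlog
        while self._accept_one():
            pass
        self.sock.close()

    def stop(self):
        self._stop.set()
        self._thread.join()


def unused_port(host="127.0.0.1"):
    """Pick a port nobody listens on, so the scan receives a RST/ACK for it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """TCP connect() scan: the OS performs the full three-way handshake for us."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))         # steps 1-3: SYN out, SYN/ACK back, ACK out
            results[port] = "open"          # handshake completed: port is LISTENING
        except ConnectionRefusedError:
            results[port] = "closed"        # RST/ACK came back: port is not LISTENING
        except OSError:
            results[port] = "filtered"      # assumption: no reply or unreachable means a filter dropped it
        finally:
            s.close()                       # step 4: tear the connection down
    return results


if __name__ == "__main__":
    target = DemoListener()
    print(connect_scan("127.0.0.1", [target.port, unused_port()]))
    target.stop()
    print("target logged:", target.log)
```

The target's log ends up with one entry per open port probed, which is exactly why this scan is easy to spot: every open-port result required a full handshake that the peer's accept() saw.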
3.1.2 TCP SYN Scan (half open scanning)
This type of scan differs from the TCP connect() scan because we do not open a full TCP connection. We send a SYN packet to initiate the three-way handshake and wait for a response. If we receive a SYN/ACK, the port is LISTENING; if we receive a RST/ACK, the port is not LISTENING. When a SYN/ACK does arrive, we immediately tear the connection down by sending a RESET instead of the final ACK.
Because the TCP three-way handshake is never completed, the listening service never sees an accepted connection, so some systems will not log these scanning attempts. Crafting the SYN and RST packets ourselves requires raw-socket access rather than the ordinary connect() call.
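The half-open exchange described above, as an added example that is not part of the original paper. It uses scapy to send the SYN and the tearing-down RST, which requires root or CAP_NET_RAW; scapy, the 2-second timeout and the flag-to-state mapping (including "filtered" for no reply) are assumptions of this example, not something the paper specifies. scapy is imported inside syn_scan so the classifier can be exercised without it.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits


def classify_syn_response(flags):
    """Map the TCP flags of the reply to a SYN probe (None = no reply) to a port state."""
    if flags is None:
        return "filtered"               # assumption: silence means a filter dropped the probe
    if flags & (SYN | ACK) == (SYN | ACK):
        return "open"                   # SYN/ACK: the port is LISTENING
    if flags & RST:
        return "closed"                 # RST (usually RST/ACK): not LISTENING
    return "unknown"                    # anything else is not part of the handshake


def syn_scan(target, ports, timeout=2.0):
    """Half-open scan: send SYN, read the reply, answer an open port with RST, never ACK."""
    from scapy.all import IP, TCP, sr1, send, RandShort   # needs raw sockets (root)
    results = {}
    for port in ports:
        sport = int(RandShort())
        probe = IP(dst=target) / TCP(sport=sport, dport=port, flags="S")
        reply = sr1(probe, timeout=timeout, verbose=0)
        if reply is None or not reply.haslayer(TCP):
            results[port] = classify_syn_response(None)   # no TCP reply (or ICMP unreachable)
            continue
        state = classify_syn_response(int(reply[TCP].flags))
        results[port] = state
        if state == "open":
            # Tear down with RST instead of completing the handshake with ACK, so the
            # target never accept()s a connection. The local kernel would also RST the
            # stray SYN/ACK on its own, since no socket of ours owns this handshake.
            send(IP(dst=target) / TCP(sport=sport, dport=port, flags="R",
                                      seq=reply[TCP].ack), verbose=0)
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(syn_scan(host, [22, 80, 443]))
```

Run it as root against a host you are authorised to scan; on a local target compare the result with a connect() scan of the same ports to see that the listening service logs nothing for the half-open probe.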
3.1.3 Stealth Scan [8]
Chris Klaus was one of the first people to write a paper about stealth scans. In a paper called "Stealth Scanning: Bypassing Firewalls/SATAN Detectors" [9], he describes a technique which intentionally violates the TCP three-way handshake. This technique is what people refer to today as half-open scanning.
Today, some people use the term stealth to mean a scan with NULL flags (no flags or code bits set).
Stealth can also be defined as a family of scanning techniques that do one of the following:
· pass through filtering rules;
· avoid being logged by the target system's logging mechanisms;
· try to hide among the usual site or network traffic.
[8] Stephen Northcutt, Network Intrusion Detection: An Analyst's Handbook, New Riders, 1999.
[9] http://www.netsys.com/firewalls/firewalls-9512/0085.html