
3.1 Port Scanning Types

3.1.1 TCP connect() scan

With this type of scan we use the basic TCP connection establishment mechanism. To open a connection to an interesting port on the targeted machine:

1. A SYN packet is sent to the interesting port on the target system.
2. Now we wait to see what type of packet is sent back from the target.
   · If a SYN/ACK packet is received, it usually means the port is in a LISTENING state.
   · If a RST/ACK packet is received, it usually means the port is not LISTENING and the connection will be RESET.
3. We finish the three-way handshake (if a SYN/ACK packet was received) by sending an ACK.
4. The connection is terminated after the full connection establishment process has been completed.

This kind of scan is easily detected. Inspecting the target system log will show a number of connections and error messages immediately after each one of them was initiated.

3.1.2 TCP SYN Scan (half open scanning)

This type of scan differs from the TCP connect() scan because we do not open a full TCP connection. We send a SYN packet to initiate the three-way handshake and wait for a response. If we receive a SYN/ACK it indicates the port is LISTENING. If we receive a RST/ACK it indicates a non-LISTENING port. If we do receive a SYN/ACK packet we immediately tear down the connection by sending a RESET.

Because the TCP three-way handshake was not completed, some of the sites will probably not log these scanning attempts.

3.1.3 Stealth Scan [8]

Chris Klaus was one of the first people to write a paper about stealth scans. In a paper called “Stealth Scanning – Bypassing Firewalls/SATAN Detectors” [9], he describes a technique which intentionally violates the TCP three-way handshake. This technique is what people refer to today as “half-open” scanning.

Today, some people use the “stealth” term to mean NULL flags (no flags or code bits set). “Stealth” can also be defined as a scanning technique family, doing one of the following:
· Pass through filtering rules.
· Not be logged by the targeted system's logging mechanisms.
· Try to hide within the usual site / network traffic.

[8] Stephen Northcutt, Network Intrusion Detection: An Analyst's Handbook, New Riders, 1999.
[9] http://www.netsys.com/firewalls/firewalls-9512/0085.html
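The three sections above (3.1.1 to 3.1.3) each describe a distinct pattern of TCP flags on the wire: a completed handshake, a refused connection, a half-open probe torn down with RST, and a NULL-flag probe. The following is an added example from a defender's side, not code from the original paper: it replays a hand-constructed packet trace through a small flow classifier that recognises those four patterns and then counts how many distinct ports each client touched. The hostnames "scanner" and "target", the port numbers and the flag sequences are all constructed for illustration. It shows concretely why a connect() scan leaves connection records that a SYN scan does not: only the "connect" flows ever reach the state that a host's connection log or application would record.

```python
"""Classify TCP flows in a constructed packet trace into the handshake patterns
described in sections 3.1.1 to 3.1.3 (added example; not part of the paper)."""
from collections import defaultdict

# Constructed trace: (src, dst, sport, dport, set of TCP flags).  "scanner" and
# "target" are placeholder hosts; the sequences mirror the text's descriptions.
TRACE = [
    # connect() scan of port 22: full three-way handshake, then orderly close
    ("scanner", "target", 40001, 22, frozenset({"SYN"})),
    ("target", "scanner", 22, 40001, frozenset({"SYN", "ACK"})),
    ("scanner", "target", 40001, 22, frozenset({"ACK"})),
    ("scanner", "target", 40001, 22, frozenset({"FIN", "ACK"})),
    # connect() attempt on closed port 23: target answers RST/ACK
    ("scanner", "target", 40002, 23, frozenset({"SYN"})),
    ("target", "scanner", 23, 40002, frozenset({"RST", "ACK"})),
    # half-open SYN scan of port 80: SYN/ACK is answered with RST, never ACKed
    ("scanner", "target", 40003, 80, frozenset({"SYN"})),
    ("target", "scanner", 80, 40003, frozenset({"SYN", "ACK"})),
    ("scanner", "target", 40003, 80, frozenset({"RST"})),
    # NULL probe of port 443: a packet with no flags set at all
    ("scanner", "target", 40004, 443, frozenset()),
]


def classify_flows(trace):
    """Return {(client, server, sport, dport): label} for every client-initiated flow.

    Labels: "connect" (handshake completed), "refused" (RST/ACK to the SYN),
    "half-open" (SYN/ACK answered with RST), "null-probe" (no flags), or
    "incomplete"/"unknown" for anything the trace does not finish.
    """
    flows = defaultdict(list)
    for src, dst, sport, dport, flags in trace:
        # Fold both directions onto the 4-tuple of whoever sent the first packet.
        key, rkey = (src, dst, sport, dport), (dst, src, dport, sport)
        if rkey in flows:
            flows[rkey].append(("server", frozenset(flags)))
        else:
            flows[key].append(("client", frozenset(flags)))

    labels = {}
    for key, pkts in flows.items():
        _, first_flags = pkts[0]
        if not first_flags:
            labels[key] = "null-probe"
            continue
        if "SYN" not in first_flags:
            labels[key] = "unknown"
            continue
        synack = any(d == "server" and {"SYN", "ACK"} <= f for d, f in pkts)
        refused = any(d == "server" and "RST" in f for d, f in pkts)
        client_ack = any(d == "client" and f == {"ACK"} for d, f in pkts)
        client_rst = any(d == "client" and "RST" in f for d, f in pkts)
        if refused and not synack:
            labels[key] = "refused"      # port not LISTENING
        elif synack and client_ack:
            labels[key] = "connect"      # full handshake: the OS/application sees a connection
        elif synack and client_rst:
            labels[key] = "half-open"    # SYN scan: torn down before the handshake completes
        else:
            labels[key] = "incomplete"
    return labels


def visible_in_connection_log(label):
    """Only a completed handshake produces the accept()/connection record the
    text says makes connect() scans easy to spot; the other patterns need
    packet-level (firewall/IDS) logging to be seen."""
    return label == "connect"


def scan_sources(labels, min_ports=3):
    """Clients that probed at least min_ports distinct destination ports, with the
    count; a simple threshold that catches all four patterns regardless of label."""
    ports = defaultdict(set)
    for (client, server, _sport, dport) in labels:
        ports[client].add((server, dport))
    return {c: len(p) for c, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    result = classify_flows(TRACE)
    for flow, label in result.items():
        logged = "yes" if visible_in_connection_log(label) else "no"
        print(f"{flow[0]}:{flow[2]} -> {flow[1]}:{flow[3]}  {label:10s}  connection log: {logged}")
    print("suspected scanners:", scan_sources(result))
```

Running the block prints one line per flow; only the port 22 flow is marked as visible in a connection log, while the threshold on distinct ports still catches the source because it looks at SYNs and NULL probes, not at completed connections. In practice the threshold and the time window would be tuned per network; the value 3 here is only a constructed default.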