3.1.3.1 Explicit Stealth Mapping Techniques
The frequently used explicit mapping techniques are:
· SYN/ACK scan
· FIN scan
· XMAS scan
· NULL scan
According to RFC 793 [10], a closed port is required to reply to our probe packet with a RESET, while an open port must silently ignore a probe that does not start a handshake.
This applies to all the scanning methods described here; in each case the scanner learns nothing from an open port and a RESET from a closed one, so a silent port is either open or behind a filter that dropped the probe.
3.1.3.1.1 SYN/ACK
This scan intentionally disregards the TCP three-way handshake. We send a SYN/ACK packet, which is step two of the three-way handshake, without ever having sent the SYN of step one.
Sending a SYN/ACK packet to a closed port:
Because TCP is stateful, the target knows that no SYN (the first step of the three-way handshake) has been received. It concludes that the packet must be a mistake and sends a RESET to tear down the connection. This is exactly what we wanted: any kind of response gives away the existence of the system and the fact that the probed port is closed.
If we send the SYN/ACK to an open port, the expectation is that the port ignores it. A caveat: the LISTEN-state processing in RFC 793 specifies a RESET for any ACK-bearing segment that arrives on a listening port, so a strictly RFC-compliant stack answers with a RESET from open and closed ports alike. Against such a stack the probe only tells whether the port is reachable at all (unfiltered), which is how nmap's ACK scan (-sA) uses it; telling open from closed with this probe relies on stacks that drop the unexpected SYN/ACK instead.
3.1.3.1.2 FIN
The FIN scan uses a FIN packet as the probe. The scanner sends a FIN packet to a targeted port on the probed system and waits for a response [11]: a RESET means the port is closed, while no response means the port is open (or the probe was dropped by a filter on the way).
3.1.3.1.3 XMAS (Christmas Tree)
XMAS is a scanning type which sends a TCP packet with the URG, ACK, PSH, RST, SYN and FIN flags set, i.e. all six TCP flags. Note that nmap's XMAS scan (-sX) sets only FIN, PSH and URG: RFC 793 has a target discard any incoming segment that carries RST, so a probe with RST set draws no RESET even from a closed port.
3.1.3.1.4 NULL
The NULL scan is a scanning type which sends a TCP packet with all flags turned off. The probed system should send back a RESET for every closed port and nothing for an open one.
According to RFC 793, this should work against every implementation of TCP regardless of the operating system it runs on. Life is not always that simple: Windows, Cisco, BSDI, HP/UX, MVS and IRIX have a non-conforming TCP implementation that sends RESETs from open ports as well, so against these systems a FIN, XMAS or NULL scan reports every port as closed.
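The probes described in this section and the replies they draw, as an added example written for this page (it is not the paper's own code and not nmap's): it builds the raw TCP header for each probe type, models the reply of a stack that follows RFC 793 literally next to one of the non-conforming stacks named above, and implements the SYN-scan cross-check. The addresses, ports and the set of open ports are constructed sample values. In the RFC 793 model a SYN/ACK probe draws a RESET from a listening port too (LISTEN state treats any ACK as bad), and an all-flags XMAS probe, carrying RST, draws nothing even from a closed port.

```python
import socket
import struct

# RFC 793 control bits, as laid out in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe types from the text. "XMAS" is nmap's -sX flag set (FIN, PSH, URG);
# "XMAS-all" is the every-flag variant the text describes. "SYN" is the
# ordinary half-open probe, included for the cross-check at the end.
PROBES = {
    "SYN": SYN,
    "SYN/ACK": SYN | ACK,
    "FIN": FIN,
    "XMAS": FIN | PSH | URG,
    "XMAS-all": FIN | SYN | RST | PSH | ACK | URG,
    "NULL": 0,
}


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that TCP prepends when checksumming (RFC 793 3.1)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_probe(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024):
    """20-byte TCP header (no options, no payload) carrying `flags`, with a
    correct checksum: what a raw-socket scanner would hand to the IP layer."""
    data_offset = 5 << 4            # header length in 32-bit words, top nibble
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """A correctly checksummed segment sums to zero with its pseudo-header."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def flags_of(segment: bytes) -> int:
    """Control bits of an on-the-wire TCP header (low six bits of byte 13)."""
    return segment[13] & 0x3F


def rfc793_response(port_open: bool, probe_flags: int):
    """Reply of an RFC 793 stack to a probe that matches no connection
    (section 3.9, segment arrives in the CLOSED or LISTEN state)."""
    if probe_flags & RST:
        return None                 # a segment carrying RST is never answered
    if not port_open:
        return "RST"                # CLOSED: any other segment draws a RST
    if probe_flags & ACK:
        return "RST"                # LISTEN: an ACK is "bad" here, RST it
    if probe_flags & SYN:
        return "SYN/ACK"            # LISTEN: a plain SYN starts the handshake
    return None                     # LISTEN: FIN / NULL / XMAS dropped silently


def nonconformant_response(port_open: bool, probe_flags: int):
    """Model of the stacks the text names (Windows, Cisco, ...): open ports
    answer RST as well, so only a real SYN can tell open from closed."""
    if probe_flags & RST:
        return None
    if port_open and (probe_flags & SYN) and not (probe_flags & ACK):
        return "SYN/ACK"
    return "RST"


def classify(response):
    """Scanner-side reading of the reply (or silence) to one probe."""
    if response == "RST":
        return "closed"
    if response == "SYN/ACK":
        return "open"
    return "open|filtered"          # silence: open, or a filter ate the probe


def scan(respond, ports, open_ports, probe="FIN"):
    """Send one probe type to each port; `respond` models the target's stack."""
    return {p: classify(respond(p in open_ports, PROBES[probe])) for p in ports}


def stealth_results_trustworthy(stealth, syn):
    """Cross-check: a FIN/XMAS/NULL scan reporting every port closed while a
    SYN scan of the same ports finds open ones means the stack RSTs open
    ports, and the stealth results carry no information about port state."""
    all_closed = all(v == "closed" for v in stealth.values())
    syn_found_open = any(v == "open" for v in syn.values())
    return not (all_closed and syn_found_open)


if __name__ == "__main__":
    ports, open_ports = [22, 80, 443], {22, 80}     # constructed sample target
    for name, model in (("RFC 793 stack", rfc793_response),
                        ("non-conformant stack", nonconformant_response)):
        print(name, "FIN scan:", scan(model, ports, open_ports, "FIN"))
        print(name, "SYN scan:", scan(model, ports, open_ports, "SYN"))
```

Running the module shows the FIN scan separating 443 from 22 and 80 on the RFC 793 model and reporting all three as closed on the non-conforming one, which is exactly the situation the SYN-scan cross-check is meant to catch. The header builder never touches the network; feeding its output to a raw socket (which needs root and an IP header in front) is left to the reader.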
One method suggested by Fyodor [12] (the author of the nmap tool) is this: if you scan using FIN, XMAS or NULL and the results show all ports as closed, then you SYN scan and find out
[10] http://www.ietf.org/rfc/rfc0793.txt
[11] Uriel Maimon, Port Scanning without the SYN flag, Phrack 49 (Volume Seven, Issue Forty-Nine).
[12] Fyodor, The Art of Port Scanning, Phrack 51.