
3.1.3.1 Explicit Stealth Mapping Techniques

The frequently used explicit mapping techniques are:
· SYN/ACK scan.
· FIN scans.
· XMAS scans.
· NULL scans.

According to RFC 793 [10], closed ports are required to reply with a RESET packet to our probe packets, while open ports must ignore any packet in question. This applies to all scanning methods described here.

3.1.3.1.1 SYN/ACK

This scan intentionally disregards the TCP three-way handshake. We send a SYN/ACK packet, which is step two in the TCP three-way handshake, without ever sending the SYN packet of step one.

Sending a SYN/ACK packet to a closed port: because TCP is stateful, it knows that no SYN, the first step of the three-way TCP handshake, has been sent. TCP figures this packet must be a mistake and sends a RESET to tear down the connection. This is what we wished for: any kind of response gives away the existence of the system and the fact that the probed port is closed. If we send the SYN/ACK to an open port, it will ignore any such packet.

3.1.3.1.2 FIN

The FIN scan uses the FIN packet as the probe. The hacker sends a FIN packet to a targeted port on a probed system and waits for a response [11].

3.1.3.1.3 XMAS (Christmas Tree)

XMAS is a scanning type which sends a TCP packet with the URG, ACK, PSH, RST, SYN and FIN flags set, i.e. all the TCP flags are set.

3.1.3.1.4 NULL

The NULL scan is a scanning type which sends a TCP packet with all flags turned off. The probed system should send back a RESET for all closed ports. According to RFC 793 this should work against every implementation of TCP regardless of the operating system it runs on. Life is not always simple: Windows, CISCO, BSDI, HP/UX, MVS and IRIX have a broken TCP implementation; they send RESETs to open ports as well.
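The four probe types above are easy to recognise on the wire precisely because none of them is a valid start of a TCP conversation: a bare FIN, a segment with every flag set, a segment with no flags, or a SYN/ACK that answers no SYN. The following example, added here and not part of the original text, shows a small sensor-side classifier that applies those rules to constructed packet records and also encodes the RFC 793 response expectation (RESET for a closed port, silence for an open one) together with the broken-stack caveat, where an open port answers with a RESET as well and the probe can no longer tell the two states apart. The record format, addresses and port numbers are invented for the example.

```python
"""Classify TCP segments that match the stealth-probe flag combinations
described above, and model the response RFC 793 says each should draw.
Added example with constructed sensor records; not taken from any real capture."""
from collections import Counter, defaultdict

# TCP flag bits in the usual single-letter shorthand.
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = 0x3F  # URG, ACK, PSH, RST, SYN and FIN all set (XMAS)


def flags_to_bits(letters):
    """Turn a flag string such as 'SA' or 'UAPRSF' into a bitmask ('' -> 0)."""
    bits = 0
    for ch in letters:
        bits |= FLAGS[ch]
    return bits


def classify_probe(bits, seen_syn=False):
    """Return the probe type a segment matches, or None for ordinary traffic.

    seen_syn says whether the flow already carried a client SYN; if so a
    SYN/ACK is the legitimate step two of the handshake, not a probe."""
    if bits == 0:
        return "null"
    if bits == ALL_FLAGS:
        return "xmas"
    if bits == FLAGS["F"]:
        return "fin"
    if bits == (FLAGS["S"] | FLAGS["A"]) and not seen_syn:
        return "syn_ack"
    return None


def expected_response(port_open, broken_stack=False):
    """RFC 793 behaviour: closed port -> RST, open port -> no reply.
    The stacks the text lists as broken send RST for open ports too, so the
    probe yields 'RST' either way and reveals nothing about the port state."""
    if not port_open or broken_stack:
        return "RST"
    return None


def scan_records(records):
    """records: (src, sport, dst, dport, flag_letters) tuples in arrival order.
    Returns {source_ip: {probe_type: count}} for sources that sent probes."""
    syn_seen = set()          # (client, server, server_port) flows opened by a SYN
    hits = defaultdict(Counter)
    for src, sport, dst, dport, letters in records:
        bits = flags_to_bits(letters)
        if bits == FLAGS["S"]:
            syn_seen.add((src, dst, dport))
        # A legitimate SYN/ACK travels server -> client and answers a SYN that
        # went client -> server on the same server port.
        legit = (dst, src, sport) in syn_seen
        kind = classify_probe(bits, seen_syn=legit)
        if kind is not None:
            hits[src][kind] += 1
    return {src: dict(counts) for src, counts in hits.items()}


# Constructed sensor records: one normal handshake, then one of each probe type
# and an unrelated ACK from a second address.
SAMPLE_RECORDS = [
    ("10.0.0.5", 40000, "10.0.0.9", 80, "S"),        # client SYN
    ("10.0.0.9", 80, "10.0.0.5", 40000, "SA"),       # server SYN/ACK (legitimate)
    ("203.0.113.7", 51000, "10.0.0.9", 22, "SA"),    # SYN/ACK with no prior SYN
    ("203.0.113.7", 51001, "10.0.0.9", 23, "F"),     # FIN probe
    ("203.0.113.7", 51002, "10.0.0.9", 25, "UAPRSF"),  # XMAS probe
    ("203.0.113.7", 51003, "10.0.0.9", 80, ""),      # NULL probe
    ("203.0.113.7", 51004, "10.0.0.9", 443, "A"),    # plain ACK, not classified
]

if __name__ == "__main__":
    for src, counts in scan_records(SAMPLE_RECORDS).items():
        print(src, counts)
    for state in (False, True):
        print("open" if state else "closed", "port, RFC 793 stack:",
              expected_response(state),
              "| broken stack:", expected_response(state, broken_stack=True))
```

Because the classifier keys flows on the client SYN, the server's own SYN/ACK in the sample handshake is not reported while the unsolicited SYN/ACK from the second address is; a sensor that only looked at flag bits would raise a false alarm on every normal handshake.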
One method suggested by Fyodor [12] (nmap tool programmer) is: if you scan using FIN, XMAS or NULL and the results show all ports are closed, and then you SYN scan and find out

[10] http://www.ietf.org/rfc/rfc0793.txt
[11] Uriel Maimon, Port Scanning without the SYN flag, Phrack 49, Volume Seven, Issue Forty Nine.
[12] Fyodor, The art of port scanning, Phrack 51