Different types of port scanning
Different types of port scanning techniques:
1. Open Scan : Also known as a vanilla scan. In this type of scan the hacker tries to connect to every port on the victim. The scan uses a normal TCP connection to determine port availability and relies on the TCP 3-way handshake that every other TCP application on a network uses. Because of this, the technique has the drawback that it is easily detected and blocked.
How does an open scan work?
When the port is open, the client sends a SYN, the server replies with SYN+ACK, and the client acknowledges with an ACK. Once the handshake is complete, the client terminates the connection. This confirms an open port. When the port is closed or "not listening", the server responds with RST+ACK, which the client acknowledges with an RST, and the connection is closed.
The disadvantage of this technique is that the attacker cannot spoof his identity, since spoofing would require sending the correct sequence number as well as setting the appropriate return flags to set up the data connection. Moreover, most stateful IDS and firewalls detect and log this scan, exposing both the attempt and the attacker's IP. The advantage is a fast, accurate scan that requires no additional privilege.
2. Half Open Scan : A half open scan is similar to the open or vanilla scan. The only difference is that it does not establish a complete connection with the host, so it becomes a little harder for the victim's firewall to detect; it is still detectable, however, because receiving ICMP echoes requires a connection to be established between your PC and the victim.
How does a half open scan work?
In a half-open scan, a complete TCP connection is not established. Instead, as soon as the server acknowledges with a SYN+ACK response, the client tears down the connection by sending an RST. This way the attacker detects an open port without establishing a full connection.
However, some good IDS and firewalls, such as ZoneAlarm, can detect a SYN packet from the void and prevent half open scans. Besides, this scan requires the attacker to craft a custom IP packet, which in turn requires access to SOCK_RAW (getprotobyname('raw') on most systems), /dev/bpf (Berkeley Packet Filter) or /dev/nit (Sun network interface tap). This requires administrator privileges.
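The two patterns above (a completed handshake that is torn down with no data, and a SYN answered by SYN+ACK and then reset) are what a stateful sensor keys on. The following detector is an added example, not code from the original article: it takes constructed, simplified flow records (one per TCP flow, carrying the sequence of flags the client sent), classifies each flow as connect-style, half-open, normal or other, and alerts on any source whose scan-like flows touch at least PORT_THRESHOLD distinct destination ports. The flow shape, the threshold and the sample addresses are assumptions; a real deployment would map Zeek conn.log or NetFlow TCP flag bits onto this shape.

```python
"""Detect open (connect) and half-open (SYN) scans from per-flow flag sequences.

Added example, not from the original article. Flow records are constructed:
(src_ip, dst_ip, dst_port, client_flag_sequence), where each flag string uses
tcpdump letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST ("PA" means PSH+ACK).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS: List[Tuple[str, str, int, List[str]]] = [
    # 10.0.0.5 completes the handshake on many ports, then closes without
    # sending data: the open/vanilla scan pattern.
    ("10.0.0.5", "10.0.0.20", 21, ["S", "A", "F"]),
    ("10.0.0.5", "10.0.0.20", 22, ["S", "A", "F"]),
    ("10.0.0.5", "10.0.0.20", 25, ["S", "A", "F"]),
    ("10.0.0.5", "10.0.0.20", 80, ["S", "A", "F"]),
    ("10.0.0.5", "10.0.0.20", 110, ["S", "A", "F"]),
    ("10.0.0.5", "10.0.0.20", 443, ["S", "A", "F"]),
    # 10.0.0.9 sends SYN and answers the SYN+ACK with RST: half-open pattern.
    ("10.0.0.9", "10.0.0.20", 21, ["S", "R"]),
    ("10.0.0.9", "10.0.0.20", 22, ["S", "R"]),
    ("10.0.0.9", "10.0.0.20", 25, ["S", "R"]),
    ("10.0.0.9", "10.0.0.20", 80, ["S", "R"]),
    ("10.0.0.9", "10.0.0.20", 443, ["S", "R"]),
    # Closed port: the client only ever sent a SYN (server answered RST+ACK).
    ("10.0.0.9", "10.0.0.20", 8080, ["S"]),
    # 10.0.0.7 is an ordinary client: one port, handshake, payload, close.
    ("10.0.0.7", "10.0.0.20", 443, ["S", "A", "PA", "F"]),
]

PORT_THRESHOLD = 5  # assumption: distinct ports per source before alerting


def classify_flow(flags: List[str]) -> str:
    """Label one flow from the client-side flag sequence.

    'half_open': SYN followed directly by RST (handshake never completed)
    'connect'  : handshake completed (ACK sent) but no payload (no PSH)
    'normal'   : handshake completed and payload exchanged
    'other'    : anything else, e.g. a lone SYN to a closed port
    """
    if not flags or flags[0] != "S":
        return "other"
    if len(flags) >= 2 and flags[1] == "R":
        return "half_open"
    if any("A" in f for f in flags[1:]):
        if any("P" in f for f in flags):
            return "normal"
        return "connect"
    return "other"


def detect_scans(flows, threshold: int = PORT_THRESHOLD) -> Dict[str, Tuple[str, int]]:
    """Return {src_ip: (scan_type, distinct_targets)} for sources whose
    scan-like flows reach at least `threshold` distinct (dst, port) pairs."""
    targets_by_src = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in flows:
        kind = classify_flow(flags)
        if kind in ("connect", "half_open"):
            targets_by_src[src][kind].add((dst, dport))
    alerts = {}
    for src, kinds in targets_by_src.items():
        for kind, targets in kinds.items():
            if len(targets) >= threshold:
                alerts[src] = (kind, len(targets))
    return alerts


if __name__ == "__main__":
    for src, (kind, n) in detect_scans(SAMPLE_FLOWS).items():
        print(f"{src}: {kind} scan across {n} ports")
```

The half-open signature is the cheapest to match because it needs only the first two client flags; the connect signature needs the whole flow, which is why the article's point that half-open scans are harder (not impossible) to catch holds in practice.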
3. Strobe Scan – In a strobe scan, hackers scan only a selected number of ports (usually under 20); the rest of the process is the same as an open scan. The difference is that it is a lightweight scan in which hackers probe specific ports on the host and analyze the results. A strobe does a narrower scan, looking only for those services the attacker knows how to exploit. Almost 90% of crackers use this technique, as it is fast and accurate.
Drawback: A limited scan may not produce the expected results, but it is very fast. Free Port Scanner works on the strobe technique only; it scans only Internet and web application service ports.
4. Stealth Scan – In this type of scanning technique, scanning is done in a stealthy manner that aims to prevent the "request for connection" from being logged.
Initially, half open scans were considered stealthy; however, as IDS software evolved, these scans were easily logged. Now, stealth scan refers to scans whose packets carry a particular flag other than SYN, a combination of flags, no flags set, or all flags set, so that they appear as normal traffic; scans that use fragmented packets; or scans that avoid filtering devices by any other means. All these techniques resort to inverse mapping to determine open ports.
Different types of stealth scans:
SYN|ACK Scan
The client sends a packet with SYN+ACK set to the target. For a closed port, the server replies with RST, while an open port will not reply. This is because the TCP protocol requires a SYN flag to initiate a connection. This scan may generate a certain amount of false positives: for instance, packets dropped by filtering devices, network congestion, timeouts, etc. can give a wrong inference of an open port while the port may or may not be open. However, this is a fast scan that avoids the three-way handshake.
FIN Scan
Similar to the SYN|ACK scan, but a FIN flag is sent to the target instead. Closed ports are required to reply to the probe packet with RST, while open ports must ignore the packet in question. This scan attempts to exploit weaknesses in BSD code. Since most OSes are based on or derived from BSD, this was a scan that could return good results. However, most OSes have applied patches to correct the problem; still, there remains a possibility that the attacker may come across one where these patches have not been applied.
ACK Scan
This scan takes advantage of the IP routing function to deduce the state of the port from the TTL value. It is based on the fact that IP forwarding is a routing function; therefore the TTL value is decremented by one at each interface the IP packet passes through.
NULL Scan
In a NULL scan, the packet is sent without any flags set. This takes advantage of RFC 793, as the RFC does not specify how the system should respond. Most UNIX and UNIX-related systems respond with a RST (if the port is open) to close the connection. However, Microsoft's implementation does not abide by this standard and reacts differently to such a scan. An attacker can use this to differentiate a Windows machine from others by correlating with other scan results. For example, if -sF, -sX or -sN scans show all ports closed, but a SYN (-sS) scan shows ports open, the attacker can infer that he is scanning a Windows machine. This is not an exclusive property, though, as the same behavior is shown by Cisco, BSDI, HP/UX, MVS and IRIX. Also note that the reserved bits (RES1, RES2) do not affect the result of any scan. Therefore this scan will work only with UNIX and related systems.
Xmas Scan
In an Xmas scan, all flags are set. All the available flags in the TCP header (ACK, FIN, RST, SYN, URG, PSH) are set to give the scan an ornamental look. This scan works on UNIX and related systems and causes the kernel to drop the packet if the receiving port is open.
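Every stealth probe listed above (SYN|ACK without a preceding SYN, FIN alone, no flags, all flags) is a flag combination that a real TCP client never originates, which makes them easy to label on the wire even when no connection is ever logged. The classifier below is an added example, not code from the original article; it parses constructed tcpdump-like lines of the form "src:sport > dst:dport flags=0xNN", labels each packet, and counts probe types per source. It generalizes slightly beyond the page's definition of Xmas (all six flags) by also labelling the FIN+PSH+URG combination that nmap's -sX sends; the line format, the sample addresses and the SYN-tracking rule for unsolicited SYN+ACK are assumptions.

```python
"""Label TCP flag combinations that legitimate stacks never originate.

Added example, not from the original article. The log format is constructed:
'<src>:<sport> > <dst>:<dport> flags=0xNN', with NN the TCP flags byte.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG      # 0x3f: the page's "all flags set"
NMAP_XMAS = FIN | PSH | URG                      # 0x29: what nmap -sX sends

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=0x(?P<flags>[0-9a-fA-F]{2})$"
)

# Constructed sample log: 10.0.0.9 probes 10.0.0.20; 10.0.0.7 is a normal client.
SAMPLE_LOG = """\
10.0.0.9:40001 > 10.0.0.20:22 flags=0x00
10.0.0.9:40002 > 10.0.0.20:80 flags=0x00
10.0.0.9:40003 > 10.0.0.20:443 flags=0x01
10.0.0.9:40004 > 10.0.0.20:25 flags=0x3f
10.0.0.9:40005 > 10.0.0.20:110 flags=0x29
10.0.0.9:40006 > 10.0.0.20:8080 flags=0x12
10.0.0.7:51000 > 10.0.0.20:443 flags=0x02
10.0.0.20:443 > 10.0.0.7:51000 flags=0x12
10.0.0.7:51000 > 10.0.0.20:443 flags=0x10
10.0.0.7:51000 > 10.0.0.20:443 flags=0x18
10.0.0.7:51000 > 10.0.0.20:443 flags=0x11
"""


def parse_line(line: str):
    """Return (src, sport, dst, dport, flags) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["flags"], 16))


def label_flags(flags: int, solicited: bool) -> str:
    """Map a flags byte to the probe type it matches, or 'normal'."""
    if flags == 0:
        return "null_scan"
    if flags in (ALL_SIX, NMAP_XMAS):
        return "xmas_scan"
    if flags == FIN:
        return "fin_scan"
    if flags == SYN | ACK and not solicited:
        return "synack_probe"      # SYN+ACK with no SYN from the other side
    return "normal"


def scan_log(text: str) -> Tuple[List[str], Dict[str, Counter]]:
    """Label every line and count probe types per source address.

    A SYN+ACK from A:ap to B:bp is solicited only if B:bp earlier sent a
    SYN to A (tracked per (sender, sender_port, peer) triple).
    """
    syn_sent = set()
    labels: List[str] = []
    per_src: Dict[str, Counter] = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            labels.append("unparsed")
            continue
        src, sport, dst, dport, flags = rec
        if flags == SYN:
            syn_sent.add((src, sport, dst))
        solicited = (dst, dport, src) in syn_sent
        label = label_flags(flags, solicited)
        labels.append(label)
        if label != "normal":
            per_src[src][label] += 1
    return labels, dict(per_src)


if __name__ == "__main__":
    _, counts = scan_log(SAMPLE_LOG)
    for src, c in counts.items():
        print(src, dict(c))
```

An ACK-only probe (flags=0x10) is deliberately not labelled here: ACK segments are ordinary traffic, and the ACK scan described above is inferred from TTL values, not from the flags byte, so it needs connection state that a flag classifier does not have.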
5. FTP Bounce Scan – The ability to hide their tracks is an important task for hackers, and in port scanning this is achieved using the FTP bounce scan technique.
FTP bounce scanning takes advantage of a vulnerability in the FTP protocol itself. The scan relies on FTP servers with read/write access. Its advantage can be both anonymity and accessibility. Suppose the target network allows FTP data transfers only from its recognized partners. An attacker might discover a business partner running an FTP service with a world-writable directory that any anonymous user can drop files into and read them back from. It could even be the ISP hosting services on its FTP server. The attacker, who has an FTP server able to run in passive mode, logs in anonymously to the legitimate server and issues instructions for scanning or accessing the target server through a series of FTP commands. He may choose to turn this into a batch file and execute it from the legitimate server to avoid detection.
If a connection is established as a means of active data transfer processing (DTP), the client knows a port is open, with 150 and 226 responses issued by the server. If the transfer fails, a 425 error is generated with a refused-build-data message. The PASV listener connection can be opened on any machine that grants the attacker file write access and used to bounce the scan for anonymity. It does not even have to be an FTP server; any utility that listens on a known TCP port and reads raw data from it into a file will do.
Often these scans are executed as batch files padded with junk so that the TCP windows are full and the connection stays alive long enough for the attacker to execute the commands. Fingerprinting the OS helps determine the TCP window size and allows the attacker to pad the commands accordingly for further access.
This scan is hard to trace, permits access to the local network and evades firewalls. However, most FTP servers have patched this vulnerability by adopting countermeasures such as preventing third-party connections and disallowing listing of restricted ports. Another measure adopted has been restricting write access.
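The countermeasure the last paragraph names, preventing third-party connections, comes down to one check on the FTP server: the address a client supplies in a PORT command must be the address of the control connection, and a PASV data connection must arrive from that same peer. The code below is an added example, not the original article's or any FTP server's code; it parses the PORT argument (h1,h2,h3,h4,p1,p2), applies the two checks, and audits a constructed command sequence so that a bounce attempt shows up as repeated rejections of one third-party host. The 1024 cut-off for restricted ports and the reply wording are assumptions; the reply codes 200, 500 and 501 are the standard FTP codes.

```python
"""Server-side FTP bounce countermeasure: validate PORT / PASV data endpoints.

Added example, not from the original article. Control-connection peer
addresses and the command sequence are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_ARG_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
MIN_DATA_PORT = 1024  # assumption: well-known ports are treated as restricted


@dataclass
class Decision:
    allowed: bool
    reply: str  # FTP reply line the server would send


def parse_port_arg(arg: str) -> Optional[Tuple[str, int]]:
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    m = PORT_ARG_RE.match(arg.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def validate_port_command(control_peer_ip: str, arg: str) -> Decision:
    """Accept a PORT command only for the control peer's own address on an
    unrestricted port; anything else is a third-party (bounce) request."""
    parsed = parse_port_arg(arg)
    if parsed is None:
        return Decision(False, "501 Syntax error in parameters or arguments.")
    ip, port = parsed
    if ip != control_peer_ip:
        return Decision(False, "500 Illegal PORT command: address is not the control connection peer.")
    if port < MIN_DATA_PORT:
        return Decision(False, "500 Illegal PORT command: restricted port.")
    return Decision(True, "200 PORT command successful.")


def accept_pasv_data_connection(control_peer_ip: str, data_peer_ip: str) -> bool:
    """In passive mode, only the control peer may connect to the data port."""
    return data_peer_ip == control_peer_ip


def audit_session(control_peer_ip: str, commands: List[str]) -> Dict[str, int]:
    """Count rejected third-party PORT targets per host across one session.
    Many rejections against a single foreign host is the bounce-scan shape."""
    rejected: Dict[str, int] = {}
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        if verb.upper() != "PORT":
            continue
        parsed = parse_port_arg(arg)
        if parsed and not validate_port_command(control_peer_ip, arg).allowed:
            rejected[parsed[0]] = rejected.get(parsed[0], 0) + 1
    return rejected


# Constructed session: client 192.0.2.10 tries to aim data connections at
# 198.51.100.5 (a third party) on several ports, then uses its own address.
SAMPLE_COMMANDS = [
    "USER anonymous",
    "PORT 198,51,100,5,0,21",
    "LIST",
    "PORT 198,51,100,5,0,22",
    "LIST",
    "PORT 198,51,100,5,0,80",
    "LIST",
    "PORT 192,0,2,10,200,10",
    "LIST",
]

if __name__ == "__main__":
    print(audit_session("192.0.2.10", SAMPLE_COMMANDS))
```

Restricting write access, the article's other countermeasure, is a separate control on the filesystem side and is not modelled here; the endpoint check alone already removes the server's usefulness as a scan relay.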