Port Scanning

Created: 28.07.2022

There are several techniques for port scanning. Some of them work for one OS only.

Full Connect

OS: Windows, Linux
Pros: The most reliable
Cons: Noisy
CMD: nmap -sT

Mechanics

It’s the simplest scanning technique. It establishes a full TCP connection (see the TCP overview article): the client sends a SYN, receives a SYN/ACK, and then completes the handshake with an ACK, at which point the connection is established.

Responses

📬 Closed: RST
📭 Open: SYN + ACK

Stealth (Half-open)

OS: Windows, Linux
Pros: Stealthy. Firewalls won’t see it, since no connection is established.
Cons: IDS might spot it.
CMD: nmap -sS

Responses

📬 Closed: RST
📭 Open: SYN + ACK

Inverse TCP Scan

OS: Linux
Pros: Very stealthy.
Cons: Windows will respond with “open” to all probes.
CMD: nmap -sF (FIN flag), nmap -sN (no flags), hping -F (FIN), hping -P (PUSH), hping -U (URG flag)
RFC: 793

Mechanics

One of the following is sent: a FIN, URG or PUSH flag, or no flags at all (NULL).

Responses

📬 Closed: RST + ACK
📭 Open: no response

Xmas Scan

OS: Linux
Pros:
Cons: Windows will respond with “open” to all probes. Since the flag pattern is unusual for normal connections, it might be detected by IDS.
CMD: nmap -sX, hping -X

Mechanics

Three flags are set in the request: URG, PUSH and FIN. It is called Xmas because several unusual flags are “lit” at once, like the lights on a Christmas tree.

Responses

📬 Closed: RST + ACK
📭 Open: No response

ACK Flag Scan

OS: Old BSD
Pros: To avoid IDS
Cons: Slow.
CMD: nmap -sA -P0 <IP>, hping -A, nmap -sW

Mechanics

Usually a TCP connection starts with a SYN flag being sent. In this case an ACK flag is sent first instead. If the port is filtered, no response is received; otherwise an RST flag is returned. Based on the TTL or window size set in that response, you can deduce whether the port is open or closed.

Responses

📬 Closed: RST, TTL > 64 or window size == 0
📭 Open: RST, TTL < 64 or window size != 0
📎 Filtered: No response

IDLE Scan

OS: Windows, Linux
Pros: Stealthy. Firewalls won’t see it, since no connection is established.
Cons:
CMD: nmap -sI

Mechanics

In this technique another legitimate machine on the network is used to scan for you; afterwards you observe certain artefacts on that machine to determine whether the port was open or closed. It is possible only when that machine’s next IPID value can be predicted.

[Figures: packet exchange for an open port and for a closed port]

Responses

📬 Closed: IPID is incremented by 1
📭 Open: IPID is incremented by 2

UDP Scan

OS: Windows, Linux
Pros: Zero-byte message over UDP (IDS?)
Cons:
CMD: nmap -sU

Responses

📬 Closed: ICMP port unreachable (type 3, code 3)
📭 Open: No response
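A small classifier, added here as an example (it is not part of the original notes), that turns the response tables above into code: given the flags a probe carried and what came back, it returns the port state the rules on this page imply. The Reply type and the function names are my own; flag names follow tcpdump (PSH for PUSH), with PUSH accepted as well.

```python
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

@dataclass
class Reply:  # one reply to a probe; pass None instead of a Reply when nothing came back
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN", "ACK"}
    ttl: Optional[int] = None                            # IP TTL of the reply
    window: Optional[int] = None                         # TCP window of the reply
    icmp: Optional[Tuple[int, int]] = None               # (type, code) of an ICMP reply

XMAS = frozenset({"URG", "PSH", "FIN"})

def probe_kind(sent_flags: Iterable[str]) -> str:
    """Name the TCP probe from the flags it carries (the same test an IDS uses to tag odd probes)."""
    f = frozenset("PSH" if x == "PUSH" else x for x in sent_flags)
    if f == XMAS:
        return "xmas"
    if not f:
        return "null"
    return {frozenset({"FIN"}): "fin", frozenset({"SYN"}): "syn", frozenset({"ACK"}): "ack"}.get(f, "other")

def tcp_state(sent_flags: Iterable[str], reply: Optional[Reply]) -> str:
    """Apply the page's response tables for the TCP scan types."""
    kind = probe_kind(sent_flags)
    got_rst = reply is not None and "RST" in reply.flags
    if kind == "syn":                      # full connect and half-open read the reply the same way
        if reply is None:
            return "filtered"
        return "open" if {"SYN", "ACK"} <= reply.flags else ("closed" if got_rst else "unknown")
    if kind in ("fin", "null", "xmas"):    # inverse and Xmas scans: silence means open, RST means closed
        return "open" if reply is None else ("closed" if got_rst else "unknown")
    if kind == "ack":                      # ACK scan: a RST comes back unless the probe was filtered
        if reply is None:
            return "filtered"
        if not got_rst:
            return "unknown"
        if reply.ttl is not None:          # TTL rule first; the page gives no tiebreak against window size
            return "open" if reply.ttl < 64 else "closed"
        if reply.window is not None:
            return "open" if reply.window != 0 else "closked".replace("ked", "ed")
        return "unknown"
    return "unknown"

def idle_state(ipid_before: int, ipid_after: int) -> str:
    """IDLE scan: the helper machine's IPID grows by 1 for a closed port and by 2 for an open one."""
    return {1: "closed", 2: "open"}.get(ipid_after - ipid_before, "unknown")

def udp_state(reply: Optional[Reply]) -> str:
    """UDP scan: ICMP port unreachable (type 3, code 3) means closed; silence is read as open."""
    return "open" if reply is None else ("closed" if reply.icmp == (3, 3) else "unknown")
```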
