SCANNING: Scanning is the gathering of intelligence about a system or network. It is used for network auditing and system maintenance, and by attackers as a preparatory phase of an attack. The purpose of scanning is to identify live hosts, IP addresses and open ports in a target network, and to discover the operating systems, the services running on those hosts and the vulnerabilities in them. Three types of scanning are involved:
Port scanning: Probing the target for live systems, open ports and the services running behind those ports.
Vulnerability scanning: Checking the target for weaknesses that can be exploited, usually with automated tools.
Network mapping: Finding the topology of the network (routers, firewalls and servers, if any) together with host information, and drawing a network diagram from what was found. This map is a valuable reference throughout the rest of the engagement.
Before scanning, you need to understand how a connection is established between a source and a destination, and what a scan actually does on the wire. Note: in this section some terms are used with the following meanings. Source host = attacker's computer. Destination host = target computer. Zombie host = innocent third-party computer.
TCP (Transmission Control Protocol): TCP is one of the main protocols of TCP/IP networks. Before it transmits data, TCP creates a connection between the source and destination and keeps it alive for as long as the communication is active; the connection is established through the three-way handshake. TCP breaks large data into smaller segments and ensures that the data arrives intact and in order when it is reassembled at the destination. TCP is used where every transmitted byte must arrive, such as HTTP, HTTPS, FTP, SMTP and Telnet.
Process of the three-way handshake
> The source sends a SYN packet to the destination.
> The destination, on receiving the SYN, responds with a SYN+ACK packet; the ACK part acknowledges the source's SYN.
> Finally, the source sends an ACK packet for the destination's SYN+ACK.
> This final ACK confirms to the destination that its SYN+ACK arrived at the source, and the connection is established in both directions.
TCP communication flags: TCP flags are bits in the TCP header that indicate the state of the connection between source and destination, which also makes them useful for troubleshooting. The TCP communication flags are: > SYN (Synchronize): Initiates a connection between source and destination. > ACK (Acknowledgement): Acknowledges the receipt of data or of another flag, for example a SYN. > PSH (Push): Tells the receiver to hand all buffered data to the application immediately instead of waiting for more. > URG (Urgent): Marks the data indicated by the urgent pointer as needing to be processed as soon as possible. > FIN (Finish): Announces that the sender has no more data to transmit. > RST (Reset): Aborts a connection, for example in response to an error or to a packet that does not belong to any connection.
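As an added example (not part of the original material), the following Python builds the three handshake packets as raw 20-byte TCP headers and parses them back, so the flag bits and the sequence/acknowledgement arithmetic described above can be inspected directly. The port numbers and initial sequence numbers are illustrative values chosen for this example, and the checksum is left at zero because no IP pseudo-header is computed.

```python
import struct

# Bits of the TCP header's flags byte (RFC 793), low bit first.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
# Fixed 20-byte header: src port, dst port, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
TCP_HEADER = "!HHIIBBHHH"


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Pack a minimal TCP header with the named flags set (no options; checksum left 0)."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    return struct.pack(TCP_HEADER, src_port, dst_port, seq, ack, data_offset, flag_byte, window, 0, 0)


def parse_tcp_header(raw):
    """Unpack a TCP header and decode its flag byte into flag names."""
    if len(raw) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    src, dst, seq, ack, offset, flag_byte, window, _csum, _urg = struct.unpack(TCP_HEADER, raw[:20])
    flags = tuple(name for name, bit in FLAG_BITS.items() if flag_byte & bit)
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": (offset >> 4) * 4, "flags": flags, "window": window}


def handshake_trace(client_isn, server_isn, client_port=40000, server_port=80):
    """Build the three handshake packets and parse them back, showing the seq/ack arithmetic.

    client_isn / server_isn are the initial sequence numbers each side picks; the ISNs
    and ports used here are illustrative values, not captured traffic.
    """
    packets = [
        # 1. SYN: the source proposes its ISN; there is nothing to acknowledge yet
        build_tcp_header(client_port, server_port, client_isn, 0, ["SYN"]),
        # 2. SYN+ACK: the destination proposes its own ISN and acknowledges the SYN (ack = client_isn + 1)
        build_tcp_header(server_port, client_port, server_isn, client_isn + 1, ["SYN", "ACK"]),
        # 3. ACK: the source acknowledges the destination's SYN (ack = server_isn + 1); connection established
        build_tcp_header(client_port, server_port, client_isn + 1, server_isn + 1, ["ACK"]),
    ]
    return [parse_tcp_header(p) for p in packets]


if __name__ == "__main__":
    for n, pkt in enumerate(handshake_trace(client_isn=1000, server_isn=5000), 1):
        print(n, "+".join(pkt["flags"]), "seq=%d ack=%d" % (pkt["seq"], pkt["ack"]))
```

The same two helpers can be pointed at a real capture: feed `parse_tcp_header` the bytes that follow the IP header of a sniffed packet and it will name the flags, which is how a scanner or an IDS recognises a SYN+ACK, an RST, or an odd combination such as FIN+PSH+URG.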
UDP (User Datagram Protocol): UDP is one of the oldest network protocols in existence. It is a simple OSI transport-layer protocol for client/server applications, runs directly over the Internet Protocol (IP), and is the main alternative to TCP. UDP is connectionless: there is no handshake and no connection state, which is why it is faster than TCP. The source simply sends datagrams to the destination and moves on to the next one without waiting for confirmation that the previous one arrived. If the destination misses some datagrams it cannot ask for them again, so there is no guarantee that it receives everything, but dropping this overhead lets hosts communicate more quickly. UDP is used where occasional loss is acceptable or is handled by the application, for example DNS, DHCP, TFTP, SNMP, RIP and VoIP. Some further examples with explanation: tunneling/VPN (lost packets are fine; the tunneled protocol takes care of retransmission); media streaming (lost frames are fine); games that do not need every update; local broadcast mechanisms (copies of the same application on different machines "discovering" each other).
Scanning methodologies: TCP connect scan: The TCP connect scan, also called a full-open scan, is the original form of port scan. It attempts to establish a complete connection with each port in a range, using the full three-way handshake. Because the connection is completed, the destination host's application and system logs record the source's address, and the scan is easily detected by most firewalls and IDSs. Its advantage is that it needs no special privileges: it uses the operating system's normal connect() call.
PORT IS OPEN
> The source sends a SYN packet to the destination.
> The destination, on receiving the SYN, responds with a SYN+ACK packet.
> Finally, the source sends an ACK packet to the destination, completing the handshake; the port is open. (The scanner then closes the connection it just opened.)
PORT IS CLOSED
> The source sends a SYN packet to the destination.
> The destination, on receiving the SYN, responds with an RST packet; the port is closed.
If no reply arrives before the timeout (or an ICMP unreachable error comes back), the port is reported as filtered.
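Added example, not from the original material: a working TCP connect scan against the local machine, using only the Python standard library. It starts a listener on a free loopback port, scans that port and a port nothing listens on, and records the peer address the listener saw, which is the log entry a connect scan leaves behind on the destination. The loopback address, the ephemeral ports and the one-second timeout are assumptions of this example.

```python
import errno
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Listen on an ephemeral loopback port and record every peer that completes the handshake."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.1)
    log = []                  # peers seen by accept(): what a connect scan leaves in the destination's logs
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            log.append(peer[0])
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], log, stop


def free_closed_port(host="127.0.0.1"):
    """Ask the kernel for an unused ephemeral port and release it, so nothing listens there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """Full-open scan: one connect() per port, classified by how the kernel's handshake ended."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                err = s.connect_ex((host, port))
            except (socket.timeout, OSError):
                err = errno.ETIMEDOUT
        if err == 0:
            results[port] = "open"        # SYN, SYN+ACK, ACK all completed
        elif err == errno.ECONNREFUSED:
            results[port] = "closed"      # the destination answered the SYN with RST
        else:
            results[port] = "filtered"    # no answer in time, or an ICMP unreachable error
    return results


def run_demo():
    """Scan one listening and one closed loopback port; return results plus the listener's peer log."""
    open_port, log, stop = start_listener()
    closed_port = free_closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
        deadline = time.time() + 2
        while not log and time.time() < deadline:   # give the listener thread time to accept()
            time.sleep(0.05)
    finally:
        stop.set()
    return results, open_port, closed_port, list(log)


if __name__ == "__main__":
    results, open_port, closed_port, log = run_demo()
    print("scan results:", results)
    print("listener logged connections from:", log)
```

The peer log is the point of the exercise: the open port's listener saw a completed connection from 127.0.0.1, exactly what a real service would write to its access log, whereas the closed port produced only a kernel-level RST that no application ever sees.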
Stealth scan (SYN scan): The stealth scan, also called a half-open scan, is the most widely used scan type because it never completes the TCP three-way handshake. When the source receives a SYN+ACK from the destination, implying an open port, it immediately tears the connection down with an RST instead of sending the final ACK. It was considered stealthy because the connection is never established and therefore does not appear in the destination's application logs; however, it is easily detected by IDSs, and sending the probes requires raw-socket (root or administrator) privileges. Related scans that go further in trying to evade detection use unusual flag settings, fragmentation and other evasion techniques, such as the FIN scan, NULL scan and Xmas scan described below.
PORT IS OPEN
> The source sends a SYN packet to the destination.
> The destination, on receiving the SYN, responds with a SYN+ACK packet.
> Finally, the source sends an RST packet to the destination instead of completing the handshake; the port is open.
PORT IS CLOSED
> The source sends a SYN packet to the destination.
> The destination, on receiving the SYN, responds with an RST packet; the port is closed.
Xmas scan: The Xmas scan, also called the Christmas-tree scan because the FIN, PSH and URG flags "light up" the packet, is stealthier than a SYN scan because it breaks the rules of TCP connection establishment: it sends an unexpected packet at the start of the connection instead of a SYN. Xmas packets should never appear in normal traffic, so if you see one on your network, someone is scanning it. The packet is invalid from TCP's point of view, and IDSs and more advanced firewalls detect the scan easily. It relies on the RFC 793 rule that an open port silently drops such a packet while a closed port answers with RST, so it only works against RFC-compliant stacks (most Unix-based systems); current versions of Windows and several other stacks send RST regardless of port state, so every port appears closed. A port that does not answer may also simply be filtered, so the honest result is "open|filtered" rather than a definite "open".
PORT IS OPEN
> The source sends a packet with the FIN, URG and PSH flags set to the destination.
> If there is no response from the destination, the port is open (or filtered).
PORT IS CLOSED
> The source sends a packet with the FIN, URG and PSH flags set to the destination.
> The destination, on receiving the FIN/URG/PSH packet, responds with an RST packet; the port is closed.
FIN scan: The FIN scan is like an Xmas scan but sends a packet with just the FIN flag set, which is harder to pick out than an Xmas packet. It breaks the rules of TCP connection establishment: a FIN is normal at the end of a connection, but a FIN that belongs to no established connection should never be seen, so if you see one, someone is scanning your network. IDSs and more advanced firewalls still detect it. Like the Xmas scan it depends on RFC 793 behaviour, so it only works against Unix-based stacks and not against current versions of Windows, where every port answers with RST and therefore appears closed.
PORT IS OPEN
> The source sends a FIN packet to the destination.
> If there is no response from the destination, the port is open (or filtered).
PORT IS CLOSED
> The source sends a FIN packet to the destination.
> The destination, on receiving the FIN packet, responds with an RST packet; the port is closed.
NULL scan: The NULL scan works like the Xmas and FIN scans, but the probe is a TCP packet with no flags set at all. It breaks the rules of TCP connection establishment, and NULL packets should never appear in normal traffic, so if you see any, someone is scanning your network. IDSs and more advanced firewalls detect it easily. Like the other two it depends on RFC 793 behaviour, so it only works against Unix-based stacks and not against current versions of Windows, where every port answers with RST and therefore appears closed.
PORT IS OPEN
> The source sends a TCP packet with no flags set to the destination.
> If there is no response from the destination, the port is open (or filtered).
PORT IS CLOSED
> The source sends a TCP packet with no flags set to the destination.
> The destination, on receiving the flagless packet, responds with an RST packet; the port is closed.
UDP scan:
Because UDP has no handshake, a UDP scan simply sends a datagram (usually empty) to each port and watches for ICMP errors. It locates open UDP ports, which matters to the security manager because services such as DNS, SNMP and TFTP, as well as many malware backdoors, listen on UDP and are missed by TCP-only scans. UDP scanning is slow and ambiguous: an open port that receives an unexpected datagram usually says nothing, which is indistinguishable from a firewall dropping the probe, and many operating systems rate-limit ICMP port unreachable messages (Linux sends about one per second), so scanning all 65,535 UDP ports can take hours.
PORT IS OPEN
> The source sends a UDP datagram to the destination.
> If there is no response from the destination, the port is open or filtered; the scanner cannot tell the two apart unless the service itself answers.
PORT IS CLOSED
> The source sends a UDP datagram to the destination.
> The destination, on receiving the datagram, responds with an ICMP port unreachable error (type 3, code 3); the port is closed.
Inverse TCP flag scan: This is the family name for the FIN, NULL and Xmas scans above. The source sends TCP probe packets with the FIN, URG and/or PSH flags set, or with no flags at all. Firewalls and IDSs generally watch for and block SYN packets, but these probe packets can often pass through simple filters. The technique is called "inverse" because the logic of a SYN scan is inverted: only closed ports send a response (an RST), and silence is taken to mean the port is open, whereas in a SYN scan it is the open port that answers. This avoids many logging systems, but it is not invisible, and because it relies on RFC 793 behaviour it only works against Unix-based stacks, not against current versions of Windows.
PORT IS OPEN
> The source sends TCP probe packets with the FIN, URG and/or PSH flags set, or with no flags, to the destination.
> If there is no response from the destination, the port is open (or filtered).
PORT IS CLOSED
> The source sends TCP probe packets with the FIN, URG and/or PSH flags set, or with no flags, to the destination.
> The destination, on receiving the probe packets, responds with an RST packet; the port is closed.
ACK scanning: A TCP ACK scan does not determine whether a port is open or closed. It is used to find out whether a firewall sits in front of the port and whether that firewall is stateful, by sending an ACK that belongs to no connection: under RFC 793 an unfiltered port, open or closed, must answer with RST, while a stateful firewall drops an ACK for a connection it has never seen.
PORT IS FILTERED
> The source sends an ACK probe packet with a random sequence number to the destination.
> If there is no response from the destination (or an ICMP unreachable error comes back), the port is filtered: a stateful firewall is present.
PORT IS UNFILTERED
> The source sends an ACK probe packet to the destination.
> The destination, on receiving the ACK probe, responds with an RST packet; the port is unfiltered, so no stateful firewall is in the way. Whether it is actually open or closed must be determined with another scan type.
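Added example, not from the original material: a simulated destination stack and scanner that put the SYN, Xmas, FIN, NULL, inverse-flag, UDP and ACK scans above side by side. The target answers each probe according to the RFC 793 rules described in the text, with a switch for Windows-style stacks that send RST to every odd probe and a set of ports behind a dropping stateful firewall; the scanner maps each reply to the state it would report. The hosts, ports and response names are constructed for this example.

```python
# Probe flags each scan type puts on the wire (RFC 793 flag names); "udp" sends a datagram instead.
PROBE_FLAGS = {"syn": {"SYN"}, "fin": {"FIN"}, "null": set(), "xmas": {"FIN", "PSH", "URG"}, "ack": {"ACK"}}


class Target:
    """Simulated destination host: answers a probe the way a TCP/IP stack behind a stateful firewall would."""

    def __init__(self, open_tcp=(), open_udp=(), filtered=(), rfc793=True):
        self.open_tcp = set(open_tcp)
        self.open_udp = set(open_udp)
        self.filtered = set(filtered)   # ports for which a stateful firewall silently drops all probes
        self.rfc793 = rfc793            # False models Windows-style stacks that RST every odd probe

    def respond(self, proto, port, flags=frozenset()):
        flags = frozenset(flags)
        if port in self.filtered:
            return None                          # firewall drops the probe: no reply of any kind
        if proto == "udp":
            # Closed UDP port: ICMP type 3 code 3. Open port: an unexpected datagram is usually ignored.
            return None if port in self.open_udp else "ICMP_PORT_UNREACH"
        if flags == {"ACK"}:
            return "RST"                         # ACK for a connection that does not exist -> RST, open or closed
        if port in self.open_tcp:
            if flags == {"SYN"}:
                return "SYN+ACK"
            # FIN / NULL / Xmas to an open port: RFC 793 says drop it; non-compliant stacks send RST anyway
            return None if self.rfc793 else "RST"
        return "RST"                             # closed port: RST to any probe


def interpret(scan_type, response):
    """Map a (scan type, response) pair to the port state the scanner reports."""
    if scan_type == "syn":
        return {"SYN+ACK": "open", "RST": "closed"}.get(response, "filtered")
    if scan_type in ("fin", "null", "xmas"):
        return "closed" if response == "RST" else "open|filtered"   # silence is ambiguous
    if scan_type == "udp":
        return "closed" if response == "ICMP_PORT_UNREACH" else "open|filtered"
    if scan_type == "ack":
        return "unfiltered" if response == "RST" else "filtered"      # says nothing about open/closed
    raise ValueError("unknown scan type: %s" % scan_type)


def scan(target, scan_type, ports):
    """Send the scan type's probe to each port and collect the reported states."""
    proto = "udp" if scan_type == "udp" else "tcp"
    flags = PROBE_FLAGS.get(scan_type, set())
    return {port: interpret(scan_type, target.respond(proto, port, flags)) for port in ports}


if __name__ == "__main__":
    # Constructed hosts: TCP 22/80 open, 443 behind a dropping firewall, UDP 53 open.
    unix_like = Target(open_tcp={22, 80}, open_udp={53}, filtered={443})
    windows_like = Target(open_tcp={22, 80}, open_udp={53}, filtered={443}, rfc793=False)
    for name, host in (("RFC 793 stack", unix_like), ("Windows-style stack", windows_like)):
        for scan_type in ("syn", "xmas", "ack", "udp"):
            ports = [53, 54] if scan_type == "udp" else [22, 25, 443]
            print(name, scan_type, scan(host, scan_type, ports))
```

Running it shows the two caveats from the text in one table: against the Windows-style host the Xmas scan reports the open port 22 as closed, and against either host the firewalled port 443 is indistinguishable from an open one under a FIN/NULL/Xmas scan, while the ACK scan is the only one that separates 443 (filtered) from 22 and 25 (unfiltered) without caring which of those two is open.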
IDLE scan: The idle scan is a clever, hard-to-attribute scan in which the attacker never sends a packet to the target from their own address. Instead the attacker bounces the scan off an innocent third-party host, called a zombie, so the target's intrusion detection system reports the zombie as the attacker, while the zombie takes part without its owner's knowledge. Because the target sees the probes as coming from the zombie, the technique can also be used to map IP-based trust relationships between hosts (for example, ports that are open only to the zombie's address). Before learning this technique you need to know two things. 1. Response of a host to the TCP flags: you have already seen how the flags work in the previous scans; in particular, an unsolicited SYN+ACK is answered with an RST, and an unsolicited RST is ignored. 2. IP ID: every IP packet carries a fragment identification number, the IP ID. On many older stacks this value is a single global counter incremented by one for every packet the host sends, so probing a host's IP ID tells an attacker how many packets it has sent since the last probe. The zombie must therefore be truly idle and must use such a sequential global counter; modern operating systems randomise the IP ID or keep a separate counter per destination, which makes them unusable as zombies. Note: for ease of understanding, an IP ID value is written as X in the idle scan diagrams below; when the IP ID increases, the increase is added to X, as in X+1, X+2, etc.
IDLE scan: steps 1 to 3. Step 1:
Send a SYN+ACK packet to the zombie machine to probe its IP ID. Every IP packet on the Internet has a fragment identification number (IP ID), which on the zombie increases by one every time it sends a packet. The zombie, not expecting a SYN+ACK, answers with an RST packet, disclosing its current IP ID (X). Analyse the RST from the zombie to extract the IP ID.
Step 2:
Send a SYN packet to the target machine (for example port 80), spoofing the zombie's IP address as the source. If the port is open, the target sends a SYN+ACK to the zombie, and the zombie, which never sent a SYN, responds with an RST to the target, consuming one more IP ID (X+1). If the port is closed, the target sends an RST to the zombie, and the zombie ignores it and sends nothing, so its IP ID does not change.
Step 3:
Probe "zombie" IPID again
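Added example, not from the original material: the three idle scan steps as a small simulation in Python. The zombie keeps a global IP ID counter that goes up by one per packet it sends, answers an unsolicited SYN+ACK with an RST and ignores an unsolicited RST; the target replies to the spoofed SYN exactly as in step 2; step 3 reads the zombie's IP ID again and compares it with the value X from step 1, following the note's convention (X+2 means open, X+1 means closed or filtered). It also shows the two ways a zombie fails: one that sends other traffic during the scan, and one with a constant IP ID like many modern stacks. All addresses and IP ID values are made up for the example.

```python
class Zombie:
    """Idle third-party host. Every packet it sends consumes one IP ID from a global counter."""

    def __init__(self, ip, ipid=1000, static_ipid=False, background_traffic=0):
        self.ip = ip
        self.ipid = ipid
        self.static_ipid = static_ipid                # models stacks that send a constant (e.g. 0) IP ID
        self.background_traffic = background_traffic  # packets sent to other hosts between our probes

    def _emit(self, flags, dst):
        if not self.static_ipid:
            self.ipid = (self.ipid + 1) & 0xFFFF       # 16-bit field, wraps around
        ipid = 0 if self.static_ipid else self.ipid
        return {"src": self.ip, "dst": dst, "flags": frozenset(flags), "ipid": ipid}

    def receive(self, pkt):
        """RFC 793 behaviour: unsolicited SYN+ACK is answered with RST; unsolicited RST is ignored."""
        if pkt["flags"] == {"SYN", "ACK"}:
            return self._emit({"RST"}, pkt["src"])
        return None

    def tick(self):
        """Traffic the zombie sends for its own reasons; a busy zombie corrupts the measurement."""
        for _ in range(self.background_traffic):
            self._emit({"ACK"}, "203.0.113.9")


class Target:
    """Destination host: SYN to an open port -> SYN+ACK, SYN to a closed port -> RST, filtered -> nothing."""

    def __init__(self, ip, open_ports=(), filtered_ports=()):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, pkt):
        if pkt["port"] in self.filtered_ports or pkt["flags"] != {"SYN"}:
            return None
        flags = {"SYN", "ACK"} if pkt["port"] in self.open_ports else {"RST"}
        return {"src": self.ip, "dst": pkt["src"], "flags": frozenset(flags)}   # reply goes to the spoofed source


def probe_ipid(attacker_ip, zombie):
    """Steps 1 and 3: send SYN+ACK to the zombie and read the IP ID of the RST it sends back."""
    rst = zombie.receive({"src": attacker_ip, "dst": zombie.ip, "flags": frozenset({"SYN", "ACK"})})
    return rst["ipid"]


def idle_scan(attacker_ip, zombie, target, port):
    # Qualify the zombie first: two probes in a row must show an increment of exactly 1.
    first = probe_ipid(attacker_ip, zombie)
    zombie.tick()
    x = probe_ipid(attacker_ip, zombie)                       # this is X in the text
    if (x - first) & 0xFFFF != 1:
        return "unusable zombie"
    # Step 2: SYN to the target with the zombie's address as source; the attacker never sees the reply.
    zombie.tick()
    reply = target.receive({"src": zombie.ip, "dst": target.ip, "port": port, "flags": frozenset({"SYN"})})
    if reply is not None:
        zombie.receive(reply)      # SYN+ACK -> zombie sends RST (IP ID becomes X+1); RST -> ignored
    # Step 3: probe the zombie again and compare with X.
    delta = (probe_ipid(attacker_ip, zombie) - x) & 0xFFFF
    if delta == 2:
        return "open"              # X+2: zombie answered the target's SYN+ACK, then answered our probe
    if delta == 1:
        return "closed|filtered"   # X+1: only our probe; a closed and a filtered port look the same
    return "unusable zombie"       # the zombie sent other traffic in between


if __name__ == "__main__":
    zombie = Zombie("192.0.2.10")
    target = Target("198.51.100.5", open_ports={80}, filtered_ports={443})
    for port in (80, 25, 443):
        print(port, idle_scan("203.0.113.7", zombie, target, port))
    print("busy zombie:", idle_scan("203.0.113.7", Zombie("192.0.2.11", background_traffic=3), target, 80))
    print("static IP ID:", idle_scan("203.0.113.7", Zombie("192.0.2.12", static_ipid=True), target, 80))
```

Two things the simulation makes concrete: the attacker's own address appears only in the SYN+ACK probes to the zombie, never in anything the target receives, and a closed port and a firewalled port are indistinguishable from the zombie's IP ID alone, which is why a real scanner retries and discards zombies whose counter moves by anything other than 1 or 2.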