The two basic scan types used most in Nmap are TCP connect() scanning [-sT] and SYN scanning (also known as half-open, or stealth scanning) [-sS]. These two types are explained in detail below.
3.1 TCP connect() Scan [-sT]
These scans are so called because UNIX sockets programming uses a system call named connect() to begin a TCP connection to a remote site. If connect() succeeds, a connection was made. If it fails, the connection could not be made (the remote system is offline, the port is closed, or some other error occurred along the way). This allows a basic type of port scan, which attempts to connect to every port in turn, and notes whether or not the connection succeeded. Once the scan is completed, ports to which a connection could be established are listed as open, the rest are said to be closed.

This method of scanning is very effective, and provides a clear picture of the ports you can and cannot access. If a connect() scan lists a port as open, you can definitely connect to it - that is what the scanning computer just did! There is, however, a major drawback to this kind of scan: it is very easy to detect on the system being scanned. If a firewall or intrusion detection system is running on the victim, attempts to connect() to every port on the system will almost always trigger a warning. Indeed, with modern firewalls, an attempt to connect to a single port which has been blocked or has not been specifically "opened" will usually result in the connection attempt being logged. Additionally, most servers will log connections and their source IP, so it would be easy to detect the source of a TCP connect() scan.

For this reason, the TCP Stealth Scan was developed.
3.2 SYN Stealth Scan [-sS]
I'll begin this section with an overview of the TCP connection process. Those familiar with TCP/IP can skip the first few paragraphs.

When a TCP connection is made between two systems, a process known as a "three way handshake" occurs. This involves the exchange of three packets, and synchronises the systems with each other (necessary for the error correction built into TCP; refer to a good TCP/IP book for more details).

The system initiating the connection sends a packet to the system it wants to connect to. TCP packets have a header section with a flags field. Flags tell the receiving end something about the type of packet, and thus what the correct response is.

Here, I will talk about only four of the possible flags. These are SYN (Synchronise), ACK (Acknowledge), FIN (Finished) and RST (Reset). SYN packets include a TCP sequence number, which lets the remote system know what sequence numbers to expect in subsequent communication. ACK acknowledges receipt of a packet or set of packets, FIN is sent when a communication is finished, requesting that the connection be closed, and RST is sent when the connection is to be reset (closed immediately).

To initiate a TCP connection, the initiating system sends a SYN packet to the destination, which will respond with a SYN of its own, and an ACK, acknowledging the receipt of the first packet (these are combined into a single SYN/ACK packet). The first system then sends an ACK packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.

SYN or Stealth scanning makes use of this procedure by sending a SYN packet and looking at the response. If SYN/ACK is sent back, the port is open and the remote end is trying to open a TCP connection. The scanner then sends an RST to tear down the connection before it can be established fully, often preventing the connection attempt appearing in application logs. If the port is closed, an RST will be sent. If it is filtered, the SYN packet will have been dropped and no response will be sent.

In this way, Nmap can detect three port states - open, closed and filtered. Filtered ports may require further probing since they could be subject to firewall rules which render them open to some IPs or conditions, and closed to others.

Modern firewalls and Intrusion Detection Systems can detect SYN scans, but in combination with other features of Nmap, it is possible to create a virtually undetectable SYN scan by altering timing and other options (explained later).
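As an added illustration (not code from this tutorial and not Nmap's own code), the following Python model plays both sides of the two exchanges described above: a model host that answers a SYN with SYN/ACK on an open port, RST on a closed port, and silence on a filtered port; a connect()-style probe that completes the handshake; and a half-open probe that tears down with RST instead. It also contains a small IDS-style check over the packets seen on the wire, so you can see why the half-open scan stays out of the service's application log but is still visible to anything watching the network. All addresses, port numbers and log text are constructed for the example.

```python
"""Model of connect() vs. SYN (half-open) probing and of network-level detection.

Constructed example: it simulates only the flags and port states the tutorial
discusses (SYN, ACK, RST; open/closed/filtered). Nothing touches a real socket.
"""
from dataclasses import dataclass, field

SCANNER = "10.0.0.5"  # constructed address of the probing machine


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int
    flags: frozenset

    def has(self, *names):
        return set(names) <= self.flags


@dataclass
class Host:
    addr: str
    open_ports: set
    filtered_ports: set = field(default_factory=set)
    app_log: list = field(default_factory=list)   # what the listening service records
    wire: list = field(default_factory=list)      # every packet on the link (IDS view)
    half_open: dict = field(default_factory=dict)  # (peer, port) awaiting the final ACK

    def deliver(self, pkt):
        """Return the host's reply to pkt, or None when nothing is sent back."""
        self.wire.append(pkt)
        if pkt.port in self.filtered_ports:
            return None  # firewall drops the packet silently
        key, reply = (pkt.src, pkt.port), None
        if pkt.has("SYN"):
            if pkt.port in self.open_ports:
                reply = Packet(self.addr, pkt.src, pkt.port, frozenset({"SYN", "ACK"}))
                self.half_open[key] = True
            else:
                reply = Packet(self.addr, pkt.src, pkt.port, frozenset({"RST"}))
        elif pkt.has("ACK") and self.half_open.pop(key, False):
            # Third packet of the handshake: the service sees a real connection and logs it
            self.app_log.append(f"accepted connection from {pkt.src} on port {pkt.port}")
        elif pkt.has("RST"):
            self.half_open.pop(key, None)  # handshake abandoned before completion
        if reply is not None:
            self.wire.append(reply)
        return reply


def connect_scan(host, port):
    """Full three-way handshake, as the connect() system call performs it."""
    reply = host.deliver(Packet(SCANNER, host.addr, port, frozenset({"SYN"})))
    if reply is None:
        return "filtered"  # connect() would time out here
    if reply.has("RST"):
        return "closed"
    host.deliver(Packet(SCANNER, host.addr, port, frozenset({"ACK"})))  # complete it
    host.deliver(Packet(SCANNER, host.addr, port, frozenset({"RST"})))  # then hang up
    return "open"


def syn_scan(host, port):
    """Half-open probe: classify on the reply, then RST before the handshake completes."""
    reply = host.deliver(Packet(SCANNER, host.addr, port, frozenset({"SYN"})))
    if reply is None:
        return "filtered"
    if reply.has("RST"):
        return "closed"
    host.deliver(Packet(SCANNER, host.addr, port, frozenset({"RST"})))
    return "open"


def half_open_sources(wire, threshold=3):
    """IDS-style check: SYN answered by SYN/ACK and then torn down by RST, never ACKed.

    Returns the set of source addresses that produced at least `threshold` such
    half-open sequences; a completed handshake (ACK sent) is not counted.
    """
    pending, counts = {}, {}
    for pkt in wire:
        if pkt.has("SYN") and not pkt.has("ACK"):
            pending[(pkt.src, pkt.port)] = "syn"
        elif pkt.has("SYN", "ACK"):
            key = (pkt.dst, pkt.port)
            if pending.get(key) == "syn":
                pending[key] = "synack"
        elif pkt.has("ACK"):
            pending.pop((pkt.src, pkt.port), None)
        elif pkt.has("RST") and pending.get((pkt.src, pkt.port)) == "synack":
            pending.pop((pkt.src, pkt.port))
            counts[pkt.src] = counts.get(pkt.src, 0) + 1
    return {src for src, n in counts.items() if n >= threshold}


def run_demo(ports=(22, 80, 443, 445)):
    """Probe the same constructed host both ways and report states, logs and IDS verdicts."""
    syn_host = Host("192.0.2.10", open_ports={22, 80}, filtered_ports={445})
    con_host = Host("192.0.2.10", open_ports={22, 80}, filtered_ports={445})
    return {
        "syn_states": {p: syn_scan(syn_host, p) for p in ports},
        "syn_app_log": list(syn_host.app_log),
        "syn_flagged": half_open_sources(syn_host.wire, threshold=2),
        "con_states": {p: connect_scan(con_host, p) for p in ports},
        "con_app_log": list(con_host.app_log),
        "con_flagged": half_open_sources(con_host.wire, threshold=2),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Both probes classify the four constructed ports identically, but only the connect() run leaves entries in the service's own log, while only the half-open run trips the wire-level check. That is the whole point of the tutorial's "easy to detect on the system being scanned" versus "detectable by firewalls and IDS" distinction: the evidence of each method lives in a different place, so a defender who relies on application logs alone will miss the half-open variety.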