With the multitude of modern firewalls and IDS’ now looking out for SYN scans,these three scan types may be useful to varying degrees. Each scan type refersto the flags set in the TCP header. The idea behind these type of scans is thata closed port should respond with an RST upon receiving packets, whereas anopen port should just drop them (it’s listening for packets with SYN set). Thisway, you never make even part of a connection, and never send a SYN packet;which is what most IDS’ look out for.
The FIN scan sends a packet with only the FIN flag set, the Xmas Tree scansets the FIN, URG and PUSH flags (see a good TCP/IP book for more details)and the Null scan sends a packet with no flags switched on.These scan types will work against any system where the TCP/IP implementationfollows RFC 793. Microsoft Windows does not follow the RFC, and willignore these packets even on closed ports. This technicality allows you to detectan MS Windows system by running SYN along with one of these scans. If theSYN scan shows open ports, and the FIN/NUL/XMAS does not, chances areyou’re looking at a Windows box (though OS Fingerprinting is a much morereliable way of determining the OS running on a target!)The sample below shows a SYN scan and a FIN scan, performed against aLinux system. The results are, predictably, the same, but the FIN scan is lesslikely to show up in a logging system.
1 [chaos]# nmap -sS 127.0.0.1
2
3 Starting Nmap 4.01 at 2006-07-06 17:23 BST
4 Interesting ports on chaos (127.0.0.1):
5 (The 1668 ports scanned but not shown below are in state:
6 closed)
7 PORT STATE SERVICE
8 21/tcp open ftp6
9 22/tcp open ssh
10 631/tcp open ipp
11 6000/tcp open X11
12
13 Nmap finished: 1 IP address (1 host up) scanned in 0.207
14 seconds
15 [chaos]# nmap -sF 127.0.0.1
16
17 Starting Nmap 4.01 at 2006-07-06 17:23 BST
18 Interesting ports on chaos (127.0.0.1):
19 (The 1668 ports scanned but not shown below are in state:
20 closed)
21 PORT STATE SERVICE
22 21/tcp open|filtered ftp
23 22/tcp open|filtered ssh
24 631/tcp open|filtered ipp
25 6000/tcp open|filtered X11
26
27 Nmap finished: 1 IP address (1 host up) scanned in 1.28428 seconds
1 [chaos]# nmap -sS 127.0.0.1
2
3 Starting Nmap 4.01 at 2006-07-06 17:23 BST
4 Interesting ports on chaos (127.0.0.1):
5 (The 1668 ports scanned but not shown below are in state:
6 closed)
7 PORT STATE SERVICE
8 21/tcp open ftp6
9 22/tcp open ssh
10 631/tcp open ipp
11 6000/tcp open X11
12
13 Nmap finished: 1 IP address (1 host up) scanned in 0.207
14 seconds
15 [chaos]# nmap -sF 127.0.0.1
16
17 Starting Nmap 4.01 at 2006-07-06 17:23 BST
18 Interesting ports on chaos (127.0.0.1):
19 (The 1668 ports scanned but not shown below are in state:
20 closed)
21 PORT STATE SERVICE
22 21/tcp open|filtered ftp
23 22/tcp open|filtered ssh
24 631/tcp open|filtered ipp
25 6000/tcp open|filtered X11
26
27 Nmap finished: 1 IP address (1 host up) scanned in 1.28428 seconds
Comments :
Post a Comment