TCP scanning
The simplest port scanners use the operating system's network functions and are generally the next option when a SYN scan (described next) is not feasible. Nmap calls this mode connect scan, named after the Unix connect() system call. If a port is open, the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection to avoid performing a kind of denial-of-service attack; otherwise an error code is returned. This scan mode has the advantage that the user does not require special privileges. However, using the OS network functions prevents low-level control, so this scan type is less common. This method is "noisy", particularly if it is a "portsweep": the services can log the sender IP address and intrusion detection systems can raise an alarm.
SYN scanning
SYN scan is another form of TCP scanning. Rather than using the operating system's network functions, the port scanner generates raw IP packets itself and monitors for responses. This scan type is also known as "half-open scanning", because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host then responds with a RST packet, closing the connection before the handshake is completed.
The use of raw networking has several advantages: it gives the scanner full control of the packets sent and of the timeout for responses, and it allows detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection. However, the RST during the handshake can cause problems for some network stacks, in particular simple devices like printers. There are no conclusive arguments either way.
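Both the connect scan and the SYN scan above leave a trail of per-port connection attempts in firewall or connection logs, which is what the "noisy" remark in the TCP scanning section refers to. The following is an added example, not code from the original page or from any scanner project, showing how a defender can turn that trail into alerts. It assumes a constructed log format (`<iso-timestamp> <src> <dst> <dport> <action>`), a 60-second sliding window, and arbitrary thresholds of ten distinct ports (a "portscan" of one host) or ten distinct hosts (a "portsweep" of one port); all sample traffic is constructed inside the block.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60        # sliding window for both rules (assumed tuning value)
PORTSCAN_MIN_PORTS = 10    # distinct ports on one host from one source
PORTSWEEP_MIN_HOSTS = 10   # distinct hosts on one port from one source


def parse_line(line):
    """Parse one constructed log line: '<iso-ts> <src> <dst> <dport> <action>'."""
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def _sliding_window_alerts(events, key_fn, value_fn, threshold, label):
    """Per key, count distinct values seen inside the trailing WINDOW_SECONDS and
    raise one alert per key the first time the count reaches the threshold."""
    windows = defaultdict(deque)    # key -> deque of (ts, value) still inside the window
    counts = defaultdict(Counter)   # key -> value -> occurrences inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, value = key_fn(ev), value_fn(ev)
        win, cnt = windows[key], counts[key]
        win.append((ev["ts"], value))
        cnt[value] += 1
        # Expire entries older than the window; drop zero counts so len(cnt) is the
        # number of distinct values currently inside the window.
        while (ev["ts"] - win[0][0]).total_seconds() > WINDOW_SECONDS:
            _, old = win.popleft()
            cnt[old] -= 1
            if cnt[old] == 0:
                del cnt[old]
        if len(cnt) >= threshold and key not in alerts:
            alerts[key] = {"type": label, "distinct": len(cnt),
                           "first_seen": win[0][0], "last_seen": ev["ts"]}
    return alerts


def detect_portscans(events):
    """One source probing many ports on one host (vertical scan)."""
    return _sliding_window_alerts(events, key_fn=lambda e: (e["src"], e["dst"]),
                                  value_fn=lambda e: e["dport"],
                                  threshold=PORTSCAN_MIN_PORTS, label="portscan")


def detect_portsweeps(events):
    """One source probing the same port on many hosts (horizontal sweep)."""
    return _sliding_window_alerts(events, key_fn=lambda e: (e["src"], e["dport"]),
                                  value_fn=lambda e: e["dst"],
                                  threshold=PORTSWEEP_MIN_HOSTS, label="portsweep")


def build_sample_log():
    """Constructed sample log (no real traffic): a fast scanner, a sweeper,
    an ordinary client, and a slow scanner that never fills the window."""
    base = datetime(2024, 1, 1, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    for i, port in enumerate(range(20, 35)):            # 15 ports on one host in 15 s
        lines.append(f"{stamp(i)} 10.0.0.5 192.168.1.10 {port} DROP")
    for i in range(1, 13):                               # port 445 on 12 hosts in 12 s
        lines.append(f"{stamp(i)} 10.0.0.9 192.168.1.{i} 445 DROP")
    for i, port in enumerate((80, 443, 80)):             # ordinary client, two ports
        lines.append(f"{stamp(i)} 10.0.0.7 192.168.1.10 {port} ACCEPT")
    for i, port in enumerate(range(20, 35)):            # 15 ports, one every 2 minutes
        lines.append(f"{stamp(i * 120)} 10.0.0.11 192.168.1.10 {port} DROP")
    return lines


if __name__ == "__main__":
    evs = [parse_line(line) for line in build_sample_log()]
    for key, alert in {**detect_portscans(evs), **detect_portsweeps(evs)}.items():
        print(key, alert)
```

The slow scanner in the sample is deliberately included to show the limitation of a fixed window: spacing probes wider than the window keeps the distinct-port count at one, so a deployment usually pairs a short window with a second, longer one or with per-source totals.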
UDP scanning
UDP scanning is also possible, although there are technical challenges. UDP is a connectionless protocol, so there is no equivalent to a TCP SYN packet. However, if a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open. However, if a port is blocked by a firewall, this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This method is also affected by
An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response if a DNS server is present. This method is much more reliable at identifying open ports. However, it is limited to scanning ports for which an application-specific probe packet is available. Some tools (e.g., nmap) generally have probes for less than 20 UDP services, while some commercial tools (e.g., nessus) have as many as 70. In some cases, a service may be listening on the port but configured not to respond to the particular probe packet.
To cope with the different limitations of each approach, some scanners offer a hybrid method. For example, using nmap with the -sUV option will start by using the ICMP port unreachable method, marking all ports as either "closed" or "open|filtered". The open|filtered ports are then probed for application responses and marked as "open" if one is received.
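The three UDP paragraphs above describe an inference problem rather than a packet format: silence can mean open, filtered, or a service that ignores the probe. The following is an added example, not code from the original page or from nmap, that runs that inference offline against a simulated host so the failure modes can be seen side by side. The probe table, the `SimulatedTarget` class and the port behaviours are all constructed for the example; the probe names are placeholders, not any real scanner's payloads.

```python
# Constructed probe table for the simulation: port -> probe name (placeholders only).
APP_PROBES = {53: "dns-query", 123: "ntp-request", 161: "snmp-get"}


class SimulatedTarget:
    """Constructed target so the inference logic can run without a network.
    services: port -> 'answers' (replies to its probe) or 'silent' (listening but
    configured not to answer the probe). filtered: ports a firewall drops.
    icmp_blocked: the host's ICMP port unreachable messages never reach the scanner."""

    def __init__(self, services, filtered=(), icmp_blocked=False):
        self.services = dict(services)
        self.filtered = set(filtered)
        self.icmp_blocked = icmp_blocked

    def send_empty_udp(self, port):
        """Phase 1 probe: an empty datagram. Only a closed, unfiltered port on a host
        whose ICMP gets through produces 'icmp_unreachable'; everything else is silence."""
        if port in self.filtered or port in self.services or self.icmp_blocked:
            return None
        return "icmp_unreachable"

    def send_app_probe(self, port, probe):
        """Phase 2 probe: application-specific payload. A reply comes back only from a
        reachable service that is configured to answer this particular probe."""
        if port in self.filtered or self.services.get(port) != "answers":
            return None
        return f"{probe}-reply"


def naive_udp_scan(target, ports):
    """The ICMP-only method: silence is taken as 'open'."""
    return {p: "closed" if target.send_empty_udp(p) == "icmp_unreachable" else "open"
            for p in ports}


def hybrid_udp_scan(target, ports):
    """Two-phase method: silence is only 'open|filtered'; a port is promoted to
    'open' when a known application probe gets an answer."""
    states = {p: "closed" if target.send_empty_udp(p) == "icmp_unreachable" else "open|filtered"
              for p in ports}
    for port, state in list(states.items()):
        if state == "open|filtered" and port in APP_PROBES:
            if target.send_app_probe(port, APP_PROBES[port]) is not None:
                states[port] = "open"
    return states


PORTS = [53, 69, 80, 123, 161]


def demo_normal():
    """DNS answers on 53, SNMP listens on 161 but ignores the probe,
    69 is firewalled, 80 and 123 are closed. Returns (naive, hybrid) results."""
    target = SimulatedTarget({53: "answers", 161: "silent"}, filtered=[69])
    return naive_udp_scan(target, PORTS), hybrid_udp_scan(target, PORTS)


def demo_icmp_blocked():
    """Same host, but its ICMP unreachable messages are dropped on the way back."""
    target = SimulatedTarget({53: "answers", 161: "silent"}, filtered=[69],
                             icmp_blocked=True)
    return naive_udp_scan(target, PORTS), hybrid_udp_scan(target, PORTS)


if __name__ == "__main__":
    for name, (naive, hybrid) in (("normal", demo_normal()),
                                  ("icmp blocked", demo_icmp_blocked())):
        print(name, "naive:", naive)
        print(name, "hybrid:", hybrid)
```

Two things the simulation makes visible: the naive method reports the firewalled port 69 (and, when ICMP is blocked, every port) as open, while the hybrid method keeps them at open|filtered; and the silent SNMP listener on 161 stays open|filtered under both the normal and the ICMP-blocked case, because no probe it is willing to answer exists in the table.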
Window scanning
Rarely used because of its outdated nature, window scanning is fairly untrustworthy in determining whether a port is open or closed. It generates the same packet as an ACK scan, but checks whether the window field of the reply has been modified. When the packet reaches its destination, a design flaw attempts to create a window size for the packet if the port is open, flagging the window field of the packet with 1's before it returns to the sender. Using this scanning technique against systems that no longer have this implementation returns 0's for the window field, labeling open ports as closed.