4. Scan (EN)


4. Port Scanning
Role of port scanning
• Identification of active systems, open communication ports and services running on computer networks
• Port scanning techniques:
– ARP Ping
– ICMP Ping
– TCP connect() Scan
– TCP SYN Scan
– TCP FIN, Xmas Tree, Null Scan
– UDP Scan

ARP Ping
• May be used to discover active systems in the local network only
• Does not work if Proxy ARP is enabled on routers
• Tools:
– arping
– nmap -PR

ICMP Ping
• Uses ICMP queries:
– ICMP ECHO_REQUEST (Type 8)
– ICMP ECHO_REPLY (Type 0)
• Usually, ping is blocked at the firewall
• Tools:
– ping / fping
– nmap -sP -PE
– hping3 --icmp

TCP Connect() Scan
• Uses the connect() system call to establish a TCP connection with the remote host
• Full three-way handshake for open ports
• Usually, this event is logged by the remote host
• Tools:
– telnet
– netcat
– nmap -sT

TCP SYN Scan
• Half-open connections:
– a SYN packet is sent to ask for a new connection
– after receiving SYN/ACK, the connection is dropped by sending a RST packet
• Hard to detect
– usually, IDS and firewall systems do not log SYN packets
• Tools:
– nmap -sS
– hping3 --syn
TCP FIN, Xmas Tree, Null Scan
• Stealth scans
• The working principle is the same for all these scans:
– manipulation of control flags in the TCP packet header
• According to RFC 793, when a system receives a packet on a closed port, it must answer with a RST
– if no RST is sent back, it means that the port is open or the communication is filtered by the firewall
• It does not work for Windows systems
– a RST is returned even if the port is open
• In order to run these scans, the user must have administrative privileges
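Added example (not part of the slides): a small Python detector that does for a packet sensor what the slides say IDS and firewall systems usually do not, i.e. it names the stealth probe types described above from their TCP flag combinations (FIN-only, Null, Xmas Tree) and flags a source that sends bare SYNs to many ports in a short window. The packet records, the field layout, the port threshold and the time window are constructed assumptions.

```python
from collections import defaultdict
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # RFC 793 flag bits
# Constructed sample traffic: (time_s, src_ip, src_port, dst_ip, dst_port, flags)
SAMPLE_PACKETS = [
    # 10.0.0.5 probes six ports with bare SYNs in half a second (SYN scan)
    (0.00, "10.0.0.5", 40001, "10.0.0.9", 21, SYN),
    (0.10, "10.0.0.5", 40002, "10.0.0.9", 22, SYN),
    (0.20, "10.0.0.5", 40003, "10.0.0.9", 23, SYN),
    (0.30, "10.0.0.5", 40004, "10.0.0.9", 25, SYN),
    (0.40, "10.0.0.5", 40005, "10.0.0.9", 80, SYN),
    (0.50, "10.0.0.5", 40006, "10.0.0.9", 443, SYN),
    # 10.0.0.7 sends a FIN-only probe and a flagless (Null) probe
    (1.00, "10.0.0.7", 50001, "10.0.0.9", 80, FIN),
    (1.10, "10.0.0.7", 50002, "10.0.0.9", 81, 0),
    # 10.0.0.8 sends an Xmas Tree probe (FIN, URG and PUSH set)
    (2.00, "10.0.0.8", 51000, "10.0.0.9", 22, FIN | URG | PSH),
    # 10.0.0.20 is a normal client: one SYN, then a FIN/ACK teardown
    (3.00, "10.0.0.20", 52000, "10.0.0.9", 80, SYN),
    (3.50, "10.0.0.20", 52000, "10.0.0.9", 80, FIN | ACK),
]
def classify_flags(flags):
    """Return the stealth probe type a flag combination matches, else None."""
    if flags == 0:
        return "null"          # Null scan: no flags at all
    if flags == FIN:
        return "fin"           # FIN scan; FIN|ACK is normal teardown, not a probe
    if flags == FIN | URG | PSH:
        return "xmas"          # Xmas Tree scan
    return None

def detect_scans(packets, port_threshold=5, window_s=2.0):
    """Map each source IP to the set of scan indicators observed from it."""
    findings = defaultdict(set)
    syn_events = defaultdict(list)  # src -> [(time, dst_port)] for bare SYNs
    for t, src, _sport, _dst, dport, flags in packets:
        kind = classify_flags(flags)
        if kind:
            findings[src].add(kind)
        if flags == SYN:                # SYN without ACK: a half-open attempt
            syn_events[src].append((t, dport))
    # SYN sweep: one source hits many distinct destination ports inside the window
    for src, events in syn_events.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window_s}
            if len(ports) >= port_threshold:
                findings[src].add("syn-sweep")
                break
    return dict(findings)
```

Running `detect_scans(SAMPLE_PACKETS)` reports the SYN sweep from 10.0.0.5, the FIN and Null probes from 10.0.0.7 and the Xmas Tree probe from 10.0.0.8, while the ordinary client 10.0.0.20 produces no finding.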

TCP FIN Scan
[Figure: packet exchange for a closed port vs. an opened port]
• Sends a FIN packet to the targeted port, then waits for a response
• Tools:
– nmap -sF
– hping3 --fin

TCP Xmas Tree Scan
[Figure: packet exchange for a closed port vs. an opened port]
• Sends a TCP packet with the FIN, URG, and PUSH flags set, then waits for a response
• Tools:
– nmap -sX
– hping3 --fin --urg --push

TCP Null Scan
[Figure: packet exchange for a closed port vs. an opened port]
• Sends a TCP packet with no flags set, then waits for a response
• Tools:
– nmap -sN
– hping3

UDP Scan
• Similar to TCP scan but using UDP packets
• Send a UDP packet and wait for a response; if an ICMP Port Unreachable is received, the port is closed, otherwise the port is open
• Scanning process takes time
– response delay of 1-4 sec
• Tools:
– nmap -sU
– hping3 --udp

OS Fingerprinting
• RFCs do not contain complete specifications
• There are differences in TCP/IP stack implementation:
– TTL (time-to-live)
– Initial sequence numbers
– Window size
– DF (Don't fragment bit)
• Passive fingerprinting
– sniffing to examine packets for certain characteristics
– low precision
• Active fingerprinting
– send packets to the target in order to analyze its behavior
– high precision

Passive OS fingerprinting
• p0f (http://lcamtuf.coredump.cx/p0f.shtml)
• p0f can identify the operating system of:
– machines that connect to you (SYN mode)
– machines you connect to (SYN+ACK mode)
– machines you cannot connect to (RST mode)
– machines whose communications you can observe
• p0f output:
<Wed Feb 27 18:26:58 2008> 213.215.x.x:45291 - Linux 2.6 (newer, 2) (up: 1421 hrs) -> 208.83.x.x:2703 (distance 0, link: ethernet/modem)
<Wed Feb 27 18:27:02 2008> 212.24.x.x:62994 - FreeBSD 5.3-5.4 (up: 4556 hrs) -> 213.215.x.x:80 (distance 9, link: ethernet/modem)
<Wed Feb 27 18:27:16 2008> 90.2.x.x:1322 - Windows 2000 SP4, XP SP1+ -> 213.215.x.x:80 (distance 9, link: pppoe (DSL))

Active OS fingerprinting
• nmap -O <target>
• 7 TCP probes, 1 ICMP, 1 UDP. TCP probes are sent exactly 110 milliseconds apart

Other scanning tools
• nmap (http://www.insecure.org/nmap/)
• hping3 (http://www.hping.org)
• IPEye (http://ntsecurity.nu/toolbox/)
• NetScan Tools Pro (http://www.netscantools.com/)
• SuperScan (http://www.foundstone.com)
• Cheops-ng (http://cheops-ng.sourceforge.net/)

