Port scanning guide #2: TCP techniques
In most cases you will probably use a SYN scan, but there are circumstances where other types of scan are needed. Unfortunately, modern firewalls detect the different port scanning techniques. This is where the well known tool nmap comes in: it supports several of these techniques, which can help with bypassing firewalls. When a full scan is chosen, 65 536 ports are checked.
SYN scan
As mentioned, this is the most common TCP port scan (and nmap's default). It needs root privileges to run, because raw sockets are used to send a packet with the SYN flag set. If SYN/ACK is received, the port is open; if RST/ACK is received, the port is closed. In case of no response, the number of times the scanner resends the probe can be configured (in nmap). If there is still no response, the port is marked as filtered. Because a SYN scan never establishes a TCP connection, it is relatively stealthy.
ACK scan
This type of scan is used to check whether a firewall tracks the state of existing TCP connections. A TCP ACK scan sends a packet with only the ACK flag set. When the server receives it, it will most likely assume that the other party is trying to continue a three-way handshake, so it sends back a packet with the RST flag set. If the firewall does not track open connections, it lets the RST response through, so the port can be assumed to be unfiltered. If it does track TCP connections, the probe matches none of its internal TCP sessions, so it either drops the packet or answers with an ICMP type 3 message (the code varies depending on the OS). Lastly, when the firewall is configured properly, no response is received at all, because all of the ACK probes are dropped.
Connect scan
A TCP connect scan establishes a full TCP connection using the connect() function and then tears it down. It is the default when the user has no root privileges or when an IPv6 network is being scanned. The disadvantage of this type of scan is that the probes may be logged on the server and are therefore easily detected. Since it needs more packets to complete, it is also a more time-consuming process. Furthermore, it can lead to overload and sometimes produce
NULL | FIN | Xmas
A NULL scan has no flags set. A FIN scan has the FIN flag set. An Xmas scan has the FIN, PSH and URG flags set, so the packet is lit up like a Christmas tree. All three are almost the same; the only difference is the flags that are set. If a RST packet is received in response, the port is considered closed. No response means open|filtered. If an ICMP message comes back, the port is filtered. The main advantage of these three scans is low detectability, only a little higher than that of a SYN scan. The biggest disadvantage is that not every system complies with RFC 793, so the responses may be independent of the actual port state.
FIN/ACK scan
Very similar to the above three, this scan uses a FIN/ACK packet. In all cases a RST should be received in reply, but OSes based on BSD respond only when the port is closed.
Window scan
This is a slightly modified version of the ACK scan. It uses the TCP Window field to determine whether a port is open. The field is part of TCP's flow control and helps manage the volume of data in transit. On some OSes a positive TCP Window size in the reply indicates that the port is open (even though the reply is a RST packet); conversely, a TCP Window size of 0 means the port is closed. This type of scan is not very common and is quite unreliable; it requires a deep understanding of what is going on to draw any conclusions from it.
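Seen from the firewall side, the flag combinations described in the sections above are what a state-tracking firewall or IDS can key on. The following Python is an added example, not code from the original post or from nmap: it classifies constructed log lines by probe type and applies the session-tracking rule from the ACK scan section, so that a bare ACK belonging to a seen handshake is not counted as a probe. The log line format, the addresses and the port threshold are assumptions.

```python
from collections import defaultdict

# TCP flag bits in header order (RFC 793; PSH and URG included).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations the probe types described above put on the wire.
PROBE_FLAGS = {
    SYN: "SYN",               # SYN scan, and the first packet of a connect scan
    ACK: "ACK",               # ACK scan and window scan
    0: "NULL",
    FIN: "FIN",
    FIN | PSH | URG: "Xmas",
    FIN | ACK: "FIN/ACK",
}

# Constructed inbound log lines, "<src> <dst>:<port> flags=0x<hex>", not real traffic.
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10:22 flags=0x02
10.0.0.5 192.168.1.10:80 flags=0x02
10.0.0.5 192.168.1.10:443 flags=0x02
10.0.0.9 192.168.1.10:22 flags=0x02
10.0.0.9 192.168.1.10:22 flags=0x10
10.0.0.7 192.168.1.10:21 flags=0x10
10.0.0.7 192.168.1.10:25 flags=0x10
10.0.0.7 192.168.1.10:110 flags=0x10
10.0.0.8 192.168.1.10:22 flags=0x29
10.0.0.8 192.168.1.10:80 flags=0x29
10.0.0.8 192.168.1.10:445 flags=0x29
""".splitlines()

def parse_line(line):
    """Split one log line into (source address, destination port, flag bits)."""
    src, dst, flags = line.split()
    return src, int(dst.rsplit(":", 1)[1]), int(flags.split("=", 1)[1], 16)

def detect_scans(lines, port_threshold=3):
    """Report sources that sent one probe type to `port_threshold` or more ports.
    Like the state-tracking firewall described above, a SYN records a session and
    a later bare ACK to the same (source, port) counts as traffic, not a probe."""
    sessions, seen = set(), defaultdict(set)
    for line in lines:
        src, port, flags = parse_line(line)
        probe = PROBE_FLAGS.get(flags)
        if probe == "SYN":
            sessions.add((src, port))
        elif probe == "ACK" and (src, port) in sessions:
            continue                      # belongs to a tracked handshake
        if probe is not None:
            seen[(src, probe)].add(port)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= port_threshold}
```

Running `detect_scans(SAMPLE_LOG)` reports three sources (a SYN sweep, an ACK sweep and an Xmas sweep) and ignores 10.0.0.9, whose ACK follows its own SYN to the same port.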