Sunday, October 2, 2011

About Port Scanning

Introduction to port scanning :

Port scanning is an attack in which the attacker tries to gain information about the open ports and services running on the target machine. The main aim of an attacker who port scans is to find the list of available services running on the target machine and use this information to attack the target. There are various types of port scanning operations that can be performed on the target machine. Port scanners simply work by sending data packets to all ports and analysing the return packets to decide whether a port is open or not.

The result of a scan on a port is usually generalized into one of three categories:

  • Open or Accepted: The host sent a reply indicating that a service is listening on the port.
  • Closed or Denied or Not Listening: The host sent a reply indicating that connections will be denied to the port.
  • Filtered, Dropped or Blocked: There was no reply from the host.
Based on these three categories, the scanner decides whether a given port number on the target machine is available.
Types of Port Scanning :

TCP Scanning :  TCP scanning is the most common type of scanning and uses the operating system's network functions. The attacker sends a SYN packet to the victim; if the port is open, a SYN-ACK packet is sent back to the attacker by the victim, notifying it that the port is open, and the attacker completes the connection. This process is termed the 3-way handshake.

The advantage of this scan is that you do not need any special privilege on the attacker's machine to perform it. The connection is closed as soon as the port is discovered to be open, so as to avoid a denial-of-service type of attack. This port scanning method has benefits but is considered "noisy" and can easily raise an alarm in intrusion detection systems.

SYN Scanning :  SYN scan is another form of TCP scanning. Rather than use the operating system's network functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan type is also known as "half-open scanning", because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the connection before the handshake is completed.

The use of raw networking has several advantages, giving the scanner full control of the packets sent and the timeout for responses, and allowing detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection while some services can be crashed with a connect scan. However, the RST during the handshake can cause problems for some network stacks, in particular simple devices like printers. There are no conclusive arguments either way.

UDP Scanning :  UDP is a connection-less protocol. This means that no notification is sent back to the attacker as to whether the packet has been received or dropped by the victim machine.

If a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open.

However, if a port is blocked by a firewall, this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This is a major limitation of this type of scanning, so it is generally used as a hybrid scan, meaning in combination with other scan processes, in order to improve the efficiency of the scanning process.

ACK Scanning :  This is generally referred to as the ace of port scanning because of its special ability. It doesn't tell us whether a port is open or not; instead, it tells us whether a port is filtered or unfiltered.

Since the ACK scan doesn't open any application sessions, the conversation between scanner and the remote device is relatively simple. This scan of a single port is unobtrusive and almost invisible when combined with the other network traffic.

FIN Scanning : FIN packets are able to pass through firewalls unmodified. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet. This is typical behavior due to the nature of TCP, and is in some ways an inescapable downfall. It is called the stealth scanning technique.
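The response rules described above are what a detector on the target side can key on: a half-open SYN scan, a connect scan, a FIN scan and an ACK scan each leave a different flag pattern across many ports from one source. The following is an added example, not code from the original post; it runs over a constructed packet log (only the scanner's own packets, not the replies) and the hosts, ports and threshold are made up for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample packet log (not real traffic): (src, dst, dport, tcp_flags)
# 10.0.0.9 sends bare SYNs to six ports and tears some down with RST: half-open SYN scan.
# 10.0.0.7 completes a handshake on a single port: a normal client.
# 10.0.0.12 sends bare FIN packets to six ports: FIN scan.
SAMPLE_PACKETS = (
    [("10.0.0.9", "10.0.0.50", p, "SYN") for p in (22, 25, 80, 110, 143, 443)]
    + [("10.0.0.9", "10.0.0.50", p, "RST") for p in (22, 80, 443)]
    + [("10.0.0.7", "10.0.0.50", 443, "SYN"), ("10.0.0.7", "10.0.0.50", 443, "ACK")]
    + [("10.0.0.12", "10.0.0.50", p, "FIN") for p in (21, 22, 23, 80, 139, 445)]
)


def classify_probe(flag_sequence):
    """Map the flags one source sent to one port onto the scan types described above."""
    first = flag_sequence[0]
    if first == "SYN":
        # A connect scan finishes the handshake with ACK; a half-open scan never does.
        return "connect" if "ACK" in flag_sequence[1:] else "syn"
    if first == "FIN":
        return "fin"   # bare FIN with no prior SYN: stealth/FIN scan
    if first == "ACK":
        return "ack"   # bare ACK with no prior SYN: ACK (filter-mapping) scan
    return "other"


def detect_scans(packets, port_threshold=5):
    """Return {(src, dst): scan_type} for every source that probed at least
    port_threshold distinct ports on one host with the same probe pattern."""
    per_port = defaultdict(lambda: defaultdict(list))
    for src, dst, dport, flags in packets:
        per_port[(src, dst)][dport].append(flags)

    alerts = {}
    for pair, ports in per_port.items():
        if len(ports) < port_threshold:
            continue  # a normal client talks to a handful of ports
        kinds = Counter(classify_probe(seq) for seq in ports.values())
        kind, count = kinds.most_common(1)[0]
        if count >= port_threshold:
            alerts[pair] = kind
    return alerts


if __name__ == "__main__":
    for (src, dst), kind in detect_scans(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: {kind} scan across many ports")
```

On the sample log the client 10.0.0.7 is ignored while 10.0.0.9 is reported as a SYN scan and 10.0.0.12 as a FIN scan; a production detector would additionally bound the window in time and watch for the host's RST or SYN-ACK replies.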
