Mobile Linux
App Generation ROI
IBM® developerWorks

Download TestComplete
Forums Sitemap
Weekly Newsletter

Developer Updates
Free Website Content

Articles

Forums

All Feeds

Write For Us Get Paid

Request Media Kit

Site Map

Privacy Policy
Support

USERNAME

PASSWORD

>>> SIGN UP!

Lost Password?

SERVER ADMINISTRATION

RSS

Methods of IP Network Scanning

By: O'Reilly Media	Search For More Articles! Disclaimer Author Terms
Rating: / 1
2008-05-29

Table of Contents:

Methods of IP Network Scanning

Standard Scanning Methods

Half-open SYN flag scanning

Stealth TCP Scanning Methods

	ADD THIS ARTICLE TO:
	Del.ici.ous	Digg
	Blink	Simpy
	Google	Spurl
	Y! MyWeb	Furl

Email Me Similar Content When Posted

Add Developer Shed Article Feed To Your Site

Email Article To Friend

Print Version Of Article

PDF Version Of Article

Methods of IP Network Scanning

(Page 1 of 4 )

In this second part of a five-part article on IP network scanning, you will learn about OS fingerprinting using ICMP, TCP port scanning, and other scanning methods. This article is excerpted from chapter four of Network Security Assessment, Second Edition, written by Chris McNab (O'Reilly, 2007; ISBN: 0596510306). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

OS Fingerprinting Using ICMP

Ofir Arkin’s Xprobe2 utility performs OS fingerprinting by primarily analyzing responses to ICMP probes. See the Sys-Security Group web site ( http://www.sys- security.com) for further details, including white papers and presentations that describe the Xprobe2 fingerprinting technology and approach. Example 4-4 shows Xprobe2 being used to fingerprint a remote host.

Example 4-4. Operating system fingerprinting using Xprobe 2

$ xprobe2 -v 192.168.0.174

[+] Target is 192.168.0.174
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[+] Host: 192.168.0.174 is up (Guess probability: 100%)
[+] Target: 192.168.0.174 is alive. Round-Trip Time: 0.00015 sec
[+] Selected safe Round-Trip Time value is: 0.00030 sec
[+] Primary guess:
[+] Host 192.168.0.174 Running OS: "Sun Solaris 5 (SunOS 2.5)" (Guess probability: 100%)
[+] Other guesses:
[+] Host 192.168.0.174 Running OS: "Sun Solaris 6 (SunOS 2.6)" (Guess probability: 100%)
[+] Host 192.168.0.174 Running OS: "Sun Solaris 7 (SunOS 2.7)" (Guess probability: 100%)
[+] Host 192.168.0.174 Running OS: "Sun Solaris 8 (SunOS 2.8)" (Guess probability: 100%)
[+] Host 192.168.0.174 Running OS: "Sun Solaris 9 (SunOS 2.9)" (Guess probability: 100%)
[+] Host 192.168.0.174 Running OS: "Mac OS 9.2.x" (Guess probability: 95%)
[+] Host 192.168.0.174 Running OS: "HPUX B.11.0 x" (Guess probability: 95%)
[+] Host 192.168.0.174 Running OS: "Mac OS X 10.1.5" (Guess probability: 87%)
[+] Host 192.168.0.174 Running OS: "FreeBSD 4.3" (Guess probability: 87%)
[+] Host 192.168.0.174 Running OS: "FreeBSD 4.2" (Guess probability: 87%)

TCP Port Scanning

Accessible TCP ports can be identified by port scanning target IP addresses. The following nine different types of TCP port scanning are used in the wild by both attackers and security consultants:

Standard scanning methods
Vanillaconnect()scanning
Half-open SYN flag scanning

Stealth TCP scanning methods
   Inverse TCP flag scanning
   ACK flag probe scanning
   TCP fragmentation scanning

Third-party and spoofed TCP scanning methods
   FTP bounce scanning
   Proxy bounce scanning
   Sniffer-based spoofed scanning
   IP ID header scanning

What follows is a technical breakdown for each TCP port scanning type, along with details of Windows- and Unix-based tools that can perform scanning.

Next: Standard Scanning Methods >>

More Server Administration Articles
More By O'Reilly Media

Comments On: Methods of IP Network Scanning
· This article is an excerpt from the book "Network Security Assessment, Second...

>>> Post your comment now!

Buy this book...
This article is excerpted from chapter four of Network Security Assessment, Second Edition, written by Chris McNab (O'Reilly, 2007; ISBN: 0596510306). Check it out today at your favorite bookstore. Buy this book now.

SERVER ADMINISTRATION ARTICLES

- Wine: Not Another Emulator
- Preventive Measures to Block SSH Attacks
- Monitoring Temperatures with Cacti
- Cacti: RRDTool-based Graphing Solution
- Network Magic 5.0 Review
- Netfilter and Iptables Overview
- Installing and Configuring Squid
- Clickfree PC Backup Systems Compared
- Squid, the Caching Proxy
- Regular Expressions in the Unix Shell
- Source Code Version Control Solutions
- OTRS: Open Source Ticket Request System
- Clonezilla: Free Mass Disk-Cloning Utility
- Bugzilla: Open Source Bug-Tracking System
- IT Inventory and Resource Management on Ster...
Find More Server Administration Articles