Methods of IP Network Scanning - Standard Scanning Methods
(Page 2 of 4 )
Standard scanning methods, such as vanilla and half-open SYN scanning, are extremely simple direct techniques used to accurately identify accessible TCP ports and services. These scanning methods are reliable but are easily logged and identified.
Vanilla connect() scanning
TCP connect() port scanning is the simplest type of probe to launch. There is no stealth whatsoever involved in this form of scanning, as a full TCP/IP connection is established with each port of the target host.
TCP Port Scanning
TCP/IP robustness means thatconnect()port scanning is an accurate way to determine which TCP services are accessible on a given host. However, due to the way that a full three-way handshake is performed, an aggressiveconnect()scan could antagonize or break poorly written network services. Figures 4-2 and 4-3 show the various TCP packets involved and their flags.
In Figure 4-2, the attacker first sends a SYN probe packet to the port he wishes to test. Upon receiving a packet from the port with the SYN and ACK flags set, he knows that the port is open. The attacker completes the three-way handshake by sending an ACK packet back.
Figure 4-2. A vanilla TCP scan result when a port is open
If, however, the target port is closed, the attacker receives an RST/ACK packet directly back, as shown in Figure 4-3.
Figure 4-3. A vanilla TCP scan result when a port is closed
Tools that perform connect() TCP scanning. Nmap can perform a TCPconnect()port scan using the –sTflag. A benefit of this scanning type is that superuser root access is not required, as raw network sockets are not used. Other very simple scanners exist, including pscan.c, which is available as source code from many sites including Packet Storm (http://www.packetstormsecurity.org).
When performing a full assessment exercise, every TCP port from 0 to 65535 should be checked. For speed reasons, port scanners such as Nmap have internal lists of only some 1,500 common ports to check; thus, they often miss all kinds of interesting services that can be found on high ports, for example, Check Point SVN web services on TCP port 18264.
