Go4Expert (http://www.go4expert.com/)
-   Ethical hacking Tips (http://www.go4expert.com/articles/ethical-hacking-tutorials/)
-   -   New age port scan - Stealth scan (http://www.go4expert.com/articles/age-port-scan-stealth-scan-t408/)

vishal sharma 9Aug2005 07:46

New age port scan - Stealth scan
while going through the error logs in our system main frame I saw a good number of RST (Reset; drop a connection ) which is a TCP flag for anonymous packet received.....On researching further into it I came across a considerably new phenomenon of stealth scan....

With port scanning is that it is easily logged by the services listening at the ports. They see an incoming connection, but no data, so they log an error. There exist a number of stealth scan techniques to avoid this. A stealth scan is a kind of scan that is designed to go undetected by auditing tools. Obviously, this is a race -- what are considered stealth scans now may not be so a few months later.
Port scanners scan a host rapidly by firing off packets at different ports. So, scanning very slowly (taking a day or more) becomes a stealth technique.. Another stealth scanning technique is "inverse mapping", where you try to find out all hosts on a network by generating "host unreachable" ICMP-messages for those IPs that do not exist. Since these messages may be generated by any TCP/IP packet one may send meaningless packets (e.g. RST packets sent without any previous packet).

Fragmented packets The scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules. Some packet filters and firewalls do queue all IP fragments (e.g., the CONFIG _IP _ALWAYS _DEFRAG option in Linux enables it in the kernel), but many networks cannot afford the performance loss caused by the queuing.
SYN scanning: This technique is also called half-open scanning, because a TCP connection is not completed. A SYN packet is sent (as if we are going to open a connection), and the target host responds with a SYN+ACK, this indicates the port is listening, and an RST indicates a non- listener. The server process is never informed by the TCP layer because the connection did not complete.

FIN scanning: The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports. The scanner sends a FIN packet, which should close a connection that is open. Closed ports reply to a FIN packet with a RST. Open ports, on the other hand, ignore the packet in question. This is required TCP behavior. If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, silence indicates the presence of a service at the port. However, since packets can be dropped accidentally on the wire or blocked by firewalls, this isn't a very effective scan.

Other techniques that have been used consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans, and it becomes important to identify the OS and even its version and patch level.

lubna 18Mar2006 22:17

Re: New age port scan - Stealth scan
Nice bit of researching done.

zylyz 27Dec2006 03:48

Re: New age port scan - Stealth scan
nmap scan shows this very correctly..

All times are GMT +5.5. The time now is 09:01.