New age port scan - Stealth scan

Discussion in 'Ethical hacking Tips' started by vishal sharma, Aug 9, 2005.

  1. vishal sharma
    While going through the error logs in our system mainframe I saw a good number of RST (Reset; drop a connection) flags, which is a TCP flag for an anonymous packet received... On researching further into it I came across a considerably new phenomenon of stealth scan...


    The problem with port scanning is that it is easily logged by the services listening at the ports. They see an incoming connection, but no data, so they log an error. There exist a number of stealth scan techniques to avoid this. A stealth scan is a kind of scan that is designed to go undetected by auditing tools. Obviously, this is a race -- what are considered stealth scans now may not be so a few months later.
    Port scanners scan a host rapidly by firing off packets at different ports. So, scanning very slowly (taking a day or more) becomes a stealth technique. Another stealth scanning technique is "inverse mapping", where you try to find out all hosts on a network by generating "host unreachable" ICMP messages for those IPs that do not exist. Since these messages may be generated by any TCP/IP packet, one may send meaningless packets (e.g. RST packets sent without any previous packet).

    Fragmented packets: The scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules. Some packet filters and firewalls do queue all IP fragments (e.g., the CONFIG_IP_ALWAYS_DEFRAG option in Linux enables it in the kernel), but many networks cannot afford the performance loss caused by the queuing.
    SYN scanning: This technique is also called half-open scanning, because a TCP connection is not completed. A SYN packet is sent (as if we are going to open a connection), and the target host responds with a SYN+ACK, which indicates the port is listening, or an RST, which indicates a non-listener. The server process is never informed by the TCP layer because the connection did not complete.

    FIN scanning: The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports. The scanner sends a FIN packet, which should close a connection that is open. Closed ports reply to a FIN packet with an RST. Open ports, on the other hand, ignore the packet in question. This is required TCP behavior. If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, silence indicates the presence of a service at the port. However, since packets can be dropped accidentally on the wire or blocked by firewalls, this isn't a very effective scan.

    Other techniques that have been used consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans, and it becomes important to identify the OS and even its version and patch level.
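    The flag combinations described in this post (SYN half-open, lone FIN, XMAS, NULL) are exactly what a log reviewer can look for. The following detector is an added example, not code from the thread: it classifies constructed TCP header records by flag byte and reports sources whose probes of one type touch many distinct ports, which is the pattern the RST entries in a log point back to.

```python
"""Classify TCP flag bytes from captured headers and flag sources whose
probes look like the stealth scans discussed above.
Added example with constructed records; nothing here is from the thread."""
from collections import defaultdict

# TCP flag bits as laid out in the header's flags byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS_BITS = FIN | PSH | URG


def classify(flags: int) -> str:
    """Name the probe type a single packet's flag byte suggests."""
    if flags == 0:
        return "NULL"          # no bits set: NULL scan
    if (flags & XMAS_BITS) == XMAS_BITS:
        return "XMAS"          # FIN+PSH+URG lit (covers "all flags set")
    if flags == FIN:
        return "FIN"           # lone FIN with no connection behind it
    if flags == SYN:
        return "SYN"           # half-open candidate; many ports = sweep
    return "normal"            # SYN+ACK, ACK, PSH+ACK, RST ... ordinary traffic


def find_scanners(packets, port_threshold=5):
    """Return {src: {probe_type: sorted ports}} for sources whose probes of
    one type hit at least port_threshold distinct destination ports.
    packets: iterable of (src_ip, dst_port, flags) tuples (constructed)."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in packets:
        kind = classify(flags)
        if kind != "normal":
            seen[src][kind].add(dport)
    result = {}
    for src, kinds in seen.items():
        hits = {k: sorted(p) for k, p in kinds.items() if len(p) >= port_threshold}
        if hits:
            result[src] = hits
    return result


# Constructed sample: one NULL+FIN sweeper, one normal web client, one
# XMAS probe that stays below the default threshold.
SAMPLE = (
    [("198.51.100.7", p, 0) for p in (21, 22, 23, 25, 80, 443)]
    + [("198.51.100.7", p, FIN) for p in (21, 22, 23, 25, 80)]
    + [("203.0.113.9", 80, SYN), ("203.0.113.9", 80, ACK), ("203.0.113.9", 80, PSH | ACK)]
    + [("203.0.113.42", p, XMAS_BITS) for p in (1, 2, 3)]
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

Tune port_threshold to the host's normal fan-out; a single SYN to one port is a client, a SYN to fifty ports in a second is the half-open scan the post describes.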
     
  2. lubna
    Nice bit of researching done.
     
  3. zylyz
    nmap scan shows this very correctly.
     