How does Portscanning works? That is not a question asked wery often, but still it is important to know if you want to really understand what's happening when you launch a portscan. In this document i will explain how to stealth scan and how it works. The first thing you must know is how the "three way handshake" works, here is an example: * 192.168.0.1 = Attacker * 184.108.40.206 = Victim The attacker first sends a SYN packet to the victim, in this case to port 25: 192.168.0.1-------SYN------>220.127.116.11:25 Then if the victimÅ› port 25 is open this will happen: 192.168.0.1<-------SYN/ACK------18.104.22.168:25 The victim sends a SYN/ACK packet in return to show that port 25 i open and listening. If the port was closed and not behind a firewall the answer would be a RA packet insted. If the victim was behind a firewall that didn't allowed traffic to port 25 the answer would look like this: 192.168.0.1<---------------------22.214.171.124:25 As you see, there is no packet sent in return. And as i explained before, If the port was open or closed it will always respond to a SYN packet. Therefore you can be relative sure that the victim is behind a firewall if you don't get any response. The last thing that will happen before the connection is established(if the port is open and not behind a firewall) is shown below: 192.168.0.1---------ACK-------->126.96.36.199:25 The attacker send a ACK packet and then there is a connection between the Attacker and the Victim. That is how the "three way handshake" works for normal users, for a hacker it should work like this: 192.168.0.1-----------SYN--------->188.8.131.52:25 192.168.0.1<----------SYN/ACK------184.108.40.206:25 192.168.0.1-----------RST--------->220.127.116.11:25 What the attacker do here is that he first send a SYN packet to port 25 on the victim. The Victim respond with a SYN/ACK to show that the port is open and listening. Then the attacker send a RST packet to end the "conversation". The good thing about this scan is that there will be no connection and there is almost nobody that will log these situation, the victim will think it just a connection that has failed. This tecnique is called "half-open" scanning, or stealth scanning. So what you can figure out of this example is that the port 25 is open, and still you didn't established a conection. So how do I send SYN packets? First of all, get the easy to use, still powerfull tool: Hping2 (http://www.hping.org). Then install it and give the command: Hping2 --help This will give you a list of commands. Here is the first you should learn: hping -S <yourVictims_IP> -p <PORT_TO_SCAN> This will send a SYN-packet(-S) to the victim(youVictims_IP) to port <PORT_TO_SCAN>. This is a example of how to use this command: hping2 -S 127.0.0.1 -p 22 HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=32767 rtt=0.2 ms len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=32767 rtt=0.1 ms --- 127.0.0.1 hping statistic --- 2 packets tramitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.1/0.2/0.2 ms This send the SYN packet to port 22 and as you see the port 22 answer with a SYN/ACK packet which give you the answer on the question: "Is port 22 open?" answer: "Yes" Let us look at a result of scanning a closed port: hping2 -S 127.0.0.1 -p 23 HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes len=40 ip=127.0.0.1 ttl=64 DF id=66 sport=23 flags=RA seq=0 win=0 rtt=0.1 ms len=40 ip=127.0.0.1 ttl=64 DF id=67 sport=23 flags=RA seq=1 win=0 rtt=0.1 ms len=40 ip=127.0.0.1 ttl=64 DF id=68 sport=23 flags=RA seq=2 win=0 rtt=0.1 ms --- 127.0.0.1 hping statistic --- 3 packets tramitted, 3 packets received, 0% packet loss round-trip min/avg/max = 0.1/0.1/0.1 ms As you see, the port answerd RA which tell you that the port is closed and NOT behind a firewall. If you don't understand how i know that it isn't behind a firewall, which i already explained, here comes the answer: If the port where behind a firewall then it wouldn't respond to a SYN packet, look at this example when i try scan a port being protected by a firewall: hping2 -S 127.0.0.1 -p 25 HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes --- 127.0.0.1 hping statistic --- 3 packets transmitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms The SYN packet hit the firewall which block the port and therefore there is no response at all. No if you noticed that your victim has a firewall, then I'm sure that you would want to know if it is a simpel firewall or a more advanced, right? This is how to do it We have only used SYN packets in our previous examples, and if the victim has blocked that packet you should just try to send a ACK packet. Lets say that we noticed that the firewall is blocking port 25: hping -A 127.0.0.1 -p 25 What we do is to send a ACK packet(-A) to port 25. The normal behavior when getting a lonesome ACK packet, is to respond with a RST packet. If you get a RST packet in respond, then you know that it is a wery simpel firewall that only blocks SYN packets. If you don't get any answer then it is probly not one of does simpel firewalls.