2. INTRODUCTION TO PORT SCANNING
• Port scanning is one of the most popular reconnaissance techniques used by hackers to discover services that can be compromised.
NMAP SCANNING
• A typical system has 2^16 - 1 port numbers, with one TCP port and one UDP port for each number.
• A potential target computer runs many 'services' that listen at 'well-known' 'ports'.
• By scanning which ports are open on the victim, the hacker finds potential vulnerabilities that can be exploited.
3. NMAP
• Nmap is the most popular scanning tool used on the Internet.
• Created by Fyodor (http://www.insecure.org), it was featured in the Matrix Reloaded movie.
A Project By:
Shrikant Antre
Shobhit Gautam
4. TCP COMMUNICATION FLAGS
• Standard TCP communications are controlled by flags in the TCP packet header.
• The flags are as follows:
– Synchronize - also called "SYN"
• Used to initiate a connection between hosts.
– Acknowledgement - also called "ACK"
• Used in establishing a connection between hosts.
– Push - "PSH"
• Instructs the receiving system to send all buffered data immediately.
– Urgent - "URG"
• States that the data contained in the packet should be processed immediately.
– Finish - also called "FIN"
• Tells the remote system that there will be no more transmissions.
– Reset - also called "RST"
• Also used to reset a connection.
5. THREE WAY HANDSHAKE
Computer A                                  Computer B
192.168.1.2:2312 ------------syn----------->192.168.1.3:80
192.168.1.2:2312 <---------syn/ack----------192.168.1.3:80
192.168.1.2:2312 ------------ack----------->192.168.1.3:80
Connection Established
• Computer A (192.168.1.2) initiates a connection to the server (192.168.1.3) with a packet that has only the SYN flag set.
• The server replies with a packet with both the SYN and the ACK flags set.
• For the final step, the client responds to the server with a single ACK packet.
• If these three steps are completed without complication, then a TCP connection has been established between the client and the server.
6. NMAP SCANNING TECHNIQUE
• Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on
port 25. A port is considered "open" if an application is listening on the port, otherwise it is
closed.
• One way to determine whether a port is open is to send a "SYN" (session establishment) packet
to the port. The target machine will send back a "SYN|ACK" (session request acknowledgment)
packet if the port is open, and a "RST" (Reset) packet if the port is closed.
8. SYN SCANNING
• SYN scanning is a technique that is widely used across the Internet today.
• The SYN scan, also called the "half open" scan, is the ability to determine a port's state without making a full connection to the host.
• Many systems do not log the attempt, and discard it as a communications error.
9. STEALTH SCAN
Computer A                                   Computer B
192.168.1.12:2722 ------------syn----------->192.168.1.23:80
192.168.1.12:2722 <---------syn/ack----------192.168.1.23:80
192.168.1.12:2722 ------------RST----------->192.168.1.23:80
• The client sends a single SYN packet to the server on the appropriate port.
• If the port is open, then the server responds with a SYN/ACK packet.
• If the server responds with an RST packet, then the remote port is in the state "closed".
• The client sends an RST packet to close the initiation before a connection can ever be established.
• This scan is also known as a "half-open" scan.
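The handshake on slide 5 and the half-open exchange above differ only in the client's third packet: ACK completes the connection, RST abandons it. That difference is what a defender can key on. The following is an added example, not code from the original slides: it rebuilds the handshake state of every TCP flow from a constructed packet log in the form (src_ip, src_port, dst_ip, dst_port, flags), as a firewall or IDS would record it, and reports any source that starts handshakes on several ports without ever sending the final ACK. The addresses, ports and the `min_ports` threshold are constructed for the sample.

```python
"""Half-open (SYN) scan detection over a packet log.

Added example, not part of the original slides. Reconstructs the
three-way handshake state of each TCP flow from a constructed packet
log and reports sources that begin handshakes on many ports but never
complete them with the final ACK.
"""
from collections import defaultdict

# Constructed sample trace: (src_ip, src_port, dst_ip, dst_port, flags).
SAMPLE_PACKETS = [
    # Legitimate client: full three-way handshake to port 80.
    ("192.168.1.2", 2312, "192.168.1.3", 80, "SYN"),
    ("192.168.1.3", 80, "192.168.1.2", 2312, "SYN/ACK"),
    ("192.168.1.2", 2312, "192.168.1.3", 80, "ACK"),
    # Half-open probes: open ports answer SYN/ACK, client tears down with RST.
    ("192.168.1.12", 2722, "192.168.1.23", 22, "SYN"),
    ("192.168.1.23", 22, "192.168.1.12", 2722, "SYN/ACK"),
    ("192.168.1.12", 2722, "192.168.1.23", 22, "RST"),
    ("192.168.1.12", 2723, "192.168.1.23", 80, "SYN"),
    ("192.168.1.23", 80, "192.168.1.12", 2723, "SYN/ACK"),
    ("192.168.1.12", 2723, "192.168.1.23", 80, "RST"),
    ("192.168.1.12", 2724, "192.168.1.23", 443, "SYN"),
    ("192.168.1.23", 443, "192.168.1.12", 2724, "SYN/ACK"),
    ("192.168.1.12", 2724, "192.168.1.23", 443, "RST"),
    # Closed port: the target answers RST, the client never sends an ACK.
    ("192.168.1.12", 2725, "192.168.1.23", 25, "SYN"),
    ("192.168.1.23", 25, "192.168.1.12", 2725, "RST"),
]


def track_flows(packets):
    """Map (client_ip, client_port, server_ip, server_port) -> handshake state.

    The side that sends the SYN is the client. States: SYN_SENT,
    SYNACK_RECEIVED, ESTABLISHED (client ACKed), HALF_OPEN_ABORTED
    (client RST after SYN/ACK), CLOSED_PORT (server RST to the SYN).
    Flows that never get a reply stay in SYN_SENT (filtered or dropped).
    """
    flows = {}
    for src, sport, dst, dport, flags in packets:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags == "SYN":
            flows[fwd] = "SYN_SENT"
        elif rev in flows:                      # reply from server to client
            state = flows[rev]
            if state == "SYN_SENT" and flags == "SYN/ACK":
                flows[rev] = "SYNACK_RECEIVED"
            elif state == "SYN_SENT" and flags == "RST":
                flows[rev] = "CLOSED_PORT"
        elif fwd in flows:                      # follow-up from the client
            state = flows[fwd]
            if state == "SYNACK_RECEIVED" and flags == "ACK":
                flows[fwd] = "ESTABLISHED"
            elif state == "SYNACK_RECEIVED" and flags == "RST":
                flows[fwd] = "HALF_OPEN_ABORTED"
    return flows


def find_syn_scanners(packets, min_ports=3):
    """Return {client_ip: sorted (server_ip, port) list} for clients whose
    unfinished handshakes touch at least min_ports distinct ports."""
    probed = defaultdict(set)
    for (client, _, server, port), state in track_flows(packets).items():
        if state in ("HALF_OPEN_ABORTED", "CLOSED_PORT"):
            probed[client].add((server, port))
    return {client: sorted(ports)
            for client, ports in probed.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for client, ports in find_syn_scanners(SAMPLE_PACKETS).items():
        print(f"{client} half-open probed {len(ports)} ports: {ports}")
```

The threshold matters: a single client that hits one or two closed ports is ordinary behaviour, so only a source with several unfinished handshakes to distinct ports is reported. A flow that never receives any reply is left in `SYN_SENT`; a production detector would count those too, since a filtered port looks exactly like that from the scanner's side.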
10. XMAS SCAN
Computer A                                 Computer B
Xmas scan directed at open port:
192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23
Xmas scan directed at closed port:
192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23
192.5.5.92:4031 <------------RST/ACK--------------192.5.5.110:23
• Note: the Xmas scan only works against operating systems whose TCP/IP implementation follows RFC 793.
• The Xmas scan will not work against any current version of Microsoft Windows.
• Xmas scans directed at any Microsoft system will show all ports on the host as being closed.
11. FIN SCAN
Computer A                                 Computer B
FIN scan directed at open port:
192.5.5.92:2031 -----------FIN------------------->192.5.5.110:23
192.5.5.92:2031 <----------NO RESPONSE------------192.5.5.110:23
FIN scan directed at closed port:
192.5.5.92:2031 -------------FIN----------------->192.5.5.110:23
192.5.5.92:2031 <------------RST/ACK--------------192.5.5.110:23
• Note: the FIN scan only works against operating systems whose TCP/IP implementation follows RFC 793.
• The FIN scan will not work against any current version of Microsoft Windows.
• FIN scans directed at any Microsoft system will show all ports on the host as being closed.
12. NULL SCAN
Computer A                                 Computer B
NULL scan directed at open port:
192.7.8.91:4231 -----------NO FLAGS SET---------->192.6.7.110:23
192.7.8.91:4231 <----------NO RESPONSE------------192.6.7.110:23
NULL scan directed at closed port:
192.7.8.91:4231 -------------NO FLAGS SET-------->192.6.7.110:23
192.7.8.91:4231 <------------RST/ACK--------------192.6.7.110:23
• Note: the NULL scan only works against operating systems whose TCP/IP implementation follows RFC 793.
• The NULL scan will not work against any current version of Microsoft Windows.
• NULL scans directed at any Microsoft system will show all ports on the host as being closed.
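The Xmas, FIN and NULL scans on slides 10 to 12 are three instances of one RFC 793 rule: a closed port answers any segment that is not an RST with an RST, while a listening port replies to a SYN with SYN/ACK, answers an unsolicited ACK with RST, and silently drops everything else. Because every legitimate segment after the handshake carries the ACK flag, a segment with only FIN, only FIN/URG/PSH, or no flags at all never occurs in normal traffic and is a clean IDS signature. The following is an added example, not code from the original slides: it parses the flag byte out of raw TCP header bytes the way an inspection tool would, names the three probe types, and encodes the general RFC 793 LISTEN/CLOSED reply rule of which the slides show particular cases. The header builder, the sample headers and the function names are constructed for this example; the Windows behaviour the slides mention (RST for every probe regardless of port state) is deliberately not modelled.

```python
"""Parse TCP flags from raw header bytes and classify malformed probes.

Added example, not part of the original slides. build_tcp_header() makes a
constructed 20-byte header for testing, parse_tcp_flags() reads the flag byte
at offset 13, classify_probe() names the Xmas/FIN/NULL combinations, and
expected_reply() encodes the RFC 793 reply rule for a port with no existing
connection (LISTEN if open, CLOSED if not).
"""
import struct

# Flag bits of the TCP header's 13th byte (CWR/ECE omitted for clarity).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header, no options; seq/ack/checksum are zero."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAG_BITS[name]
    data_offset = 5 << 4            # header length 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flag_byte, 8192, 0, 0)


def parse_tcp_flags(header):
    """Return (sport, dport, set of flag names) from raw TCP header bytes."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", header[:4])
    flag_byte = header[13]
    flags = {name for name, bit in TCP_FLAG_BITS.items() if flag_byte & bit}
    return sport, dport, flags


def classify_probe(flags):
    """Name the probe types from the slides; anything else is 'other'."""
    flags = set(flags)
    if not flags:
        return "NULL scan"
    if flags == {"FIN", "URG", "PSH"}:
        return "Xmas scan"
    if flags == {"FIN"}:
        return "FIN scan"
    if flags == {"SYN"}:
        return "SYN probe"
    return "other"


def expected_reply(flags, port_open):
    """RFC 793 reply to a segment arriving with no existing connection.

    CLOSED port: any non-RST segment is answered with RST.
    LISTEN port: RST ignored, unsolicited ACK answered with RST, SYN answered
    with SYN/ACK, anything else (FIN, NULL, Xmas) dropped without reply.
    """
    flags = set(flags)
    if "RST" in flags:
        return None
    if not port_open:
        return "RST"
    if "ACK" in flags:
        return "RST"
    if "SYN" in flags:
        return "SYN/ACK"
    return None


def suspicious_segments(headers):
    """Detection pass: report FIN/NULL/Xmas segments, which legitimate
    traffic never produces because post-handshake segments always carry ACK."""
    hits = []
    for raw in headers:
        sport, dport, flags = parse_tcp_flags(raw)
        kind = classify_probe(flags)
        if kind in ("NULL scan", "Xmas scan", "FIN scan"):
            hits.append((sport, dport, kind))
    return hits


# Constructed sample: one Xmas probe, one NULL probe, one normal data segment.
SAMPLE_HEADERS = [
    build_tcp_header(4031, 23, ["FIN", "URG", "PSH"]),
    build_tcp_header(4231, 23, []),
    build_tcp_header(51000, 443, ["PSH", "ACK"]),
]

if __name__ == "__main__":
    for sport, dport, kind in suspicious_segments(SAMPLE_HEADERS):
        print(f"{kind}: source port {sport} -> destination port {dport}")
```

`expected_reply` is the rule the slides' "NO RESPONSE" and "RST/ACK" arrows follow, so it also explains the Windows caveat: a stack that answers every probe with RST makes `expected_reply` return "RST" for open ports as well, and the scanner can no longer tell the two states apart.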
13. IDLE SCAN
• A few years ago, security researcher 'Antirez' posted an innovative new TCP port scanning technique.
• Idle scan, as it has become known, allows for completely blind port scanning.
• Attackers can actually scan a target without sending a single packet to the target from their own IP address.
14. IDLE SCAN: BASICS
• One way to determine whether a port is open is to send a "SYN" (session establishment) packet
to the port.
• The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the
port is open, and a "RST" (Reset) packet if the port is closed.
• A machine which receives an unsolicited SYN|ACK packet will respond with a RST. An unsolicited
RST will be ignored.
• Every IP packet on the Internet has a "fragment identification" number.
• Many operating systems simply increment this number for every packet they send.
• So probing for this number can tell an attacker how many packets have been sent since the last
probe.
15. IDLE SCAN: STEP 1
Choose a "zombie" and probe for its current IPID number.
16. IDLE SCAN: STEP 2
Send forged packet "from" Zombie to target.
17. IDLE SCAN: STEP 3
Probe Zombie IPID again
18. FRAGMENTATION SCANNING
• Instead of just sending the probe packet, you break it into a couple of small IP fragments.
• You are splitting up the TCP header over several packets to make it harder for packet filters and
so forth to detect what you are doing.
• The -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets.
19. ICMP ECHO SCANNING
• This isn't really port scanning, since ICMP doesn't have a port abstraction.
• But it is sometimes useful to determine what hosts in a network are up by pinging them all.
• nmap -P