Tuesday, June 21, 2011

Port Scanning and types

INTRODUCTION

Port scanning is a technique for finding the open ports on a target computer and the services running on them. It is one of the most important and most widely used techniques an attacker uses to find out which ports are open and decide accordingly which port to establish a connection with on the target host.

It can also be considered an attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service.

Port scanning is the process of connecting to TCP and UDP ports on the target system to determine what services are running or are in a LISTENING state.


TYPES OF PORT SCANNING

  • TCP CONNECT SCAN: The TCP connect() scan is named after the connect() call that the operating system uses to initiate a TCP connection to a remote device. Unlike the TCP SYN scan (-sS), the TCP connect() scan uses a normal TCP connection to determine whether a port is available. This scan method uses the same TCP handshake that every other TCP-based application on the network uses. To a closed port, a TCP connect() scan looks exactly like a TCP SYN scan.
  1. If the sender's TCP connect request is answered with a RST (reset connection), the port is closed.
  2. If the sender's TCP connect request completes the three-way handshake between sender and receiver, the port is open.
   
  • TCP SYN SCAN: This scan is called half-open because the TCP three-way handshake is never completed. Open ports reply with SYN/ACK, whereas closed ports respond with RST/ACK.
  1. The sender sends a TCP SYN to the destination; if the destination answers with a RST, the connection is reset and the port is closed.
  2. The sender sends a TCP SYN and receives an acknowledgement (SYN/ACK) back, which means the port is open; the sender then sends a RST to reset the connection, so the connection is never actually established.


  • TCP FIN SCAN: It sends a FIN packet to the target port. A closed port should send a RST packet back, while open ports do not respond.

     If the port is open, no response is received.

  • TCP ACK SCAN: It attempts to determine the access control list (ACL) rule set of a firewall, or to identify whether stateless inspection is being used. If an ICMP destination unreachable (communication administratively prohibited) message is returned, the port is considered filtered.
Nmap's ACK scan will never locate an open port. The ACK scan only provides a "filtered" or "unfiltered" disposition, because it never connects to an application to confirm an "open" state. At face value this appears rather limiting, but in reality the ACK scan can characterize the ability of a packet to traverse firewalls or packet-filtered links.
  1. An ACK scan sends a TCP ACK frame to the destination; if there is no response, or an ICMP destination unreachable message is returned, the port is FILTERED.
  2. When an ACK scan sends an ACK frame to the destination and a RST packet is received in response, the port is unfiltered. After the Nmap scan, the unfiltered ports are listed.
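The four behaviours above (a connect() scan completing the handshake, a SYN scan resetting right after the SYN/ACK, bare FIN probes, and bare ACK probes that never belonged to a connection) are all visible from the scanned host's side, which is where a defender detects them. The following is an added example, not code from the original post: it walks constructed packet records for one monitored host and labels each remote source with the scan families its traffic exhibited. The addresses, port numbers and the five-port threshold are this example's own assumptions, and the sample packets are constructed to mirror the exchanges described in the text.

```python
"""Label probing traffic seen by one host with the scan family it belongs to.

Added example (not from the original post). Packets are dicts with src/sport/dst/dport
and a set of TCP flag names; in practice they would come from a capture or firewall log.
"""
from collections import defaultdict

MONITORED_HOST = "10.0.0.5"   # constructed address of the host whose traffic we watch
SCAN_PORT_THRESHOLD = 5       # distinct local ports from one source before we call it a scan


def flow_key(pkt):
    """Normalise a packet to a direction-independent key (remote ip, remote port, local port)."""
    if pkt["dst"] == MONITORED_HOST:
        return (pkt["src"], pkt["sport"], pkt["dport"])
    return (pkt["dst"], pkt["dport"], pkt["sport"])


def analyse(packets):
    """Walk packets in capture order; return {remote_ip: {scan_family: set(local_ports)}}."""
    state = {}                                   # flow_key -> last handshake stage seen
    findings = defaultdict(lambda: defaultdict(set))
    for pkt in packets:
        inbound = pkt["dst"] == MONITORED_HOST
        flags = frozenset(pkt["flags"])
        key = flow_key(pkt)
        remote, _, local_port = key
        prev = state.get(key)
        if inbound:
            if flags == {"SYN"} and prev is None:
                state[key] = "syn_seen"
            elif flags == {"ACK"} and prev == "synack_sent":
                # Third handshake packet arrived: full connect() (a scanner or a real client)
                findings[remote]["connect"].add(local_port)
                state[key] = "established"
            elif flags == {"RST"} and prev == "synack_sent":
                # Open port answered SYN/ACK but the peer tore it down: half-open SYN scan
                findings[remote]["syn"].add(local_port)
                state[key] = "reset"
            elif flags == {"FIN"} and prev is None:
                findings[remote]["fin"].add(local_port)      # FIN with no connection behind it
            elif flags == {"ACK"} and prev is None:
                findings[remote]["ack"].add(local_port)      # ACK with no connection behind it
        else:
            if flags == {"SYN", "ACK"} and prev == "syn_seen":
                state[key] = "synack_sent"
            elif flags == {"RST", "ACK"} and prev == "syn_seen":
                # Closed port: SYN answered with RST/ACK; SYN and connect() scans look alike here
                findings[remote]["syn-or-connect-closed"].add(local_port)
                state[key] = "reset"
    return findings


def suspected_scanners(findings, threshold=SCAN_PORT_THRESHOLD):
    """Sources whose probe-like traffic touched at least `threshold` distinct local ports."""
    result = {}
    for remote, families in findings.items():
        ports = set().union(*families.values())
        if len(ports) >= threshold:
            result[remote] = {"ports": len(ports), "families": sorted(families)}
    return result


# ---- constructed sample traffic ---------------------------------------------------------
H = MONITORED_HOST


def pkt(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}


def syn_probe(remote, rport, lport, is_open):
    """One half-open probe exchange: SYN, then SYN/ACK+RST (open) or RST/ACK (closed)."""
    p = [pkt(remote, rport, H, lport, "SYN")]
    if is_open:
        p += [pkt(H, lport, remote, rport, "SYN", "ACK"), pkt(remote, rport, H, lport, "RST")]
    else:
        p += [pkt(H, lport, remote, rport, "RST", "ACK")]
    return p


SAMPLE_PACKETS = []
for port, is_open in [(22, True), (80, True), (23, False), (25, False), (443, False), (8080, False)]:
    SAMPLE_PACKETS += syn_probe("192.0.2.10", 40000 + port, port, is_open)
for port in (135, 139):   # bare ACK probes; the host drops them silently (filtered)
    SAMPLE_PACKETS.append(pkt("192.0.2.10", 41000 + port, H, port, "ACK"))
SAMPLE_PACKETS += [       # an ordinary client completing the handshake on port 22
    pkt("198.51.100.7", 50000, H, 22, "SYN"), pkt(H, 22, "198.51.100.7", 50000, "SYN", "ACK"),
    pkt("198.51.100.7", 50000, H, 22, "ACK"), pkt("198.51.100.7", 50000, H, 22, "ACK", "PSH"),
]
for port in (21, 22, 23, 25, 80, 110):   # FIN probes; closed ports answer RST/ACK, open ones stay silent
    SAMPLE_PACKETS.append(pkt("203.0.113.4", 42000 + port, H, port, "FIN"))
    if port not in (22, 80):
        SAMPLE_PACKETS.append(pkt(H, port, "203.0.113.4", 42000 + port, "RST", "ACK"))

if __name__ == "__main__":
    for remote, info in suspected_scanners(analyse(SAMPLE_PACKETS)).items():
        print(f"{remote}: {info['ports']} ports, families {info['families']}")
```

The distinct-port count is what separates a scanner from a legitimate client here: the client on port 22 produces the same SYN, SYN/ACK, ACK sequence a connect() scan does, so it is only the breadth of ports touched, not any single exchange, that makes the verdict.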

  • TCP IDLE SCAN: To keep a scan from being traced back to the scanner, we use the IDLE scan. It bounces packets off an idle host, which makes the scan harder to trace. (The FTP bounce scan similarly uses an FTP server to bounce packets off and make the scan harder to trace.)
 While an IDLE scan is running it appears that the port scan originates from some third-party address instead of the nmap station. It relies on IP address spoofing and on the IP identification (IPID) sequence of that third party.
It uses a zombie station, which acts as the third party and must produce a consistent, predictable IP identification sequence.

  • To begin the idlescan process, nmap first sends a SYN/ACK to the zombie workstation to induce a RST in return. This RST frame contains the initial IPID, which nmap remembers for later.
  • Nmap now sends a SYN frame to the destination address, but spoofs the source IP address so that the SYN frame appears to come from the zombie workstation. If this SYN frame is sent to one of the destination's open ports, the destination responds with a SYN/ACK to the spoofed zombie workstation, not to the original workstation. The zombie workstation won't be expecting the SYN/ACK (because it never really sent the SYN), so the zombie responds to the destination with a RST. That RST, as expected, increments the zombie's IPID.
  • The final step in the idlescan is for nmap to repeat the original SYN/ACK probe of the zombie station. If the IPID has incremented, then the port that was spoofed in the original SYN frame is open on the destination device. If the IPID has not incremented, then the port is not open.
  • In other words, at the end the nmap station again sends its SYN/ACK probe to the zombie; if the RST it receives back carries an IPID that has increased, it concludes the PORT WAS OPEN. If the IPID has not increased, the port was closed.
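The whole trick depends on the zombie's IPID being a predictable counter, so the defender's check is the mirror image: look at the IPID values a host puts in its own replies and decide whether they are sequential. The following is an added example, not code from the original post or from Nmap; it classifies a list of IPID values read from successive packets a host sent (for instance RST replies seen in a capture), and the sample sequences, class names and the step-size cutoff are this example's own assumptions. A host that comes out as predictable is exactly the "consistent IP identification" zombie the post describes, and the fix is to enable randomised IPID generation on it.

```python
"""Judge whether a host's IPID sequence is predictable enough to serve as an idle-scan zombie.

Added example, not part of the original post. Input: IPID values from successive packets
one host sent. The sample sequences below are constructed.
"""
IPID_MODULUS = 1 << 16      # the IP identification field is 16 bits wide, so it wraps
INCREMENT_LIMIT = 10        # this example's cutoff for a "small, counter-like" step


def ipid_deltas(ipids):
    """Consecutive differences modulo 2**16, so that 65535 -> 0 counts as a step of 1."""
    return [(nxt - cur) % IPID_MODULUS for cur, nxt in zip(ipids, ipids[1:])]


def classify_ipid_sequence(ipids):
    """Label the generator behind an IPID sequence (class names are this example's own).

    'all-zeros'             every packet carries IPID 0 (typical when DF is set)
    'incremental'           a global counter stepping by a small amount per packet
    'broken-le-incremental' a counter stepping by small multiples of 256, i.e. the host
                            writes its counter in the wrong byte order
    'random'                anything else
    At least three samples are needed so that two deltas can be compared.
    """
    if len(ipids) < 3:
        raise ValueError("need at least three IPID samples")
    if all(i == 0 for i in ipids):
        return "all-zeros"
    deltas = ipid_deltas(ipids)
    if all(0 < d < INCREMENT_LIMIT for d in deltas):
        return "incremental"
    if all(d % 256 == 0 and 0 < d // 256 < INCREMENT_LIMIT for d in deltas):
        return "broken-le-incremental"
    return "random"


def zombie_capable(ipids):
    """True when the sequence is predictable: another party could read the host's packet
    count off its IPIDs, which is the property the idle scan relies on. A defender who
    gets True for one of their own hosts should turn on randomised IPID generation."""
    return classify_ipid_sequence(ipids) in ("incremental", "broken-le-incremental")


# Constructed sample sequences: what successive replies from four different hosts might carry
SAMPLES = {
    "quiet-counter-host": [65533, 65534, 65535, 0, 1],     # wraps cleanly, step 1
    "byte-swapped-host": [0x0100, 0x0200, 0x0300, 0x0400],  # counter in the wrong byte order
    "df-zero-host": [0, 0, 0, 0],
    "randomised-host": [4132, 59012, 1203, 30221, 17],
}

if __name__ == "__main__":
    for name, seq in SAMPLES.items():
        print(f"{name:20s} {classify_ipid_sequence(seq):22s} zombie_capable={zombie_capable(seq)}")
```

The modulo step in `ipid_deltas` matters: without it the wrap from 65535 to 0 looks like a huge negative jump and a perfectly predictable counter would be misclassified as random.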
 
Thank you friends, till the next blog.

2 comments:

  1. Applause...
    So far any success?
    Any breaches?
    How far have you gone?

  2. Ya dear... have got many successes and breaches and still moving on...