The earliest and the oldest version of Port Scanners used the same technique. They connected to each port and established a full three way handshake for a complete TCP connection. The downside of such port scanners was the fact that as a full TCP connection was being established, the system administrator could easily detect that someone is trying to port scan his systems to find a vulnerability. However such port scanning methods also had a bright side, as an actual TCP connection was being established, the port scanning software did not have to build a Fake Internet Protocol Packet. (This IP Packet is used to scan the remote systems.) Such TCP scanners too relied on the three-way TCP handshake to detect if a port is open or not. The Basic process of detecting whether a port is open or not has been described below:
1.) You send a TCP Packet containing the SYN flag to remote host.
2.) Now the remote host checks whether the port is open or not. If the port is open then it replies with a TCP packet containing both an ACK message confirming that the port is open and a SYN flag. On the other hand if the port is closed then the remote host sends the RST flag which resets the connection, in short closes the connection. 3.) This third phase is optional and involves the sending of an ACK message by the client.
As TCP Scanners were detectable, programmers around the world developed a new kind of port scanner, the SYN Scanner, which did not establish a complete TCP connection. These kinds of port scanners remain undetectable by only sending the first single TCP Packet containing the SYN flag and establishing a half TCP Connection. T understand the working of a SYN or Half SYN Port Scanner simply read its 4 step working-:
1. SYN Port Scanner sends the first TCP packet containing the SYN flag to the remote host. 2. The remote system replies with, either a SYN plus ACK or a RST. 3. When the SYN Port scanner receives one of the above responses, it knows whether the respective port is open or not and whether a daemon is ready listening for connections.
The SYN Port Scanners were undetectable by most normal system port scan detectors, however newer post scan detectors like netstat and also some firewalls can filter out such scans. Another downside to such scanning is that the method in which the scanner makes the IP packet varies from system to system.
UDP Scanning
It is yet another port scanning technique which can be used to scan a UDP port to see if it is listening. To response, if it is not, then ICMP takes over and displays the error message, " Destination Port
Unreachable".
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment