Sunday, March 9, 2014

Port scanning(advanced)

1. Xmas scan
Xmas scan is a port scan technique that sends a TCP frame with the ACK, RST, SYN, URG, PSH and FIN flags set to a remote device. If the target port is closed, the remote system replies with a RST. You can use this port scan technique to scan large networks and find which hosts are up and what services they offer. The name refers to a TCP segment with all of its flags "lit up". When all flags are set, some systems hang, so the flags most often set are the nonsense pattern URG-PSH-FIN. This scan only works when the target system is compliant with TCP/IP (RFC 793).

command ex). nmap -sX -v 192.168.0.2

Advantage : It avoids the IDS and the TCP three-way handshake.
Disadvantage : It works on the UNIX platform only.






2. FIN scan
FIN scan is a type of port scan. The client sends a FIN packet to the target port; if the service is not running or the port is closed, the target answers the probe packet with a RST.

command ex). nmap -sF -v 192.168.0.2






3. NULL scan
NULL scan sends TCP packets with all flags turned off. It is assumed that closed ports will return a TCP RST, while packets received by open ports are discarded as invalid.
It sets all flags of the TCP header, such as ACK, FIN, RST, SYN, URG and PSH, to NULL or unassigned. When such a packet arrives at the server, BSD networking code tells the kernel to drop the incoming packet if the port is open, or returns a RST if the port is closed. This scan uses the flags in the reverse fashion of the Xmas scan, but gives the same output as the FIN and Xmas tree scans.
The network code of major operating systems can behave differently when responding to such a packet. This method does not work against Microsoft operating systems.

command ex). nmap -sN -v 192.168.0.2

Advantage : It avoids IDS and TCP three-way handshake.
Disadvantage : It works only for UNIX.






4. IDLE scan
The idle scan is a TCP port scan method that sends probes with a spoofed source address to a computer to find out which services are available, and so offers completely blind scanning of a remote host. This is accomplished by impersonating another computer. No packet is sent from your own IP address; instead, another host (often called a "zombie") is used to scan the remote host and determine the open ports. This is done by predicting the sequence of the zombie host's IP ID values, and if the remote host checks the IP of the scanning party, the IP of the zombie machine will show up.








5. ICMP Echo scanning/List scan
ICMP echo scanning is used to discover live machines by pinging all the machines in the target network. Attackers send ICMP probes to the broadcast or network address, which are relayed to all the host addresses in the subnet. The live systems send an ICMP echo reply message to the source of the ICMP echo probe.
ICMP echo scanning is not referred to as port scanning since it has no port abstraction. It is useful to determine which hosts in a network are active by pinging them all.

command ex). nmap -P 192.168.0.0/24
             nmap -sn 192.168.0.2
             nmap -sL -v 192.168.2.5

Advantage : ① A list scan can perform a good sanity check.
            ② Incorrectly defined IP addresses on the command line or in an option file are detected by the list scan. The detected errors should be repaired prior to running any "active" scan.



6. UDP scanning
UDP port scanners use the UDP protocol instead of TCP, and UDP scanning can be more difficult than TCP scanning. You can send a packet, but you cannot determine whether the host is alive, dead or filtered. However, there is one ICMP message you can use to determine whether ports are open or closed. If you send a UDP packet to a port without an application bound to it, the IP stack returns an ICMP port unreachable packet. If a port returns an ICMP error, it is closed, while the ports that did not answer are either open or filtered by a firewall.
This happens because open ports do not have to send an acknowledgement in response to a probe, and closed ports are not even required to send an error packet.

command ex). nmap -sU -v 192.168.0.2

Advantage : The UDP scan is less formal regarding an open port, since there is no overhead of a TCP handshake. However, if ICMP responds to each unavailable port, the total number of frames can exceed that of a TCP scan. Microsoft-based operating systems do not usually implement any type of ICMP rate limiting, so this scan operates very efficiently on Windows-based devices.

Disadvantage : The UDP scan provides port information only. If additional version information is needed, the scan must be supplemented with the version detection option (-sV) or the operating system fingerprinting option (-O).







7. Inverse TCP Flag scanning
Attackers send TCP probe packets with various TCP flags enabled (FIN, URG, PSH) or with no flags at all. When the port is open, the attacker gets no response from the host, whereas when the port is closed, the attacker receives a RST/ACK from the target host.
SYN packets sent to the sensitive ports of the targeted hosts are detected by security mechanisms such as firewalls and IDS. Programs such as sys-logger and Courtney are available to log half-open SYN flag scan attempts. At times, probe packets with other TCP flags enabled can pass through filters undetected, depending on the security mechanisms installed.
Probing a target in this way, rather than with a half-open SYN flag, is known as an inverted technique. It is called this because only the closed ports send a response back. According to RFC 793, a RST/ACK packet must be sent for connection reset when the port is closed on the host side. Attackers take advantage of this feature to send TCP probe packets to each port of the target host with various TCP flags set.
Common flag configurations used for probe packets include:
  • A FIN probe with the FIN TCP flag set.
  • An XMAS probe with the FIN, URG, and PUSH TCP flags set.
  • A NULL probe with no TCP flags set.
  • A SYN/ACK probe
All the closed ports on the targeted host will send a RST/ACK response. Since the TCP protocol standard (RFC 793) is completely ignored by operating systems such as Windows, you cannot see the RST/ACK response when connecting to a closed port on such a target host. This technique is effective when used against UNIX-based operating systems.

Advantages : Avoids many IDS and logging systems; highly stealthy.
Disadvantages : ① Needs raw access to network sockets, thus requiring superuser (root) privileges.
                ② Mostly effective against hosts using a BSD-derived TCP/IP stack (not effective against Microsoft Windows hosts in particular).
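The flag patterns listed above (and in sections 1, 2 and 3) are what a defender can key on, because a normal TCP stack never sends a segment with none of SYN, ACK or RST set. The following is an added example, not code from the original post, that classifies such packets and reports any source hitting several ports with one probe type; the packet tuples and addresses are constructed sample data.

```python
# Added example (not from the original post): flag-pattern detection for the
# FIN, Xmas and NULL probes described in sections 1, 2, 3 and 7. A genuine
# connection attempt starts with SYN and every later segment carries ACK, so a
# segment with none of SYN, ACK or RST set never comes from a normal TCP stack;
# many such segments from one source toward many ports are a scan in progress.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROBES = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS",
          FIN | SYN | RST | PSH | ACK | URG: "XMAS-all"}   # all-flags variant

def classify_flags(flags):
    """Name the probe type for a TCP flag byte; None for anything a normal
    stack could send (SYN, ACK or RST present, e.g. a plain FIN/ACK close)."""
    if flags in PROBES:
        return PROBES[flags]
    return None if flags & (SYN | ACK | RST) else "bogus"

def detect_probes(packets, threshold=3):
    """packets: iterable of (src_ip, dst_ip, dst_port, flags). Returns
    {src_ip: {probe_type: number of distinct (dst, port) targets}} for each
    source that hit at least `threshold` targets with one probe type."""
    seen = {}
    for src, dst, dport, flags in packets:
        kind = classify_flags(flags)
        if kind is not None:
            seen.setdefault(src, {}).setdefault(kind, set()).add((dst, dport))
    report = {}
    for src, kinds in seen.items():
        hits = {k: len(v) for k, v in kinds.items() if len(v) >= threshold}
        if hits:
            report[src] = hits
    return report

# Constructed sample: a normal connection from 10.0.0.5, then an Xmas sweep of
# four ports plus a single FIN probe from 10.0.0.9.
SAMPLE = [
    ("10.0.0.5", "10.0.0.1", 80, SYN),
    ("10.0.0.5", "10.0.0.1", 80, ACK),
    ("10.0.0.5", "10.0.0.1", 80, PSH | ACK),
    ("10.0.0.5", "10.0.0.1", 80, FIN | ACK),
    ("10.0.0.9", "10.0.0.1", 21, FIN | PSH | URG),
    ("10.0.0.9", "10.0.0.1", 22, FIN | PSH | URG),
    ("10.0.0.9", "10.0.0.1", 25, FIN | PSH | URG),
    ("10.0.0.9", "10.0.0.1", 80, FIN | PSH | URG),
    ("10.0.0.9", "10.0.0.1", 443, FIN),
]

if __name__ == "__main__":
    print(detect_probes(SAMPLE))   # {'10.0.0.9': {'XMAS': 4}}
```

The single FIN probe stays below the threshold, which is the trade-off to tune: a low threshold catches slow scans but also the occasional stray segment.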






8. ACK Flag scanning
A stealthy technique used for identifying open TCP ports. In this technique a TCP packet with the ACK flag set is sent to the remote host, and the header information of the RST packets sent back by the remote host is analyzed. Using this technique one can exploit the potential weaknesses of BSD-derived TCP/IP stacks. It gives good results when used against certain operating systems and platforms.

command ex). nmap -sA -v 192.168.0.2




9. Firewalls
Some firewalls may have rule sets that block IP fragments by queueing them in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), although this is not widely implemented due to the adverse effect on performance. Since several intrusion detection systems employ signature-based methods that detect scanning attempts from the IP and/or TCP headers, fragmentation is often able to evade this type of packet filtering and detection. Fragmented probes can also cause network problems on the target network.

command ex). nmap -sS -T4 -A -f -v 192.168.0.2   (-T4 is the timing template; -f fragments the probes)
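Why fragmentation defeats a signature match on the TCP header: with -f the header is split into 8-byte pieces, so the fragment that starts the datagram does not even contain the flags byte. The following is an added example, not code from the original post, that shows a naive per-packet parse missing the flags while a reassembler recovers them; the header bytes, addresses and IP ID are constructed sample data, and offsets are kept in bytes for readability.

```python
# Added example (not from the original post): a header-signature check has to
# reassemble IP fragments first. nmap -f (section 9) splits the TCP header into
# 8-byte fragments, so the fragment that starts the datagram does not even hold
# the flags byte. Offsets here are in bytes; on the wire they are 8-byte units.
TCP = 6
FLAGS_OFFSET = 13           # index of the flags byte in a TCP header
XMAS = 0x01 | 0x08 | 0x20   # FIN | PSH | URG

def flags_without_reassembly(fragments):
    """Naive per-packet parse: read the flags from the fragment that starts
    the datagram, and only if it is long enough. Returns {ip_id: flags}."""
    out = {}
    for f in fragments:
        if f["proto"] == TCP and f["offset"] == 0 and len(f["data"]) > FLAGS_OFFSET:
            out[f["ip_id"]] = f["data"][FLAGS_OFFSET]
    return out

def reassemble(fragments):
    """Return {(src, dst, ip_id): payload} for trains that are contiguous from
    offset 0 through a final fragment with more=False; partial trains are kept
    out of the result."""
    trains = {}
    for f in fragments:
        trains.setdefault((f["src"], f["dst"], f["ip_id"]), []).append(f)
    done = {}
    for key, parts in trains.items():
        parts.sort(key=lambda p: p["offset"])
        buf, complete = bytearray(), False
        for p in parts:
            if p["offset"] != len(buf):
                break               # gap or overlap: cannot rebuild safely
            buf += p["data"]
            complete = not p["more"]
        if complete:
            done[key] = bytes(buf)
    return done

def flags_after_reassembly(fragments):
    """Flags byte of every complete TCP datagram, keyed by ip_id."""
    return {key[2]: seg[FLAGS_OFFSET] for key, seg in reassemble(fragments).items()
            if len(seg) > FLAGS_OFFSET}

# Constructed sample: a 20-byte TCP header (sport 40000, dport 80, flags 0x29 =
# FIN|PSH|URG) delivered as three fragments (8, 8 and 4 bytes) out of order.
HDR = bytes.fromhex("9c40" "0050" "00000001" "00000000" "50" "29" "0400" "0000" "0000")

def _frag(offset, more, data):
    return {"src": "10.0.0.9", "dst": "10.0.0.1", "ip_id": 0x1234,
            "proto": TCP, "offset": offset, "more": more, "data": data}

FRAGS = [_frag(16, False, HDR[16:]), _frag(0, True, HDR[:8]), _frag(8, True, HDR[8:16])]
```

flags_without_reassembly(FRAGS) returns an empty dict, while flags_after_reassembly(FRAGS) yields the XMAS pattern for IP ID 0x1234; a sensor that only sees one of the fragments cannot make the call at all.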
