Port scanning is the process of sending packets to TCP and UDP ports on the target
system to determine what services are running, that is, which ports are in a LISTENING state. Identifying
listening ports is critical to determining the services running, and consequently the
vulnerabilities that may be reachable from your remote system. Additionally, you can often determine the
type and version of the operating system and applications in use. Active services that are
listening are akin to the doors and windows of your house: they are ways into the
domicile. Depending on the type of path in (a window or door), it may allow an
unauthorized user to gain access to systems that are misconfigured or running a version
of software known to have security vulnerabilities.
• TCP connect scan This type of scan connects to the target port and completes
a full three-way handshake (SYN, SYN/ACK, and ACK), as the TCP RFC
(Request for Comments) specifies. Because the connection is fully established, the
application behind the port accepts it and will usually log it, so this scan is easily
detected by the target system. Figure 2-4 provides a diagram of the TCP three-way handshake.
• TCP SYN scan This technique is called half-open scanning because a full TCP
connection is never made. Instead, only a SYN packet is sent to the target port.
If a SYN/ACK is received from the target port, we can deduce that it is in the
LISTENING state. If an RST/ACK is received, it usually indicates that the
port is not listening. The system performing the port scan answers a SYN/ACK
with an RST so that a full connection is never established. This technique has the
advantage of being stealthier than a full TCP connect scan: because the application
never sees a completed connection, the scan may not be logged by the target system
(a firewall or intrusion detection system watching the network can still see it).
One downside of this technique is that it can produce a denial of service condition
on the target by leaving a large number of half-open connections in the listening
socket's backlog. But unless you are hitting the same system with a very high number
of these connections, this technique is relatively safe.
• TCP FIN scan This technique sends a FIN packet to the target port. Based on
RFC 793 (http://www.ietf.org/rfc/rfc0793.txt), the target system should send
back an RST for all closed ports and nothing at all for open ports. This technique
usually only works on UNIX-based TCP/IP stacks.
• TCP Xmas Tree scan This technique sends a packet with the FIN, URG, and PUSH
flags set to the target port. Based on RFC 793, the target system should send back
an RST for all closed ports.
• TCP Null scan This technique turns off all flags. Based on RFC 793, the target
system should send back an RST for all closed ports.
• TCP ACK scan This technique is used to map out firewall rulesets. It can
help determine if the firewall is a simple packet filter allowing only established
connections (packets with the ACK bit set) or a stateful firewall performing
advanced packet filtering. An unsolicited ACK that reaches the host draws an RST
whether the port is open or closed, so a port that answers is unfiltered and a port
that stays silent (or draws an ICMP error) is filtered; this scan does not tell you
whether a port is listening.
• TCP Window scan This technique may detect open as well as filtered/
unfiltered ports on some systems (for example, AIX and FreeBSD) due to an
anomaly in the way the TCP window size is reported in the RST replies.
• TCP RPC scan This technique is specific to UNIX systems and is used to
detect and identify Remote Procedure Call (RPC) ports and their associated
program and version number.
• UDP scan This technique sends a UDP packet to the target port. If the target
port responds with an "ICMP port unreachable" message, the port is closed.
Conversely, if you don't receive an "ICMP port unreachable" message, you can
deduce that the port is open, or that the probe or the ICMP reply was dropped by a
filter, so a silent port is really "open or filtered". Because UDP is a connectionless
protocol, the accuracy of this technique is highly dependent on many factors related
to the utilization and filtering of the target network. In addition, UDP scanning is
a very slow process if you are trying to scan a device that employs heavy packet
filtering, and many hosts rate-limit the ICMP errors the scan depends on. If you
plan on doing UDP scans over the Internet, be prepared for unreliable results.
Certain IP implementations (Microsoft Windows is the best-known example) have the
unfortunate distinction of sending back reset (RST) packets for all ports scanned with
FIN, Xmas Tree, or Null probes, regardless of whether or not they are listening, so every
port looks closed. Therefore, your results may vary when performing these scans; however,
SYN and connect() scans rely on the SYN/ACK versus RST distinction and should work
against all hosts.
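As an added example (not part of the original text), the following Python encodes the response rules for the scan types listed above as a classifier, and performs the one scan that needs neither raw sockets nor privileges, a TCP connect() scan, against a throwaway listener on 127.0.0.1 that the code itself creates. The flag constants, function names and the loopback listener are this example's own assumptions, not anything from the page.

```python
"""Port-scan response logic from the list above, as runnable Python.

classify_tcp()/classify_udp() encode the decision rules for each probe type;
connect_scan() performs a real TCP connect() scan, and demo_local_scan()
runs it against a constructed listener on 127.0.0.1 so the file works
offline.  The constants and helper names are this example's own choices.
"""
import socket

# TCP flag bits in header order (RFC 793, section 3.1).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags set in each probe described in the text.
PROBES = {
    "syn": SYN,
    "fin": FIN,
    "xmas": FIN | PSH | URG,
    "null": 0,
    "ack": ACK,
}


def classify_tcp(scan, reply):
    """State of a port given the probe type and the reply to it.

    reply is None (no answer before the timeout), {"flags": <tcp flags>}
    for a TCP segment, or {"icmp_unreach": <code>} for an ICMP destination
    unreachable error from the host or an intermediate filter.
    """
    if scan not in PROBES:
        raise ValueError("unknown scan type: %s" % scan)
    if reply is not None and "icmp_unreach" in reply:
        return "filtered"            # something refused to pass the probe
    flags = reply["flags"] if reply is not None else None

    if scan == "syn":
        if flags is None:
            return "filtered"        # SYN silently dropped
        if flags & SYN and flags & ACK:
            return "open"            # port is LISTENING
        if flags & RST:
            return "closed"          # RST/ACK: nothing listening
        return "filtered"

    if scan == "ack":
        # Unsolicited ACKs draw an RST from open and closed ports alike, so an
        # answer only proves the packet got through a stateless filter.
        if flags is not None and flags & RST:
            return "unfiltered"
        return "filtered"

    # fin, xmas, null: RFC 793 says closed ports answer with RST and open
    # ports stay silent, so silence cannot distinguish open from filtered.
    if flags is not None and flags & RST:
        return "closed"
    return "open|filtered"


def classify_udp(reply):
    """reply is None, {"udp": True} for a datagram back, or {"icmp_unreach": code}."""
    if reply is None:
        return "open|filtered"       # no ICMP error, but maybe just dropped
    if reply.get("udp"):
        return "open"                # the service actually answered
    if reply.get("icmp_unreach") == 3:
        return "closed"              # ICMP port unreachable
    return "filtered"                # other unreachable codes: a filter spoke


def connect_scan(host, ports, timeout=0.5):
    """Full three-way handshake per port via the OS socket API (no raw sockets)."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))        # SYN, SYN/ACK, ACK all completed
            states[port] = "open"
        except ConnectionRefusedError:     # kernel saw RST/ACK to our SYN
            states[port] = "closed"
        except (socket.timeout, OSError):  # dropped, or host unreachable
            states[port] = "filtered"
        finally:
            s.close()                      # tear the connection down
    return states


def demo_local_scan():
    """Scan one listening and one closed port on the loopback interface."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # constructed listener, any free port
    srv.listen(5)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                            # released: connects now get RST
    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return result[open_port], result[closed_port]


if __name__ == "__main__":
    print(demo_local_scan())               # expected: ('open', 'closed')
```

classify_tcp() is where the RFC 793 reasoning from the list lives: for FIN, Xmas Tree and Null probes, silence is only "open|filtered", which is why a stack that answers every such probe with an RST makes every port look closed. Crafting the SYN, FIN, Xmas Tree, Null and ACK probes themselves requires raw sockets (root or CAP_NET_RAW plus a packet-crafting library), so only the connect() scan is exercised live here.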