Port Scanning
Port scanning is a way of figuring out which ports are listening and accepting connections. Because most services run on standard, documented ports, this information can be used to determine which services are running. The simplest form of port scanning involves trying to open TCP connections to every possible port on the target system. While this is effective, it's also noisy and detectable. Also, when connections are established, services will normally log the IP address. Several clever techniques have been invented to avoid this kind of detection.
SYN Scanning
A SYN scan is also sometimes called a half-open scan, because it doesn't actually open a full TCP connection. Recall the TCP/IP handshake: when a full connection is made, first a SYN packet is sent, then a SYN/ACK packet is sent back, and finally an ACK packet is returned to complete the handshake and open the connection. A SYN scan doesn't complete the handshake, so a full connection is never opened. Instead, only the initial SYN packet is sent, and the response is examined. If a SYN/ACK packet is received in response, that port must be accepting connections. This is recorded, and an RST packet is sent to tear down the half-open connection so the service isn't accidentally DoSed.
FIN, X-mas, and Null Scans
In response to SYN scanning, new tools to detect and log half-open connections were created. So, yet another collection of techniques for stealth port scanning evolved: FIN, X-mas, and Null scans. These all involve sending a nonsensical packet to every port on the target system. If a port is listening, these packets just get ignored. However, if the port is closed and the implementation follows the protocol (RFC 793), an RST packet will be sent back. This difference can be used to detect which ports are accepting connections, without actually opening any connections.
The FIN scan sends a FIN packet, the X-mas scan sends a
packet with FIN, URG, and PUSH turned on (named because the flags are lit up
like a Christmas tree), and the Null scan sends a packet with no TCP flags set.
While these types of scans are stealthier, they can also be unreliable. For
instance, Microsoft's implementation of TCP doesn't send RST packets like it
should, making this form of scanning ineffective.
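A small detector for the half-open and nonsensical-flag probes described in the SYN and FIN/X-mas/Null sections above, written as an added example (not code from the original text) that runs over constructed packet records; the record format, the documentation-range IP addresses and the five-port reporting threshold are assumptions.

```python
from collections import defaultdict

# Probe signatures from the text, keyed by sorted flag letters (S=SYN, A=ACK, F=FIN, P=PUSH, U=URG, R=RST; "-" = no flags).
PROBE_TYPES = {"F": "FIN", "FPU": "XMAS", "-": "NULL"}

# Constructed sample records (not real captures): (src_ip, dst_port, flags),
# every packet inbound to the monitored host. Addresses are documentation ranges.
SAMPLE_RECORDS = [
    # half-open scan: SYN to many ports, RST back on the two that answered
    *[("203.0.113.5", p, "S") for p in (21, 22, 23, 25, 80, 443)],
    ("203.0.113.5", 22, "R"), ("203.0.113.5", 80, "R"),
    # X-mas scan: FIN, PUSH and URG lit up on a run of ports
    *[("198.51.100.7", p, "PUF") for p in range(1, 9)],
    # Null scan: no flags at all
    *[("198.51.100.20", p, "-") for p in (53, 110, 143, 443, 8080, 8443)],
    # legitimate client completing two full handshakes (SYN then ACK)
    ("192.0.2.9", 443, "S"), ("192.0.2.9", 443, "A"),
    ("192.0.2.9", 80, "S"), ("192.0.2.9", 80, "A"),
    # three stray FIN packets: below the threshold, so not reported
    *[("198.51.100.21", p, "F") for p in (22, 80, 443)],
]

def normalize(flags):
    # canonical flag string so "PUF" and "FPU" compare equal
    return "-" if flags == "-" else "".join(sorted(flags))

def detect_scans(records, port_threshold=5):
    """Return {src_ip: [scan types]} for sources that probed at least
    port_threshold distinct ports with one of the signatures above."""
    syn_ports = defaultdict(set)   # ports that got a bare SYN from src
    ack_ports = defaultdict(set)   # ports where src completed the handshake
    probes = defaultdict(lambda: defaultdict(set))  # src -> type -> ports
    for src, port, flags in records:
        f = normalize(flags)
        if f == "S":
            syn_ports[src].add(port)
        elif f == "A":
            ack_ports[src].add(port)
        elif f in PROBE_TYPES:
            probes[src][PROBE_TYPES[f]].add(port)
    findings = defaultdict(set)
    for src, ports in syn_ports.items():
        # half-open: many SYNs, none followed by the ACK that opens a connection
        if len(ports - ack_ports[src]) >= port_threshold:
            findings[src].add("SYN")
    for src, by_type in probes.items():
        for scan_type, ports in by_type.items():
            if len(ports) >= port_threshold:
                findings[src].add(scan_type)
    return {src: sorted(types) for src, types in findings.items()}
```

Lowering port_threshold makes the detector more sensitive but also more prone to flagging ordinary clients that open a few connections without completing them.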
Spoofing Decoys
Another way to avoid detection is to hide among several decoys. This technique simply spoofs connections from various decoy IP addresses in between each real port-scanning connection. The responses to the spoofed connections aren't needed, because they serve only to mislead. However, the spoofed decoy addresses must be real IP addresses of live hosts; otherwise the target may accidentally be SYN flooded.