SYN, or half-open, scanning is the first of three techniques in a series about stealth scanning… The other two are the Xmas/FIN/Null and the idle/zombie scan techniques…
Intro
This is the first of three articles about stealth scanning. Everything I present here is hping-oriented, so if you want to learn these techniques you'd better get a copy of hping.
In nmap this is the method you get with the -sS parameter… so let's start…
3 Way Handshake
If you didn't know, a TCP connection is set up by a method called the three-way handshake, which goes like this:
[host] SYN-flagged packet ———> [destination] receives packet
[destination] SYN-ACK-flagged packet ———> [host] receives packet
[host] ACK-flagged packet ———> [destination] receives packet [connection established]
This is how a TCP connection is built; only once this exchange completes is a real connection established… You can probably see the weak point in this method, can't you? After each packet, the host (and the destination) waits a period of time for the next one, holding a half-open entry in the meantime. If you send spoofed SYN packets fast enough, the target's queue of half-open connections fills up with entries that will never be ACKed and you can DoS it in no time; this is the oldest DoS method known to man (and woman) =)
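To make the weak point concrete, here is an added example (not from the original post, and not real networking): a toy model of the three-way handshake with a bounded half-open queue. The backlog size, the addresses and the timeout are illustrative assumptions. A legitimate client completes the handshake, a burst of spoofed SYNs that are never ACKed fills the queue, the next legitimate SYN is dropped, and service only returns once the half-open timer expires.

```python
"""Added example, not from the original post: a toy model of the TCP
three-way handshake with a bounded half-open (SYN) queue, showing why a
burst of spoofed SYNs that are never ACKed denies service to real clients.
Everything here (the backlog size, the addresses, the timeout) is an
illustrative assumption; no real packets are sent."""
from dataclasses import dataclass, field

SYN, SYN_ACK, ACK, RST = "S", "SA", "A", "R"   # TCP flag combinations we model


@dataclass
class Listener:
    """A listening TCP port with a fixed-size SYN backlog (assumed value)."""
    backlog_size: int = 4
    half_open: dict = field(default_factory=dict)   # peer -> "SYN_RECEIVED"
    established: list = field(default_factory=list)
    dropped_syns: int = 0

    def receive(self, peer, flags):
        """Handle one inbound segment from peer; return the flags we send back."""
        if flags == SYN:
            if peer in self.half_open:                 # retransmitted SYN
                return SYN_ACK
            if len(self.half_open) >= self.backlog_size:
                self.dropped_syns += 1                 # queue full: SYN silently dropped
                return None
            self.half_open[peer] = "SYN_RECEIVED"      # waiting for the final ACK
            return SYN_ACK
        if flags == ACK and peer in self.half_open:
            del self.half_open[peer]                   # handshake complete
            self.established.append(peer)
            return None
        return RST                                     # segment for no known connection

    def expire_half_open(self):
        """The SYN-RECEIVED timer fires: drop every entry still waiting for an ACK."""
        expired = len(self.half_open)
        self.half_open.clear()
        return expired


def legit_client(listener, peer):
    """Client side of a full handshake; True if the connection got established."""
    if listener.receive(peer, SYN) != SYN_ACK:
        return False
    listener.receive(peer, ACK)
    return peer in listener.established


def syn_flood(listener, spoofed_peers):
    """One SYN per spoofed source address, never answering the SYN-ACKs.
    Returns how many SYN-ACKs the target sent (each one is a wasted backlog slot)."""
    replies = [listener.receive(peer, SYN) for peer in spoofed_peers]
    return replies.count(SYN_ACK)


def demo(backlog_size=4, flood_size=10):
    """Run: legit connect, flood, legit connect during flood, timeout, legit connect."""
    srv = Listener(backlog_size=backlog_size)
    # constructed addresses from the TEST-NET ranges, never routed on the Internet
    client = ("203.0.113.10", 40001)
    spoofed = [("198.51.100.%d" % i, 50000 + i) for i in range(flood_size)]
    result = {"ok_before": legit_client(srv, client)}
    result["syn_acks_sent"] = syn_flood(srv, spoofed)
    result["ok_during_flood"] = legit_client(srv, ("203.0.113.10", 40002))
    result["expired"] = srv.expire_half_open()     # the timeout the text mentions
    result["ok_after_timeout"] = legit_client(srv, ("203.0.113.10", 40003))
    result["syns_dropped"] = srv.dropped_syns
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

The model deliberately leaves out what real stacks do about this (SYN cookies, per-source limits, shorter SYN-RECEIVED timers); the point is only that a half-open entry costs the target state while it costs the sender nothing, which is the asymmetry both the flood and the half-open scan live on.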
SYNner
First, let's see what happens if we hit a closed port; try out the following command (the result follows it):
C:\>hping -p 81 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter - Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0 data bytes
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=70.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=1 win=0 rtt=20.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=2 win=0 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=3 win=0 rtt=40.0 ms
As you can see, when the probe hits a closed port we get a Reset-Acknowledge back (flags=RA, win=0), which tells us, as already mentioned, that nothing is listening there…
Now for the moment we've all been waiting for:
C:\>hping -p 80 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter - Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0 data bytes
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=50.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.0 ms
As you can see, we hit an open port… If you weren't paying attention until now: a SYN-ACK reply (flags=SA) means an open port, a half-way connected one… hping never sends the final ACK, so the handshake is left half-open: our side's TCP stack, which knows nothing about the connection, answers the unexpected SYN-ACK with a RST and nothing ever reaches the application listening on port 80. That is where the "half-open" name comes from. (hping's seq= counts our probes, so the repeated seq=0 lines above are extra SYN-ACKs answering the same first probe.)
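The classification rule is simple enough to automate. Below is an added example, not part of hping and not from the original post, that parses the reply lines hping prints during a SYN probe and decides the port state the way a half-open scanner does: SYN-ACK means open, RST(-ACK) means closed, and no reply at all means filtered (nmap's term; hping itself just prints nothing). The two transcripts are constructed to mirror the output shown above, with the interface text in the header line shortened; the "retransmitted" count is the number of replies that share a seq= value with an earlier one.

```python
"""Added example, not from the original post and not part of hping: parse
the reply lines hping prints during a SYN probe and classify the target
port the way a half-open scanner does.  SA -> open, RA (or any RST) ->
closed, no reply at all -> filtered (nmap's term; hping just prints
nothing).  The sample transcripts below are constructed to mirror the
output shown in the post."""
import re
from collections import Counter

REPLY_RE = re.compile(
    r"len=(?P<len>\d+) ip=(?P<ip>[\d.]+) ttl=(?P<ttl>\d+)(?P<df> DF)? "
    r"id=(?P<id>\d+) sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*) "
    r"seq=(?P<seq>\d+) win=(?P<win>\d+) rtt=(?P<rtt>[\d.]+) ms"
)

# constructed transcript of a probe against a closed port (mirrors the post)
CLOSED_PORT_OUTPUT = """\
HPING lx.ro (81.181.218.80): S set, 40 headers + 0 data bytes
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=70.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=1 win=0 rtt=20.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=2 win=0 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=3 win=0 rtt=40.0 ms
"""

# constructed transcript of a probe against an open port (mirrors the post)
OPEN_PORT_OUTPUT = """\
HPING lx.ro (81.181.218.80): S set, 40 headers + 0 data bytes
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=50.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.0 ms
"""


def parse_reply(line):
    """Return a dict for one hping reply line, or None for any other line."""
    m = REPLY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("len", "ttl", "id", "sport", "seq", "win"):
        d[key] = int(d[key])
    d["rtt"] = float(d["rtt"])
    d["df"] = d["df"] is not None
    return d


def state_from_flags(flags):
    """Map the TCP flags in a reply to a port state (the half-open scan logic)."""
    f = set(flags)
    if "S" in f and "A" in f:
        return "open"        # SYN-ACK: something is listening
    if "R" in f:
        return "closed"      # RST(-ACK): nothing listening
    return "unknown"


def classify_port(output, port):
    """Classify `port` from a full hping transcript aimed at it."""
    replies = [r for r in map(parse_reply, output.splitlines())
               if r is not None and r["sport"] == port]
    if not replies:
        # no SA and no RA ever came back: dropped on the way (filtered)
        return {"state": "filtered", "replies": 0, "retransmitted": 0}
    states = [state_from_flags(r["flags"]) for r in replies]
    state = "open" if "open" in states else "closed" if "closed" in states else "unknown"
    # hping's seq= counts our probes; several replies with the same seq means
    # the target answered one probe more than once (e.g. a retransmitted SYN-ACK)
    per_probe = Counter(r["seq"] for r in replies)
    retransmitted = sum(n - 1 for n in per_probe.values())
    return {"state": state, "replies": len(replies), "retransmitted": retransmitted,
            "avg_rtt_ms": sum(r["rtt"] for r in replies) / len(replies)}


if __name__ == "__main__":
    print("port 81:", classify_port(CLOSED_PORT_OUTPUT, 81))
    print("port 80:", classify_port(OPEN_PORT_OUTPUT, 80))
    print("port 443:", classify_port("", 443))   # nothing captured: filtered
```

Feed it a saved hping transcript per port and you have the verdict table a SYN scanner would give you. It only understands TCP reply lines: an ICMP unreachable, which hping reports on its own lines, is not parsed here and would show up as "filtered" just like a silent drop.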
Epilogue
Nowadays this method isn't as stealthy as it was years ago: firewalls most often drop unwanted SYN packets outright, so you get no reply at all (nmap reports that as "filtered"), or they treat a burst of SYNs as the start of a SYN flood… And "stealthy" only ever meant that the connection is never completed, so the application on the other end never sees or logs it; the SYN itself is visible to any packet logger or IDS on the path.
More info about TCP
(the first useful link I found on Google)
Next >> Xmas/Fin/Null