Port Scan analysis Port Scan path

Port Scan path:
What is a scanner?
A scanner automatically detects remote or local host security vulnerabilities.ProgramBy using a scanner, you can discover the distribution of various TCP ports on the remote server and the services provided and their software versions! This allows us to indirectly or intuitively understand the security problems of remote hosts.

Working Principle
The scanner collects a lot of useful information about the target host (for example: can I log on anonymously! Whether there is a writable FTP directory, whether Telnet can be used, whether httpd is running with root or nobady !)

What can a scanner do?
The scanner is not a program that directly attacks Network Vulnerabilities. It can only help us find some inherent vulnerabilities on the target machine. A good scanner can analyze the data it receives and help us find vulnerabilities on the target host. However, it does not provide detailed steps for entering a system.
The scanner should have three functions: the ability to discover a host or a network; the ability to discover what services are running on a host once discovered; by testing these services, the ability to discover vulnerabilities.
Compiling a scanner requires a lot of TCP/IP programming and knowledge of C, Perl, and shell languages. It requires some background of socket programming, a method for developing customer/service applications. Developing a scanner is an ambitious project that usually satisfies programmers.
The following describes common port scanning technologies.
TCP connect () scan
This is the most basic TCP scan. The CONNECT () System Call provided by the operating system is used to connect to the port of each target computer of interest. If the port is in the listening status, connect () will be successful. Otherwise, this port is unavailable, that is, it does not provide services. One of the biggest advantages of this technology is that you do not need any permissions. Any user in the system has the right to use this call. Another benefit is speed. If you use a separate connect () call to each target port in a linear way, it will take a long time. You can open multiple sockets at the same time to accelerate scanning. The use of non-blocking I/O allows you to set a low time consumption cycle, while observing multiple sockets. However, the disadvantage of this method is that it is easy to detect and filtered out. The logs file of the target computer displays a series of connection and connection error service messages, and can be quickly disabled.

Tcp syn Scan
This technology is generally considered as "semi-open" scanning because the scanner does not need to open a full TCP connection. The scanner sends a SYN Packet as if it was about to open an actual connection and wait for a response (refer to the three-way handshake of TCP to establish a TCP connection ). The return information of a SYN | ACK indicates that the port is listening. An rst returns, indicating that the port is not in the listening state. If you receive a SYN | ACK, the scanner must send another rst signal to close the connection process. The advantage of this scanning technology is that it generally does not leave records on the target computer. However, one disadvantage of this method is that you must have the root permission to create your own Syn packet.

Tcp fin Scan
Sometimes it is possible that SYN scanning is not confidential. Some firewalls and packet filters monitor some specified ports, and some programs can detect these scans. On the contrary, Fin data packets may pass without any trouble. The idea of this scanning method is that the closed port will use the appropriate RST to reply to the FIN packet. On the other hand, the opened port ignores the reply to the FIN packet. This method has a certain relationship with the implementation of the system. Some systems reply to the RST regardless of whether the port is opened or not. In this way, this scanning method is not applicable. This method is useful in distinguishing between Unix and NT.

IP segment Scan
This is not a new method, but a change in other technologies. It does not directly send TCP detection data packets, but divides the data packets into two smaller IP segments. In this way, a TCP header is divided into several data packets, which makes it difficult for the filter to detect. But be careful. Some programs may be a little difficult to process these small packets.

TCP reverse ident scan
The IDENT protocol allows (rfc1413) to see the user name of the owner of any process connected through TCP, even if the connection is not started by this process. So you can, for example, connect to the http port and use identd to check whether the server is running as root. This method can only be seen after a complete TCP connection is established with the target port.

FTP return attack
An interesting feature of the FTP protocol is that it supports proxy FTP connections. That is, intruders can establish a control communication connection from their computer a.com to the FTP server-Pi (Protocol interpreter) of the target machine target.com. Then, request this server-pi to activate a valid server-DTP (data transmission process) to send files anywhere on the Internet. For a user-DTP, This is a speculation, although RFC clearly defines that it is possible to request a server to send a file to another server. But now this method does not seem to work. The disadvantage of this protocol is that it can be used to send emails and news that cannot be tracked, which can cause a blow to many servers and use up disks to try to bypass the firewall ".
we use this to scan the TCP port from a proxy's FTP server. In this way, you can connect to an FTP server behind a firewall and then scan the port (which may have been blocked ). If the FTP server allows reading and writing data from a directory, you can send arbitrary data to the opened port.
for port scanning, the PORT command is used to indicate that the passive user DTP is listening on a port on the target computer. The intruder then tried to use the LIST command to list the current directory and sent the result through server-DTP. If the target host is listening on a port, the transfer succeeds (a 150 or 226 response is generated ). Otherwise, "425 can't build data connection: Connection refused." will appear .". Then, use another PORT command to try the next port on the target computer. This method has obvious advantages and is difficult to track and can pass through the firewall. The main drawback is that the speed is slow. Some FTP servers can finally get some clues and disable the proxy function.

This method can be successful:
220 xxxxxxx.com FTP Server (version wu-2.4 (3) wed dec 14...) ready.
220 xxx.xxx.xxx.edu FTP server ready.
220 XX. Telcom. xxxx. edu FTP Server (version wu-2.4 (3) Tue Jun 11...) ready.
220 Lem FTP Server (SunOS 4.1) ready.
220 XXX. XXX. Es FTP Server (version wu-2.4 (11) sat Apr 27...) ready.
220 elios FTP Server (SunOS 4.1) Ready

This method cannot be successful:
220 wcarchive.cdrom.com FTP Server (version DG-2.0.39 sun May 4...) ready.
220 XXX. XX. XXXXX. edu version wu-2.4.2-academ [beta-12] (1) Fri Feb 7
220 ftp Microsoft FTP service (Version 3.0 ).
220 xxx ftp Server (version wu-2.4.2-academ [beta-11] (1) Tue Sep 3...) ready.
220 xxx.unc.edu FTP Server (version wu-2.4.2-academ [beta-13] (6)...) ready.

Udp icmp port cannot reach Scan
This method differs from the preceding methods in that UDP is used. As this protocol is simple, scanning becomes more difficult. This is because the opened port does not send a confirmation for scan detection, and the closed port does not need to send an error packet. Fortunately, many hosts return an icmp_port_unreach error when you send a packet to an unopened UDP port. In this way, you can find out which port is closed. UDP and ICMP errors cannot be reached. Therefore, this scanner must be capable of re-transmission when a packet appears to be lost. This scanning method is very slow because RFC specifies the generation rate of ICMP error messages. Similarly, this scan method requires the root permission.

UDP recvfrom () and write () scans
When a non-root user cannot directly read the port and cannot reach an error, Linux can indirectly notify the user when they arrive. For example, the second write () call to a closed port will fail. When recvfrom () is called on a non-blocking UDP socket, eagain-retry is returned if an ICMP error has not yet arrived. If ICMP arrives, the econnrefused-connection is rejected. This is the technology used to check whether the port is opened.

ICMP echo scan
This is not a real scan. However, sometimes Ping can be used to determine whether a host is started on a network.