Linux lower port scan implementation (TCP Connect, TCP SYN, TCP FIN, UDP four ways) 1 principle article __linux

Source: Internet
Author: User
Tags ack

First, TCP

Commonly used port scanning methods are the following three: 1.connect scanning

We know that the common TCP socket implementation process is

The more essential connection and end process is the following:


From the above two figures we can see that the target host of a port if the monitoring state (listening or linsten), then when I connect the target host can be successful, otherwise the port is closed.

Advantages: Simple programming, is the need for an API connect (), more reliable, because TCP is a reliable protocol, when the packet is lost, will retransmit syn frame.

Disadvantages: Because of the reliability of TCP, so when the port does not exist, the source will continue to try to send a SYN frame attempt to get ack of the answer, many attempts to give up, resulting in a long scan time. Furthermore, the scanning mode of connect may be more easily discovered by the target host. 2.SYN Scan

The above said to go out of the open port, is waiting for other hosts to send SYN frame, so the principle of SYN scan is to send sun data frames, if the source host received Syn+ack packets, the life of this port open, if you received a RST description of the port closed. Because the SYN scan does not complete the TCP three handshake process, it is also called a semi-open scan.

Advantages: Fast, if not filtered by the firewall, the basic can receive the answer packet.

Disadvantages: Scanning behavior is easy to find, because it is to save their own hair, is in the IP layer, so unreliable, you may lose the package, to achieve a slightly more complex than connect. 3.FIN Scan

According to the above four wave process, the active end of the party will send fin frame. When we send a fin frame to a non listening port, there is a RST response, and instead, there is no response when sending a port that is listening.

Advantages: Good concealment, fast speed.

Disadvantages: Only for Linux systems, Windows system is not valid under Windows, regardless of whether the port is listening, will respond to RST frame, resulting in no judgment; unreliable, when the answer package is not received, is not sure that the port is listening, or lost the packet.

Second, UDP

Common way to have UDP recvfrom scan, UDP ICMP Port unreachable scan, I used the latter, that is, to a port to send UDP packets, if the port is open, then there is no response, if the port is closed, The other side will reply to an ICMP Port unreachable message (corresponding to the first two fields of ICMP header: Type 3 code 3,icmp see ping that article),

Advantages: Linux windows can use

Disadvantage: It is also unreliable, because the error message is returned, so the speed of the Fin,syn scan relative to TCP slower, if the UDP packet sent too fast, the response of the ICMP packet will be a large number of lost phenomenon. third, casually play

Before you start programming, you can have a perceptual understanding of whether the port is open or not.

You can use the Netstat command to view open ports for the current host.

View TCP's listening port under Linux: Netstat-na-t TCP | grep LISTEN (test environment Ubuntu 11.04)

Viewing TCP's Listening port under Windows: Netstat-na-p TCP | FINDSTR Listening (test environment WinXP)

Linux under the scan port can use the port scanning Tool nmap, there are a variety of scanning methods, here are several commonly used:

Ping scan only, print out the host that responds to scan, do not do further testing (such as port scan or OS probe):

NMAP-SP 192.168.1.0/24

The most Frequently used scan option: SYN Scan, also known as semi-open scan, does not open a full TCP connection and executes quickly:

Nmap-ss 192.168.1.0/24

When the SYN scan is unavailable, the TCP Connect () scan is the default TCP scan:

Nmap-st 192.168.1.0/24

Reference: http://blog.163.com/lixiangdong2510@126/blog/static/3499482120106128430429/

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.