Source: http://wmjie.51.net/swords/
Keywords:
TCP/IP, UDP, three-way handshake, SYN scan, FIN scan, secret (stealth) scan, indirect scan, spoofed scan, fingerprinting, collaborative scan.
--------------------------------------------------------------------------------
Body:
Port Scanning Technology
Preface
The first part describes how a TCP connection is established (the three-way handshake) and discusses the implementation details of TCP/IP stacks that scanning programs rely on.
The second part briefly introduces the classic full-connect scanner and the so-called SYN (half-open) scanner.
The third part focuses on secret (stealth) scanning and indirect scanning, and on techniques for hiding the source of the scan.
Stealth scanning is based on FIN segments: in most implementations a closed port answers a FIN segment with an RST, while an open port silently discards it. Indirect scanning, as its name suggests, uses a spoofed third host to carry out the scan; that host is generally not a willing participant.
The fourth part introduces scans tied to an application protocol. These scanners usually exploit defects in a protocol's design or implementation; ident scanning and FTP proxy (bounce) scanning are the examples discussed.
The last part introduces other scanning techniques: tools such as SATAN, which are not based purely on TCP ports and are mainly used for security auditing, and stack fingerprinting, which identifies a host's operating system by probing its TCP/IP stack and comparing the responses with those of known operating systems.
I. TCP/IP Basics
Connection Endpoints and Flags
An IP address together with a port number is called a socket; it identifies one endpoint of a TCP connection. To obtain TCP service, a connection must be established between a port on the sender and a port on the receiver. A TCP connection is identified by its pair of endpoints (endpoint 1, endpoint 2), and the two endpoints exchange segments with each other.
A TCP segment consists of a TCP header, optionally followed by options and then data. The header carries six flag bits (the later ECN additions, ECE and CWR, play no part here). Their meanings are as follows:
SYN: used to establish a connection and synchronize the sequence numbers of both sides. SYN = 1 and ACK = 0 marks a connection request; SYN = 1 and ACK = 1 marks acceptance of the request.
FIN: the sender has no more data to send and wants to release the connection.
RST: resets a connection. A segment with RST set is called a reset. In general, when TCP receives a segment that clearly belongs to no connection on the host, it sends a reset back to the remote end.
URG: urgent data. When set, the segment carries urgent data and the urgent pointer field is valid.
ACK: when set, the acknowledgement number in the segment is valid; otherwise the acknowledgement number is to be ignored.
PSH: when set, the receiver should hand the data to the application layer as soon as possible.
TCP Connection Establishment
TCP is a reliable, connection-oriented transport protocol. Connection-oriented means that two applications must establish a TCP connection before they can exchange data over it. Reliability is provided by checksums, timers, sequence numbers and acknowledgements: every byte sent is assigned a sequence number and the receiver acknowledges the data it receives, so lost data can be retransmitted. Sequence numbers also preserve the order of the data and let the receiver discard duplicates. A TCP session carries two data streams (each side receives from and sends to the other at the same time), so when a connection is established each stream must be assigned an ISN (initial sequence number). To see how this works, assume that client C wants to connect to server S; the connection is set up as follows (the three-way handshake):
1: C ---- SYN xx -----------------> S
2: C <--- SYN yy / ACK xx+1 ------ S
3: C ---- ACK yy+1 ---------------> S
1: C sends S a TCP segment with SYN set (a SYN request). It specifies the server port that the client wants to connect to and the client's ISN (xx in the example).
2: S answers with a segment carrying its own SYN and ISN (yy) together with an acknowledgement of C's SYN; the acknowledgement number is the next byte S expects from C (xx + 1).
3: C acknowledges S's SYN (acknowledgement number yy + 1) and can then begin sending data.
Implementation Details
Most TCP/IP implementations follow these rules; they determine what each of the scanning techniques below can observe:
1: When a SYN or FIN segment arrives at a closed port, TCP discards the segment and sends back an RST.
2: When an RST segment arrives at a listening port, the RST is discarded.
3: When an RST segment arrives at a closed port, the RST is discarded.
4: When a segment with ACK set arrives at a listening port and matches no existing connection, the segment is discarded and an RST is sent.
5: When a segment without the SYN bit arrives at a listening port, the segment is discarded.
6: When a SYN segment arrives at a listening port, the normal three-way handshake proceeds and a SYN|ACK segment is returned.
7: When a FIN segment arrives at a listening port, the segment is discarded. This "FIN behaviour" (a closed port answers with RST, a listening port silently discards) also applies when the URG and PSH bits are set: any combination of URG, PSH and FIN, and a TCP segment with no flags at all, triggers the FIN behaviour.
II. Full TCP Connect and SYN Scanners
Full TCP Connect
Full TCP connect has long been the basis of TCP port scanning. The scanning host establishes a regular connection (a complete three-way handshake) to each chosen port of the target. The connection is started with the connect() system call: for every listening port connect() succeeds; otherwise it returns -1, indicating that the port is not reachable. This technique normally requires no privileges, so almost any user, including in a multi-user environment, can scan with connect().
This method is easy to detect: it produces a large number of dense connections and error records in log files. Monitoring programs such as Courtney, Gabriel and TCP Wrapper are commonly used to spot it. TCP Wrapper can additionally control connection requests, so it can be used to block full-connect scans from unknown hosts.
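The connect() scan above is simple enough to show end to end. The following Python is an added example, not code from the page: it scans with ordinary sockets (no privileges needed), maps connection refused to "closed" and a timeout to "filtered", and the demo function exercises it against a listening socket and a free port on the loopback interface, both constructed for the demonstration.

```python
import socket


def connect_scan(host, ports, timeout=1.0):
    """Full TCP connect() scan: one complete three-way handshake per port.

    Returns {port: "open" | "closed" | "filtered"}.  "closed" means the SYN was
    answered with an RST (ECONNREFUSED); a timeout is reported as "filtered"
    because neither SYN|ACK nor RST came back within the deadline.
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # kernel performs SYN / SYN|ACK / ACK
            results[port] = "open"
        except ConnectionRefusedError:       # RST answered the SYN
            results[port] = "closed"
        except OSError:                      # timeout, unreachable, or a filter dropped it
            results[port] = "filtered"
        finally:
            s.close()                        # closes the connection the target just logged
    return results


def demo_local_scan():
    """Scan the loopback interface: one listening socket and one port nobody
    listens on (both constructed here).  Returns (results, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # kernel picks a free ephemeral port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                            # port is free again, so connect() is refused

    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    print(demo_local_scan())
```

Each "open" result here is a full connection that the listening service sees, accepts and logs, which is exactly why this scan is easy to detect: a TCP Wrapper-protected daemon records the connection even though the scanner sends no data.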
TCP SYN Scan
Here the scanning host sends a SYN segment to a chosen port of the target. If the answer is an RST, the port is closed and the scanner moves on to the next port in its configuration. If the answer carries SYN and ACK, the target port is listening. That is all the scanner needs to know, so it sends an RST to the target to abort the connection before it is fully established. Because the connection is never completed, this technique is usually called half-open scanning. Its advantage is that even where the scan is logged, far fewer connection attempts are recorded than with a full-connect scan. Its disadvantage is that on most operating systems the sending host must construct the packet for such a scan itself: building a SYN segment normally requires superuser privilege or access to a dedicated system call.
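Building the SYN segment by hand is the part the page says needs privilege. The Python below is an added example (not the page's or any named tool's code) that does the construction: it packs a 20-byte TCP header, computes the checksum over the IPv4 pseudo-header, classifies the target's reply (SYN|ACK, RST or nothing) and builds the RST that aborts the half-open connection. The addresses, ports and ISN are made up for the demonstration; nothing is put on the wire.

```python
import socket
import struct

# TCP flag bits as they appear in byte 13 of the header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                   # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum is computed over."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=8192) -> bytes:
    """Build a 20-byte TCP header (no options, no payload) with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         5 << 4,          # data offset: 5 words, reserved bits zero
                         flags, window,
                         0,               # checksum placeholder
                         0)               # urgent pointer
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """With a correct checksum the sum over pseudo-header + segment comes out to zero."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def seq_number(segment: bytes) -> int:
    return struct.unpack("!I", segment[4:8])[0]


def syn_probe(src_ip, dst_ip, sport, dport, isn) -> bytes:
    """First packet of the scan: SYN carrying the scanner's ISN (step 1 of the handshake)."""
    return build_segment(src_ip, dst_ip, sport, dport, isn, 0, SYN)


def classify_reply(reply) -> str:
    """Port state from the target's answer (raw TCP header), or None if nothing arrived."""
    if reply is None:
        return "filtered"                                # dropped somewhere: no RST, no SYN|ACK
    flags = reply[13]
    if flags & RST:
        return "closed"
    if flags & SYN and flags & ACK:
        return "open"
    return "unexpected"


def teardown_rst(src_ip, dst_ip, sport, dport, synack: bytes) -> bytes:
    """Abort the half-open connection: an RST whose sequence number is the value the
    target just acknowledged (our ISN + 1), so the target's stack accepts it."""
    expected_seq = struct.unpack("!I", synack[8:12])[0]  # acknowledgement number field
    return build_segment(src_ip, dst_ip, sport, dport, expected_seq, 0, RST)


if __name__ == "__main__":
    probe = syn_probe("10.0.0.1", "10.0.0.2", 40000, 22, 12345)
    print(probe.hex(), checksum_ok("10.0.0.1", "10.0.0.2", probe))
```

To actually send the probe you need a raw socket, `socket.socket(AF_INET, SOCK_RAW, IPPROTO_TCP)`, which is the privileged operation the text refers to, and you must capture the reply yourself because no local socket owns the connection. Note also that on most modern kernels the stack answers an unsolicited SYN|ACK with its own RST, so the explicit teardown above is often sent for you.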
III. Secret Scanning and Indirect Scanning
Secret Scanning
Because this technique does not complete any part of the standard TCP three-way handshake, it is usually not logged, which makes it far stealthier than SYN scanning. In addition, FIN segments pass straight through packet filters that only watch for SYN segments.
Stealth scanning uses FIN segments to probe ports. When a FIN segment arrives at a closed port, it is discarded and an RST is returned; when it arrives at an open port, it is simply discarded and no RST is sent.
Xmas and Null scans are two variants. An Xmas scan sets the FIN, URG and PUSH flags, while a Null scan clears all flags. These combinations are meant to slip past so-called FIN-flag monitors.
Stealth scanning generally works against UNIX targets, with the exception of a few systems (including Cisco, BSDI, HP/UX, MVS and IRIX) that send a reset where they should discard the segment. Against Windows 95/NT the method is useless, because the system sends an RST whether the target port is open or not, so every port looks closed.
As with SYN scanning, stealth scanning requires constructing the packet by hand.
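The stack rules 1 to 7 from section I are what make the SYN, FIN, Xmas and Null probes readable, and the Windows behaviour just described is a one-line deviation from them. The following Python is an added example, not code from the page: it encodes the rules as a decision procedure, runs each probe type against a constructed set of listening ports, and shows how a stack that resets everything turns every stealth-scan result into "closed". The port numbers are made up for the demonstration.

```python
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Probe types used by the scans in sections II and III
PROBES = {
    "SYN":  {"SYN"},
    "FIN":  {"FIN"},
    "XMAS": {"FIN", "URG", "PSH"},
    "NULL": set(),
}


def flags_from_header(header: bytes) -> set:
    """Names of the flags set in a raw TCP header (the flag byte is byte 13)."""
    return {name for name, bit in FLAG_BITS.items() if header[13] & bit}


def stack_response(flags: set, listening: bool, rst_on_everything: bool = False):
    """What the target stack sends back, following rules 1-7 of section I.

    Returns "SYN|ACK", "RST" or None (segment silently discarded).
    rst_on_everything models the Windows 95/NT behaviour: a listening port
    answers FIN/Xmas/Null probes with RST instead of dropping them.
    """
    if "RST" in flags:
        return None                      # rules 2 and 3: a reset is never answered
    if not listening:
        return "RST"                     # rule 1, and the "FIN behaviour" for URG/PSH/no flags
    if "ACK" in flags:
        return "RST"                     # rule 4: ACK with no connection to match
    if "SYN" in flags:
        return "SYN|ACK"                 # rule 6: the handshake continues
    if rst_on_everything:
        return "RST"                     # Windows: reset instead of the quiet drop
    return None                          # rules 5 and 7: no SYN at a listening port -> dropped


def infer_state(probe: str, response) -> str:
    """What the scanner concludes from the answer to one probe."""
    if probe == "SYN":
        return {"SYN|ACK": "open", "RST": "closed"}.get(response, "filtered")
    # FIN, XMAS, NULL: only an RST is informative; silence may mean open or filtered
    return "closed" if response == "RST" else "open|filtered"


def scan_matrix(listening_ports, ports, rst_on_everything=False) -> dict:
    """Result of every probe type against every port, keyed by (probe, port)."""
    out = {}
    for probe, flags in PROBES.items():
        for port in ports:
            resp = stack_response(flags, port in listening_ports, rst_on_everything)
            out[(probe, port)] = infer_state(probe, resp)
    return out


if __name__ == "__main__":
    print("unix-like:", scan_matrix({22}, [22, 23]))
    print("windows:  ", scan_matrix({22}, [22, 23], rst_on_everything=True))
```

The matrix makes the trade-off explicit: a SYN probe yields a definite open/closed answer, while a FIN, Xmas or Null probe can only ever prove a port closed, and against a stack that resets everything it proves nothing at all.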
Indirect Scan
Indirect scanning uses a third-party address (a spoofed host) to hide the real scanner's IP address. Because the target sends its responses to the spoofed host rather than to the scanner, the scanner must observe the spoofed host's IP behaviour to recover the scan results. The process is as follows:
Assume three hosts take part: the scanner, the hidden (spoofed) host and the target. The roles of the scanner and the target are obvious. The hidden host plays a special role: while the target is being scanned it must not send any packets other than those caused by the scan, otherwise its observable IP behaviour no longer reflects the scan alone.
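The page describes indirect scanning only in outline. The observable "IP behaviour" that makes it work in practice is the hidden host's IP identification counter, which most stacks of that era incremented by one for every datagram sent; the simulation below is an added example (not code from the page or any tool named on it) built on that assumption. Three modelled hosts follow the stack rules of section I; the scanner reads the hidden host's IP ID, sends a SYN to the target with the hidden host's address as source, and reads the IP ID again. The hostnames, ports and starting counter value are made up, and the last case shows what happens when the hidden host is not idle.

```python
class Host:
    """Minimal IPv4/TCP model: an IP ID counter that steps by one for every
    datagram the host emits, plus the listening/closed rules of section I."""

    def __init__(self, name, listening=()):
        self.name = name
        self.listening = set(listening)
        self.ip_id = 1000                      # arbitrary starting counter (constructed)

    def send(self, dst, flags, sport, dport):
        self.ip_id += 1
        return {"src": self.name, "dst": dst, "id": self.ip_id,
                "flags": flags, "sport": sport, "dport": dport}

    def receive(self, dgram):
        """Datagram this stack answers with, or None if it drops the input."""
        if "RST" in dgram["flags"]:
            return None                        # a reset is never answered
        if dgram["dport"] in self.listening:
            if "ACK" in dgram["flags"]:
                reply = "RST"                  # ACK that matches no connection
            elif "SYN" in dgram["flags"]:
                reply = "SYN|ACK"
            else:
                return None                    # FIN behaviour: dropped quietly
        else:
            reply = "RST"                      # anything at a closed port
        return self.send(dgram["src"], reply, dgram["dport"], dgram["sport"])


def deliver(hosts, dgram):
    return hosts[dgram["dst"]].receive(dgram)


def read_ip_id(hosts, scanner, hidden):
    """Provoke an RST from the hidden host and read the IP ID it used."""
    rst = deliver(hosts, scanner.send(hidden.name, "SYN|ACK", 40000, 80))
    return rst["id"]


def indirect_scan(hosts, scanner, hidden, target, port, background=None):
    before = read_ip_id(hosts, scanner, hidden)
    # Spoofed SYN, built by hand with the hidden host as source: the target's
    # answer goes to the hidden host and the scanner never sees it.
    spoofed = {"src": hidden.name, "dst": target.name, "id": 0,
               "flags": "SYN", "sport": 40001, "dport": port}
    answer = deliver(hosts, spoofed)           # SYN|ACK if open, RST if closed
    if answer is not None:
        reaction = deliver(hosts, answer)      # hidden host: RST to a stray SYN|ACK, silence for RST
        if reaction is not None:
            deliver(hosts, reaction)
    if background is not None:
        background()                           # any other traffic the hidden host emits meanwhile
    after = read_ip_id(hosts, scanner, hidden)
    delta = after - before
    if delta == 2:
        return "open"                          # hidden host sent one RST between the readings
    if delta == 1:
        return "closed"                        # hidden host stayed silent
    return "unreliable"                        # hidden host was not idle


def demo():
    scanner = Host("S")
    hidden = Host("Z")                         # nothing listening, nothing else to say
    target = Host("T", listening={80})
    hosts = {h.name: h for h in (scanner, hidden, target)}
    quiet = {p: indirect_scan(hosts, scanner, hidden, target, p) for p in (80, 81)}
    noisy = indirect_scan(hosts, scanner, hidden, target, 81,
                          background=lambda: hidden.send("X", "ACK", 1, 1))
    return quiet, noisy


if __name__ == "__main__":
    print(demo())
```

The noisy case is the point of the page's remark that the hidden host must send nothing else during the scan: a single unrelated datagram from it makes a closed port read as open. Modern stacks that randomise or zero the IP ID defeat the technique for the same reason.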
IV. Ident Scanning and Proxy Scanning
Ident Scanning
The scanners analysed so far were designed with a single goal: to determine which ports on a host have a process listening. Several newer scanners add functions that reveal characteristics and behaviour of the processes listening on those ports.
Ident scanning is an interesting example. Using the ident (authentication) protocol, this scanner can obtain the user ID of the process that owns a port. It first tries to connect to a TCP port; if the connection succeeds, the scanner sends an ident request to TCP port 113 of the target. This is also called reverse ident scanning, because although the original RFC proposed the protocol to help a server identify its client, implementations also allow the reverse use (a client querying the server).
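The request and reply formats of the ident protocol (RFC 1413) are simple enough to implement directly. The Python below is an added example, not code from the page: it builds the query line, parses USERID and ERROR replies, and drives the connect-then-ask procedure over two caller-supplied functions so it can run over real sockets or, as in the demo, over constructed stubs. The port-to-owner table and the source-port scheme in the demo are made up.

```python
import re

_REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


def ident_request(target_port: int, scanner_port: int) -> bytes:
    """Query line for TCP port 113: <port on the target> , <port on the scanner>.
    It asks who owns the target-side end of the connection the scanner just opened."""
    return f"{target_port}, {scanner_port}\r\n".encode("ascii")


def parse_ident_reply(line: bytes) -> dict:
    """Parse '<p1>, <p2> : USERID : <os> : <user>' or '<p1>, <p2> : ERROR : <code>'."""
    m = _REPLY.match(line.decode("ascii", errors="replace").rstrip("\r\n"))
    if not m:
        raise ValueError("malformed ident reply: %r" % line)
    target_port, scanner_port, kind, rest = m.groups()
    result = {"ports": (int(target_port), int(scanner_port))}
    if kind == "ERROR":
        result["error"] = rest                          # NO-USER, HIDDEN-USER, UNKNOWN-ERROR ...
    else:
        opsys, _, user = rest.partition(":")            # "UNIX : stjohns" -> ("UNIX", "stjohns")
        result["os"], result["userid"] = opsys.strip(), user.strip()
    return result


def ident_scan(ports, connect, ask_ident) -> dict:
    """Ident scan of the given ports.

    connect(port) -> local source port of a successful connection, or None if the
    port is closed; ask_ident(request_bytes) -> reply line read from port 113.
    """
    owners = {}
    for port in ports:
        sport = connect(port)
        if sport is None:
            continue                                    # nothing listening: no ident query
        reply = parse_ident_reply(ask_ident(ident_request(port, sport)))
        owners[port] = reply.get("userid", "error:" + reply.get("error", "?"))
    return owners


def demo() -> dict:
    """Constructed target: three listening ports, ident answers from a fixed table."""
    listening = {22: "root", 25: "mail", 8080: None}    # None: the ident daemon hides the owner

    def connect(port):
        return 51000 + port if port in listening else None

    def ask_ident(request):
        tport = int(request.split(b",")[0])
        user = listening[tport]
        if user is None:
            return f"{tport}, {51000 + tport} : ERROR : HIDDEN-USER\r\n".encode()
        return f"{tport}, {51000 + tport} : USERID : UNIX : {user}\r\n".encode()

    return ident_scan([21, 22, 25, 8080], connect, ask_ident)


if __name__ == "__main__":
    print(demo())
```

Over the network, connect() would be a TCP connect to the port and ask_ident() a second connection to port 113 that writes the request and reads one line; a service running as root is the answer the scanner is really looking for.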
Proxy Scan
The File Transfer Protocol (FTP) supports an interesting option: proxy FTP connections. Its original purpose (RFC 959) was to let a client connect to two FTP servers at once and transfer data directly between them. In most implementations, however, the FTP server will in fact open a data connection to any address on the Internet. Many attacks exploit this, and many recent scanners use it to perform FTP proxy (bounce) scanning.
FTP proxy scanning uses an FTP server as a proxy to scan TCP ports. The procedure is as follows:
1: Let S be the scanning host, T the target and F an FTP server that supports the proxy option and can connect to both S and T.
2: S opens an FTP session with F and uses the PORT command to declare a chosen port p on T as the passive side of the proxy data transfer.
3: S then issues a LIST command, which makes F open a data connection to port p on T.
4: If port p on T is listening, the transfer succeeds and F returns codes 150 and 226 to S. Otherwise F replies "425 Can't open data connection".
5: S repeats the PORT and LIST commands until all chosen ports on T have been scanned.
FTP proxy scanning is not only difficult to trace, but also, when the FTP server is behind a firewall
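Steps 2 to 5 of the procedure are a loop over PORT and LIST with the reply codes deciding the result. The Python below is an added example, not code from the page: it formats the PORT argument for the target's address, runs the loop over any object that offers send() and recv_line(), and includes a scripted stand-in for the proxying server F that answers 150/226 or 425 from a constructed table of the target's listening ports. The addresses and ports are made up.

```python
def port_command(ip: str, port: int) -> str:
    """PORT h1,h2,h3,h4,p1,p2 (RFC 959): where F should open the data connection.
    For a bounce scan that address is the target T, not the client S."""
    h1, h2, h3, h4 = ip.split(".")
    return f"PORT {h1},{h2},{h3},{h4},{port >> 8},{port & 0xFF}\r\n"


def reply_code(line: str) -> int:
    return int(line[:3])


def bounce_scan(ctrl, target_ip: str, ports) -> dict:
    """Steps 2-5 of the procedure over an open FTP control connection.

    ctrl must provide send(str) and recv_line() -> str; the scripted server
    below fits, and so does a thin wrapper around a socket file object.
    Returns {port: state}.
    """
    results = {}
    for port in ports:
        ctrl.send(port_command(target_ip, port))
        if reply_code(ctrl.recv_line()) != 200:
            results[port] = "port-rejected"              # F refuses third-party addresses
            continue
        ctrl.send("LIST\r\n")                            # forces F to connect to T:port
        code = reply_code(ctrl.recv_line())
        if code == 150:                                  # data connection opened: port listening
            while reply_code(ctrl.recv_line()) != 226:   # wait for transfer-complete
                pass
            results[port] = "open"
        elif code == 425:                                # F could not connect: port closed
            results[port] = "closed"
        else:
            results[port] = "unexpected-%d" % code
    return results


class ScriptedFtpServer:
    """Constructed stand-in for the proxy-capable server F: instead of reaching
    the network it consults a fixed set of listening ports on the target."""

    def __init__(self, target_open_ports):
        self.open_ports = set(target_open_ports)
        self.data_port = None
        self.replies = []

    def send(self, line: str):
        verb, _, arg = line.strip().partition(" ")
        if verb == "PORT":
            h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
            self.data_port = (p1 << 8) | p2
            self.replies.append("200 PORT command successful.\r\n")
        elif verb == "LIST":
            if self.data_port in self.open_ports:
                self.replies += ["150 Opening ASCII mode data connection for file list.\r\n",
                                 "226 Transfer complete.\r\n"]
            else:
                self.replies.append("425 Can't open data connection.\r\n")
        else:
            self.replies.append("500 Unknown command.\r\n")

    def recv_line(self) -> str:
        return self.replies.pop(0)


if __name__ == "__main__":
    print(bounce_scan(ScriptedFtpServer({22, 80}), "10.0.0.5", [22, 25, 80]))
```

From T's point of view every connection comes from F, which is what makes the scan hard to trace. The "port-rejected" branch is the case a practitioner will usually meet today: most FTP servers refuse a PORT address that differs from the control connection's peer, and a server that still accepts it is itself a finding.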
V. Other scanning methods
Ping Scan
When thousands of ports on a host, or a whole subnet, are to be scanned, it matters a great deal to first determine whether a host is up at all. That is the purpose of a ping scanner. Two methods are used:
1: Real ping: send an ICMP echo request to the target IP address; an echo reply shows that the host is up.
2: TCP ping: send a specially crafted TCP segment