Skip to main content
Version: Next

Scanning techniques

  • Used to
    • Identify open ports also i.e. port scanning
    • Identify which hosts or are alive i.e. host discovery
  • Same techniques can be used for both port scanning and host scanning

Techniques per protocol​

Scanning ICMP​

  • Also called ping scan or ICMP scan
  • Typically used for checking if a host is alive or has errors
  • πŸ’‘ πŸ“ It saves time before running a port scan
  • ❗ Often incoming ICMP requests are disabled by firewalls.
  • On Network Layer 3, so does not have port abstraction like TCP/UDP (Transport layer 4)
  • In Nmap, ping commands start with -P* e.g. -PE for ICMP Echo
  • Round-trip time
    • Time it takes for a packet to make a complete trip
  • If blocked, usually returns no response or sometimes ICMP errors such as type 3 code 13 (destination unreachable: communication administratively prohibited)

Broadcast ICMP ping​

  • Sends packet to every possible address on the network
  • E.g. ping -b 192.168.135.255 (subnet broadcast)
    • Pings to 192.168.129.19, 192.168.129.20, 192.168.129.21...
    • Or all broadcast through ping -b 192.168.129.255
      • Alive hosts will populate local arp table, can be seen using arp -a
  • Usually discarded and a useless method
  • See also Smurf attack |Β Denial of Service

ICMP ping packet types​

  • Echo
    • Sends ICMP ECHO (type 8) expecting ICMP ECHO reply
    • Also known as ICMP echo scanning or ICMP ping sweep
    • πŸ“ Tools
      • Nmap: -PE
      • hping: hping3 -1 <target>
  • Timestamp
    • Sends ICMP TIMESTAMP (type 13)
    • Tools
      • Nmap: -PP
      • hping: hping3 -1 <target> --icmptype 13
  • Address mask
    • Sends ICMP ADDRESS MASK (type 17)
    • Tools
      • Nmap: -PM
      • hping: hping3 -1 <target> --icmptype 17

ICMP ping sweep​

  • Also called ICMP sweep or ICMP echo scanning
  • πŸ“ Used to determine active hosts in target network range.
  • Tools include
    • Angry ip
    • Nmap: nmap -sn 192.168.0.*
      • or nmap -sn <ip-address>/<subnet-range>
      • or nmap -sn 192.168.0.1-30 to scan e.g. between 1-30 in last octet
      • -sn: (optional) skip port scan

Scanning TCP​

TCP connect​

  • Also known as full open scan or TCP Connect() scan
  • Used for detecting open ports upon the completion of the three-way handshake.
  • Works by establishing a full connection and then dropping it by sending a RST packet.
    • TCP connect scan
  • Pros
    • πŸ“ Accurate, most reliable
    • Requires no additional user privileges
    • Allows scanning behind a firewall.
  • Cons
    • πŸ“ Easily detectable by IDSes and logged
  • πŸ’‘ Use SYN which would be faster and stealthier
  • Tools
    • Nmap: nmap -sT <ip-or-host>

SYN scanning​

  • πŸ“ Also known as TCP SYN ping, SYN stealth, stealth scan, half-open scan or TCP ping scan
  • Default and most popular scan
  • Works by resetting the TCP connection before the three-way handshake is completed, which in turn makes the connection half open.
    • SYN scanning flow
  • Pros
    • Fast
    • Reliable
    • Works on any compliant TCP stack
    • Stealthy because it never completes TCP connections (can bypass firewalls and logging)
  • Cons
    • Require root privileges
    • Rulesets block many SYN scan attempts
  • Tools
    • πŸ“ Nmap: -PS (host discovery) or -sS (port scan)
    • Hping: hping3 -8 <port-list e.g. 50-60> –S <ip-address> –V

RFC 793 scans​

  • πŸ“ According to RFC 793, any packet not containing SYN, RST, or ACK bits will result in
    • RST if the port is closed
    • no response the port is open
  • Works by sending TCP probe packets with or without SYN, RST, ACK flags.
  • Pros
    • Very stealthy (more than SYN) against IDS and logging systems
    • Avoids TCP three-way handshake
  • Cons
    • Require root privileges
    • Unreliable (false positives) against systems does not follow the RFC
      • Unix-only
      • Ineffective against Windows and many IBM/Cisco devices
  • πŸ€— Using Nmap, one could utilize --scanflags to test with permutations of each case (total: 8) to check for RST response, but there are easier ways for most popular combinations: β€’ XMAS β€’ NULL scan β€’Β FIN scan
XMAS Scan​
  • πŸ“ Works by sending a TCP frame with FIN, URG, and PUSH flags set.
  • πŸ€— Christmas tree packet: packet with every option set, like bulbs on a Christmas tree
  • XMAS scan response interpretation
  • Tools
    • Hping: hping3 -F -P -U <ip-address> -p <port-number>
      • -F for FIN, -P for PUSH), -U for URG
    • πŸ“ Nmap: -sX'
Inverse TCP flag scan​
  • An inverse TCP scan has PSH or URG or FIN or none flag set, i.e. a single flag or no flag.
  • As opposed to XMAS that sets PSH and URG and FIN, i.e. all three flags at once
NULL Scan​
  • Also known as NULL probe
  • Does not set any bits (TCP flag header is 0)
  • Nmap: -sN
FIN Scan​
  • Also known as FIN probe
  • Sets just the TCP FIN bit.
  • Nmap: -sF

ACK scanning​

  • Also known as ACK flag scanning, ACK flag probe scanning or TCP ACK scan
  • Used to detect existence of firewalls, cannot detect open ports
  • Works by sending TCP packet with ACK flag set.
    • ACK (acknowledgment) is used to acknowledge the successful receipt of a packet
    • TCP ACK Scan
  • Pros
    • Difficult to log, avoids IDS detection
    • Helps detecting existence of stateful firewalls
  • Disadvantages
    • Relies on BSD network code bug in older versions
    • Slow
  • Tools
    • Nmap: -PA (host discovery) or -sA (port scan)
    • Hping: hping3 –A <ip-address> –p <port>
ACK Classification​
  • Two fields are inspected to classify RST response: WINDOW and TTL

  • TTL

    • It's open if TTL has less than 64 while others have higher values

        packet 1: host X.X.X.X port 20: F:RST -> ttl: 70 win: 0 => closed
      packet 2: host X.X.X.X port 21: F:RST -> ttl: 70 win: 0 => closed
      packet 3: host X.X.X.X port 22: F:RST -> ttl: 40 win: 0 => open
      packet 4: host X.X.X.X port 23: F:RST -> ttl: 70 win: 0 => closed
  • WINDOW

    • It's open if it has non-zero value.
    • Works for older BSD and UNIX but has been patched
      packet 1: host X.X.X.X port 20: F:RST -> ttl: 64 win: 0 => closed
    packet 2: host X.X.X.X port 21: F:RST -> ttl: 64 win: 0 => closed
    packet 3: host X.X.X.X port 22: F:RST -> ttl: 64 win: 512 => open
    packet 4: host X.X.X.X port 23: F:RST -> ttl: 64 win: 0 => closed

IDLE scan​

  • Also known as TCP Idle Scan, IDLE header scan, header scan, IDLE/IPID scan
  • Allows for blind port scanning (without sending any packet with own IP)
  • Utilizes IP address of a zombie machine through spoofed packets
  • πŸ€— Found by author of hping2 tool
  • πŸ“ Flow
    1. Probe the zombie's IP ID and record it.
      • IP ID
        • Every IP packet on the Internet has a fragment identification number
        • Incremented by OSes for each packet sent
      • Zombie should be
        • idle as no other traffic would increase the traffic
        • assigning IP ID packets incrementally on global level instead of per-host basis.
    2. Forge a SYN packet from the zombie and send it to the desired port on the target.
    3. Probe the zombie's IP ID again.
      • If it's increased compared to one in step 1, port is open (it has received)
  • Pros
    • Ultimate stealth scan as attackers IP would not be revealed
    • Can be used for framing as IDS will report zombie as the attacker
  • Cons
    • It takes far longer
    • Many ISPs implement egress filtering to prevent the packet spoofing
  • Tools
    • Nmap: nmap -Pn -sI <zombie-ip/domain> <target-ip/domain>
      • πŸ“ -sI: Idle scan
      • -Pn: no ping to be stealthy

Scanning UDP​

  • Connectionless stream protocol, so no handshakes
  • UDP is used by e.g. DNS (port 53), SNMP (port 161/162), and DHCP (port 67/68)

UDP Scanning​

  • Also known as UDP ping, UDP/ICMP error scan, UDP port scan or UDP ICMP_PORT_UNREACHABLE scan
  • Exploits UDP behavior where the receiver sends an ICMP packet with error code when a port is unreachable.
  • No response is interpreted as "open" or "filtered" behind firewall
  • Pros
    • Avoids TCP IDS
    • Scans non-TCP ports that are quite common
  • Cons
    • Provides port information only
    • ICMP is rate-limited by Linux kernel however not by Windows
    • Require root privileges
    • Slower and more difficult than TCP
  • Tools
    • Hping: hping3 -2 <ip-address> –p <port>
    • πŸ“ Nmap: : -PU (host discovery) or -sU (port scan)

Other techniques​

List Scanning​

  • Performing a reverse DNS resolution to identify the names of the hosts.
  • No packets are sent to hosts
  • Pros
    • Sanity check to ensure that target IP addresses are proper
    • Stealthy, unobtrusive, does not trigger IDS alerts
  • Tools
    • Nmap: nmap -sL <ip-address>

SSDP Scanning​

  • Used to detect UPnP vulnerabilities and carry out buffer overflow or DoS attacks
  • SSDP
    • Simple Service Discovery Protocol
    • Network protocol based on for discovery of devices on same network
    • Basis of UPnP (Universal Plug and Play) protocol
  • Steps:
    1. Attacker discovers networked devices and create a list of all the devices that respond.
    2. Attacker creates a UDP packet with the spoofed IP address of the targeted victim.
    3. Attacker then uses a botnet to send a spoofed discovery packet to each plug-and-play device
    4. Each device will send a reply to the targeted victim with an amount of data up to about 30 times larger than the attacker's request.
    5. The target then receives a large volume of traffic from all the devices and becomes overwhelmed, potentially resulting in denial-of-service to legitimate traffic
  • Tools
    • Metasploit: use auxiliary/scanner/upnp/ssdp_msearch

ARP Scan​

  • Useful when scanning an ethernet LAN
  • ARP: Regular ARP packet request looks for the MAC address using the device's IP address.
  • Tools
    • nping: Learn router MAC address: nping --arp-type ARP <router-ip-address>
    • nmap: nmap -sn -PR 192.168.0.*
      • -PR: ARP discovery
      • -sn: skip port scan

Countermeasures​

  • Configuring firewall and IDS to detect and block scans
  • Protecting mechanisms for filtering and routing from being bypassed using certain ports
  • Updating the router, IDS, and firewall
  • Keeping as few ports open as necessary and filtering the rest
  • Checking the configuration of the network and its ports
  • Ensuring the proper configuration of anti- scanning and spoofing rulesets