
CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50 - Kimberly Graves
complete the connection and the port is listening. If a RST is received back from the target, then it's assumed the port isn't active or is closed. The advantage of the SYN stealth scan is that fewer IDS systems log this as an attack or connection attempt, because the three-way handshake is never completed.

XMAS XMAS scans send a packet with the FIN, URG, and PSH flags set. If the port is open, there is no response; but if the port is closed, the target responds with a RST/ACK packet. Note that a firewall silently dropping the probe also produces no response, so silence really means "open or filtered." XMAS scans work only on target systems that follow the RFC 793 implementation of TCP/IP and don't work against any version of Windows, which answers every such probe with a RST regardless of port state.

FIN A FIN scan is similar to an XMAS scan but sends a packet with just the FIN flag set. FIN scans receive the same response and have the same limitations as XMAS scans.

NULL A NULL scan is also similar to XMAS and FIN in its limitations and response, but it just sends a packet with no flags set.

IDLE An IDLE scan sends a SYN packet to the target with the source address spoofed to be that of a third, idle host (the "zombie"). The target replies to the zombie, not to the attacker, so the port state is inferred indirectly: the attacker probes the zombie before and after the spoofed SYN and watches how far the zombie's IP header identification (IP ID) field has advanced. Because many stacks increment the IP ID by one for every packet they send, an open port (the zombie received a SYN/ACK and answered it with a RST) shows an extra increment that a closed port (the zombie received a RST and sent nothing) does not. The scan depends on a zombie with a predictable, globally incrementing IP ID and little other traffic.

List TCP Communication Flag Types

TCP scan types are built on the TCP three-way handshake. TCP connections require a three-way handshake before a connection can be made and data transferred between the sender and receiver. Figure 3.2 details the steps of the TCP three-way handshake.

FIGURE 3.2 TCP three-way handshake

In order to complete the three-way handshake and make a successful connection between two hosts, the sender must send a TCP packet with the synchronize (SYN) bit set. Then, the receiving system responds with a TCP packet with the synchronize (SYN) and acknowledge (ACK) bit set to indicate the host is ready to receive data. The source system sends a final packet with the acknowledge (ACK) bit set to indicate the connection is complete and data is ready to be sent.

Because TCP is a connection-oriented protocol, a process for establishing a connection (three-way handshake), restarting a failed connection, and finishing a connection is part of the protocol. These protocol notifications are called flags. TCP contains ACK, RST, SYN, URG, PSH, and FIN flags, each a single bit in the TCP header. The following list identifies the function of the TCP flags:

■ SYN-Synchronize. Initiates a connection between hosts.

■ ACK-Acknowledge. Acknowledges received data; set on every segment once the connection is established.

■ PSH-Push. System is forwarding buffered data.

■ URG-Urgent. Data in packets must be processed quickly.

■ FIN-Finish. No more transmissions.

■ RST-Reset. Resets the connection.

A hacker can attempt to bypass detection by using flags instead of completing a normal TCP connection. The TCP scan types in Table 3.4 are used by some scanning tools to elicit a response from a system by setting one or more flags.
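The following is an added example (not code from the review guide or from any scanning tool) that ties the flag list above to the scan types described earlier. It encodes the six RFC 793 flag bits, builds the flag byte each probe type carries, decodes the flags of a reply segment, and maps probe plus reply to the port state the text describes; it also applies the IDLE scan's IP ID rule. All segments are constructed in the script and nothing is sent on the wire; the port numbers and IP ID values are arbitrary.

```python
"""TCP flag bits (RFC 793) and the scan types built on them.

Added illustration, not code from the review guide or any scanner.
Sample segments are constructed inline; nothing is sent on the wire.
"""
import struct
from typing import Optional

# Flag bit positions in the low six bits of TCP header bytes 12-13 (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# Flags each probe sets; names match the scan types in the text.
PROBE_FLAGS = {
    "SYN":  SYN,
    "XMAS": FIN | URG | PSH,
    "FIN":  FIN,
    "NULL": 0,
}

def flag_names(flags: int) -> str:
    """Render a flag byte as e.g. 'SYN/ACK' (lowest bit first)."""
    return "/".join(n for b, n in sorted(FLAG_NAMES.items()) if flags & b) or "none"

def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header: data offset 5 (no options), window 1024,
    checksum 0 (a real scanner or the kernel fills it in), urgent pointer 0."""
    offset_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 1024, 0, 0)

def parse_flags(tcp_header: bytes) -> int:
    """Extract the six RFC 793 flag bits from a raw TCP header."""
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    return offset_flags & 0x3F

def classify(scan: str, reply: Optional[bytes]) -> str:
    """Port state implied by a probe type and the reply (None = no answer).

    SYN scan: SYN/ACK -> open, RST -> closed, silence -> filtered.
    XMAS/FIN/NULL: RST -> closed, silence -> open or filtered (indistinguishable).
    """
    if scan == "SYN":
        if reply is None:
            return "filtered"
        flags = parse_flags(reply)
        if flags & SYN and flags & ACK:
            return "open"
        if flags & RST:
            return "closed"
        return "unexpected"
    if scan in ("XMAS", "FIN", "NULL"):
        if reply is None:
            return "open|filtered"
        if parse_flags(reply) & RST:
            return "closed"
        return "unexpected"
    raise ValueError(f"unknown scan type {scan!r}")

def idle_scan_state(ipid_before: int, ipid_after: int) -> str:
    """IDLE scan: the zombie's IP ID field is what is watched.

    The zombie's IP ID advances by 1 for its answer to the attacker's own probe;
    if the target answered the spoofed SYN with SYN/ACK, the zombie also sent a
    RST, so it advances by 2. Assumes a zombie with a globally incrementing IP ID
    and no other traffic (an assumption, not something this code can verify).
    """
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "zombie busy or unsuitable"

# Constructed replies used for the demo (not captured traffic)
SYNACK_REPLY = build_tcp_header(80, 40000, SYN | ACK, seq=12345, ack=1)
RST_REPLY = build_tcp_header(80, 40000, RST | ACK, seq=0, ack=1)

if __name__ == "__main__":
    for scan, flags in PROBE_FLAGS.items():
        probe = build_tcp_header(40000, 80, flags)
        print(f"{scan:5s} probe sets {flag_names(parse_flags(probe))}")
    print("SYN scan, SYN/ACK back :", classify("SYN", SYNACK_REPLY))
    print("SYN scan, RST back     :", classify("SYN", RST_REPLY))
    print("XMAS scan, no reply    :", classify("XMAS", None))
    print("XMAS scan, RST back    :", classify("XMAS", RST_REPLY))
    print("IDLE scan, IP ID 1000 -> 1002:", idle_scan_state(1000, 1002))
```

The one design point worth noticing is that `classify` never returns plain "open" for the XMAS, FIN and NULL cases: silence is the only "open" signal those probes can produce, and a stateful firewall that drops the probe produces exactly the same silence, which is why scanners report that state as open|filtered.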

Hacking Tools

IPEye is a TCP port scanner that can do SYN, FIN, Null, and XMAS scans. It's a command-line tool.

IPEye probes the ports on a target system and responds with either closed, reject, drop, or open. Closed means there is a computer on the other end, but it doesn't listen at the port. Reject means a firewall is rejecting (sending a reset back) the connection to the port. Drop means a firewall is dropping everything to the port, or there is no computer on the other end. Open means some kind of service is listening at the port. These responses help a hacker identify what type of system is responding.

IPSecScan is a tool that can scan either a single IP address or a range of addresses looking for systems that are IPSec enabled.

NetScan Tools Pro 2000, Hping2, KingPing, icmpenum, and SNMP Scanner are all scanning tools and can also be used to fingerprint the operating system (discussed later).

icmpenum uses not only ICMP Echo packets to probe networks, but also ICMP Timestamp and ICMP Information packets. Furthermore, it supports spoofing and sniffing for reply packets. icmpenum is great for scanning networks when the firewall blocks ICMP Echo packets but fails to block Timestamp or Information packets.
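As an added example (not icmpenum's own code, and not from the review guide), the script below builds the two alternative probe types the paragraph describes, an ICMP Timestamp request (type 13) and an Information request (type 15), with a valid RFC 1071 checksum, decodes a Timestamp reply, and models the firewall misconfiguration the text describes with a toy filter that drops only Echo requests. The identifier, sequence and timestamp values are arbitrary; no packets are sent.

```python
"""ICMP Timestamp (type 13) and Information (type 15) probes.

Added illustration of the probe types icmpenum relies on; not icmpenum's code.
All packets are built and parsed locally; nothing is sent on the wire.
"""
import struct
import time
from typing import Optional

ECHO_REQUEST, ECHO_REPLY = 8, 0
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
INFO_REQUEST, INFO_REPLY = 15, 16

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), zero-padded to even length.
    Run over a packet whose checksum field is already filled in, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ms_since_midnight_utc() -> int:
    """Timestamp field format: milliseconds since midnight UT (RFC 792)."""
    return int((time.time() % 86400) * 1000)

def build_icmp(icmp_type: int, ident: int, seq: int, body: bytes = b"") -> bytes:
    """ICMP header (type, code 0, checksum, id, seq) + body, checksum filled in."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + body)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + body

def build_timestamp_request(ident: int, seq: int, originate: Optional[int] = None) -> bytes:
    """Type 13: three 32-bit stamps; the sender fills only the originate stamp."""
    if originate is None:
        originate = ms_since_midnight_utc()
    return build_icmp(TIMESTAMP_REQUEST, ident, seq, struct.pack("!III", originate, 0, 0))

def build_timestamp_reply(ident: int, seq: int, originate: int, receive: int, transmit: int) -> bytes:
    """Type 14, as a responding host would send it (used here to construct a sample reply)."""
    return build_icmp(TIMESTAMP_REPLY, ident, seq, struct.pack("!III", originate, receive, transmit))

def build_info_request(ident: int, seq: int) -> bytes:
    """Type 15: header only. Obsolete, but some stacks still answer it."""
    return build_icmp(INFO_REQUEST, ident, seq)

def parse_icmp(packet: bytes) -> dict:
    """Decode the header, verify the checksum, and decode stamps for a type 14 reply."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    info = {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": internet_checksum(packet) == 0}
    if icmp_type == TIMESTAMP_REPLY and len(packet) >= 20:
        info["originate"], info["receive"], info["transmit"] = struct.unpack("!III", packet[8:20])
    return info

def echo_only_firewall(packet: bytes) -> Optional[bytes]:
    """Toy model of the misconfiguration the text describes: drops Echo requests,
    passes every other ICMP type. Returns the packet if it reaches the host, else None."""
    return None if packet[0] == ECHO_REQUEST else packet

if __name__ == "__main__":
    for name, pkt in (("echo", build_icmp(ECHO_REQUEST, 7, 1)),
                      ("timestamp", build_timestamp_request(7, 1)),
                      ("info", build_info_request(7, 1))):
        verdict = "dropped" if echo_only_firewall(pkt) is None else "passed"
        print(f"{name:9s} request ({len(pkt)} bytes) {verdict} by echo-only filter")
```

To actually send a probe you would hand `pkt` to a raw socket, `socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)`, which needs root or CAP_NET_RAW; the type 14 reply carries the host's clock in its receive and transmit stamps, which is also what makes Timestamp replies useful for fingerprinting and for confirming a host is up when Echo is filtered.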

Hping2 is notable because it contains a host of other features
