I have talked to some people on IRC and have realized that my tutorials need some work. Thank you to those who pointed out my errors and gave me suggestions. This tutorial, I hope, is better. Cheers.
Recon
As I stated in Section 1 Part 4 of my series, recon is probably the most important step of hacking. There are many techniques used, but in these tutorials I will only cover Scanners, specifically Port Scanners and Web Scanners.
By definition, Port Scanners are:
"Application designed to probe a server or hosts for open ports."
The result of scanning a port usually falls into one of three categories:
- Open or Accepted: the host sent a reply indicating that a service is listening on the port.
- Closed and/or Denied or Not Listening: the host sent a reply indicating that connections to the port will be denied.
- Filtered, Dropped, or Blocked: no reply from the host, or a firewall (or other security measure) is in place.
In nmap there are many types of scans, but I'm only going to cover TCP, SYN, and UDP scans.
Types of Scans
The simplest port scanners use the operating system's network functions. nmap calls this a connect scan. In other words, if a port is open then the OS completes a TCP three-way handshake, but afterwards the connection is closed to avoid a DoS attack.
A TCP three-way handshake is when each device sends a SYN and an ACK (also known as a SYN-SYN-ACK). In the normal sequence of connection establishment, a SYN is sent by one device (host a). Once the SYN is received by the other device, host b sends a SYN-ACK. The SYN-ACK is received by host a, and host a then sends an ACK. Once host b receives the ACK, the TCP socket connection is established. A quick diagram is:
host a ------ SYN ------> host b
host a <------ SYN-ACK ------ host b
host a ------ ACK ------> host b
In nmap, the connect scan is as follows:
$ nmap -sT (Ip)
The problem with TCP connect scanning is that it's noisy: because the connection is fully established, services may log the sender's IP address, or an Intrusion Detection System may raise an alarm.
Thus, a SYN scan is often preferred. A SYN scan is a bit different. As with the TCP scan, a SYN scan first sends a SYN, but instead of a SYN-ACK being returned, only an ACK is actually returned. A quick diagram is:
Client ------ SYN ------> Server
Client <------ ACK ------ Server
A SYN (TCP SYN) scan is done in nmap using:
nmap -sS (Ip)
The last scan type, UDP, is the trickiest. UDP is known as a connectionless protocol: when a packet is sent to a UDP port, an open port simply receives the packet, but a closed port sends an ICMP message back. A quick diagram is:
Client ------- Packet ------> Server
Client <------ ICMP ------- Server
In nmap, a UDP (UDP-ICMP) scan can be performed with this command:
nmap -sU (Ip)
The UDP scan is the only scan type that can be combined with another scan type, for example a SYN scan:
nmap -sS -sU (Ip)
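Since a connect scan may end up in a service's own logs while a SYN scan is quieter, the defender-side check that catches both is to look at the traffic pattern at the firewall or flow sensor rather than at completed connections. The Python script below is an added example, not part of the original tutorial: it runs a sliding-window heuristic over constructed firewall-style log lines (the log format, field names and thresholds are assumptions) and flags a source that touches many distinct TCP or UDP ports on one host within a few seconds.

```python
# Added example (not from the original tutorial): heuristic port-scan detector
# over constructed firewall-style log lines. Log format, field names and
# thresholds are assumptions; adapt them to your own sensor.
from collections import defaultdict
from datetime import datetime
# Constructed sample: one source probing many ports, one ordinary client.
SAMPLE_LOG = """\
2024-01-01T10:00:00 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=22 flags=S
2024-01-01T10:00:00 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=80 flags=S
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=443 flags=S
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=3306 flags=S
2024-01-01T10:00:02 src=10.0.0.5 dst=10.0.0.20 proto=udp dport=53 flags=-
2024-01-01T10:00:02 src=10.0.0.5 dst=10.0.0.20 proto=udp dport=161 flags=-
2024-01-01T10:00:05 src=10.0.0.9 dst=10.0.0.20 proto=tcp dport=443 flags=S
2024-01-01T10:05:00 src=10.0.0.9 dst=10.0.0.20 proto=tcp dport=443 flags=S
"""

def parse_line(line):
    """Turn one 'key=value' log line into a dict with a parsed timestamp."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec

def detect_scans(log_text, min_ports=5, window_seconds=10):
    """Flag each (src, dst) pair that touches >= min_ports distinct
    (proto, port) targets within window_seconds. Half-open SYN probes and
    UDP datagrams count the same as completed connects, so this catches
    scans that a service's own connection log would miss."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda r: r["ts"])
    per_pair = defaultdict(list)
    for e in events:
        per_pair[(e["src"], e["dst"])].append(e)
    alerts = {}
    for pair, evs in per_pair.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so the span fits in window_seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            targets = {(e["proto"], e["dport"]) for e in evs[start:end + 1]}
            if len(targets) >= min_ports:
                alerts[pair] = sorted(targets)
    return alerts

if __name__ == "__main__":
    for (src, dst), targets in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src} against {dst}: {targets}")
```

The thresholds are deliberately low so the constructed sample trips them; on real traffic, tune min_ports and window_seconds against a baseline of normal clients before alerting on the result.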
Conclusion
Well, that’s it for this tutorial. I decided not to talk about the Web Scanners in this part because this tutorial was getting long, but I will have that tutorial up next. Please comment down below, as any suggestions are welcome, but please don’t flame me.
Cheers.