Re: stealth scanning?


From: Johannes Walch (
Date: 10. May 2001

A short excerpt from man nmap :-)


       -sT TCP connect() scan: This is the most basic form of
              TCP scanning. The connect() system call provided by
              your operating system is used to open a connection
              to every interesting port on the machine. If the
              port is listening, connect() will succeed, otherwise
              the port isn't reachable. One strong advantage to
              this technique is that you don't need any special
              privileges. Any user on most UNIX boxes is free to
              use this call.

              This sort of scan is easily detectable as target
              host logs will show a bunch of connection and error
              messages for the services which accept() the
              connection just to have it immediately shutdown.

       -sS TCP SYN scan: This technique is often referred to
              as "half-open" scanning, because you don't open a
              full TCP connection. You send a SYN packet, as if
              you are going to open a real connection and you
              wait for a response. A SYN|ACK indicates the port
              is listening. A RST is indicative of a non-listener.
              If a SYN|ACK is received, a RST is immediately sent
              to tear down the connection (actually our OS kernel
              does this for us). The primary advantage to this
              scanning technique is that fewer sites will log it.
              Unfortunately you need root privileges to build
              these custom SYN packets.

       -sF -sX -sN
              Stealth FIN, Xmas Tree, or Null scan modes: There
              are times when even SYN scanning isn't clandestine
              enough. Some firewalls and packet filters watch for
              SYNs to restricted ports, and programs like
              Synlogger and Courtney are available to detect these
              scans. These advanced scans, on the other hand, may
              be able to pass through unmolested.

              The idea is that closed ports are required to reply
              to your probe packet with an RST, while open ports
              must ignore the packets in question (see RFC 793 pp
              64). The FIN scan uses a bare (surprise) FIN
              packet as the probe, while the Xmas tree scan turns
              on the FIN, URG, and PUSH flags. The Null scan
              turns off all flags. Unfortunately Microsoft (like
              usual) decided to completely ignore the standard
              and do things their own way. Thus this scan type
              will not work against systems running Windows95/NT.
              On the positive side, this is a good way to
              distinguish between the two platforms. If the scan
              finds open ports, you know the machine is not a
              Windows box. If a -sF, -sX, or -sN scan shows all
              ports closed, yet a SYN (-sS) scan shows ports being
              opened, you are probably looking at a Windows box.
              This is less useful now that nmap has proper OS
              detection built in. There are also a few other
              systems that are broken in the same way Windows is.
              They include Cisco, BSDI, HP/UX, MVS, and IRIX.
              All of the above send resets from the open ports
              when they should just drop the packet.

Johannes Walch
Head of Network Security and Communication
Network Engineering GmbH
Wingertstrasse 70/1
D-68809 Neulussheim

Tel: +49 - 62 05 / 30 90 - 0
Direct dial: +49 - 62 05 / 30 90 - 14
Fax: +49 - 62 05 / 30 90 - 29
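The man page excerpt above gives the on-the-wire signature of each scan type (a bare SYN, a bare FIN, FIN|URG|PSH, or no flags at all) and notes that tools such as Synlogger watch for exactly this. As an added example that is not part of the original post or of nmap, the following Python classifies unsolicited TCP probes by those flag combinations and reports sources that sweep many ports with one probe type; the packet records and IP addresses are constructed, and the `min_ports` threshold is an assumption.

```python
"""Classify TCP probe packets into the scan types the nmap man page
describes (SYN, FIN, Xmas, Null) and flag likely port sweeps.
Added example; the packet records below are constructed, not captured."""
from collections import defaultdict

# TCP flag bits as laid out in the TCP header flags byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe signatures from the man page: the first packet of -sT and -sS is a
# bare SYN, -sF is a bare FIN, -sX sets FIN|URG|PSH, -sN sets no flags.
PROBE_TYPES = {
    SYN: "SYN",
    FIN: "FIN",
    FIN | URG | PSH: "Xmas",
    0: "Null",
}


def classify_probe(flags):
    """Return the scan type for a packet with these flags, or None.
    Packets carrying ACK belong to an established exchange, so they are
    never counted as opening probes here."""
    if flags & ACK:
        return None
    return PROBE_TYPES.get(flags)


def detect_sweeps(packets, min_ports=5):
    """packets: iterable of (src_ip, dst_port, flags) tuples.
    Returns {(src_ip, scan_type): sorted distinct ports} for every source
    that probed at least min_ports distinct ports with a single probe type.
    A lone SYN is ordinary traffic; the threshold is what marks a sweep."""
    seen = defaultdict(set)
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            seen[(src, kind)].add(dport)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}


# Constructed sample: one host Null-scanning six ports, one host opening a
# single normal connection (SYN then ACK|PSH), one host sending two bare FINs.
SAMPLE = (
    [("10.0.0.5", p, 0) for p in (21, 22, 23, 25, 80, 443)]
    + [("10.0.0.9", 80, SYN), ("10.0.0.9", 80, ACK | PSH)]
    + [("10.0.0.7", 22, FIN), ("10.0.0.7", 80, FIN)]
)

if __name__ == "__main__":
    for (src, kind), ports in detect_sweeps(SAMPLE).items():
        print(f"{src}: {kind} scan of {len(ports)} ports {ports}")
```

Only the Null-scanning host crosses the threshold in the sample; the two bare FINs from the third host stay below it, which is the trade-off between catching the quiet FIN/Xmas/Null probes the man page mentions and alerting on every stray packet.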


This archive was generated by hypermail 2.1.2 : 11. Mar 2002 CET