stealth techniques – syn

Outsmart Malicious Hackers

Or half-open scanning technique is the first of three to come series about stealth scanning… The other two are Xmas/Fin/Null and idle/zombie scan techniques…

This is a series of three to come articles about stealth scanning, everything that I am going to present is hping oriented so if you want to learn this techniques you’d better get a copy of hping.
This method is invoked when you add nmap the -sS parameter… so let’s start…

3 Way Handshake
If you didn’t know a tcp connection is based on a method called the three way handshake, that goes like this:

[host] syn flagged packet ———> [destination] receives packet
[destination] syn-ack flagged packet ———> [host] receives packet
[host] ack flagged packet ———> [destination] receives packet [connection established]

This is the methodology of a TCP connection, just upon a successful execution of this section a real connection is done… You probably can see a weak point in this method, can’t you. For every sent packet the host (and destination) waits a period of time for the next packet. If you can send really fast spoofed syn packets you can DoS a target in no time, this is the oldest DoSing method ever known to man (and women) =)

Firstly let’s see what happens if we hit a closed port, try out the following command (and result after it):

As you can see on an unsuccessful port scan we get a Reset-Acknowledge , which tels us, as already mentioned, that we hit a closed port…
Now for the moment we all were waiting for:

As you can see we hit an open port… If you weren’t attentive till now a syn-ack flag means an open port, half-way connected…

Nowadays this method isn’t as stealthy as it was years ago, because now firewalls most often drop unwanted packets or sees them as pre-DoS syn packets…

More info about TCP ::
(first useful link that I have found with google)

Next >> Xmas/Fin/Null

Posted in: General Hacking, Hacking Tools, Linux Hacking, Network Hacking, Windows Hacking

, , , , , , , , , , , , , , ,

Recent in General Hacking:
- The Dyn DNS DDoS That Killed Half The Internet
- Fully Integrated Defense Operation (FIDO) – Automated Incident Response
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?

Related Posts:

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,175,656 views
- Hack Tools/Exploits - 637,910 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 441,015 views

5 Responses to stealth techniques – syn

  1. nTze June 12, 2007 at 10:07 am #

    Thanks for that post dude, very good idea :)
    Btw, did you mean “waiting”?

    “Now for the moment we all were [[ wainting ]] for:”

  2. backbone June 12, 2007 at 2:49 pm #

    yes, i did mean waiting =)…

  3. s1n June 13, 2007 at 12:00 pm #

    I recommend “scapy” as can be scripted and expanded on much easier:

  4. shadow June 14, 2007 at 5:54 pm #

    Why even waste time explaining the techniques for xmas, null, and fin scans? xmas scans = pulling the IDS/IPS fire alarm. Null = another IDS/IPS fire alarm. FIN scan = not gonna bypass any firewall worth a grain of salt, unless it was developed back during the Cold War. All three should be known for historical reasons though. IMHO, the only tcp based scanning techniques worth anything are full connection scans (extremely low and slow), and idle scanning with an intelligent script that can identify enough idle zombies to guarantee reliability. Syn scans used to be worth something however a high number of syn packets with no follow up creates a telltale sign of reconnaissance activity; so if you are really trying to be sneaky you might as well just do a full connect scan so it at least appears to be normal connection attempts that suffered from some application error. On the other hand if you’re not worried about stealth and just want a quick scan use a syn scan (much faster when since you don’t have to wait for 3-way handshake to complete.

  5. backbone June 15, 2007 at 9:36 am #

    in some cases you may be right shadow… but not everybody has an IDS/IPS… and believe me I infiltrated many hosts/website which haven’t got protection at all… why waste my time? well if you didn’t know darknet is based on the motto: “share your knowledge”… so then why not share it…