Or half-open scanning technique is the first of three to come series about stealth scanning… The other two are Xmas/Fin/Null and idle/zombie scan techniques…

Intro
This is a series of three to come articles about stealth scanning, everything that I am going to present is hping oriented so if you want to learn this techniques you’d better get a copy of hping.
This method is invoked when you add nmap the -sS parameter… so let’s start…

3 Way Handshake
If you didn’t know a tcp connection is based on a method called the three way handshake, that goes like this:

[host] syn flagged packet ———> [destination] receives packet
[destination] syn-ack flagged packet ———> [host] receives packet
[host] ack flagged packet ———> [destination] receives packet [connection established]

This is the methodology of a TCP connection, just upon a successful execution of this section a real connection is done… You probably can see a weak point in this method, can’t you. For every sent packet the host (and destination) waits a period of time for the next packet. If you can send really fast spoofed syn packets you can DoS a target in no time, this is the oldest DoSing method ever known to man (and women) =)

SYNner
Firstly let’s see what happens if we hit a closed port, try out the following command (and result after it):

C:\\>hping -p 81 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter -
Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0
data bytes

len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=0
win=0 rtt=70.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=1
win=0 rtt=20.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=2
win=0 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=3
win=0 rtt=40.0 ms

As you can see on an unsuccessful port scan we get a Reset-Acknowledge , which tels us, as already mentioned, that we hit a closed port…
Now for the moment we all were waiting for:

C:\\>hping -p 80 -S lx.ro
HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter -
Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0
data bytes

len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0
win=5840 rtt=30.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0
win=5840 rtt=0.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=1
win=5840 rtt=50.0 ms
len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0
win=5840 rtt=0.0 ms

As you can see we hit an open port… If you weren’t attentive till now a syn-ack flag means an open port, half-way connected…

Epilogue
Nowadays this method isn’t as stealthy as it was years ago, because now firewalls most often drop unwanted packets or sees them as pre-DoS syn packets…

More info about TCP :: www.rhyshaden.com
(first useful link that I have found with google)

Next >> Xmas/Fin/Null