stealth techniques – syn

The New Acunetix V12 Engine


Or half-open scanning technique is the first of three to come series about stealth scanning… The other two are Xmas/Fin/Null and idle/zombie scan techniques…

Intro
This is a series of three to come articles about stealth scanning, everything that I am going to present is hping oriented so if you want to learn this techniques you’d better get a copy of hping.
This method is invoked when you add nmap the -sS parameter… so let’s start…

3 Way Handshake
If you didn’t know a tcp connection is based on a method called the three way handshake, that goes like this:

[host] syn flagged packet ———> [destination] receives packet
[destination] syn-ack flagged packet ———> [host] receives packet
[host] ack flagged packet ———> [destination] receives packet [connection established]

This is the methodology of a TCP connection, just upon a successful execution of this section a real connection is done… You probably can see a weak point in this method, can’t you. For every sent packet the host (and destination) waits a period of time for the next packet. If you can send really fast spoofed syn packets you can DoS a target in no time, this is the oldest DoSing method ever known to man (and women) =)

SYNner
Firstly let’s see what happens if we hit a closed port, try out the following command (and result after it):

As you can see on an unsuccessful port scan we get a Reset-Acknowledge , which tels us, as already mentioned, that we hit a closed port…
Now for the moment we all were waiting for:

As you can see we hit an open port… If you weren’t attentive till now a syn-ack flag means an open port, half-way connected…

Epilogue
Nowadays this method isn’t as stealthy as it was years ago, because now firewalls most often drop unwanted packets or sees them as pre-DoS syn packets…

More info about TCP :: www.rhyshaden.com
(first useful link that I have found with google)

Next >> Xmas/Fin/Null

Posted in: Hacking News, Hacking Tools, Linux Hacking, Networking Hacking, Windows Hacking

, , , , ,


Latest Posts:


testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.


5 Responses to stealth techniques – syn

  1. nTze June 12, 2007 at 10:07 am #

    Thanks for that post dude, very good idea :)
    Btw, did you mean “waiting”?

    “Now for the moment we all were [[ wainting ]] for:”

  2. backbone June 12, 2007 at 2:49 pm #

    yes, i did mean waiting =)…

  3. s1n June 13, 2007 at 12:00 pm #

    I recommend “scapy” as can be scripted and expanded on much easier:

    http://www.google.co.uk/search?hl=en&q=scapy&btnG=Google+Search&meta=

  4. shadow June 14, 2007 at 5:54 pm #

    Why even waste time explaining the techniques for xmas, null, and fin scans? xmas scans = pulling the IDS/IPS fire alarm. Null = another IDS/IPS fire alarm. FIN scan = not gonna bypass any firewall worth a grain of salt, unless it was developed back during the Cold War. All three should be known for historical reasons though. IMHO, the only tcp based scanning techniques worth anything are full connection scans (extremely low and slow), and idle scanning with an intelligent script that can identify enough idle zombies to guarantee reliability. Syn scans used to be worth something however a high number of syn packets with no follow up creates a telltale sign of reconnaissance activity; so if you are really trying to be sneaky you might as well just do a full connect scan so it at least appears to be normal connection attempts that suffered from some application error. On the other hand if you’re not worried about stealth and just want a quick scan use a syn scan (much faster when since you don’t have to wait for 3-way handshake to complete.

  5. backbone June 15, 2007 at 9:36 am #

    in some cases you may be right shadow… but not everybody has an IDS/IPS… and believe me I infiltrated many hosts/website which haven’t got protection at all… why waste my time? well if you didn’t know darknet is based on the motto: “share your knowledge”… so then why not share it…