[ad]
Or half-open scanning technique is the first of three to come series about stealth scanning… The other two are Xmas/Fin/Null and idle/zombie scan techniques…
Intro
This is a series of three to come articles about stealth scanning, everything that I am going to present is hping oriented so if you want to learn this techniques you’d better get a copy of hping.
This method is invoked when you add nmap the -sS parameter… so let’s start…
3 Way Handshake
If you didn’t know a tcp connection is based on a method called the three way handshake, that goes like this:
[host] syn flagged packet ———> [destination] receives packet
[destination] syn-ack flagged packet ———> [host] receives packet
[host] ack flagged packet ———> [destination] receives packet [connection established]
This is the methodology of a TCP connection, just upon a successful execution of this section a real connection is done… You probably can see a weak point in this method, can’t you. For every sent packet the host (and destination) waits a period of time for the next packet. If you can send really fast spoofed syn packets you can DoS a target in no time, this is the oldest DoSing method ever known to man (and women) =)
SYNner
Firstly let’s see what happens if we hit a closed port, try out the following command (and result after it):
1 2 3 4 5 6 7 8 9 10 11 12 13 |
C:\\>hping -p 81 -S lx.ro HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter - Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0 data bytes len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=70.0 ms len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=1 win=0 rtt=20.0 ms len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=2 win=0 rtt=30.0 ms len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=81 flags=RA seq=3 win=0 rtt=40.0 ms |
As you can see on an unsuccessful port scan we get a Reset-Acknowledge , which tels us, as already mentioned, that we hit a closed port…
Now for the moment we all were waiting for:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
C:\\>hping -p 80 -S lx.ro HPING (XPSP2) lx.ro (SiS 900 PCI Fast Ethernet Adapter - Packet Scheduler Miniport 81.181.218.80): S set, 40 headers + 0 data bytes len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=30.0 ms len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.0 ms len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=50.0 ms len=46 ip=81.181.218.80 ttl=54 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.0 ms |
As you can see we hit an open port… If you weren’t attentive till now a syn-ack flag means an open port, half-way connected…
Epilogue
Nowadays this method isn’t as stealthy as it was years ago, because now firewalls most often drop unwanted packets or sees them as pre-DoS syn packets…
More info about TCP :: www.rhyshaden.com
(first useful link that I have found with google)
Next >> Xmas/Fin/Null
nTze says
Thanks for that post dude, very good idea :)
Btw, did you mean “waiting”?
“Now for the moment we all were [[ wainting ]] for:”
backbone says
yes, i did mean waiting =)…
s1n says
I recommend “scapy” as can be scripted and expanded on much easier:
http://www.google.co.uk/search?hl=en&q=scapy&btnG=Google+Search&meta=
shadow says
Why even waste time explaining the techniques for xmas, null, and fin scans? xmas scans = pulling the IDS/IPS fire alarm. Null = another IDS/IPS fire alarm. FIN scan = not gonna bypass any firewall worth a grain of salt, unless it was developed back during the Cold War. All three should be known for historical reasons though. IMHO, the only tcp based scanning techniques worth anything are full connection scans (extremely low and slow), and idle scanning with an intelligent script that can identify enough idle zombies to guarantee reliability. Syn scans used to be worth something however a high number of syn packets with no follow up creates a telltale sign of reconnaissance activity; so if you are really trying to be sneaky you might as well just do a full connect scan so it at least appears to be normal connection attempts that suffered from some application error. On the other hand if you’re not worried about stealth and just want a quick scan use a syn scan (much faster when since you don’t have to wait for 3-way handshake to complete.
backbone says
in some cases you may be right shadow… but not everybody has an IDS/IPS… and believe me I infiltrated many hosts/website which haven’t got protection at all… why waste my time? well if you didn’t know darknet is based on the motto: “share your knowledge”… so then why not share it…