Navigation



stealth techniques – syn

Last updated: September 9, 2015 | 10,061 views

Or half-open scanning technique is the first of three to come series about stealth scanning… The other two are Xmas/Fin/Null and idle/zombie scan techniques…

Intro
This is a series of three to come articles about stealth scanning, everything that I am going to present is hping oriented so if you want to learn this techniques you’d better get a copy of hping.
This method is invoked when you add nmap the -sS parameter… so let’s start…

3 Way Handshake
If you didn’t know a tcp connection is based on a method called the three way handshake, that goes like this:

[host] syn flagged packet ———> [destination] receives packet
[destination] syn-ack flagged packet ———> [host] receives packet
[host] ack flagged packet ———> [destination] receives packet [connection established]

This is the methodology of a TCP connection, just upon a successful execution of this section a real connection is done… You probably can see a weak point in this method, can’t you. For every sent packet the host (and destination) waits a period of time for the next packet. If you can send really fast spoofed syn packets you can DoS a target in no time, this is the oldest DoSing method ever known to man (and women) =)

SYNner
Firstly let’s see what happens if we hit a closed port, try out the following command (and result after it):

As you can see on an unsuccessful port scan we get a Reset-Acknowledge , which tels us, as already mentioned, that we hit a closed port…
Now for the moment we all were waiting for:

As you can see we hit an open port… If you weren’t attentive till now a syn-ack flag means an open port, half-way connected…

Epilogue
Nowadays this method isn’t as stealthy as it was years ago, because now firewalls most often drop unwanted packets or sees them as pre-DoS syn packets…

More info about TCP :: www.rhyshaden.com
(first useful link that I have found with google)

Next >> Xmas/Fin/Null

Share
Tweet
Share
Buffer
WhatsApp
Email
0 Shares
Posted in: Hacking News, Hacking Tools, Linux Hacking, Networking Hacking, Windows Hacking

, , , , ,


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
January 15, 2020 - 131 Shares
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
January 10, 2020 - 204 Shares
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
December 19, 2019 - 301 Shares
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
December 2, 2019 - 169 Shares
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
November 25, 2019 - 143 Shares
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
November 1, 2019 - 162 Shares


5 Responses to stealth techniques – syn

  1. nTze June 12, 2007 at 10:07 am #

    Thanks for that post dude, very good idea :)
    Btw, did you mean “waiting”?

    “Now for the moment we all were [[ wainting ]] for:”

  2. backbone June 12, 2007 at 2:49 pm #

    yes, i did mean waiting =)…

  3. s1n June 13, 2007 at 12:00 pm #

    I recommend “scapy” as can be scripted and expanded on much easier:

    http://www.google.co.uk/search?hl=en&q=scapy&btnG=Google+Search&meta=

  4. shadow June 14, 2007 at 5:54 pm #

    Why even waste time explaining the techniques for xmas, null, and fin scans? xmas scans = pulling the IDS/IPS fire alarm. Null = another IDS/IPS fire alarm. FIN scan = not gonna bypass any firewall worth a grain of salt, unless it was developed back during the Cold War. All three should be known for historical reasons though. IMHO, the only tcp based scanning techniques worth anything are full connection scans (extremely low and slow), and idle scanning with an intelligent script that can identify enough idle zombies to guarantee reliability. Syn scans used to be worth something however a high number of syn packets with no follow up creates a telltale sign of reconnaissance activity; so if you are really trying to be sneaky you might as well just do a full connect scan so it at least appears to be normal connection attempts that suffered from some application error. On the other hand if you’re not worried about stealth and just want a quick scan use a syn scan (much faster when since you don’t have to wait for 3-way handshake to complete.

  5. backbone June 15, 2007 at 9:36 am #

    in some cases you may be right shadow… but not everybody has an IDS/IPS… and believe me I infiltrated many hosts/website which haven’t got protection at all… why waste my time? well if you didn’t know darknet is based on the motto: “share your knowledge”… so then why not share it…