Nmap port scanning (MindCert study mind map, www.mindcert.com, one of their Cisco/CISSP/CEH exam revision maps)

Connect scan (nmap -sT <targetip>)
- Also known as a TCP connect scan or a vanilla scan; classified as an open scan
- A full connection is opened to the target using the three-way handshake: SYN, SYN/ACK, ACK
- Uses the operating system's normal connect() call, so it needs no special privileges; it is the default scan for a normal user
- Problems: easy to detect and easy to block, because the completed connection is logged by the target; the source cannot be spoofed, since the handshake has to finish
- Benefits: provides great information; the most reliable scan for determining port state

SYN scan (nmap -sS <targetip>)
- Differs from the full connect scan: the three-way handshake is not completed
- A SYN is sent; an open port answers SYN/ACK and the scanner immediately sends an RST to tear the connection down; a closed port answers with RST directly
- Known as the half-open scan because a connection is never established
- Problems: sophisticated IDS and firewalls can now detect it; admin/root access is required because the scanner has to build a custom IP packet on a raw socket instead of using connect()
- Benefits: harder to log, because the target never sees an established connection; it is the default scan for the root user

Stealth scans (SYN flag omitted)
- The SYN/ACK, FIN, NULL, XMAS and ACK scans form a group considered stealth scans
- All omit the SYN flag and all use inverse mapping: the probe is out of state for the target, so the port state is inferred from which ports answer with RST and which stay silent

SYN/ACK scan
- Operation: a SYN/ACK is sent to all ports without a preceding SYN
- Closed ports reply with an RST
- The map states that open ports do not reply; note that RFC 793 has a listening port answer an unexpected ACK with an RST as well, so on a compliant stack this probe behaves like the ACK scan below and cannot separate open from closed
- Packets dropped by inline devices can be incorrectly assumed to be open ports, so the scan can register large numbers of false positives

FIN scan (nmap -sF <targetip>)
- Operation: a FIN is sent to all ports; works like the SYN/ACK scan
- As per RFC 793, closed ports reply with an RST and open ports ignore the packet
- Exploits the behaviour of BSD-derived stacks; some machines are patched
- Does NOT work against Windows, whose stack answers every port with an RST

ACK scan (nmap -sA <targetip>)
- Operation: an ACK is sent; a port that is reachable (open or closed alike) replies with an RST
- Takes advantage of the IP routing function: a stateful filter or inline device drops the out-of-state ACK, so nothing comes back from a filtered port
- Shows the filtered state only; it does not show open or closed, and a filtered port must not be read as open
- An older variant deduces extra information from the TTL of the returned RSTs (the map's rule is "any TTL value less than 64 is filtered"); this depends on old stack behaviour and is not reliable today
- Works on most UNIX machines

NULL scan (nmap -sN <targetip>)
- A packet is sent with NO flags set; a stealth scan
- The map says RFC 793 does not cover how to respond; RFC 793 actually says a closed port responds with an RST and an open port drops the packet, but not every stack follows it
- Most UNIX machines respond with an RST from closed ports; Windows machines act differently and send RST from every port
- Does NOT work against Windows

XMAS scan (nmap -sX <targetip>)
- FIN, URG and PSH flags are set (the map also lists SYN; Nmap's Xmas scan lights FIN, PSH and URG), giving the packet an ornamental look, hence the name
- Operation: a closed port sends an RST, an open port ignores the packet; works on UNIX
- Does NOT work against Windows

Using the stealth scans for OS detection
- FIN, NULL and XMAS scans show no open ports against a host where the SYN scan shows open ports: the host is probably a Windows machine
- A good way of OS detecting without the full fingerprinting engine

Other scans
- Idle scan: nmap -sI <zombie> <targetip> (the map shows only <targetip>; the option takes the zombie host first)
- Window scan: nmap -sW <targetip>
- RPC scan: nmap -sR <targetip> (older Nmap; now part of version detection)
- UDP scan: nmap -sU <targetip>
- ICMP scan/sweep: nmap -sP <targetip's>, nmap -sP 172.16.0.0/16, nmap -sP 172.14.1.0-255 (-sP is spelled -sn in current Nmap)

Default scans
- Root user: SYN scan (nmap -sS), because it needs raw sockets
- Normal user: connect scan (nmap -sT)

Nmap, the tool
- The best port scanning tool for network mapping and scanning
- Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers and other obstacles
- Features: TCP port scanning, UDP scanning, OS detection, ping sweeps
- Obtaining Nmap: can be downloaded from www.insecure.org (now nmap.org); documentation and an install guide are published there
- Originally UNIX only but now supported on Linux, Windows, MAC OSX, Sun Solaris and Amiga
- Also now has GUIs for Windows, MAC OSX and Linux

Other features
- Spoofing (-S): spoof the source IP, e.g. nmap -S 172.18.1.1 <targetip>; replies then go to the spoofed address, so this suits decoy and blind scans rather than result gathering
- Decoy (-D): spoofed scans from decoy machines, with the actual scan injected in between; the more decoys used, the better the cover
- Fragmentation (-f): splits the TCP header into small fragments; may cause abnormal results due to reassembly; some firewalls block fragments; noted for Linux on the map
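The stealth scans above come down to putting particular flags in a hand-built TCP header and reading the reply. The following is an added example, not code from the MindCert map or from Nmap: it builds the raw probe for each scan type with a valid checksum, parses a captured reply, and applies the RFC 793 rules (including the ACK-scan and Windows caveats noted above). Sending the segment needs a raw socket, which is why these scans require root; the script only constructs and parses bytes, so it runs offline. Addresses and ports are made-up sample values.

```python
"""Added example (not from the MindCert map or from Nmap): build the raw TCP
segments that the SYN, FIN, NULL, XMAS and ACK scans send, and work out the
port state from the reply.  Crafting your own TCP header is why these scans
need root (a raw socket); this script only builds and parses bytes, so it
runs offline.  Addresses and ports used in the tests are constructed values."""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type puts in its probe (-sS, -sF, -sN, -sX, -sA).
PROBE_FLAGS = {"syn": SYN, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG, "ack": ACK}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, zero-padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # The TCP checksum also covers this IPv4 pseudo-header (RFC 793 section 3.1).
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_probe(src_ip, dst_ip, sport, dport, scan, seq=0x1234, window=1024) -> bytes:
    """20-byte TCP header (no options) carrying the flags for `scan` and a valid checksum."""
    flags = PROBE_FLAGS[scan]
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, window, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]  # checksum sits at offset 16


def verify_tcp_checksum(src_ip, dst_ip, segment: bytes) -> bool:
    """With a correct checksum in place, the sum over pseudo-header + segment comes out as zero."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp(segment: bytes) -> dict:
    """Pull the fields a scanner needs out of a captured TCP header."""
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "flags": flags, "window": window, "hlen": (off_res >> 4) * 4}


def classify(scan: str, reply_flags=None, icmp_unreachable: bool = False) -> str:
    """Port state Nmap reports for one probe and its reply (reply_flags=None means silence)."""
    if icmp_unreachable:
        return "filtered"
    if scan == "syn":
        if reply_flags is None:
            return "filtered"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        if reply_flags & RST:
            return "closed"
    elif scan == "ack":
        # RFC 793: open and closed ports both RST an unexpected ACK, so only filtered/unfiltered is learned.
        return "unfiltered" if reply_flags is not None and reply_flags & RST else "filtered"
    else:  # fin / null / xmas: RFC 793 says closed -> RST, open -> silence
        if reply_flags is None:
            return "open|filtered"
        if reply_flags & RST:
            return "closed"
    return "unknown"


def probably_windows(syn_states: dict, stealth_states: dict) -> bool:
    """The map's OS hint: the SYN scan finds open ports but FIN/NULL/XMAS report every port
    closed, because Windows answers all of those probes with RST regardless of state."""
    return "open" in syn_states.values() and all(s == "closed" for s in stealth_states.values())
```

To actually send `build_tcp_probe(...)` you would open `socket.socket(AF_INET, SOCK_RAW, IPPROTO_TCP)` as root and let the kernel prepend the IP header; the response classification is the same whether the reply comes from a raw socket or a pcap capture.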

ICMP ping sweeps (nmap -sP <range>; -sn in current Nmap)
- Echo sweeps: detect hosts based upon ICMP echo requests and the echo replies they return
- Not really a port scan; used to map out networks

Inverse mapping scan
- One of the first stealth scans; uses customised flags (out-of-state packets rather than a SYN)
- Whether the machine is alive is indicated by the absence of a response: the router answers for an unused address with an ICMP unreachable, while a live host quietly drops or resets the probe
Ident scanning (IDENT, TCP port 113)
- Queries the identd service on the target for the owner of each running service it has connected to
- UNIX only, and it needs a full connection to each port, so it only adds information to a connect scan

FTP bounce (Misc)
- Uses FTP servers, ideally one where you have read/write access to a directory
- Connect to the FTP server, then use the PORT command to try to make it initiate outbound data connections to the target's ports
- Often scripted (Nmap's -b option automates the bounce)
- Responses: 150 (about to open data connection) means the target port is open; 425 (can't open data connection; the map prints 225) means it is closed
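The bounce itself is a short exchange on the FTP control connection. As an added example that is not part of the MindCert map or of Nmap, the following encodes the PORT argument, interprets the reply codes, and drives the exchange against a stand-in server object so it runs offline; the server's behaviour, the addresses and the set of "open" ports are constructed for the demonstration.

```python
"""Added example (not from the MindCert map or from Nmap): the FTP bounce
exchange.  FakeFtpServer is a constructed stand-in for a bounce-able server so
the script runs offline; against a real server the same command strings go
over the control connection."""


def port_command(ip: str, port: int) -> str:
    """Encode the target for PORT as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (RFC 959)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    if not 0 < port < 65536:
        raise ValueError("bad port: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)


def bounce_state(reply: str) -> str:
    """Map the server's reply to the data-connection attempt onto a port state."""
    code = reply[:3]
    if code in ("150", "226"):   # data connection opened: the target port accepted the connect
        return "open"
    if code == "425":            # "Can't open data connection": the target refused
        return "closed"
    if code in ("500", "501", "503", "504"):  # server rejects PORT to a third host: no bounce
        return "bounce-refused"
    return "unknown"


class FakeFtpServer:
    """Constructed stand-in: accepts PORT to any host (unless allow_third_party is False)
    and on LIST "connects" to it; open_ports is the pretend view of the target."""

    def __init__(self, open_ports, allow_third_party=True):
        self.open_ports = set(open_ports)
        self.allow_third_party = allow_third_party
        self.data_target = None

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "PORT":
            h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
            if not self.allow_third_party:
                return "500 Illegal PORT command."
            self.data_target = ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)
            return "200 PORT command successful."
        if verb == "LIST":
            if self.data_target is None:
                return "425 Use PORT or PASV first."
            if self.data_target[1] in self.open_ports:
                return "150 Opening ASCII mode data connection for file list."
            return "425 Can't build data connection: Connection refused."
        return "502 Command not implemented."


def bounce_scan(server, target_ip: str, ports) -> dict:
    """For each port: PORT <target,port>, then LIST, and read the server's verdict."""
    results = {}
    for port in ports:
        reply = server.command(port_command(target_ip, port))
        if not reply.startswith("200"):
            results[port] = bounce_state(reply)
            continue
        results[port] = bounce_state(server.command("LIST"))
    return results
```

Modern FTP daemons answer the PORT with a 500-series code when the address is not the client's own, which is why the scan rarely works today; the `bounce-refused` state captures that case so it is not mistaken for a closed target port.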
UDP scan (nmap -sU <targetip>)
- UDP has no connection, so there is no three-way handshake to observe
- Operation: a zero-byte UDP packet is sent to the target port
- Open port: does not respond (Nmap reports open|filtered, because a dropped probe looks exactly the same)
- Closed port: replies with an ICMP port unreachable (type 3, code 3; the map says host unreachable, which is a different code and indicates filtering rather than a closed port)
- ICMP can be rate limited by the target, so unanswered ports stay ambiguous and large UDP scans are slow
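Reading the ICMP answer correctly is the whole trick of the UDP scan: the error quotes the offending datagram, and only a port-unreachable that quotes our own probe may be counted as "closed". The following is an added example, not code from the MindCert map or from Nmap, showing the probe, a constructed ICMP error as a host would emit it, and the attribution and state logic; no network is used.

```python
"""Added example (not from the MindCert map or from Nmap): how a UDP scan
reads the ICMP answer.  The packets built here stand in for what a raw
socket would receive; no network is used.  Addresses and ports in the tests
are constructed values."""
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3
# Other destination-unreachable codes (host/net/admin prohibited, ...) mean a filter, not a closed port.
FILTER_CODES = {1, 2, 9, 10, 13}


def build_udp_probe(sport: int, dport: int) -> bytes:
    """Zero-byte UDP probe: header only, length 8, checksum 0 (the UDP checksum is optional in IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def build_ipv4_header(src_ip, dst_ip, proto, payload_len) -> bytes:
    """Minimal IPv4 header used for the quoted-datagram part of the sample (header checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))


def build_icmp_unreachable(code, quoted_ip_header, quoted_l4) -> bytes:
    """ICMP type 3 as a host emits it: 8-byte header, then the offending IP header plus
    the first 8 bytes of its payload (checksum left 0 in this constructed sample)."""
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted_ip_header + quoted_l4[:8]


def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Recover which probe an ICMP error refers to from the datagram it quotes."""
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", pkt[:8])
    ip = pkt[8:]
    ihl = (ip[0] & 0x0F) * 4          # quoted IP header may carry options
    proto = ip[9]
    dst = socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"type": icmp_type, "code": code, "proto": proto, "dst": dst, "sport": sport, "dport": dport}


def udp_port_state(target_ip, sport, dport, responses) -> str:
    """responses: list of ("udp", payload) or ("icmp", packet) seen after the probe went out."""
    for kind, data in responses:
        if kind == "udp":
            return "open"                 # the service answered the empty datagram
        info = parse_icmp_unreachable(data)
        # Only count errors that quote our own probe; unrelated ICMP traffic must not be attributed.
        if (info["type"] != ICMP_DEST_UNREACH or info["proto"] != socket.IPPROTO_UDP
                or info["dst"] != target_ip or info["sport"] != sport or info["dport"] != dport):
            continue
        if info["code"] == ICMP_PORT_UNREACH:
            return "closed"
        if info["code"] in FILTER_CODES:
            return "filtered"
    # Silence: either open with a service that had nothing to say, or the probe or reply was
    # dropped (ICMP rate limiting included), so the honest answer is open|filtered.
    return "open|filtered"
```

Because Linux targets limit destination-unreachable messages to roughly one per second by default, a scanner has to retransmit unanswered probes and pace itself to the observed ICMP rate; Nmap does both, which is why a full 65535-port UDP scan of a Linux host takes hours rather than seconds.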