The Architecture of Windows Computers
Scanning
- One of the most basic methods of identifying active machines is to perform a ping sweep. Ping is found on just about every system running TCP/IP. Although many networks have restricted ping, it is an effective tool if available. Ping uses ICMP and works by sending an echo request to a system and waiting for the target to send an echo reply back.
- Port scanning is the process of connecting to TCP and UDP ports for the purpose of finding what target device services and applications are open.
Table FF.2. Common Port Numbers

| Port | Service | Protocol |
|---|---|---|
| 20/21 | FTP | TCP |
| 22 | SSH | TCP |
| 23 | Telnet | TCP |
| 25 | SMTP | TCP |
| 53 | DNS | TCP/UDP |
| 69 | TFTP | UDP |
| 80 | HTTP | TCP |
| 110 | POP3 | TCP |
| 135 | RPC | TCP |
| 161/162 | SNMP | UDP |
| 1433/1434 | MSSQL | TCP |
Table FF.3. TCP Flags

| Flag | Purpose |
|---|---|
| SYN | Synchronize sequence number |
| ACK | Acknowledgement of sequence number |
| FIN | Final data flag used during the 4-step shutdown |
| RST | Reset bit used to close an abnormal connection |
| PSH | Push data bit used to signal that data in this packet should be pushed to the beginning of the queue |
| URG | Urgent data bit used to signify that urgent control characters are in this packet that should have priority |
- TCP Connect scan: This type of scan is the most reliable but also the most detectable. It is easily logged and detected since a full connection is established. Open ports reply with a SYN/ACK, whereas closed ports respond with a RST/ACK.
- TCP SYN scan: This type of scan is known as half open because a full TCP connection is not established. This type of scan was originally developed to be stealthy and evade IDS systems, although most now detect it. Open ports reply with a SYN/ACK, whereas closed ports respond with a RST/ACK.
- TCP FIN scan: Forget trying to set up a connection; this technique jumps straight to the shutdown. This type of scan sends a FIN packet to the target port. Closed ports should send back a RST.
- TCP NULL scan: Sure, there should be some type of flag in the packet, but a NULL scan sends a packet with no flags set. If the OS has implemented TCP per RFC 793, closed ports will return a RST.
- TCP ACK scan: This scan attempts to determine access control list (ACL) rule sets or identify whether stateless inspection is being used. If an ICMP destination unreachable (communication administratively prohibited) message is returned, the port is considered to be filtered.
- TCP XMAS scan: A port scan that has toggled on the FIN, URG, and PSH flags. Closed ports should return a RST.
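The flag table and the scan list above describe the same thing from two sides: which flag bits a probe carries, and what reply each port state produces. The following added example (not code from the original page) puts both into a small detector. It decodes the raw flags byte of a TCP header into names from Table FF.3, recognises the probe types listed above (SYN, FIN, NULL, XMAS, ACK), infers the port state from the reply using the page's rules, and then summarises per source address which probe types were seen. The `Probe` records are constructed sample data, and the "suspicious" rule (flag combinations that never occur in normal traffic, or many distinct ports probed) is an assumption about what a defender would want to alert on.

```python
# Added example: decode TCP flags, classify probe types and infer port state.
# Not part of the original page; all packet records below are constructed.
from collections import defaultdict
from typing import NamedTuple, Optional

# Bit values of the TCP flags byte (RFC 793 layout, low bit first).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_names(flags: int) -> set:
    """Decode a raw flags byte into the set of flag names that are set."""
    return {name for name, bit in FLAG_BITS.items() if flags & bit}


class Probe(NamedTuple):
    src: str
    dst: str
    dport: int
    sent_flags: int                 # flags on the probe packet
    reply_flags: Optional[int]      # flags on the reply, None if no reply was seen
    icmp_admin_prohibited: bool = False  # ICMP type 3 code 13 seen instead of a TCP reply


def scan_type(sent: set) -> str:
    """Map the probe's flag set to the scan types described on the page."""
    if not sent:
        return "NULL"
    if sent == {"FIN"}:
        return "FIN"
    if sent == {"FIN", "PSH", "URG"}:
        return "XMAS"
    if sent == {"SYN"}:
        return "SYN"
    if sent == {"ACK"}:
        return "ACK"
    return "other"


def infer_port_state(probe: Probe) -> str:
    """Apply the page's reply rules for each scan type to one probe/reply pair."""
    kind = scan_type(flag_names(probe.sent_flags))
    reply = flag_names(probe.reply_flags) if probe.reply_flags is not None else None
    if probe.icmp_admin_prohibited:
        return "filtered"          # ACL or firewall answered instead of the host
    if kind == "SYN":
        if reply == {"SYN", "ACK"}:
            return "open"
        if reply == {"RST", "ACK"}:
            return "closed"
        return "filtered"          # no reply at all: something dropped the SYN
    if kind in ("FIN", "NULL", "XMAS"):
        if reply and "RST" in reply:
            return "closed"        # RFC 793 behaviour for a closed port
        return "open|filtered"     # silence cannot distinguish open from filtered
    if kind == "ACK":
        if reply and "RST" in reply:
            return "unfiltered"    # the probe reached the host; says nothing about open
        return "filtered"
    return "unknown"


# Assumed detector rule: these flag combinations never appear in legitimate traffic.
ANOMALOUS_TYPES = {"NULL", "FIN", "XMAS"}
PORT_THRESHOLD = 3  # assumed: this many distinct ports from one source looks like a sweep


def summarize(probes) -> dict:
    """Group probes by source and flag sources that look like scanners."""
    by_src = defaultdict(lambda: {"types": set(), "ports": set()})
    for p in probes:
        entry = by_src[p.src]
        entry["types"].add(scan_type(flag_names(p.sent_flags)))
        entry["ports"].add(p.dport)
    result = {}
    for src, entry in by_src.items():
        suspicious = bool(entry["types"] & ANOMALOUS_TYPES) or len(entry["ports"]) >= PORT_THRESHOLD
        result[src] = {"types": sorted(entry["types"]), "ports": len(entry["ports"]), "suspicious": suspicious}
    return result


# Constructed sample traffic against one host (10.0.0.20), three different sources.
SAMPLE = [
    Probe("10.0.0.5", "10.0.0.20", 22, 0x02, 0x12),          # SYN  -> SYN/ACK : open
    Probe("10.0.0.5", "10.0.0.20", 23, 0x02, 0x14),          # SYN  -> RST/ACK : closed
    Probe("10.0.0.5", "10.0.0.20", 80, 0x02, None),          # SYN  -> silence : filtered
    Probe("10.0.0.7", "10.0.0.20", 25, 0x00, 0x04),          # NULL -> RST     : closed
    Probe("10.0.0.7", "10.0.0.20", 53, 0x29, None),          # XMAS -> silence : open|filtered
    Probe("10.0.0.9", "10.0.0.20", 135, 0x10, 0x04),         # ACK  -> RST     : unfiltered
    Probe("10.0.0.9", "10.0.0.20", 1433, 0x10, None, True),  # ACK  -> ICMP 3/13: filtered
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.src, p.dport, scan_type(flag_names(p.sent_flags)), infer_port_state(p))
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

Two points worth keeping in mind when using the reply rules in a detector: the "open|filtered" result for FIN, NULL and XMAS probes is inherent, because silence from a dropped packet and silence from an RFC-compliant open port look identical; and Windows TCP/IP does not follow RFC 793 here, it answers these probes with a RST whether the port is open or closed, so on Windows hosts those three scan types yield no state information at all, while the unusual flag combinations themselves remain an easy signature to alert on.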
Enumeration