Port Scanning
  Target Verification
    Active Scans
      Ping
        ICMP messages used to determine whether the target is alive:
          Echo Request
          Echo Reply
        Initial request: set the ICMP Type field to "8" (Echo Request) and send it
        If the target system is alive => it returns a datagram with Type "0" (Echo Reply)
        Results are not always accurate => many hosts and firewalls drop ICMP as protection against random scans
        nmap -sP 192.168.1.123
          sends an ICMP echo request
          and a TCP ACK packet (a reply to either marks the host as alive)
        nmap -sP 192.168.1.0/24  (ping sweep of a whole /24; -sP is the older spelling of -sn in current nmap)
    Passive Scans
  UDP Scanning
    Disadvantages
      slow when compared to TCP scans
      most exploitable applications use TCP
    Possible results returned (UDP scan)
      Open: the existence of an active UDP port (a UDP response was received)
      Open/filtered: no response was received
      Closed: an ICMP "port unreachable" message was returned
      Filtered: an ICMP unreachable message other than "port unreachable" was returned
    If OPEN or CLOSED => the target is ALIVE
    If OPEN/FILTERED or FILTERED => an IPS or firewall is intercepting => we need to adjust our attack
    UDP scans are not something most firewall administrators think about
  TCP Scanning
    TCP Connect Scan (-sT)
      most reliable method of determining port activity
      completes the full three-way TCP handshake
      may be noticed by IDSes
      advantage: we will know for certain whether an application is truly present or not
    TCP SYN Stealth Scan (-sS)
      creates a half-open connection (SYN sent, SYN/ACK received, then RST instead of the final ACK)
      this might help against IDSes
      advantage: speed
  Perimeter Avoidance Scanning
    ACK Scan (-sA)
      sends an ACK to the target system
      a stateless firewall will assume the packet belongs to a communication channel that already exists and let it through
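As an added example (not part of these notes), the Python sketch below shows how an IDS-style rule can tell the connect, half-open and bare-ACK probes described above apart from the handshake each one leaves behind; the packet records and addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample packets, not captured traffic: (src, dst, port, tcp_flags),
# where port is the scanned port and flags use S=SYN, A=ACK, R=RST.
PACKETS = [
    # port 22: full three-way handshake, then a reset -> connect (-sT) style
    ("10.0.0.5", "10.0.0.9", 22, "S"), ("10.0.0.9", "10.0.0.5", 22, "SA"),
    ("10.0.0.5", "10.0.0.9", 22, "A"), ("10.0.0.5", "10.0.0.9", 22, "R"),
    # port 80: SYN, SYN/ACK, then RST instead of ACK  -> half-open (-sS) style
    ("10.0.0.5", "10.0.0.9", 80, "S"), ("10.0.0.9", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "10.0.0.9", 80, "R"),
    # port 443: bare ACK with no SYN ever seen, host answers RST -> ACK (-sA) style
    ("10.0.0.5", "10.0.0.9", 443, "A"), ("10.0.0.9", "10.0.0.5", 443, "R"),
    # port 25: SYN answered by RST/ACK -> closed port
    ("10.0.0.5", "10.0.0.9", 25, "S"), ("10.0.0.9", "10.0.0.5", 25, "RA"),
    # port 8080: SYN with no answer at all -> dropped by a filter
    ("10.0.0.5", "10.0.0.9", 8080, "S"),
]


def classify_probes(packets):
    """Group packets into (scanner, target, port) flows and label each flow."""
    flows = defaultdict(list)  # flow key -> [(sender, flags), ...] in arrival order
    for src, dst, port, flags in packets:
        # A packet whose reverse key already exists is a reply in that flow;
        # otherwise the sender is the side that opened the flow (the scanner).
        key = (dst, src, port) if (dst, src, port) in flows else (src, dst, port)
        flows[key].append((src, flags))
    labels = {}
    for (scanner, target, port), pkts in flows.items():
        sent = [f for who, f in pkts if who == scanner]
        got = [f for who, f in pkts if who == target]
        if sent[0] == "A":
            labels[(scanner, target, port)] = "bare_ack"    # no handshake preceded the ACK
        elif "SA" not in got:
            labels[(scanner, target, port)] = "refused" if "RA" in got else "no_response"
        elif "A" in sent:
            labels[(scanner, target, port)] = "connect"     # handshake completed
        else:
            labels[(scanner, target, port)] = "half_open"   # SYN/ACK answered with RST
    return labels


def suspicious_scanners(packets, min_ports=3):
    """Flag (source, target) pairs that probe at least min_ports distinct ports."""
    probed = defaultdict(set)
    for scanner, target, port in classify_probes(packets):
        probed[(scanner, target)].add(port)
    return {k: sorted(v) for k, v in probed.items() if len(v) >= min_ports}
```

A real detector would add a time window and per-source thresholds; the half-open and bare-ACK labels are what separate the -sS and -sA probes from ordinary client traffic.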