Professional Documents
Culture Documents
Abstract*
his paper reports the most important tech-
T niques used by TCP port scanners. TCP port
scanners are specialized programs used to de-
termine what TCP ports of a host have processes
Stealth scanners are based on the use of FIN seg-
ments. The idea is that in most implementations,
closed TCP ports reply to a FIN segment with a
RST, while open ports usually discard the segment
listening on them for possible connections. Since with no reply at all. Indirect scanning, as will be ex-
these ports characterize, in part, the amount of expo- plained, is realized with the (usually involuntary)
sure of the hosts to potential external attacks, know- help of a spoofed host.
ing their existence is a fundamental matter for net- In the next section several scanning techniques de-
work and/or security administrators. Moreover, as
veloped to bypass firewalls analysis and/or filtering
scanners are also used by hackers, administrators are discussed. We first explain the use of IP frag-
need to know how they work and what possible mentation to split up the TCP header of a SYN or
weakness they exploit to be able to prevent unwanted FIN probe over several packets. Then decoy scan-
scanning or at least to record each scanning attempt. ning is presented and finally several forms of coor-
dinated scanning are analyzed.
Keywords: TCP/IP, UDP, Three-way Handshake, The fifth section is dedicated to examine the basics
SYN Scanning, FIN Scanning, Stealth Scanning, of UDP scanning.
Indirect Scanning, Decoy Scanning, Fingerprinting, The sixth section presents several forms of scanning
and Coordinated Scanning. related to specific application level protocols. Usu-
ally these scanners exploit weak and/or faulty im-
Introduction. plementations as well as permissive features. The
ident (or reverse ident) scanning is explained as well
In the first section we review the TCP connection as the proxy based scanning approach.
establishment process (often called the three-way In the last section, additional scanning techniques
handshake), and discuss some implementation de- are reviewed. Scanning tools not based only on TCP
tails that are relevant to the design of scanner pro- port abstraction or designed mainly for security
grams. scanning are considered (e.g., SATAN). Also the
Next, classical scanners (full TCP connection) are use of scanners for stack fingerprinting is analyzed.
reviewed as well as the so-called SYN (or "half Stack fingerprinting solves the problem of operating
open") scanners. systems identification in a unique way, by probing a
A third section is devoted to study indirect and host's TCP and comparing the answer (or the lack of
stealth scanning; techniques developed to conceal answer) against the results expected from known op-
scanning attacks and/or their origin. erating systems TCPflP stacks.
i
user (even under multi-user systems) since, usually, drops the segment and sends back a RST. Otherwise,
no special privileges are needed. when a FIN segment arrives for a listening port, it is
This scanning method is easily detectable (logs will simply dropped (no RST sent).
report a rapid sequence of connections and error). Xmas Tree, and Null scan modes [9] are just varia-
Monitoring programs like Courtney, Gabriel, and tions of the preceding one based on the fact that
TCP Wrappers [7] are usually employed for detec- "FIN behavior" (closed port = RST, listening port =
tion. Besides, since wrappers also provide some dropped) can also be seen with the PSH and URG
control over incoming requests, they can be used to flags, with a TCP segment with no flags, and with
(try to) prevent full connection scanning originating all the combinations of FINIPSHIURG. The Xmas
from known hosts. Tree scan turns on the FIN, URG, and PUSH flags.
The Null scan turns off all flags. These combinations
TCP SYN Scanning: are supposed to eventually bypass certain filters like
In this technique, the scanning host performs the the so-called FIN FLAG detectors.
equivalent of an active open by sending a SYN seg- Stealth scanning usually works with UNIX targets
ment to a selected port on the target machine. If the except for those few systems (including Cisco, BSDI,
answer is a RST then the port is closed and, if HP/UX, MVS, and IRIX) that send resets when they
scheduled, a different port is probed; else, if a should just drop the packet. The method however
SYNIACK segment is received, it means that the fails with systems running Windows95/NT since
target port is indeed listening. Since this information they always send back a RST whether the probed
is all the scanning host needs to know, a RST is sent port is open or closed.
back to the target to break the connection establish- As in the case of SYN scanners, the IP packets must
ment. Observe that since under SYN scanning not still be custom built.
full connections are ever established, this technique
is frequently known as half-open scanning. The Indirect Scannimz:
main advantage of SYN scanning resides on the fact A very interesting technique for anonymous scan-
that even if this method can still be detected by cer- ning was recently proposed in [10]. The idea is to
lain loggers (e.g., tcplogger), SYN connection at- use the (spoofed) IP address of a third host to dis-
tempts are logged less frequently than full connec- guise the real scanning system. Since the scanned
tions. The trade-off is that the sender, under most host will react by sending or not certain segments to
operating systems, needs to custom build the entire the spoofed host, all that is needed is to monitor the
IP packet for this kind of scanning, and usually su- IP activity of the spoofed host to know the results of
per-user or privileged group access to special system the original scan. This form of indirect scanning is
calls is needed to build these custom SYN packets called by the author "dumb host scan" and works as
[8]. follows:
Suppose that the three participating hosts are Scan-
Both options (SYN and full connection scanning) as ner, Silent, and Target. The roles of Scanner and
well as almost all the techniques discussed in this Target are obvious. Silent is a very particular host
paper are implemented in nmap [9], a very powerful that must not send any packets while Scanner is
and comprehensive TCP port scanner. scanning Target (except for the ones related to the
scan). The author suggests as candidates for Silent,
3. Stealth and Indirect Scanning. any of the reachable "zero traffic" hosts that can be
found at "night" in the Internet. Finally, all the in-
volved TCP implementations must be well behaved
Stealth (FIN, Xmas Tree, Null) scan techniques: (i.e., following the general rules listed in section 1).
Stealth scanning was first proposed in [8]. Since this Scanner starts the process by sending probes to
technique does not consist of any part of the standard Silent (e.g., ICMP echo requests) in order to monitor
TCP three-way handshake, it is very difficult to log the identification values contained in the IP headers
and thus more clandestine that SYN scanning. Be- of the replies (from now on we will call this value
sides, FIN segments may be able to pass through IP-id). Since Silent is not exchanging packets with
packet filters watching only for SYNs. any other host, each of its successive replies to
The stealth scan technique uses FIN segments to Scanner will show an IP-id increment of 1.
probe ports. As explained in section 1, when a FIN
segment arrives for a closed port, the receiving TCP
i
Since any new fingerprint is easily added in the form References.
of templates, NMAP fingerprints database is con-
stantly increasing, and the number of Operating [1] W.R. Stevens, TCP/IP Illustrated,
Systems that can be flawlessly identified has become Vol. 1. Addison-Wesley, 1994.
very large.
The technique used by scanners to remotely detect [2] W.R. Stevens, TCP/IP Blustrated,
OS is known as (TCP/IP) stack fingerprinting. Vol. 2. Addison-Wesley, 1995.
In [23] Commer and Lin introduced a technique
called active probing. Active probing treats a TCP
[3] Daemon9, Project Neptune.
implementation as a black box, and uses a set of pro- Phrack Magazine, Issue 48, 1996.
cedures to probe the black box. By studying the way
TCP responds to the probes, several characteristics RFC 793, TRANSMISSION CONTROL
of the implementation can be deduced. TCP/IP stack [4]
PROTOCOL, PROTOCOL
fingerprinting is a variant of active probing that ap-
SPECIFICATION, pp. 64.
plies to the whole TCP]IP implementation (stack) of
an OS. Stack fingerprinting uses several techniques [5]
L. Granquist, Port 0 Scanning,
(see bellow) to detect the presence of subtle differ-
Bugtraq mailing list archives, 8 Jul 1998.
ences in the TCP/IP stack of the OS of a scanned
machine. This information is then used to create a
D. Comer, Internetworking with TCP/IP
fingerprint, which is compared with a collection of [6]
Vol. 3, Second Edition. Prentice Hall, 1996.
known fingerprints to identify the scanned system.
The stack fingerprinting methodology includes a
considerable amount of techniques. The following is [7] D. Atkins et al., lnternet Security,
Second Edition. New Riders, 1997, pp. 413.
a list of the most relevant ones to date:
[16] RFC 1413, Identification Protocol. [23] D. Commer, J.C.Lin, Probing TCP
Implementations. Department of Computer
[171 RFC 959, FILE TRANSFER Sciences, PUrdue University, 1994.
PROTOCOL (zrP).
[24] Fyodor, Remote OS detection via
[181 The FTP Bounce Attack, TCP/IP Stack FingerPrinting. Phrack
ftp://avian.org/random/ftp-attack. Magazine, Volume 8, Issue 54, Dec 25th,
1998. <fyodor@dhp.com>.
[19] Anonymus, Maximum Security,
Second Ed., SAMS, 1998, pp. 174-202.