SCAN is the foundation of all invasions, and there are many detection tools for the host, such as the famous NMAP. I don't have any fresh technology here, I am some old things, even the Phrack documentation of the reference is even the old document of 96 years, I just picking up my wife.
The most basic probe is ping, but now the basic personal firewall is constrained to ping, which is too basic. If you get the most ideal target map through the firewall, it is also a problem that many people think about the whole day.
First, advanced ICMP scanning technology
Ping is to take advantage of the ICMP protocol. We are mainly used here to use the ICMP protocol. The most basic use: error, according to the network protocol, if an error occurs according to the protocol, the receiving end will generate an ICMP error message. These error messages are not actively sent, but due to errors, it is automatically generated according to the protocol.
When the IP datagram is incorrect, the target host will abandon this datagram. If it is Checksum error, the router will discard this data directly. Some hosts such as AIX, HP-UX, etc., are not to send ICMP unreachable datagrams.
We use these features:
1. Send a IP packet with only IP headers to the target host, and the target will return the ICMP error message for Destination Unreachable.
2. Send a bad IP datagram to the target host, for example, the incorrect IP header length, the target host will return Parameter Problem ICMP error packets.
3, when the data package is divided, but there is no fragmentation that is sufficient to receive the receiving end, and the receiving end fragment assembly timeout will send a slice assembly timeout ICMP data report.
Send an IP datagram to the target host, but the protocol item is incorrect, such as the protocol item is not available, then the target will return the Destination Unreachable ICMP packet, but if it is a firewall or a firewall or one other filter device before the target host. It is possible to filter out the request, thereby receiving any response. A very large protocol number can be used as the protocol content of the IP header, and this protocol number is at least not used today, and the host will definitely return unreachable, if there is no unreachable ICMP datagram returns an error prompt, then explain Filtered by a firewall or other device, we can also use this approach to detect whether there is a firewall or other filtration device.
Use the IP protocol item to detect which protocols are using the host, we can change the protocol item of the IP header because it is 8-bit, 256 possibilities. By the ICMP error message returned by the target, it is used to determine which protocol is in use. If you return Destination Unreachable, the host does not use this protocol. On the contrary, if nothing returns, the host may use this protocol, but it may be filtered by the firewall. NMAP IP Protocol Scan is also using this principle.
Using IP fractions, assembly timeout ICMP error messages can also be used to achieve our probe purposes. When the host receives a datagram of the lost fragment, the entire package will be discarded at a certain period of time, and the ICMP fragment assembly timeout error is sent to the original transmission end. We can use this feature to make a fragmentation packet, then wait for the ICMP assembly timeout error message. You can sharpen the UDP, or you can sharpen the TCP or even ICMP packets, as long as the target host gets a complete data package, of course, for this non-connected unreliable agreement of UDP, if we do not receive To the timeout error ICMP returns, it is also possible to lose due to lines or other issues. We can use these features to get the ACL (Access List) of the firewall, even with these features to achieve the entire network topology. If we can't get unreachable messages or slice assembly timeout error messages, you can make the following judgments:
1. Firewall filters the type of protocol we send
2. The firewall filters the port we specified
3, firewall blocking ICMP Destination Unreachable or protocol unreachable error message.
4. The firewall has the block of ICMP error packets for our designated host.
Second, advanced TCP scanning technology
The most basic use of TCP scans is using connect (), which is easy to implement. If the target host can connect, you will explain that a corresponding port is opened. However, this is also one of the most primitive and first rejected tools.
In advanced TCP scanning techniques, mainly using TCP connection three handshake features, that is, the so-called semi-open scan. These methods can bypass some firewalls to get the host information behind the firewall. Of course, it is in the case where it is not deceived. There is also a benefit below that it is more difficult to be recorded, and some means that even if it is simply displayed on the NetStat command.
SYN
Send a TCP datagram with only the SYN flag bit, if the host feeds back a SYN || ACK packet, then this host is listening to the port, if the feedback is the RST packet, description, the host is not listening This port is. There is SYN selection on the X-Scanner.
ACK
Send a TCP data that only the ACK flag is reported to the host. If the host feeds back a TCP RST datagram, then this host exists.
FIN
Send a TCP FIN data to a remote host to a port. If the host does not feedback, then this host is existing, and it is listening to this port; the host feeds back a TCP RST back, then the host exists, but there is no listening to this port.
NULL
That is, a TCP package without any flag is sent, according to RFC793, if the corresponding port of the target host is closed, it should be sent back to an RST packet.
FIN URG PUSH
Send a FIN, URG, and PUSH packets to the target host, depending on RFC793, if the corresponding port of the target host is off, then a RST flag should be returned.
Third, advanced UDP scanning technology
In the scan implemented in UDP, there are many combinations of use and ICMP, which in ICMP and mentioned. There are also specials that UDP feedback, such as SQL Server, send 'X02' or 'X03' on its 1434 port to detect its connection port.
The following program is an example of a TCP detection. Of course, it is not perfect because there is no receiving part, and it is actually a selective Sniffer in Win2000, huh, everyone can use other Sniffer to achieve the same purpose. You can also change the following programs to send only IP packets, using ICMP characteristics to implement probing. Typedef struct ip_hdr // Defines IP header
{
Unsigned char h_verlen; // 4 top length, 4-digit IP version number
Unsigned char TOS; // 8 service type TOS
Unsigned short total_len; // 16-bit total length (bytes)
UNSIGNED short ident; // 16 bit identity
Unsigned short frame_and_flags; // 3 bit flag
Unsigned char TTL; // 8-bit survival time TTL
Unsigned char proto; // 8-bit protocol (TCP, UDP or other)
UNSIGNED Short Checksum; // 16-bit IP header checksum
Unsigned int sourceip; // 32 bitsource IP address
UNSIGNED INT Destip; // 32 bit IP address
} Ipheader;
Typedef struct tsd_hdr // Defines TCP pseudo
{
Unsigned long saddr; // source address
Unsigned long daddr; // destination address
CHAR MBZ;
CHAR PTCL; // Protocol Type
Unsigned short tcpl; // TCP length
} PSDHeader;
Typedef struct tcp_hdr // Defines TCP header
{
Ushort th_sport; // 16 bond source port
USHORT TH_DPORT; / / 16-bit destination port
Unsigned int th_seq; // 32-bit serial number
UNSIGNED INT TH_ACK; / / 32 bit confirmation number
Unsigned char th_lenres; // 4 head length / 6 reserved words
Unsigned char th_flag; // 6 bit flag
Ushort TH_WIN; / / 16-bit window size
USHORT TH_SUM; / / 16-bit checksum
Ushort TH_URP; // 16-bit emergency data offset
} TCPHEADER;
// Checksum: Computing the subunies of the checksum
Ushort Checksum (Ushort * Buffer, int size)
{
Unsigned long cksum = 0;
While (size> 1)
{
CKSUM = * Buffer ;
Size - = SizeOf (Ushort);
}
size
{
CKSUM = * (Uchar *) BUFFER;
}
CKSUM = (CKSUM >> 16) (CKSUM = 0xFFFF);
CKSUM = (CKSUM >> 16);
Return (Ushort) (~ CKSUM);
}
Void usage ()
{
Printf ("**************************************************************************************************************);
Printf ("tcpping / n");
Printf ("/ T Written By Refdom / N);
Printf ("/ t email: refDom@263.net/n");
Printf ("Useage: tcpping.exe target_ip target_port / n");
Printf ("******************************************************************************************************) }
Int main (int Argc, char * argv [])
{
Wsadata wsadata;
Socket sock;
SockAddr_in addr_in;
Ipheader ipheader;
TCPHEADER TCPHEADER;
PSDHeader PSDHead;
Char szsendbuf [60] = {0};
Bool flag;
Int Rect, NTimeover;
USAGE ();
IF (argc! = 3)
{Return False;}
IF (WSAStartup (MakeWord (2, 2), = WSADATA)! = 0)
{
Printf ("WSAStartup Error! / N");
Return False;
}
IF ((SOCK = WSASOCKET (AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED) == Invalid_socket
{
Printf ("socket setup error! / n");
Return False;
}
Flag = true;
IF (setsockopt (sock, ipproto_ip, ip_hdrincl, (char *) = flag, sizeof (flag)) == Socket_ERROR)
{
Printf ("setsockopt ip_hdrincl error! / n");
Return False;
}
NTIMEOVER = 1000;
IF (SETSOCKOPT (SOCK, SOL_SOCKET, SO_SNDTIMEO, (CHAR *) = NTIMEOVER, SIZEOF (NTIMEOVER)) == Socket_ERROR)
{
Printf ("setsockopt so_sndtimeo error! / n");
Return False;
}
Addr_in.sin_family = af_INet;
Addr_in.sin_port = htons (ATOI (ARGV [2]));
Addr_in.sin_addr.s_un.s_addr = inet_addr (Argv [1]);
//
//
// Fill the IP head
Ipheader.h_verlen = (4 << 4 | sizeof (iPheter) / sizeof (unsigned long);
// ipHeader.tos = 0;
Ipheter.total_len = Htons (Ipheter) SizeOf (TCPHEADER);
ipHeader.Ident = 1;
Ipheader.frag_and_flags = 0;
Ipheader.ttl = 128;
Ipheader.proto = ipproto_tcp;
Ipheader.checksum = 0;
Ipheader.SourceIP = INET_ADDR ("Local Address");
Ipheader.destip = inet_addr (argv [1]);
// Pack TCP header
TCPHEADER.TH_DPORT = HTONS (ATOI (ARGV [2]));
TCPHEADER.TH_SPORT = HTONS (Source_Port); // Source Port number
TCPHEADER.TH_SEQ = HTONL (0x12345678);
TCPHEADER.TH_ACK = 0;
TCPHEADER.TH_LENRES = (SIZEOF (TCPHEADER) / 4 << 4 | 0); TCPHEADER.TH_FLAG = 2; // Modify here to achieve different flag detection, 2 is SYN, 1 is Fin, 16 is ACK detection, etc.
TCPHEADER.TH_WIN = HTONS (512);
TCPHEADER.TH_URP = 0;
TCPHEADER.TH_SUM = 0;
PSDHeader.saddr = ipheader.sourceIP;
PSDHeader.daddr = ipheader.destip;
PSDHeader.mbz = 0;
PSDHeader.ptcl = ipproto_tcp;
PSDHeader.tcpl = htons (sizeof (tcpHeader));
// calculate the checksum
Memcpy (szsendbuf, = psdheader, sizeof (psdheader));
Memcpy (szsendbuf sizeof (psdheader), = TCPHEADER, SIZEOF (TCPHEADER));
TCPHEADER.TH_SUM = Checksum ((Ushort *) SzsendBuf, SizeOf (PSDHeader) Sizeof (TCPHEADER));
Memcpy (szsendbuf, = ipheader, sizeof (ipheader);
Memcpy (szsendbuf sizeof (ipheader), = tcpheader, sizeof (tcpheader);
MEMSET (SzsendBuf SizeOf (Ipheter) Sizeof (TCPHEADER), 0, 4);
Ipheader.checksum = Checksum ((Ushort *) SzsendBuf, SizeOf (Ipheader) Sizeof (TCPHEADER));
Memcpy (szsendbuf, = ipheader, sizeof (ipheader);
Rect = Sendto (Sock, Szsendbuf, Sizeof (Ipheader) Sizeof (TCPHEADER),
0 (Struct SockAddr *) = addr_in, sizeof (addr_in));
IF (Rect == Socket_ERROR)
{
Printf ("Send Error!:% D / N", wsagetlasterror ());
Return False;
}
Else
Printf ("Send OK! / N");
CloseSocket (SOCK);
WSACLEANUP ();
Return 0;
}
-------------------------------------------
REFERENCE:
1, "Breaking Into Computer Networks from the Internet" Roelof Temmingh = SENSEPOST (PTY) LTD
2, Phrack # 49, "Port Scanning without the syn flag"
3, Phrack # 51, "The Art of Port Scanning"
4, sys-security group "ICMP usage in scanning"
