Scanning is the groundwork for every intrusion. It determines whether a host is active, which ports are open, which services are available, the software version of each service, and so on. There are many host detection tools, such as the well-known Nmap, Netcat, SuperScan, and the Chinese X-Scanner.
ICMP protocol: Ping is the most common and simplest means of judging whether a target is active. Ping sends an ICMP Echo Request datagram (type = 8) to the target; when the host receives the request, it returns an Echo Reply datagram (type = 0). Ping handling is generally implemented directly in the system kernel rather than as a user process. Ping is the most basic probe; a ping sweep pings a whole network segment to determine which hosts on that segment are running. The well-known fping tool is such a ping sweeper.
But nowadays even basic personal firewalls restrict ping, so this is too basic. How to obtain the most complete map of a target through a firewall is a problem many people ponder all day long. The scanning techniques introduced here try to bypass security devices as far as possible and to keep the scanner hidden while still obtaining the information we need.
I. Advanced ICMP scanning techniques
Ping makes use of the ICMP protocol; advanced ICMP scanning uses the most basic function of ICMP, error reporting. According to the network protocols, when an error occurs the receiving end generates an ICMP error message. These error messages are not sent deliberately; they are produced automatically, as the protocol requires, because of the error.
When an IP datagram is incorrect, the target host discards it. If it is a checksum error, the router simply discards the datagram. Some hosts, such as AIX and HP-UX, do not send ICMP unreachable datagrams at all.
We make use of these behaviours:
1. Send an IP packet consisting only of an IP header to the target host; the target returns an ICMP Destination Unreachable error message.
2. Send a malformed IP datagram to the target host, for example one with an incorrect IP header length; the target host returns an ICMP Parameter Problem error message.
3. When a datagram is fragmented but not all fragments reach the receiver, the receiver's reassembly timer expires and it sends an ICMP fragment reassembly time exceeded message.
Send an IP datagram whose protocol field is invalid, for example a protocol number that is not in use, and the target returns an ICMP Destination Unreachable packet. However, if a firewall or other filtering device sits in front of the target host, it may filter out the request, so that no response is received at all. A very large protocol number can be used in the protocol field of the IP header; such a number is certainly not in use today, so the host must return an unreachable message. If no unreachable ICMP datagram comes back, the request was filtered by a firewall or another device. This is therefore also a way to detect whether a firewall or other filtering device is present.
Use the IP protocol field to find out which protocols the host uses: the protocol field of the IP header is 8 bits, so there are 256 possibilities. The ICMP error message returned by the target tells us which protocols are in use. If Destination Unreachable comes back, the host does not use that protocol; if nothing comes back, the host may use the protocol, or the probe may have been filtered by a firewall. Nmap's IP protocol scan works on this principle.

The ICMP fragment reassembly timeout error message can also serve our probing purposes. When a host receives a datagram with missing fragments, it discards the whole packet after a certain time and sends an ICMP fragment reassembly time exceeded error back to the original sender. We can exploit this by deliberately sending an incomplete set of fragments and then waiting for the ICMP reassembly timeout error. The fragments can carry UDP, TCP or even ICMP, as long as the target host never gets the complete packet. Of course, UDP is a connectionless and unreliable protocol, so if we receive no timeout error, the packets may also simply have been lost because of the line or other problems.
We can use these behaviours to learn the firewall's ACL (access control list), and even to map the entire network topology. If we receive neither unreachable messages nor fragment reassembly timeout error messages, one of the following conclusions can be drawn:
1. The firewall filters the protocol type we sent.
2. The firewall filters the port we specified.
3. The firewall blocks ICMP Destination Unreachable or protocol unreachable error messages.
4. The firewall blocks ICMP error packets for the host we targeted.
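A defender-side illustration of the protocol-scan principle above, added here and not part of the original article: it names the ICMP error types the text relies on and flags any peer that has drawn "protocol unreachable" errors for many distinct protocol numbers, which is the trace an IP protocol scan leaves on the scanned host. The log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# ICMP error (type, code) pairs the text relies on, RFC 792 numbering.
ICMP_ERRORS = {
    (3, 2): "destination unreachable: protocol unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (11, 1): "time exceeded: fragment reassembly time exceeded",
    (12, 0): "parameter problem: bad IP header",
}

# Constructed sample of ICMP errors a host emitted, in a hypothetical log
# format. "proto" is the protocol field of the offending datagram, which an
# ICMP error quotes back in the embedded IP header.
SAMPLE_LOG = """\
t=1 dst=192.0.2.9 type=3 code=2 proto=200
t=1 dst=192.0.2.9 type=3 code=2 proto=201
t=2 dst=192.0.2.9 type=3 code=2 proto=202
t=2 dst=192.0.2.9 type=3 code=2 proto=203
t=3 dst=192.0.2.9 type=12 code=0 proto=6
t=3 dst=198.51.100.4 type=3 code=3 proto=17
t=4 dst=192.0.2.9 type=3 code=2 proto=204
t=5 dst=198.51.100.4 type=11 code=1 proto=17
"""

LINE_RE = re.compile(r"t=(\d+) dst=(\S+) type=(\d+) code=(\d+) proto=(\d+)")


def describe(icmp_type, code):
    """Meaning of an ICMP error pair, or None if it is not one we track."""
    return ICMP_ERRORS.get((icmp_type, code))


def detect_protocol_scan(log_text, min_protocols=3):
    """Map each destination that drew 'protocol unreachable' errors for at
    least min_protocols distinct protocol numbers to those numbers. One
    peer touching many unused protocol numbers is the mark of an IP
    protocol scan; a single stray error is not."""
    seen = defaultdict(set)
    for m in LINE_RE.finditer(log_text):
        _, dst, t, c, proto = m.groups()
        if (int(t), int(c)) == (3, 2):
            seen[dst].add(int(proto))
    return {d: sorted(p) for d, p in seen.items() if len(p) >= min_protocols}
```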
II. Advanced TCP scanning techniques
The most basic TCP scan uses connect(), which is easy to implement: if a connection to the target host succeeds, the corresponding port is open. However, this is also one of the most primitive methods and the first to be rejected.
Advanced TCP scanning techniques mainly use the three-way handshake of a TCP connection and the flag bits in the TCP header; this is the so-called half-open scan.
First, let us look at the six flags of the TCP header.
URG (Urgent Pointer field significant): the urgent pointer. When set to 1 it is used to handle interrupts in the TCP data stream.
ACK (Acknowledgment field significant): set to 1 when the Acknowledgment Number is valid; when 0 the segment carries no acknowledgment and the acknowledgment number is ignored.
PSH (Push function): when set to 1 the segment's data is delivered directly to the application as soon as the receiver gets it, without waiting for the buffer to fill.
RST (Reset the connection): resets a connection that has gone wrong for some reason; also used to reject illegal data and requests. Receiving a segment with RST set means some error has occurred.
SYN (Synchronize sequence numbers): used to establish a connection. In a connection request SYN = 1, ACK = 0; in the connection response SYN = 1, ACK = 1. In other words, SYN and ACK distinguish a Connection Request from a Connection Accepted.
FIN (No more data from sender): used to release a connection; indicates the sender has no more data to send.
The three-way handshake of a TCP connection works like this:
First, the client (the requesting side) sends a TCP segment with SYN = 1, ACK = 0 to the server (the side receiving the request), indicating that it wants to establish a connection. If the server accepts, it returns a segment with SYN = 1, ACK = 1 to the client, indicating that it agrees to the connection and asks the client to confirm. Finally, the client sends a segment with SYN = 0, ACK = 1 to the server, confirming that the connection is established.
We use these flag bits and the three-way handshake of TCP for scanning.
SYN scan
This scanning method is also called a "half-open" scan because only the first step of a TCP connection is performed and a complete TCP connection is never established.
The method is to send a TCP segment with only the SYN flag set to a port on the remote host. If the host replies with a SYN|ACK segment, the host is listening on that port; if the reply is an RST segment, the host is not listening on that port. X-Scanner offers a SYN option.
ACK scan
Send a TCP segment with only the ACK flag set to the host. If the host replies with a TCP RST segment, the host exists. This can also be used to determine whether the other side's firewall is a simple packet filter or a stateful firewall.
FIN
Send a TCP FIN segment to a port on the remote host. If the host does not reply, the host exists and is listening on that port; if the host replies with a TCP RST, the host exists but is not listening on that port.
NULL
That is, send a TCP segment with no flags set at all. According to RFC 793, if the corresponding port on the target host is closed, it should send back an RST segment.
FIN URG PUSH
Send a segment with FIN, URG and PUSH set to the target host. According to RFC 793, if the corresponding port on the target host is closed, a segment with the RST flag should be returned.
The methods above can bypass some firewalls and obtain information about the hosts behind them, assuming no deception is involved. One advantage of these methods is that they are harder to log: some of them do not even show up in the netstat command, and ordinary security devices do not record them, so the scanner stays better hidden.
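An added example, not from the original article, that decodes the flags byte of a TCP header, names the probe types described above, states the reply RFC 793 prescribes for a closed port, and counts SYNs that were never completed by an ACK, which is the trace a half-open scan leaves in captured traffic. The segment list and the header bytes are constructed samples.

```python
# TCP flag bits in the header's flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations the text describes as probes.
PROBES = {SYN: "SYN (half-open) scan", ACK: "ACK scan", FIN: "FIN scan",
          0: "NULL scan", FIN | URG | PSH: "FIN/URG/PUSH scan"}

def parse_flags(tcp_header: bytes) -> int:
    """The six flag bits live in the low bits of byte 13 of the TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return tcp_header[13] & 0x3F

def classify_probe(flags: int):
    """Name the probe type if the flag set matches one from the text, else None."""
    return PROBES.get(flags)

def expected_reply_closed_port(flags: int) -> str:
    """RFC 793: a closed port answers any unsolicited segment with RST,
    except that a segment carrying RST is itself never answered."""
    return "nothing" if flags & RST else "RST"

def half_open_sources(segments, min_count=3):
    """segments: (src, dst, dport, flags) tuples in time order. A SYN never
    followed by an ACK from the same source to the same port is a half-open
    attempt; sources with at least min_count of them are reported."""
    pending = set()
    for src, dst, dport, flags in segments:
        key = (src, dst, dport)
        if flags == SYN:
            pending.add(key)
        elif flags & ACK:
            pending.discard(key)
    counts = {}
    for src, _, _ in pending:
        counts[src] = counts.get(src, 0) + 1
    return {s: n for s, n in counts.items() if n >= min_count}

# Constructed sample: one normal handshake plus one source probing many ports.
SAMPLE_SEGMENTS = [
    ("10.0.0.7", "192.0.2.1", 22, SYN),
    ("10.0.0.7", "192.0.2.1", 22, ACK),          # handshake completed
    ("10.0.0.9", "192.0.2.1", 21, SYN),
    ("10.0.0.9", "192.0.2.1", 22, SYN),
    ("10.0.0.9", "192.0.2.1", 80, SYN),
    ("10.0.0.9", "192.0.2.1", 443, SYN),
    ("10.0.0.9", "192.0.2.1", 21, RST),          # scanner tears down, no ACK
]
# Constructed 20-byte header whose flags byte 0x29 is FIN|PSH|URG.
SAMPLE_HEADER = bytes(13) + bytes([0x29]) + bytes(6)
```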
III. Advanced UDP scanning techniques
Scans implemented over UDP are mostly combined with ICMP, as already mentioned in the ICMP section. Some services also give special UDP feedback; for example, sending a 0x02 or 0x03 byte to SQL Server's port 1434 reveals its connection port.