
Mark D. Spivey

"Practical Hacking Techniques and Countermeasures"


Appendix B: Tool Syntax  683

Chapter 3 (continued)

Tool: Ping

Syntax: -sS
Description: TCP SYN scan. This technique is often referred to as "half-open" scanning, because you do not open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and you wait for a response. A SYN|ACK indicates the port is listening. An RST is indicative of a nonlistener. If a SYN|ACK is received, an RST is immediately sent to tear down the connection (actually our OS kernel does this for us). The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately, you need root privileges to build these custom SYN packets.

Syntax: -sF -sX -sN
Description: Stealth FIN, Xmas Tree, or NULL scan modes. There are times when even SYN scanning is not clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs like Synlogger and Courtney are available to detect these scans. These advanced scans, on the other hand, may be able to pass through unmolested. The idea is that closed ports are required to reply to your probe packet with an RST, while open ports must ignore the packets in question (see RFC 793 p. 64). The FIN scan uses a bare FIN packet as the probe, while the Xmas Tree scan turns on the FIN, URG, and PUSH flags. The NULL scan turns off all flags. Unfortunately, Microsoft decided to completely ignore the standard and do things its own way. Thus, this scan type will not work against systems running Windows 95/NT.
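The table above names Synlogger and Courtney as detectors for these probes. The following is an added example, not from the book, of how such a detector recognises the -sS, -sF, -sX and -sN probe shapes from their TCP flag bits and raises an alert for a source that sends one probe type to many distinct ports; the packet records and threshold are constructed for illustration.

```python
# Added example: a toy "Synlogger"-style detector for the SYN, FIN, Xmas and NULL
# probe shapes described in the syntax table. Input records are constructed.
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags):
    """Map a TCP flag byte to the scan type it matches, or None for ordinary traffic."""
    if flags == SYN:
        return "SYN (half-open)"      # -sS: bare SYN with no ACK
    if flags == 0:
        return "NULL"                 # -sN: all flags off
    if flags == FIN:
        return "FIN"                  # -sF: bare FIN
    if flags == FIN | PSH | URG:
        return "Xmas"                 # -sX: FIN, URG and PUSH lit up
    return None

def detect_scanners(packets, port_threshold=5):
    """packets: iterable of (src_ip, dst_port, flags).
    Returns {src: {scan_type: distinct_port_count}} for each source that sent
    one probe type to at least port_threshold distinct ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind:
            seen[src][kind].add(dport)
    alerts = {}
    for src, kinds in seen.items():
        hits = {k: len(p) for k, p in kinds.items() if len(p) >= port_threshold}
        if hits:
            alerts[src] = hits
    return alerts

# Constructed sample traffic (not real captures): one host sweeping ports with
# Xmas probes, one normal client completing a handshake on 443, and one host
# sending bare SYNs across a port range.
SAMPLE_PACKETS = (
    [("10.0.0.5", p, FIN | PSH | URG) for p in (21, 22, 23, 25, 80, 110, 443)]
    + [("10.0.0.9", 443, SYN), ("10.0.0.9", 443, ACK), ("10.0.0.9", 443, PSH | ACK)]
    + [("10.0.0.7", p, SYN) for p in range(8000, 8010)]
)

if __name__ == "__main__":
    for src, kinds in detect_scanners(SAMPLE_PACKETS).items():
        print(src, kinds)
```

The normal client on 10.0.0.9 also sends a bare SYN, but only to one port, so the distinct-port threshold keeps it out of the alerts.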

