| Type | Cmnd Line Switch |
Description |
|---|---|---|
| TCP Connect | -sT | Completes the three-way handshake with each scanned port. Not stealthy. |
| TCP SYN | -sS | Only send the initial SYN and awaits the SYN-ACK response to determine if a port is open. If the port is closed the destination will send a RST or nothing. Stealthier than Connect scan. |
| TCP FIN | -sF | Sends a TCP FIN to each port. A RST indicates the port is closed, while no response may mean the port is open. Stealthier than Connect scan. |
| TCP Xmas Tree | -sX | Sends a packet with FIN, URG, and PSH set. A RST indicates the port is closed, while no response may mean the port is open. |
| Null | -sX | Sends a packet with no code bits set. A RST indicates the port is closed, while no response may mean the port is open. |
| TCP ACK | -sA | Sends a packet with ACK set to each target port. Allows for determining a packet filter's rules regarding established connections. |
| TCP Window | -sW | Similar to ACK scan, but focuses on the TCP Window Size to determine if ports are open or closed on a variety of operating systems. |
| FTP Bounce | -b | Bounces a TCP scan off an FTP server, obscuring the orginator of the scan. |
| UDP Scanning | -sU | Sends a UDP packet to target ports to determine if a UDP service is listening. |
| Ping | -sP | Sends ICMP echo requests to every machine on the target network, allowing for locating live hosts. This netwrok mapping, as in Cheops. |
| RPC Scanning | -sR | Scans (RPC) Remote Procedure Call services, using all discovered open TCP/UDP ports on the target to send RPC NULL commands. Attempts to determine if an RPC program is listening at the port and, if so, identifies what type of RPC program it is. |
|
This is the legitimate process of establishing a TCP connection. It sets up the initial sequence number of the sender ISN[a] and the initial sequence number of the responder ISN[b] so that if packets arrive out of order the larger message can be reasembled. E.g a may be from your Web browser and b from a Web server. |
TCP Connect scans, also known as "plain vanilla" scans, attempt to complete the TCP 3way handshake with each target port on the destination system. Such scans have little or no likelihood of carshing the target system. If a connection is established then it is ended with a FIN packet. If the target port is closed, ACK-SYN response is not sent. Instead the attacker's system would receive either: no response, a RST packet, or an ICMP Port Unreachable packet. The difficulty of this type of scan is that the target system may log the attempt. For this reason stealthier scan techniques are usually used.
TCP SYN scans, also called half open scans, stop 2/3 of the way through the 3way handshake. A SYN is sent to each target port. If the port is open, the target will send a SYN-ACK response. The attacking machine then sends a RST packet aborting the connection before it is established (hopefully avoiding being logged).
If the target port is closed, the attacker's system will have either: no response, a RST packet, or an ICMP Port Unreachable packet (depending on the traget machine type, OS and network architecture). Routers and Firewalls will still log the SYN packet with the source IP if so enabled. SYN scans are faster because of fwer packets hence less waiting.
One risk with a SYN scan is that the target system could become flooded with outstanding SYN scans, with a possible denial-of-service attack by going off line. This happens with old software.
© 2005 Prem Sobel. All Rights Reserved.