port_scanning

hping3 -S 1.1.1.1 -c 4 -p 80
# -S sends SYN packets, -c number of packets, -p port

We can also control the source port from which the packets are sent:

hping3 -V -S -p 93 -s 5678 example.com
# -V, for verbose mode
# -S, for SYN packet
# -p, to set the destination port
# -s, to set the (base) source port; hping3 increments it after every packet
#     unless -k (--keep) is also given

Notice that if no destination port is specified with -p, port 0 is used.

Some firewalls drop TCP packets that do not carry the TCP timestamp option, since its absence is typical of crafted packets from port scanners (hping3 does not set it by default). Add the --tcp-timestamp option to include it:

hping3 -V -S -p 22 example.com --tcp-timestamp

The destination port can also be incremented automatically after each packet:

hping3 -S 1.1.1.1 -p ++50 -c 5 -I wlan0
# -S sends SYN packets
# -p ++50, it will start with port 50 and increase after each packet
# -c specifies the number of packets
# -I specifies the network interface to use

We can perform a TCP port scanning by doing:

hping3 -8 50-56 -S 8.8.8.8
# -8, use hping in port scanning mode
# 50-56 specifies the port range to scan
# -S will send SYN packets

We can also perform UDP port scanning by doing:

hping3 -2 192.168.1.6 -p 56 -c 1
# -2, UDP mode: a closed port answers with an ICMP port unreachable,
# no reply means the port is open or filtered

Using the TCP timestamp option we can also try to estimate the uptime of the target:

hping3 -c 4 -S -p <open_port> --tcp-timestamp <ip>
# sends 4 SYN packets and, by analyzing the TCP timestamps in the replies,
# tries to infer the uptime of the target system
# notice that this is approximate, but it is useful to understand whether
# a DoS or DDoS attack has been successful (i.e. whether the target rebooted)

Notice that guessing the uptime also gives us an idea of the patch level of the system, since applying big patches (kernel updates in particular) generally requires a reboot. The analysis of TCP timestamps can also tell us whether we are dealing with a load-balanced system: if probes to different ports come back with timestamps that are far apart, the replies are coming from different machines behind the same address.

Keep in mind that TCP timestamps are not required to start at 0 at boot time, and the tick rate is not fixed either (it depends on the kernel HZ setting). A random start value is possible; Linux, for example, has randomized the timestamp offset per connection since kernel 4.10, which defeats this uptime estimate against such hosts.
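The uptime estimate and the load-balancer check described above, implemented as a small POSIX shell helper. This is an added example, not code from the page or from hping3 itself. It assumes that hping3 prints a line of the form "TCP timestamp: tcpts=N" for each reply when --tcp-timestamp is given (the sample reply embedded below is constructed, not captured traffic), it snaps the measured tick rate to the common kernel HZ values 100, 250, 300 and 1000, and only the probe_uptime function (which needs root and a live target with an open port) actually sends packets.

```shell
#!/bin/sh
# Added example: estimate a host's uptime from TCP timestamps and tell whether two
# replies come from the same backend. Assumes hping3 --tcp-timestamp prints a line
# "  TCP timestamp: tcpts=N" per reply (that output format is an assumption).

# Constructed sample of one hping3 --tcp-timestamp reply (not real traffic).
SAMPLE_REPLY='len=56 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=2.3 ms
  TCP timestamp: tcpts=3123456'

# extract_tcpts: print the last tcpts value found in hping3 output read from stdin
extract_tcpts() {
    sed -n 's/.*tcpts=\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# guess_hz RATE: snap a measured ticks-per-second value to a common kernel HZ value
guess_hz() {
    awk -v r="$1" 'BEGIN {
        n = split("100 250 300 1000", c, " "); best = c[1]; bd = -1
        for (i = 1; i <= n; i++) {
            d = (r > c[i]) ? r - c[i] : c[i] - r
            if (bd < 0 || d < bd) { bd = d; best = c[i] }
        }
        print best
    }'
}

# estimate_uptime TS1 TS2 SECONDS: TS1 and TS2 are tcpts values sampled SECONDS
# apart; prints "hz=<rate> uptime_s=<seconds since the timestamp clock started>"
estimate_uptime() {
    rate=$(awk -v a="$1" -v b="$2" -v s="$3" 'BEGIN { printf "%.3f", (b - a) / s }')
    hz=$(guess_hz "$rate")
    awk -v t="$2" -v h="$hz" 'BEGIN { printf "hz=%d uptime_s=%d\n", h, int(t / h) }'
}

# fmt_uptime SECONDS: render seconds as "Dd Hh Mm Ss"
fmt_uptime() {
    awk -v s="$1" 'BEGIN {
        printf "%dd %dh %dm %ds\n", int(s / 86400), int(s % 86400 / 3600), int(s % 3600 / 60), s % 60
    }'
}

# same_backend TS_A TS_B HZ [TOLERANCE_S]: "yes" when two timestamps (e.g. replies
# from two different ports) are within TOLERANCE_S seconds of each other, i.e. they
# plausibly come from the same clock; "no" suggests a load balancer in front.
same_backend() {
    awk -v a="$1" -v b="$2" -v h="$3" -v tol="${4:-5}" 'BEGIN {
        d = (a > b) ? a - b : b - a
        r = (d / h <= tol) ? "yes" : "no"
        print r
    }'
}

# probe_uptime HOST PORT [GAP_S]: two live hping3 probes GAP_S seconds apart
# (needs root and a reachable open port; not exercised by the samples above).
probe_uptime() {
    gap=${3:-10}
    t1=$(hping3 -n -c 1 -S -p "$2" --tcp-timestamp "$1" 2>/dev/null | extract_tcpts)
    sleep "$gap"
    t2=$(hping3 -n -c 1 -S -p "$2" --tcp-timestamp "$1" 2>/dev/null | extract_tcpts)
    if [ -z "$t1" ] || [ -z "$t2" ]; then
        echo "no TCP timestamp option in the replies" >&2
        return 1
    fi
    estimate_uptime "$t1" "$t2" "$gap"
}

# Offline demonstration on constructed values.
ts=$(printf '%s\n' "$SAMPLE_REPLY" | extract_tcpts)
echo "sample tcpts: $ts"
estimate_uptime 3120456 3123456 3          # 1000 ticks/s -> hz=1000 uptime_s=3123
fmt_uptime 3123
same_backend 3123456 3123900 1000          # 0.444 s apart -> yes
same_backend 3123456 9000000 1000          # hours apart -> no
```

Snapping to a known HZ is what makes a short sampling gap usable: over 10 seconds a single lost or delayed reply would otherwise skew the rate, and the uptime is only as good as the rate. For the load-balancer check, probe two different open ports a few seconds apart and compare the two tcpts values with same_backend; replies whose clocks differ by more than the probe gap cannot come from the same kernel.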

ACK Scan

This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13), are labeled filtered.

ACK scanning can be used to check if a host is alive when we get no reply to a ping. We send a TCP packet with the ACK flag set and, if the machine is alive, it should send back a packet with the RST flag set, regardless of whether the port is open or closed.

So to sum up, we have two scenarios after having sent an ACK packet:
* no reply is received: the target is down, or a stateful firewall is dropping our unsolicited ACK (the two cases look the same)
* a packet with the RST flag set is received: the target is alive

hping3 -c 1 -V -p 93 -s 5678 -A dominio.xyz
# -A, sets the ACK flag

FIN Scan

In a TCP connection the FIN flag is used to start the connection closing routine. According to RFC 793, a closed port answers a stray FIN with a RST (hping3 shows it as flags=RA), while an open port silently discards the packet. So a RST reply means the port is closed, and no reply means the port is open or filtered: a firewall dropping the probe looks exactly like an open port.

hping3 -c 1 -V -p 80 -s 5050 -F example.com
# -F, sets the FIN flag

Notice that some OSes (Windows, Cisco, HP-UX, IRIX among others) do not follow RFC 793 and reply with a RST packet in any case, which makes FIN scans ineffective against them.

Null Scan

In this type of scan we set the sequence number to zero and no TCP flag at all. Here we can have two scenarios:
* the TCP port of the target is closed: it will send back a packet with the RST flag set
* the TCP port is open or filtered: the packet is discarded and no reply is sent

hping3 -c 1 -V -p 93 -s 5678 -M 0 dominio.xyz
# no flag option is given, so the TCP flags field is zero
# -M 0, sets the TCP sequence number to 0

XMas Scan

In this type of scan we set the FIN, PSH and URG flags at once (the packet is "lit up like a Christmas tree"). The two scenarios are the same as for the Null scan:
* the TCP port of the target is closed: it will send back a packet with the RST flag set
* the TCP port is open or filtered: the packet is discarded and no reply is sent

hping3 -F -P -U <ip address> -c <number of packets>
# -F sets the Fin flag
# -P sets the Push flag
# -U sets the Urg flag

another example may be:

hping3 -c 1 -V -p 80 -s 5050 -M 0 -U -P -F example.com
# -M 0, sets the TCP sequence number to 0

Basically XMas and Null scans are very similar: the inference about open/closed ports is identical, the only difference is in how the probe is built. In a XMas scan we set several flags (Push, Fin, Urg), while in a Null scan we set none at all. Both share the FIN scan's blind spot: no reply cannot distinguish an open port from a filtered one, and the RFC-ignoring stacks listed above answer every probe with a RST.
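The reply-to-state rules of the SYN, UDP, ACK, FIN, Null and XMas scans above, collected into one POSIX shell helper that reads the output of a single hping3 probe and prints the port state. This is an added example, not code from the page or from hping3. It assumes hping3's usual output lines (an assumption about the format): a "flags=XX" field on each TCP reply line, an "ICMP Port Unreachable from ip=..." line when a UDP probe hits a closed port, and the "N packets transmitted, M packets received" summary. The sample outputs embedded below are constructed, and only scan_port sends live packets (it needs root).

```shell
#!/bin/sh
# Added example: interpret one hping3 probe reply per scan type. Assumes hping3's
# usual output lines (format is an assumption): "flags=XX" on a TCP reply line,
# "ICMP Port Unreachable from ip=..." for a UDP probe to a closed port, and a
# "N packets transmitted, M packets received" summary when no reply arrives.

# Constructed sample outputs (not real traffic).
SAMPLE_SYN_OPEN='HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=1.2 ms

--- 192.0.2.10 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss'

SAMPLE_RST='HPING 192.0.2.10 (eth0 192.0.2.10): F set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=93 flags=RA seq=0 win=0 rtt=0.9 ms

--- 192.0.2.10 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss'

SAMPLE_NOREPLY='HPING 192.0.2.10 (eth0 192.0.2.10): NO FLAGS are set, 40 headers + 0 data bytes

--- 192.0.2.10 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss'

SAMPLE_UDP_CLOSED='HPING 192.0.2.10 (eth0 192.0.2.10): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.0.2.10 name=UNKNOWN

--- 192.0.2.10 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss'

# classify TYPE: read hping3 output on stdin and print the inferred port state.
# TYPE is one of syn, ack, fin, null, xmas, udp.
classify() {
    type=$1
    out=$(cat)
    flags=$(printf '%s\n' "$out" | sed -n 's/.*flags=\([A-Z]*\).*/\1/p' | head -n 1)
    icmp=$(printf '%s\n' "$out" | grep -c 'ICMP Port Unreachable' || true)
    case "$type" in
        syn)
            case "$flags" in
                *S*A*|*A*S*) echo open ;;        # SYN/ACK: a listener answered
                *R*)         echo closed ;;      # RST: nothing listening
                *)           echo filtered ;;    # dropped on the way (or ICMP error)
            esac ;;
        ack)
            case "$flags" in
                *R*) echo unfiltered ;;          # host alive, no stateful filter
                *)   echo filtered ;;            # down, or unsolicited ACK dropped
            esac ;;
        fin|null|xmas)
            case "$flags" in
                *R*) echo closed ;;              # RFC 793 behaviour for a closed port
                *)   echo 'open|filtered' ;;     # open ports and firewalls both stay silent
            esac ;;
        udp)
            if [ "$icmp" -gt 0 ]; then echo closed; else echo 'open|filtered'; fi ;;
        *)
            echo "unknown scan type: $type" >&2
            return 2 ;;
    esac
}

# scan_port TYPE HOST PORT: one live hping3 probe (needs root), then classify it.
scan_port() {
    case "$1" in
        syn)  opts='-S' ;;
        ack)  opts='-A' ;;
        fin)  opts='-F' ;;
        null) opts='' ;;             # no flag option at all: TCP flags field is 0
        xmas) opts='-F -P -U' ;;
        udp)  opts='-2' ;;
        *) echo "unknown scan type: $1" >&2; return 2 ;;
    esac
    # shellcheck disable=SC2086
    hping3 -n -c 1 $opts -p "$3" "$2" 2>&1 | classify "$1"
}

# Offline demonstration on the constructed samples.
for t in syn ack fin null xmas udp; do
    printf '%-5s no reply      -> %s\n' "$t" "$(printf '%s\n' "$SAMPLE_NOREPLY" | classify "$t")"
done
printf 'syn   SYN/ACK reply -> %s\n' "$(printf '%s\n' "$SAMPLE_SYN_OPEN" | classify syn)"
printf 'fin   RST reply     -> %s\n' "$(printf '%s\n' "$SAMPLE_RST" | classify fin)"
printf 'ack   RST reply     -> %s\n' "$(printf '%s\n' "$SAMPLE_RST" | classify ack)"
printf 'udp   ICMP unreach. -> %s\n' "$(printf '%s\n' "$SAMPLE_UDP_CLOSED" | classify udp)"
```

Reading the table the helper produces for the no-reply case is the practical point: silence means "filtered" for a SYN or ACK probe but "open|filtered" for FIN, Null, XMas and UDP probes, so a single silent probe never proves a port is open. Confirming a suspected open port needs a SYN probe (or a real connection), and an ACK probe that draws a RST only proves the host and the path are reachable, not that any port is open.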