Portscanner

A port scanner is a piece of software that checks which services a system offers over TCP or UDP on top of the Internet Protocol. The port scanner relieves the user of the work of examining and interpreting a system's responses, which could otherwise be done by hand with a sniffer.

Port scanners often offer additional functions such as operating system and service detection, although these have nothing to do with port scanning proper.

Operation

TCP connect() scan

This is the simplest scanning method. The port scanner issues the connect() system call for the port to be scanned; the operating system then carries out the actual connection setup. If the system call succeeds, the port is open, and the connection is immediately closed again with close(). If the connection cannot be established, the port is closed.

The advantage of this method is that it is very easy to program. Since the connect() call is available on almost every system, a connect() port scanner is very portable. Special privileges are usually not required. Because the connection is fully established on success, the scan usually shows up in the log files of the services contacted.
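The following is an added example (not code from the original article) that shows the connect() method on the local host only: a tiny listening service records every accepted connection, and a connect() check against it completes the handshake, so the contact lands in the service's log exactly as the paragraph above describes. The listener, the helper names and the constructed log format are assumptions made for this example.

```python
"""Added example: a connect() port check against the local host, together with
a logging listener that shows why such checks appear in service logs."""
import socket
import threading
import time


def check_port(host, port, timeout=0.5):
    """Return "open" if a TCP connect() to host:port succeeds, else "closed".

    connect_ex() returns 0 on success; the operating system performs the
    three-way handshake, and the socket is closed again immediately.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return "open" if s.connect_ex((host, port)) == 0 else "closed"


def connect_scan(host, ports):
    """Check each port in turn and return {port: state}."""
    return {port: check_port(host, port) for port in ports}


class LoggingListener:
    """Stand-in for a real daemon: accepts connections and logs the peer.

    Because a connect() check completes the handshake, accept() returns and
    the peer address is recorded, which is what a service log would show.
    """

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))   # the OS picks a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)          # lets the accept loop notice a stop
        self.port = self.sock.getsockname()[1]
        self.log = []                      # constructed log, one line per peer
        self._stop = False
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            self.log.append("accepted connection from %s:%d" % peer)
            conn.close()

    def close(self):
        self._stop = True
        self._thread.join()
        self.sock.close()


def free_port():
    """Return a local port nothing is listening on (bind to 0 and release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one listening and one free local port; return states and the log."""
    listener = LoggingListener()
    closed_port = free_port()
    states = connect_scan("127.0.0.1", [listener.port, closed_port])
    deadline = time.time() + 2            # give the accept thread time to log
    while len(listener.log) < 1 and time.time() < deadline:
        time.sleep(0.01)
    listener.close()
    return {"open_port": listener.port, "closed_port": closed_port,
            "states": states, "service_log": list(listener.log)}


if __name__ == "__main__":
    print(demo())
```

The closed port is refused by the kernel without any service being involved, so only the open port produces a log line; that asymmetry is the reason connect() scans are easy to spot from the application side.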

TCP SYN scan

In a TCP SYN scan, a TCP packet with the SYN flag set is sent to the target host to simulate a connection attempt. The host's response reveals the state of the port: if it sends a SYN/ACK packet, the second part of the TCP three-way handshake, the port accepts connections and is therefore open. The source host then usually replies with a RST packet to tear the connection down again (this is normally done not by the port scanner but by the operating system, since from its point of view no official connection attempt was made). If the host sends a RST packet, the port is closed. If the target host sends no packet at all, a packet filter is in place in front of it.

This type of scan is also called a stealth scan, because TCP implementations do not inform the associated service about connections that were never fully established. The scan therefore produces no log entries for attempted connections, and the service learns nothing from it. From the application's perspective, the SYN scan is thus invisible. This does not hold at the network level: firewalls and intrusion detection systems detect this type of scan anyway, and it can be blocked with the help of port knocking, in which a port is opened only after a prearranged sequence of packets has been received.

On most source systems, administrator privileges are also required, because the TCP packets must be crafted by the port scanner itself.

TCP SYN scans can also be used in the form of a SYN flood denial-of-service attack.
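The network-level detection mentioned above can be illustrated with a few lines of Python. This is an added example, not code from the original article: it runs over constructed firewall-style packet records (source, destination, destination port, TCP flags) and flags a source that sends SYNs to many distinct ports of one destination without ever sending the ACK that would complete the handshake. The record format, the addresses and the threshold are assumptions made for the example.

```python
"""Added example: spotting a TCP SYN scan in packet records.

A SYN scan never completes the handshake, so the service never logs it, but a
firewall or IDS that sees the packets can count half-open attempts per source.
"""
from collections import defaultdict

# Constructed sample records as a firewall might log them for the client side:
# (src, dst, dport, flags). 10.0.0.5 is a normal client, 10.0.0.9 runs a SYN
# scan (the RSTs are what its operating system sends after each SYN|ACK), and
# 10.0.0.7 merely retransmits one SYN to one port.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 443, "SYN"),
    ("10.0.0.5", "192.0.2.10", 443, "ACK"),
    ("10.0.0.5", "192.0.2.10", 80, "SYN"),
    ("10.0.0.5", "192.0.2.10", 80, "ACK"),
    ("10.0.0.9", "192.0.2.10", 21, "SYN"),
    ("10.0.0.9", "192.0.2.10", 22, "SYN"),
    ("10.0.0.9", "192.0.2.10", 22, "RST"),
    ("10.0.0.9", "192.0.2.10", 23, "SYN"),
    ("10.0.0.9", "192.0.2.10", 25, "SYN"),
    ("10.0.0.9", "192.0.2.10", 80, "SYN"),
    ("10.0.0.9", "192.0.2.10", 80, "RST"),
    ("10.0.0.9", "192.0.2.10", 110, "SYN"),
    ("10.0.0.9", "192.0.2.10", 443, "SYN"),
    ("10.0.0.9", "192.0.2.10", 443, "RST"),
    ("10.0.0.9", "192.0.2.10", 3306, "SYN"),
    ("10.0.0.7", "192.0.2.10", 22, "SYN"),
    ("10.0.0.7", "192.0.2.10", 22, "SYN"),
]


def half_open_ports(packets):
    """Return {(src, dst): ports} where src sent a SYN but never a plain ACK.

    A bare SYN starts a handshake; an ACK without SYN or RST from the same
    source to the same port completes it. Ports with a SYN and no completing
    ACK are counted as half-open, which is the signature of a SYN scan.
    """
    syn = defaultdict(set)
    ack = defaultdict(set)
    for src, dst, dport, flags in packets:
        f = set(flags.split("|"))
        if f == {"SYN"}:
            syn[(src, dst)].add(dport)
        elif "ACK" in f and not f & {"SYN", "RST"}:
            ack[(src, dst)].add(dport)
    return {key: ports - ack.get(key, set()) for key, ports in syn.items()}


def detect_syn_scans(packets, threshold=5):
    """Return sorted (src, dst, count) for sources with >= threshold half-open ports."""
    alerts = []
    for (src, dst), ports in half_open_ports(packets).items():
        if len(ports) >= threshold:
            alerts.append((src, dst, len(ports)))
    return sorted(alerts)


if __name__ == "__main__":
    for src, dst, n in detect_syn_scans(SAMPLE_PACKETS):
        print("possible SYN scan: %s -> %s, %d half-open ports" % (src, dst, n))
```

The threshold is what separates a scan from the single retransmitted SYN of a flaky client; the same counter, applied to one port instead of many, is how a SYN flood shows up.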

TCP FIN / Xmas / Null scan

These methods dispense with connection setup and instead examine how the target behaves when it receives packets that belong to no existing connection. If a port is open, such packets should be ignored, because they do not belong to an established connection. If the port is closed, a reset packet should be sent.

Which flags are set depends on the scan type.

TCP idle scan

This scan is carried out via an intermediary, called a zombie. The idle scan is currently the only known scanning method in which the scanned host cannot draw any conclusions about the scanning host, because it only ever sees packets from the zombie.

Zombie host

To be suitable as a zombie host for the idle scan, a system must meet certain conditions:

The predictability of the IPID stems on the one hand from the fact that most operating systems use a single system-wide IPID counter that is increased by a fixed value each time the system sends a packet it generated itself. The increment differs between operating systems and is typically 1, 4 or 8. On the other hand, it is important for predictability that the zombie ideally generates no IPID-changing packets of its own while the system is otherwise idle, hence the term idle scan.

Surprisingly, routers make quite good zombies, since they usually only forward packets (which does not change their IPID) but do not themselves take part in network traffic.

Procedure

For the actual scan, the port scanner needs the zombie's current IPID. To obtain it, for example, a TCP connection request (SYN) is simply sent to the zombie. The zombie responds with SYN|ACK or RST; the response packet contains its current IPID (2).

For the actual port scan, the attacker sends a spoofed SYN packet to the target (3), using the zombie's IP address as the source address instead of their own. If the port is open, the target sends a SYN|ACK packet to the zombie (4a). Since the zombie has not opened a connection, it sends a RST packet to the target (4a). Assuming the zombie always increments its IPID by one, this reset is sent with an IPID one higher than before. If the port is closed, the target sends a RST packet to the zombie (4b), which the zombie simply ignores. The attacker now queries the zombie's current IPID in the same way as at the start (5). If the IPID has increased by 2 (one packet to the target, one to the attacker), the port is open. If it has increased by only 1 (only the one packet to the attacker), the port is closed (6).
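To make the IPID reasoning of steps (2) to (6) easy to follow, here is an added simulation (not code from the original article, and it sends no packets): three small Python objects play attacker, zombie and target, the zombie's IPID step is first measured rather than assumed to be 1, and the case of a zombie that is not actually idle is shown to give an unusable result. The object names, the starting IPID and the "unrelated traffic" hook are assumptions made for the example; the zombie's behaviour is exactly what the text describes.

```python
"""Added example: simulation of the idle scan's IPID inference.

Models the exchange above: the zombie raises a system-wide IPID counter by a
fixed step for every packet it sends itself, answers an unexpected SYN|ACK with
a RST and ignores an unsolicited RST; the target answers a SYN with SYN|ACK on
an open port and RST on a closed one.
"""


class Zombie:
    """Idle host with a predictable, system-wide IPID counter."""

    def __init__(self, ipid=1000, step=1):
        self.ipid = ipid          # constructed starting value
        self.step = step          # 1, 4 or 8 on typical systems

    def _send(self, flags, to):
        self.ipid += self.step    # every self-generated packet bumps the IPID
        return {"from": "zombie", "to": to, "flags": flags, "ipid": self.ipid}

    def receive(self, pkt):
        if pkt["flags"] == "SYN":         # attacker's probe (2) and (5)
            return self._send("RST", pkt["from"])
        if pkt["flags"] == "SYN|ACK":     # unexpected reply from the target (4a)
            return self._send("RST", pkt["from"])
        return None                       # unsolicited RST is ignored (4b)

    def send_unrelated(self, n):
        """Model a zombie that is not idle and talks to someone else."""
        for _ in range(n):
            self._send("ACK", "someone-else")


class Target:
    """The scanned host: SYN|ACK on an open port, RST on a closed one."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive(self, pkt):
        flags = "SYN|ACK" if pkt["dport"] in self.open_ports else "RST"
        return {"from": "target", "to": pkt["from"], "flags": flags}


def probe_ipid(zombie):
    """Steps (2)/(5): send a SYN to the zombie and read the IPID it replies with."""
    return zombie.receive({"from": "attacker", "flags": "SYN"})["ipid"]


def learn_step(zombie):
    """Measure the zombie's IPID increment from two consecutive probes."""
    first = probe_ipid(zombie)
    second = probe_ipid(zombie)
    return second - first


def idle_scan(zombie, target, port, background=None):
    """Return "open", "closed" or "unknown" for one port via the zombie."""
    step = learn_step(zombie)
    before = probe_ipid(zombie)                                   # (2)
    # (3): the SYN to the target carries the zombie's address as source
    reply = target.receive({"from": "zombie", "flags": "SYN", "dport": port})
    zombie.receive(reply)                                         # (4a) or (4b)
    if background is not None:
        background(zombie)          # unrelated traffic from a non-idle zombie
    after = probe_ipid(zombie)                                    # (5)
    packets_sent = (after - before) // step                       # (6)
    if packets_sent == 2:
        return "open"               # RST to target + reply to attacker
    if packets_sent == 1:
        return "closed"             # only the reply to the attacker
    return "unknown"                # zombie was not idle; result unusable


def run_scenarios():
    """Open port, closed port, and a busy zombie, each with a fresh zombie."""
    target = Target(open_ports={80})
    return {
        "open": idle_scan(Zombie(step=4), target, 80),
        "closed": idle_scan(Zombie(step=4), target, 81),
        "busy_zombie": idle_scan(Zombie(step=4), target, 80,
                                 background=lambda z: z.send_unrelated(3)),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Measuring the step instead of assuming 1 is what makes the inference work on systems that count in 4s or 8s; the "busy zombie" case shows why the idle condition matters, since any packet the zombie sends on its own is indistinguishable from the RST that signals an open port.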

UDP scan

A direct scan of UDP ports is not possible, because the protocol is connectionless; a scan is nevertheless possible by an indirect route. To this end, an empty UDP packet is sent to the port in question. If a UDP packet comes back, the port is open. If there is no response, the port is either open or filtered. If an ICMP "Port Unreachable" error message is received, the port is closed. On most systems the rate of ICMP error messages is throttled to prevent denial-of-service attacks, so UDP scans are usually time-consuming.

FTP bounce scan

In an FTP bounce scan the attacker needs an FTP server that allows the PORT command. Using the PORT command, the attacker can pass the IP address of the victim and the port to be tested. If the FTP server succeeds in establishing a connection with the given data, a service is running on that port, and the server reports this to the attacker. This FTP feature was originally intended to make it easy to copy files between servers. The attacker remains invisible to the victim, because no direct connection between victim and attacker ever has to be established.

Additional functions

The additional features mentioned above, such as OS fingerprinting (detecting the operating system of the remote host) and service detection, for which the port scanner nmap, for example, is known, are strictly speaking no longer port scans, and their use can be problematic, not least because a risk of crashing the target cannot be entirely excluded.

Legal Aspects

The legality of port scans is controversial, since they can be regarded as the first step of an intrusion attempt. Use on one's own systems is legal in any case. The legal situation of port scans against third-party systems and networks is unclear. For example, since sensitive computers can be disrupted by large numbers of connection requests, this can be seen as an attack on the availability of a system and, in Germany, can be punished under § 303b of the Criminal Code (computer sabotage). The SANS Institute also confirmed this ambivalence of port scans in a publication.

Port scanners are, however, currently not regarded as computer programs for spying on data within the meaning of § 202c (the "hacker paragraph"), because they neither circumvent security mechanisms nor intercept data.

Simple implementation of a port scanner

The following command searches for open TCP ports on a Unix-like system using the program netcat.

$ nc -vz $zu_scannender_host 1-65535

Known port scanners

  • Nmap (Unix/Windows)
  • Scanmetender (Windows and GNU/Linux)
  • Blue's Port Scanner (Windows)
  • SuperScan (Windows)
  • Unicornscan (Unix)
  • ZMap (Unix)
  • Scanrand (Unix) by Dan Kaminsky