Around The Globe ATG.WORLD

Visit our sister website :

http://www.atg.world/

This is a social network for enthusiasts just like us. No Junk! Only meaningful conversations with the people who share the same enthusiasm as us.

Monday, June 29, 2009

HALF-OPEN SCANNING

The term 'half-open' refers to the way the client tears down the connection before the three-way handshake is completed. Because no connection is ever fully established, this scan method often goes unlogged by connection-based IDSes, and it returns reliable results (open and closed ports are recognised accurately).

We have seen that a TCP connect() scan is easily logged, because the IDS can detect a complete connection being initiated from outside and established. One way attackers began evading this detection while still meeting their objective was the half-open scan. In a half-open scan, a complete TCP connection is never established. Instead, as soon as the server answers with a SYN/ACK, the client tears the connection down by sending a RST (reset) segment. The SYN/ACK response tells the attacker that the port is open and a service is listening, and because the RST is sent from the kernel level rather than through a full connect() system call, the connection never completes.

HALF-OPEN SCAN is of two types:

TCP Ports

  • A port is a number between 1 and 65,535; port number references are usually specific to an application.
  • The network stack uses ports, which are simply numbers, to decide which application a received data packet belongs to.
  • A list of well-known, registered, and dynamic port numbers is maintained by the Internet Assigned Numbers Authority (IANA) at http://www.iana.org/assignments/port-numbers

Reverse - Ident

UNIX offers a service called ident (or auth) which identifies the user of a TCP connection. In the intended operation of this feature, when a user connects to a server, the server sends a request back to the ident service on the client to discover the user's identity.

However, it can also be used in reverse. If the server itself has the ident service turned on, a user who connects to the server can query the identity of the service he is connecting to.

This helps discover possible accounts that can be broken into.
  • The technique involves issuing a request to the ident/auth daemon, usually on port 113, to query the owner of the process running the service.
  • Finds daemons running as root.
  • The intruder looks for a vulnerable overflow and instigates other suspicious activities involving this port.
  • identd could release miscellaneous private information such as:
    * user info
    * entities
    * objects
    * processes
ADVANTAGES: fast, requires no additional privileges, returns vital service information.
DISADVANTAGES: easily detectable.
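To make the "private information" concrete, here is an added Python parser for identd replies (example code written for this page, not the blog's own and not part of any identd). It follows the RFC 1413 reply format, which is either "server-port , client-port : USERID : opsys[,charset] : user-id" or "server-port , client-port : ERROR : error-type". The sample replies, port numbers and user names below are constructed, not captured from a real host. The audit function is written from the host owner's side: it reports which ports disclose a process owner, which of those map to a privileged account, and which the daemon declined to describe (HIDDEN-USER is the RFC 1413 way of refusing to name the user), so an administrator can see what his own identd gives away.

```python
import re

# RFC 1413 reply format:
#   <server-port> , <client-port> : USERID : <opsys>[ , <charset>] : <user-id>
#   <server-port> , <client-port> : ERROR : <error-type>
REPLY_RE = re.compile(
    r"^\s*(?P<server_port>\d+)\s*,\s*(?P<client_port>\d+)\s*:\s*"
    r"(?P<kind>USERID|ERROR)\s*:\s*(?P<rest>.*?)\s*$"
)

# Constructed sample replies (not captured from a real host), as an identd on
# port 113 might answer four queries about connections to ports 22, 80, 25, 9999.
SAMPLE_REPLIES = [
    "22, 40001 : USERID : UNIX : root",
    "80, 40002 : USERID : UNIX : www-data",
    "25, 40003 : ERROR : HIDDEN-USER",
    "9999, 40004 : ERROR : NO-USER",
    "garbage that is not an ident reply",
]


def parse_ident_reply(line):
    """Parse one reply line into a dict; unparseable input is tagged MALFORMED."""
    m = REPLY_RE.match(line)
    if not m:
        return {"kind": "MALFORMED", "raw": line}
    reply = {
        "server_port": int(m["server_port"]),
        "client_port": int(m["client_port"]),
        "kind": m["kind"],
    }
    if m["kind"] == "ERROR":
        reply["error"] = m["rest"]
        return reply
    # USERID branch: the operating-system field may carry ",charset";
    # everything after the next ':' is the user id.
    opsys_field, _, user = m["rest"].partition(":")
    opsys, _, charset = opsys_field.partition(",")
    reply.update(opsys=opsys.strip(), charset=charset.strip() or "US-ASCII",
                 user=user.strip())
    return reply


def audit_identd_replies(lines, privileged=("root",)):
    """Summarise what a set of identd replies gives away about the host.

    Returns the ports whose process owner was disclosed, the subset owned by a
    privileged account, and the ports the daemon refused to describe.
    """
    disclosed, privileged_ports, withheld = {}, [], []
    for line in lines:
        r = parse_ident_reply(line)
        if r["kind"] == "USERID":
            disclosed[r["server_port"]] = r["user"]
            if r["user"] in privileged:
                privileged_ports.append(r["server_port"])
        elif r["kind"] == "ERROR" and r["error"] == "HIDDEN-USER":
            withheld.append(r["server_port"])
    return {"disclosed": disclosed, "privileged": privileged_ports,
            "withheld": withheld}


if __name__ == "__main__":
    print(audit_identd_replies(SAMPLE_REPLIES))
```

On the constructed sample the audit reports ports 22 and 80 as disclosing their owner, port 22 as running under a privileged account, and port 25 as withheld; that last case is what an identd configured to hide user names (or one that is simply not running) looks like to the outside.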

TCP Connect Scan

The TCP connect() scan is named after the connect() call that the operating system uses to initiate a TCP connection to a remote device. This scan method uses the same TCP handshake that every other TCP-based application on the network uses. An active (open) port replies with a SYN|ACK, confirming that it is open, whereas a closed port replies with a RST, confirming that it is closed.

Fig. TCP connection with an open port

Fig. TCP connection with a closed port

Advantages of the TCP connect() Scan
  • No special privileges are required to run the TCP connect() scan.
  • Accurate results.
  • Nmap uses the operating system's normal method of connecting to remote devices via TCP, then tears the connection down with a RST packet.
Disadvantages of the TCP connect() Scan
  • Since the TCP connect() scan is completing a TCP connection, normal application processes immediately follow. These applications are immediately met with a RST packet, but the application has already provided the appropriate login screen or introductory page. By the time the RST is received, the application initiation process is already well underway and additional system resources are used.
  • Easy to detect and filter by IDS and Firewall.
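To see why an IDS logs one scan and not the other, here is an added Python detector (example code written for this page, not the blog's own and not Nmap's) that replays a constructed packet log. The log format, the addresses 10.0.0.5, 10.0.0.7 and 10.0.0.9, and the port numbers are all constructed for the example. Every socket pair is classified by how far the handshake got: a full connect() completes the third frame, a half-open probe answers the SYN/ACK with RST, and a closed port answers the SYN with RST. A source that touches several ports without ever establishing a connection is then reported as a likely SYN scanner; this is the pattern a stateful IDS can still match even though no application ever saw a connection.

```python
import re
from collections import defaultdict

# Constructed sample packet log (not a real capture): "ts src:sport > dst:dport flags"
# S = SYN, SA = SYN/ACK, A = ACK, R = RST, F = FIN
SAMPLE_LOG = """\
0.001 10.0.0.5:40001 > 10.0.0.9:22 S
0.002 10.0.0.9:22 > 10.0.0.5:40001 SA
0.003 10.0.0.5:40001 > 10.0.0.9:22 R
0.004 10.0.0.5:40002 > 10.0.0.9:80 S
0.005 10.0.0.9:80 > 10.0.0.5:40002 SA
0.006 10.0.0.5:40002 > 10.0.0.9:80 R
0.007 10.0.0.5:40003 > 10.0.0.9:23 S
0.008 10.0.0.9:23 > 10.0.0.5:40003 R
0.010 10.0.0.7:51000 > 10.0.0.9:80 S
0.011 10.0.0.9:80 > 10.0.0.7:51000 SA
0.012 10.0.0.7:51000 > 10.0.0.9:80 A
0.020 10.0.0.7:51000 > 10.0.0.9:80 F
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[SAFRP]+)$"
)


def parse_packets(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def group_flows(packets):
    """Group packets by socket pair, keeping (sender, receiver, flags) in order."""
    flows = defaultdict(list)
    for p in packets:
        a = (p["src"], int(p["sport"]))
        b = (p["dst"], int(p["dport"]))
        flows[tuple(sorted([a, b]))].append((a, b, p["flags"]))
    return flows


def classify_flow(events):
    """Return (client, server, label) for one flow.

    'closed'     - SYN answered by RST from the server
    'half-open'  - SYN, SYN/ACK, then RST from the client (no third frame)
    'connect'    - SYN, SYN/ACK, ACK: the handshake completed
    'incomplete' - anything else (no SYN seen, or no reply yet)
    """
    syn_idx = next((i for i, (_, _, f) in enumerate(events) if f == "S"), None)
    if syn_idx is None:
        return None, None, "incomplete"
    client, server, _ = events[syn_idx]
    after_syn = events[syn_idx + 1:]
    if after_syn:
        who, _, flags = after_syn[0]
        if who == server and flags == "R":
            return client, server, "closed"
        if who == server and flags == "SA" and len(after_syn) > 1:
            who2, _, flags2 = after_syn[1]
            if who2 == client and flags2 == "A":
                return client, server, "connect"
            if who2 == client and flags2 == "R":
                return client, server, "half-open"
    return client, server, "incomplete"


def summarize_by_source(log):
    """Per client host: count of each flow label and the set of ports it touched."""
    summary = defaultdict(lambda: {"connect": 0, "half-open": 0, "closed": 0,
                                   "incomplete": 0, "ports": set()})
    for events in group_flows(parse_packets(log)).values():
        client, server, label = classify_flow(events)
        if client is None:
            continue
        entry = summary[client[0]]
        entry[label] += 1
        entry["ports"].add(server[1])
    return dict(summary)


def flag_syn_scanners(summary, min_ports=3):
    """Hosts that touched at least min_ports ports without completing a handshake."""
    return sorted(src for src, e in summary.items()
                  if len(e["ports"]) >= min_ports and e["connect"] == 0)


if __name__ == "__main__":
    s = summarize_by_source(SAMPLE_LOG)
    for src, e in s.items():
        print(src, {k: v for k, v in e.items() if k != "ports"}, sorted(e["ports"]))
    print("likely SYN scanners:", flag_syn_scanners(s))
```

The threshold of three ports is a constructed value for the sample; a real sensor would tune it per network and add a time window. Note what the detector needs in order to work: packet-level visibility of SYN, SYN/ACK and RST. An IDS or application log that only records established connections sees the 10.0.0.7 visit and nothing of 10.0.0.5, which is exactly the gap the half-open scan exploits.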

Saturday, June 27, 2009

TCP SCAN TYPES

OPEN SCAN

HALF-OPEN SCAN

STEALTH SCAN

SWEEPS
  • TCP echo
  • UDP echo
  • TCP ACK
  • TCP SYN
  • ICMP Echo
Misc.
  • UDP/ICMP Error
  • FTP Bounce

Wednesday, June 24, 2009

Transmission Control Protocol [TCP]

The Transmission Control Protocol/Internet Protocol (TCP/IP) model describes a set of general design guidelines and implementations of specific networking protocols that enable computers to communicate over a network. TCP/IP provides end-to-end connectivity, specifying how data should be formatted, addressed, transmitted, routed and received at the destination.

TCP is a very needy protocol. When a frame with TCP data is sent across the network to another station, the sending station must receive an acknowledgement that the data was received properly. If the sending station doesn't receive an acknowledgement after a certain time period, the data is resent in the hopes that it will make it through the second time. This process continues until either the data makes it through, or the transmission process times out.

TCP doesn't need to know how to traverse the network because it relies on IP to get the data to the other side. Once the data makes the trip across the network, TCP takes over and uses its port numbers to determine where to drop the package. It's possible that IP could properly route the data across the network and TCP would try to drop the data at the specified port, but the receiving station may not be listening on that port. The TCP data would have nowhere to go and the entire packet would be discarded.


Fig. TRANSMISSION CONTROL PROTOCOL STRUCTURE


THE TCP/IP 3-WAY HANDSHAKE

This handshake is often referred to as the "three-way handshake" because of the three frames that pass back and forth:

The First Frame – The initial synchronize (SYN) frame is sent from the station initiating the conversation to the destination station. The SYN frame includes initial sequence numbers and the port that will be used for the conversation, as well as other initialization parameters.

The Second Frame – The destination station receives the SYN frame. If everything is in agreement, it sends an acknowledgement to the SYN (called an ACK) and its own SYN parameters.

The Third Frame – The original station receives the ACK to its original SYN, as well as the SYN from the destination device. Assuming everything is in order, the source station sends an ACK to the destination station's SYN.
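To make the three frames and their sequence numbers concrete, here is an added Python model of the exchange (example code written for this page, not the blog's own). The initial sequence numbers 1000 and 5000 and the ports 40000 and 80 are constructed values. Besides the normal handshake, the model covers the two cases the scanning posts above describe: a SYN to a closed port answered by RST, and the half-open variant in which the client answers the SYN/ACK with RST instead of the final ACK, so the server never reaches ESTABLISHED.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """The fields of a TCP segment that matter for the handshake."""
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


MOD = 2 ** 32  # sequence numbers are 32-bit and wrap


class Endpoint:
    """One side of the conversation; isn is the initial sequence number."""

    def __init__(self, port, listening, isn):
        self.port = port
        self.listening = listening
        self.state = "LISTEN" if listening else "CLOSED"
        self.snd_nxt = isn       # next sequence number we will send
        self.rcv_nxt = None      # next sequence number we expect from the peer


def first_frame(client, server_port):
    """SYN: carries the client's initial sequence number; the SYN itself uses one."""
    seg = Segment(client.port, server_port, client.snd_nxt, 0, frozenset({"SYN"}))
    client.snd_nxt = (client.snd_nxt + 1) % MOD
    client.state = "SYN_SENT"
    return seg


def second_frame(server, syn):
    """SYN/ACK if something is listening on the port, RST if nothing is."""
    if not server.listening:
        # Nothing bound: RST whose ack covers the SYN being refused.
        return Segment(server.port, syn.src_port, 0, (syn.seq + 1) % MOD,
                       frozenset({"RST", "ACK"}))
    server.rcv_nxt = (syn.seq + 1) % MOD
    reply = Segment(server.port, syn.src_port, server.snd_nxt, server.rcv_nxt,
                    frozenset({"SYN", "ACK"}))
    server.snd_nxt = (server.snd_nxt + 1) % MOD
    server.state = "SYN_RCVD"
    return reply


def third_frame(client, reply, complete=True):
    """ACK finishes the handshake; RST instead tears the half-open attempt down."""
    if "RST" in reply.flags:
        client.state = "CLOSED"          # closed port: nothing more to send
        return None
    if reply.ack != client.snd_nxt:      # the SYN/ACK must acknowledge our SYN
        raise ValueError("SYN/ACK does not acknowledge our SYN")
    client.rcv_nxt = (reply.seq + 1) % MOD
    if complete:
        client.state = "ESTABLISHED"
        return Segment(client.port, reply.src_port, client.snd_nxt, client.rcv_nxt,
                       frozenset({"ACK"}))
    client.state = "CLOSED"
    return Segment(client.port, reply.src_port, client.snd_nxt, 0, frozenset({"RST"}))


def server_receives_third(server, seg):
    """The server either becomes ESTABLISHED or drops the embryonic connection."""
    if seg is None:
        return
    if "RST" in seg.flags:
        server.state = "LISTEN"          # half-open: no connection ever existed
    elif "ACK" in seg.flags and seg.ack == server.snd_nxt:
        server.state = "ESTABLISHED"


def handshake(port_open, complete=True, client_isn=1000, server_isn=5000):
    """Run the exchange and return (client state, server state, frames sent)."""
    client = Endpoint(40000, False, client_isn)      # constructed ephemeral port
    server = Endpoint(80, port_open, server_isn)     # constructed service port
    frames = [first_frame(client, server.port)]
    frames.append(second_frame(server, frames[0]))
    third = third_frame(client, frames[1], complete)
    if third is not None:
        frames.append(third)
    server_receives_third(server, third)
    return client.state, server.state, frames


if __name__ == "__main__":
    for label, args in [("open port, full connect", (True, True)),
                        ("open port, half-open", (True, False)),
                        ("closed port", (False,))]:
        cs, ss, frames = handshake(*args)
        print(f"{label}: client={cs} server={ss}")
        for f in frames:
            print(f"   {f.src_port}->{f.dst_port} {'/'.join(sorted(f.flags))} "
                  f"seq={f.seq} ack={f.ack}")
```

Running it shows the acknowledgement arithmetic the three paragraphs describe: the SYN/ACK acknowledges 1001 (the client's ISN plus one, because the SYN consumes a sequence number) and the final ACK acknowledges 5001 for the same reason. In the half-open run the third frame is a RST and the server goes straight back to LISTEN, which is why nothing above the transport layer ever sees the probe.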

Tuesday, June 23, 2009

War Dialers

  • A war dialer is a tool used to scan a large pool of telephone numbers to detect vulnerable modems that could provide access to a system.
  • A demon dialer is a tool used to monitor a specific phone number and target its modem to gain access to the system.
  • The threat is high in systems with poorly configured remote access products that provide entry to larger networks.
  • Tools include THC-Scan, ToneLoc, TBA, etc.

Detecting LIVE Systems

Detecting 'Live' Systems On Target Network

  • Objective is to look for Live Hosts on the target network so that services and vulnerabilities may be enumerated later
  • To determine the perimeter of the target network /system
  • To facilitate network mapping
  • To build an inventory of accessible systems on target network
  • Can be intrusive and may be detected by IDS

Tools

SCANNING

Network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment.

Scanning is done with the purpose of:

Tools used: Nmap, AngryIPScan

Ethical Hacking

Problem Definition - Why Security?
  • Easy-to-use technology helps normal users to perform cracking.
  • Increasing complexity of computer infrastructure administration and management.
  • Decreasing skill level needed for exploits.
  • Direct impact of a security breach on the corporate asset base and goodwill.
  • Increasingly networked environments and network-based applications.

Can Hacking Be Ethical?

  • 'hacker' -- a person who enjoys learning the details of computer systems and stretching their capabilities.
  • 'hacking' -- rapid development of new programs, or the reverse engineering of existing software to make the code better and more efficient.
  • 'cracker' -- a person who uses his hacking skills for offensive and malicious purposes.
  • 'ethical hacker' -- a security professional who utilises his hacking skills for defensive purposes.
HACK (b)LOG - swizardb.blogspot.com
This blog aims to provide you with detailed endless hacking study material and is intended for learning ethical hacking for a hacker of any skill level. Please visit the posts, and leave comments.