Around The Globe ATG.WORLD

Visit our sister website :

http://www.atg.world/

This is a social network for enthusiasts just like us. No Junk! Only meaningful conversations with the people who share the same enthusiasm as us.

Monday, June 29, 2009

HALF-OPEN SCANNING

The term 'half-open' refers to the way the client tears down the connection before the three-way handshake is completed. Because no connection is ever established, this scan method often goes unlogged by connection-based IDSes, and it still gives fairly reliable results when it comes to telling open ports from closed ones.

We have seen that a TCP connect() scan is easily logged, since the IDS can detect a complete connection being initiated from outside and established. One way hackers began evading this detection while still meeting their objective was the half-open scan. In a half-open scan, a complete TCP connection is never established. Instead, as soon as the server answers with a SYN/ACK, the client tears the connection down by sending a RST (reset). This way the attacker learns from the SYN/ACK that the port is open and a service is listening, while never completing a full connect() system call: the RST is sent by the kernel, which has no socket for the half-open connection.
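The detection gap described above, as an added example that is not part of the original post: a connection-based logger that records only completed handshakes never sees the probing host, whereas tracking per-flow TCP state from raw flags does. The packet records are constructed sample data; addresses, ports and the `threshold` parameter are assumptions.

```python
# Added example (not from the original post): flow-state tracking that catches
# the half-open SYN -> SYN/ACK -> RST pattern.  Packet records are constructed
# sample data: (src, dst, sport, dport, flags), tcpdump-style flag letters.
from collections import defaultdict

SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 40001, 22, "S"),
    ("10.0.0.9", "10.0.0.5", 22, 40001, "SA"),
    ("10.0.0.5", "10.0.0.9", 40001, 22, "R"),     # torn down: half-open probe
    ("10.0.0.5", "10.0.0.9", 40002, 80, "S"),
    ("10.0.0.9", "10.0.0.5", 80, 40002, "SA"),
    ("10.0.0.5", "10.0.0.9", 40002, 80, "R"),     # torn down: half-open probe
    ("10.0.0.5", "10.0.0.9", 40003, 113, "S"),
    ("10.0.0.9", "10.0.0.5", 113, 40003, "RA"),   # closed port: RST/ACK reply
    ("10.0.0.7", "10.0.0.9", 50000, 80, "S"),
    ("10.0.0.9", "10.0.0.7", 80, 50000, "SA"),
    ("10.0.0.7", "10.0.0.9", 50000, 80, "A"),     # legitimate full handshake
]


def track_flows(packets):
    """Replay packets and return {(client, server, sport, dport): state}.
    States: syn_sent, syn_acked, closed, established, half_open."""
    flows = {}
    for src, dst, sport, dport, flags in packets:
        fwd = (src, dst, sport, dport)   # packet sent by the initiator
        rev = (dst, src, dport, sport)   # packet sent by the responder
        if flags == "S":
            flows[fwd] = "syn_sent"
        elif flows.get(rev) == "syn_sent":
            # Responder either offers SYN/ACK (open) or refuses with RST/ACK.
            flows[rev] = "syn_acked" if flags == "SA" else "closed"
        elif flows.get(fwd) == "syn_acked":
            # Initiator either finishes the handshake or resets it: the
            # reset after SYN/ACK is exactly the half-open scan signature.
            flows[fwd] = "established" if flags == "A" else "half_open"
    return flows


def established_sources(packets):
    """What a connection-based logger records: only completed handshakes."""
    return sorted({k[0] for k, s in track_flows(packets).items() if s == "established"})


def half_open_sources(packets, threshold=2):
    """Sources with at least `threshold` flows reset right after SYN/ACK."""
    counts = defaultdict(int)
    for (src, _, _, _), state in track_flows(packets).items():
        if state == "half_open":
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

On the sample data the connection-based view reports only the legitimate client, while the flow tracker flags the probing host that reset two SYN/ACKs.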

HALF-OPEN SCAN is of two types:

TCP Ports

  • A port is a number between 1 and 65,535, and a given port number is usually associated with a specific application.
  • A network uses ports, which are simply numbers, to determine which application receives a given data packet.
  • A list of well-known, registered, and dynamic port numbers is maintained by the Internet Assigned Numbers Authority (IANA) at http://www.iana.org/assignments/port-numbers

Reverse Ident

UNIX offers a service called ident or auth which will identify the user of a TCP connection. In the intended operation of this feature, when a user connects to a server, the server sends back a request to the ident service to discover the user's identity.

However, it can also be used in reverse. If the server itself has the ident service turned on, then when a user connects to the server, the user can query the identity of the service being connected to.

This helps discover possible accounts that can be broken into.

  • The technique involves sending a request to the ident/auth daemon, usually on port 113, to query it for the owner of the running process.
  • It finds daemons running as root.
  • An intruder who finds a vulnerable overflow can then instigate other suspicious activity involving this port.
  • identd could release miscellaneous private information such as:
    * user info
    * entities
    * objects
    * processes

ADVANTAGES: fast, requires no additional privileges, returns vital service information.
DISADVANTAGES: easily detectable.