In-Depth
Protocols and Types of Scans
A few things you should think about when evaluating vendors for network scanners.
- By Greg Saoutine
- 09/01/2001
One notable aspect of network scanners is their protocol dependence.
Most scanners out there are TCP/IP-savvy. While it's true that TCP/IP
is routed over the Internet, if you have a VPN or other "tunnel" connection
to your network, you should ideally test all protocols enabled on the
machines you're trying to secure. Unfortunately, few scanners provide
capabilities for scanning networks with IPX, AppleTalk or other protocols
enabled. When evaluating vendors for network scanners, be sure to ask
about supported protocols—but don't be surprised if there are very few
on the list.
There are several different types of TCP or UDP port scans. These scans
can be used for various reasons, such as discovering open ports on a host
behind a firewall (if the firewall's stateful inspection features aren't
strong enough), gathering more information about the firewall itself,
or preventing the scanned computer from noticing the scan. Some of the
more popular types of TCP scans are TCP connect, SYN, FIN, Xmas Tree,
and NULL. These different types of scans depend on manipulating the properties
of the TCP/IP packet. A detailed description of TCP/IP packet parameters
is beyond the scope of this article, but you can find more detailed technical
information at www.insecure.org.
TCP connect scanning is the most basic form of scanning. The connect
system call provided by the OS is used to open a connection to all interesting
ports on the target. If the port's open, connection will succeed. Otherwise,
the scanner knows the port's closed. This sort of scan is easily detectable,
since the target will be able to log established connections.
TCP SYN scanning is referred to as "half-open" scanning, because the
scanner doesn't establish a full TCP connection. The scanner sends a SYN
packet, as if trying to open a real connection. A returned SYN|ACK packet
indicates the port's listening. A RST packet means the port is closed.
However, if a SYN|ACK is received, a RST is immediately sent back to prevent
the host from opening a connection.
Stealth FIN, Xmas Tree or NULL scans can sometimes be more efficient
than a SYN scan in passing through the firewalls and packet filters watching
for unauthorized SYN requests. Closed ports are required to reply to your
probe packet with an RST, while open ports must ignore the packets in
question, allowing the scanner to establish which ports are open.
A UDP scan discovers which UDP ports are open on the target. The scanner
usually sends 0 byte UDP packets to each port on the target host. If the
scanner receives an "ICMP port unreachable" message, then the port is
closed. Otherwise, the port must be open.
ACK scanning is an advanced method usually used to map out firewall rule
sets. It can also help determine whether a firewall is stateful or just
a simple packet filter that blocks incoming SYN packets.
About the Author
Greg Saoutine, MCSE, is an IT Consultant working in New York City.