In-Depth

Protocols and Types of Scans

A few things you should think about when evaluating vendors for network scanners.

One notable aspect of network scanners is their protocol dependence. Most scanners out there are TCP/IP-savvy. While it's true that TCP/IP is routed over the Internet, if you have a VPN or other "tunnel" connection to your network, you should ideally test all protocols enabled on the machines you're trying to secure. Unfortunately, few scanners provide capabilities for scanning networks with IPX, AppleTalk or other protocols enabled. When evaluating vendors for network scanners, be sure to ask about supported protocols—but don't be surprised if there are very few on the list.

There are several different types of TCP or UDP port scans. These scans can be used for various reasons, such as discovering open ports on a host behind a firewall (if the firewall's stateful inspection features aren't strong enough), gathering more information about the firewall itself, or preventing the scanned computer from noticing the scan. Some of the more popular types of TCP scans are TCP connect, SYN, FIN, Xmas Tree, and NULL. These different types of scans depend on manipulating the properties of the TCP/IP packet. A detailed description of TCP/IP packet parameters is beyond the scope of this article, but you can find more detailed technical information at www.insecure.org.

TCP connect scanning is the most basic form of scanning. The connect system call provided by the OS is used to open a connection to all interesting ports on the target. If the port's open, the connection will succeed. Otherwise, the scanner knows the port's closed. This sort of scan is easily detectable, since the target will be able to log established connections.

TCP SYN scanning is referred to as "half-open" scanning, because the scanner doesn't establish a full TCP connection. The scanner sends a SYN packet, as if trying to open a real connection. A returned SYN|ACK packet indicates the port's listening. A RST packet means the port is closed. However, if a SYN|ACK is received, an RST is immediately sent back to prevent the host from opening a connection.

Stealth FIN, Xmas Tree or NULL scans can sometimes be more efficient than a SYN scan in passing through the firewalls and packet filters watching for unauthorized SYN requests. Closed ports are required to reply to your probe packet with an RST, while open ports must ignore the packets in question, allowing the scanner to establish which ports are open.

A UDP scan discovers which UDP ports are open on the target. The scanner usually sends 0-byte UDP packets to each port on the target host. If the scanner receives an "ICMP port unreachable" message, then the port is closed. Otherwise, the port must be open.

ACK scanning is an advanced method usually used to map out firewall rule sets. It can also help determine whether a firewall is stateful or just a simple packet filter that blocks incoming SYN packets.
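The flag patterns described above are also what a defender looks for when telling scan types apart in inbound traffic. The following is an added example, not code from the article: it classifies the inbound TCP flag sequence one source sent to one port (NULL, Xmas Tree, FIN, ACK, half-open SYN, or a completed connect handshake) and raises an alert for any source that probes at least `min_ports` distinct ports the same way. The packet records, addresses and the threshold are constructed for illustration.

```python
from collections import defaultdict

# TCP header flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_flow(flag_seq):
    """Name the scan type from the inbound flags one source sent to one port, in order.

    A connect scan completes the handshake (SYN, then ACK); a SYN scan answers the
    SYN|ACK with RST or never follows up, so no connection is ever established.
    """
    first = flag_seq[0]
    if first == 0:
        return "NULL"
    if first == FIN | PSH | URG:
        return "Xmas"
    if first == FIN:
        return "FIN"
    if first == ACK:
        return "ACK"
    if first == SYN:
        rest = flag_seq[1:]
        if any(f & ACK and not f & RST for f in rest):
            return "connect"
        return "SYN"          # half-open: SYN followed by RST, or by nothing
    return "other"

def detect_scans(packets, min_ports=5):
    """Return {src: {scan_type: [ports]}} for sources probing >= min_ports ports one way."""
    flows = defaultdict(list)                 # (src, dport) -> inbound flag sequence
    for src, dport, flags in packets:
        flows[(src, dport)].append(flags)
    by_src = defaultdict(lambda: defaultdict(set))
    for (src, dport), seq in flows.items():
        by_src[src][classify_flow(seq)].add(dport)
    alerts = {}
    for src, kinds in by_src.items():
        hits = {k: sorted(p) for k, p in kinds.items() if k != "other" and len(p) >= min_ports}
        if hits:
            alerts[src] = hits
    return alerts

# Constructed sample records (not real traffic): (source address, destination port, inbound TCP flags)
SAMPLE = (
    [("198.51.100.7", p, 0) for p in range(20, 30)]                              # NULL scan
    + [("203.0.113.9", p, FIN | PSH | URG) for p in (21, 22, 23, 25, 80, 443)]  # Xmas Tree scan
    + [pkt for p in (22, 25, 80, 110, 143) for pkt in (("203.0.113.4", p, SYN), ("203.0.113.4", p, RST))]  # SYN scan
    + [("192.0.2.5", 443, SYN), ("192.0.2.5", 443, ACK), ("192.0.2.5", 443, ACK | PSH)]  # ordinary connection
)
```

Running `detect_scans(SAMPLE)` reports the three scanning sources and their probed ports, while the single completed connection from the fourth source falls under the threshold and is not flagged.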

About the Author

Greg Saoutine, MCSE, is an IT Consultant working in New York City.
