Er Amit Tripathi
Subject: TCP Flag Types (Scanning and FootPrinting), posted 2/10/2008, 2:34 am

Quote:
Flag  Purpose
SYN   Synchronize and Initial Sequence Number (ISN)
ACK   Acknowledgement of packets received
FIN   Final data flag used during the 4-step shutdown of a session
RST   Reset bit used to close an abnormal connection
PSH   Push data bit used to signal that data in the packet should be pushed to the beginning of the queue. Usually indicates an urgent message.
URG   Urgent data bit used to signify that urgent control characters are present in this packet that should have priority.

At the conclusion of communication, TCP terminates the session by using a 4-step shutdown. Those four steps proceed as follows:

1. The client sends the server a packet with the FIN/ACK flags set.
2. The server sends a packet with the ACK flag set to acknowledge the client's packet.
3. The server then generates another packet with the FIN/ACK flags set to inform the client that it also is ready to conclude the session.
4. The client sends the server a packet with the ACK flag set to conclude the session.

The TCP system of communication makes for robust communication but also allows a hacker many ways to craft packets in an attempt to coax a server to respond or to try and avoid detection by an intrusion detection system (IDS). Many of these methods are built into Nmap and other port scanning tools, but before taking a look at those tools, some of the more popular port scanning techniques are listed here:

- TCP Connect scan: This type of scan is the most reliable, although it is also the most detectable. It is easily logged and detected because a full connection is established. Open ports reply with a SYN/ACK, whereas closed ports respond with an RST/ACK.
- TCP SYN scan: This type of scan is known as half open because a full TCP three-way connection is not established. This type of scan was originally developed to be stealthy and evade IDS systems, although most now detect it. Open ports reply with a SYN/ACK, whereas closed ports respond with an RST/ACK.
- TCP FIN scan: Forget trying to set up a connection; this technique jumps straight to the shutdown. This type of scan sends a FIN packet to the target port. Closed ports should send back an RST. This technique is usually effective only on UNIX devices.
- TCP NULL scan: Sure, there should be some type of flag in the packet, but a NULL scan sends a packet with no flags set. If the OS has implemented TCP per RFC 793, closed ports will return an RST.
- TCP ACK scan: This scan attempts to determine access control list (ACL) rule sets or identify if stateless inspection is being used. If an ICMP destination unreachable, communication administratively prohibited message is returned, the port is considered to be filtered.
- TCP XMAS scan: Sorry, there are no Christmas presents here, just a port scan that has toggled on the FIN, URG, and PSH flags. Closed ports should return an RST.

Now let's look at UDP scans. UDP is unlike TCP. Although TCP is built on robust connections, UDP is based on speed. With TCP, the hacker has the ability to manipulate flags in an attempt to generate a TCP response or an error message from ICMP. UDP does not have flags, nor does UDP issue responses. It's a fire and forget protocol! The most you can hope for is a response from ICMP. If the port is closed, ICMP will attempt to send an ICMP type 3 code 3 port unreachable message to the source of the UDP scan. But, if the network is blocking ICMP, no error message will be returned. Therefore, the response to the scans might simply be no response. If you are planning on doing UDP scans, plan for unreliable results.
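A defender-side illustration of the flag combinations in the quoted text, added here and not part of the original post or the book it quotes: it decodes the TCP flag byte, labels an unsolicited inbound probe as the NULL, XMAS, FIN, SYN or ACK pattern described above, and groups probed ports per source the way an IDS rule would. The packet sample is constructed, and the SYN threshold is an assumed tuning value.

```python
from collections import defaultdict

# TCP flag bits in the flags byte of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

def flag_names(flags):
    """Render the set bits, e.g. 0x12 -> 'SYN/ACK'; no bits -> 'NULL'."""
    return "/".join(n for bit, n in NAMES.items() if flags & bit) or "NULL"

def classify_probe(flags):
    """Map an unsolicited inbound packet's flag byte to the matching scan type."""
    flags &= 0x3F                 # ignore the ECE/CWR bits; only these six matter here
    if flags == 0:
        return "NULL"
    if flags == FIN | URG | PSH:
        return "XMAS"
    if flags == FIN:
        return "FIN"
    if flags == SYN:
        return "SYN"              # also how every normal connection begins
    if flags == ACK:
        return "ACK"
    return "other"

# Constructed sample of (source, destination port, flags) for packets that
# belong to no established session, as a stateful sensor would present them.
SAMPLE = [
    ("203.0.113.5", 22, 0x00), ("203.0.113.5", 80, 0x00),   # NULL probes
    ("203.0.113.5", 443, 0x29),                             # FIN/PSH/URG set
    ("198.51.100.7", 25, 0x02),                             # a single SYN
    ("198.51.100.7", 110, 0x01),                            # FIN probe
    ("192.0.2.9", 8080, 0x10),                              # lone ACK
]

def detect_scans(packets, syn_threshold=10):
    """Group probed ports by (source, scan type). NULL, XMAS, FIN and
    session-less ACK probes are reported on sight; bare SYNs only once a
    source has touched syn_threshold ports, since one SYN is just a connect."""
    seen = defaultdict(set)
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind != "other":
            seen[(src, kind)].add(dport)
    return {key: sorted(ports) for key, ports in seen.items()
            if key[1] != "SYN" or len(ports) >= syn_threshold}

if __name__ == "__main__":
    for (src, kind), ports in sorted(detect_scans(SAMPLE).items()):
        print(f"{src}: {kind} probes against ports {ports}")
```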