Python implements port scanning.
I. Principles of common port scanning

0. Stealth scanning

Stealth scanning is a scanning technique designed not to be detected by auditing tools.

It is usually used to hide the scanner when passing through an ordinary firewall or router.

Stealth scanning can get past IDS, firewalls, packet filters and log auditing and still learn whether the target port is open or closed. Because it does not include any part of the TCP three-way handshake, it is not logged, which makes it more covert than half-open scanning.

The disadvantage is that the results are less reliable, and the scanning host has to construct its own IP packets. Existing stealth scans include TCP FIN scanning, TCP ACK scanning, NULL scanning, XMAS scanning and SYN/ACK scanning.

1. connect() scanning

This scan attempts a complete three-way handshake with every TCP port. If the connection is established, the port is open; otherwise it is closed. Accuracy is very high, but it is the easiest to detect by firewalls and IDS, and the target host records a large number of connection requests and error messages in its logs.

Process of a TCP connect port scan when the server and client establish the connection successfully (target port open):

① The client sends SYN;

② The server returns SYN/ACK, indicating that the port is open;

③ The client returns ACK, indicating that the connection is established;

④ The client actively disconnects.

Process of a TCP connect port scan when the server and client cannot establish a connection (target port closed):

① The client sends SYN;

② The server returns RST/ACK, indicating that the port is not open.

Advantages: the implementation is simple, and it places no strict requirement on the operator's privileges (some types of port scanning require the operator to have root privileges); any user on the system may use this call. If you want the banner returned by the target port, this is the only method that obtains it.

Another advantage is speed. Using a separate connect() call for each target port in linear order is slow, but the scan can be accelerated by opening many sockets at the same time.

Disadvantages: it leaves traces in the target host's logs, so it is easily discovered and the packets may be filtered out. The target host's log will show a series of connection and service entries with connection errors, opened and then closed immediately.

2. SYN scanning (half-open scanning)

The scanner sends a SYN packet requesting a connection to a port of the target host. After receiving SYN/ACK, the scanner replies with an RST packet instead of an ACK to tear the connection down. The three-way handshake is never completed and no normal TCP connection is established, so the scan is not recorded in the system log. This technique generally leaves no trace on the target host, but it requires root privileges.

Port open: (1) the client sends SYN; (2) the server sends SYN/ACK; (3) the client sends RST to disconnect (only the first two steps are needed to judge whether the port is open).

Port closed: (1) the client sends SYN; (2) the server replies RST (indicating that the port is closed).

Advantages: SYN scanning is stealthier than TCP connect() scanning, and it only needs to send the initial SYN packet to the target host: if the port is open, the host responds with SYN/ACK; if it is closed, it responds with RST.

3. NULL scanning

Also called reverse scanning. The principle is to send a packet with no flag bits set to a TCP port; in normal communication at least one flag bit is always set. According to RFC 793, if a closed port receives a segment with no flag bits, the host should discard the segment and send an RST packet; if the port is open, it does not respond to the scanning client. That is, a closed TCP port answers with RST and an open port stays silent. Note that NULL scanning requires the host to comply with RFC 793, and Windows hosts do not: whether the port is open or closed, a Windows host answers any packet with no flag bits with RST. Unix-like systems (*nix, such as Linux) follow RFC 793, so they can be NULL scanned. It follows that a NULL scan can also identify which operating system a host is running.

Port open: the client sends NULL, the server does not respond.

Port closed: (1) the client sends NULL; (2) the server replies RST.

Description: NULL scanning is the opposite of TCP connect() and SYN scanning. In those two, a response packet indicates that the port is open; in NULL scanning, a response packet indicates that the port is closed. Reverse scanning is more covert than the first two, but its accuracy is relatively low.

Objective: to judge whether the host is a Windows system or a Linux system.

4. FIN scanning

Similar to NULL scanning, except that the FIN flag, which marks the end of a TCP session, is set. After sending a packet with the FIN bit set, a reply of RST means the port is closed; no reply means the port is open. This scan cannot accurately judge port state on Windows systems.

Port open: send FIN, no response.

Port closed: (1) send FIN; (2) the server replies RST.

5. ACK scanning

The scanning host sends an ACK packet to the target host. There are two ways to obtain port information from the returned RST packets. The first: if the TTL value of the returned RST packet is less than or equal to 64, the port is open; otherwise it is closed.

6. Xmas (Christmas tree) scanning

Send a TCP packet with the following flag bits set:

URG: indicates urgent data that should be processed immediately.

PSH: forces the data through the buffer.

FIN: used when ending a TCP session.

Under normal circumstances these three flag bits are not set at the same time, but in this scan they are used to judge which ports are closed and which are open. Like the reverse scan above, it still cannot judge ports on the Windows platform.

Port open: send URG/PSH/FIN, no response.

Port closed: (1) send URG/PSH/FIN; (2) the server replies RST.

The principle of Xmas scanning is similar to NULL scanning: the ACK, FIN, RST, SYN, URG and PSH flag bits of the TCP packet are set to 1 and the packet is sent to the destination host. When the target port is open, the target host returns nothing.
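The scans in points 2 to 6 differ only in which TCP flag bits the probe carries, which is also how an IDS tells them apart. The following is an added example (it is not code from the original article): it reads the flags byte from a raw 20-byte TCP header, maps the flag combination to the scan type named above together with the reply RFC 793 prescribes for a closed port, and tallies probe types over a constructed capture. The sample headers are built with a helper only so the parser has input to run on.

```python
"""Classify TCP probe packets by flag bits, the way an IDS signature would.

Added example; it is not code from the original article. It parses the flags
byte of a raw TCP header and maps the flag combination to the scan type
described in points 2 to 6, together with the reply RFC 793 prescribes for a
closed port (an open port answers SYN with SYN/ACK and stays silent for NULL,
FIN and Xmas probes).
"""
import struct
from collections import Counter

# Flag bit values in byte 13 of the TCP header (RFC 793; bits 6-7 are ECN, RFC 3168)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# Probe signatures: exact flag combination -> (scan type, reply from a closed port)
PROBE_SIGNATURES = {
    0: ("NULL scan", "RST"),
    FIN: ("FIN scan", "RST"),
    FIN | PSH | URG: ("Xmas scan", "RST"),
    SYN: ("SYN scan / connect() first step", "RST/ACK"),
    ACK: ("ACK scan", "RST"),
}


def flag_names(flags):
    """Human-readable list of the flag bits set, e.g. ['SYN', 'ACK']."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def parse_tcp_flags(header):
    """Return the six RFC 793 flag bits from a raw TCP header (>= 20 bytes)."""
    if len(header) < 20:
        raise ValueError("TCP header too short")
    return header[13] & 0x3F


def classify_probe(flags):
    """Map a flag combination to (scan type, expected reply from a closed port).

    Anything not in PROBE_SIGNATURES (e.g. SYN|ACK, PSH|ACK data) is ordinary traffic.
    """
    return PROBE_SIGNATURES.get(flags & 0x3F, ("normal traffic", "-"))


def sample_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header, used only as sample input for the parser.

    Fields: source port, destination port, seq, ack, data offset 5 (no options)
    combined with the flags, window 8192, checksum 0, urgent pointer 0.
    """
    offset_and_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_and_flags, 8192, 0, 0)


def count_probe_types(headers):
    """Tally scan types across a list of raw TCP headers; normal traffic is skipped."""
    counts = Counter()
    for header in headers:
        kind, _ = classify_probe(parse_tcp_flags(header))
        if kind != "normal traffic":
            counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed capture: three probes against port 80 plus one legitimate SYN/ACK reply.
    capture = [
        sample_tcp_header(40001, 80, 0),
        sample_tcp_header(40002, 80, FIN | PSH | URG),
        sample_tcp_header(40003, 80, SYN),
        sample_tcp_header(80, 40003, SYN | ACK),
    ]
    for header in capture:
        flags = parse_tcp_flags(header)
        print(flag_names(flags) or ["(none)"], "->", classify_probe(flags))
    print(count_probe_types(capture))
```

Only the low six bits of byte 13 are compared, so the ECN bits of a legitimate connection never turn it into a false "NULL scan" match; a real sensor would additionally key on the Windows behaviour described above, where RST comes back regardless of port state.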

7. Dumb scan

Also known as idle scanning or reverse scanning: a third-party "zombie" host is used when scanning the target. The zombie host sends SYN packets to the target host; the target port responds SYN|ACK when open and RST when closed. The zombie host responds to SYN|ACK but not to RST. While scanning through the zombie, the local computer continuously pings the zombie host; by watching the IP ID field of the replies returned by the zombie host, it can be determined which ports on the target host are open or closed.

II. Python code implementation

1. Use the connect method of Python's socket package to connect directly to the target IP and port and report the result, without building the SYN packet yourself.

2. Scan the IP's ports with multiple threads. Note that different computers and CPUs can create different maximum numbers of threads; creating too many threads may raise an error, so adjust the number of scans or lengthen the sleep time according to your computer.
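A connect()-based scanner like the one described here leaves exactly the trace that point 1 of the first part warns about: one source touching many ports in a short time, most attempts refused. The following is an added example (not code from the original article) of the defender's side: it parses constructed, syslog-style connection records (the field names are an assumption) and flags any source that touched too many distinct (destination, port) pairs inside a sliding time window.

```python
"""Detect a connect()/SYN port sweep in connection logs.

Added example, not code from the original article. The log format below is an
assumption; the sample records are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> result=<accepted|refused>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) result=(?P<result>\w+)"
)

# Constructed sample: 10.0.0.5 sweeps eight ports in seven seconds, 10.0.0.7 is a normal client.
SAMPLE_LOG = """\
2024-05-01T12:00:00 src=10.0.0.5 dst=192.168.1.10 dport=21 result=refused
2024-05-01T12:00:01 src=10.0.0.5 dst=192.168.1.10 dport=22 result=accepted
2024-05-01T12:00:01 src=10.0.0.7 dst=192.168.1.10 dport=80 result=accepted
2024-05-01T12:00:02 src=10.0.0.5 dst=192.168.1.10 dport=23 result=refused
2024-05-01T12:00:03 src=10.0.0.5 dst=192.168.1.10 dport=25 result=refused
2024-05-01T12:00:04 src=10.0.0.5 dst=192.168.1.10 dport=80 result=accepted
2024-05-01T12:00:05 src=10.0.0.5 dst=192.168.1.10 dport=110 result=refused
2024-05-01T12:00:06 src=10.0.0.5 dst=192.168.1.10 dport=143 result=refused
2024-05-01T12:00:07 src=10.0.0.5 dst=192.168.1.10 dport=443 result=accepted
2024-05-01T12:00:30 src=10.0.0.7 dst=192.168.1.10 dport=443 result=accepted
2024-05-01T12:01:00 src=10.0.0.7 dst=192.168.1.10 dport=80 result=accepted
""".splitlines()


def parse_line(line):
    """Return (timestamp, src, dst, dport, result), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["result"])


def detect_scanners(lines, window_seconds=10, port_threshold=5):
    """Return {src: {"distinct_ports": n, "refused": r}} for every source that touched
    at least port_threshold distinct (dst, port) pairs within window_seconds."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])
    by_src = defaultdict(list)
    for ts, src, dst, dport, result in events:
        by_src[src].append((ts, dst, dport, result))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in by_src.items():
        recent = deque()  # events inside the current sliding window
        peak = 0          # largest distinct-target count seen in any window
        for ts, dst, dport, result in evs:
            recent.append((ts, dst, dport))
            while ts - recent[0][0] > window:
                recent.popleft()
            peak = max(peak, len({(d, p) for _, d, p in recent}))
        if peak >= port_threshold:
            alerts[src] = {
                "distinct_ports": peak,
                "refused": sum(1 for e in evs if e[3] == "refused"),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {info}")
```

The refused count is reported alongside the distinct-port peak because a sweep against a mostly closed host produces far more refusals than a real client ever does; tune window_seconds and port_threshold to the traffic of the host you are monitoring, since the multi-threaded scan described in point 2 compresses the burst into an even shorter window.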

Finished reading? Now get a feel for it hands-on!


This article was reposted from: /p/243bb7cfc40f