How to discover the status of the target host through port scanning
Port scanning is the act of sending a series of probe messages to a computer's ports in order to learn which network services it offers (every such service is associated with a port number), typically as a prelude to intrusion. It is a favourite technique of attackers because it tells them where to look for weaknesses. In essence, port scanning means sending a message to each port, one at a time; the kind of response received shows whether the port is in use and can be used to look for vulnerabilities.


Ports are potential communication channels, and therefore potential intrusion channels. Scanning the ports of a target computer yields a great deal of useful information. Scanning can be done by hand or with port-scanning software.

Manual scanning requires familiarity with a variety of commands and the ability to analyse their output. Scanning software usually does this analysis for you.

Either way, the information gathered through port scanning is what reveals the security holes in a system.

The definition above concerns network communication ports only; in some contexts "port scanning" is also used more broadly for device-port scanning. Some management software, for example, dynamically scans the open/closed state of a computer's peripheral ports and manages and monitors them. Such systems are common: USB management systems and other peripheral management systems are examples.

2 Scanning tools

A scanner is a program that automatically probes remote or local hosts for security weaknesses. With a scanner you can, without leaving a trace, discover which TCP ports a remote server has open, which services it provides and which software versions serve them, and so learn, directly or indirectly, about the security problems of the remote host.

3 Working principle

The scanner probes the services on the various TCP/IP ports of the remote host and records the answers the target gives (for example: is anonymous login allowed? Is there a writable FTP directory? Is TELNET available? Is HTTPD running as root or as nobody?).

4 Technical classification

1. Open scanning (a full connection is made);

2. Half-open scanning;

3. Stealth scanning.

5 Other related

Function

A scanner is not a program that attacks network vulnerabilities directly; it only helps to find weaknesses inside the target machine. A good scanner analyses the data it collects and helps locate the target host's vulnerabilities, but it does not provide step-by-step instructions for getting into the system.

A scanner should have three capabilities: finding hosts or networks; once a host is found, finding out which services are running on it; and finding vulnerabilities by testing those services.

Writing a scanner requires substantial knowledge of TCP/IP programming and of C, Perl and/or shell scripting, plus some background in socket programming, the usual way to develop client/server applications. Developing a scanner is an ambitious project, and usually a satisfying one for the programmer.

Port numbers

Proxy servers usually use the following ports:

(1) HTTP proxy servers: 80, 8080, 3128, 8081, 9080.

(2) SOCKS proxy servers: 1080.

(3) FTP (file transfer) proxy servers: 21.

(4) Telnet proxy servers: 23.

HTTP server: default port 80/tcp (the Executor trojan opens this port);

HTTPS (secure web pages) server: default port 443/tcp and 443/udp;

Telnet (insecure text transmission): default port 23/tcp (the port opened by the Tiny Telnet Server);

FTP: default port 21/tcp (ports opened by trojans such as Dolly Trojan, Fore, Stealth FTP, WebEx, WinCrash and Blade Runner);

TFTP (Trivial File Transfer Protocol): default port 69/udp;

SSH (secure login), SCP (file transfer) and port forwarding: default port 22/tcp;

SMTP, Simple Mail Transfer Protocol (e-mail): default port 25/tcp (the Antigen, Email Password Sender, Haebucoeda, Shtrilitz Stealth, WinPC and WinSpy trojans all open this port);

POP3, Post Office Protocol (e-mail): default port 110/tcp;

WebLogic: default port 7001;

WebSphere application server: default port 9080;

WebSphere administration console: default port 9090;

JBoss: default port 8080;

Tomcat: default port 8080;

Windows 2003 remote login (Remote Desktop): default port 3389;

Symantec AV/Filter for MSE: default port 8081;

Oracle database: default port 1521;

Oracle EMCTL: default port 1158;

Oracle XDB (XML database): default port 8080;

Oracle XDB FTP service: default port 2100;

MS SQL Server database server: default port 1433/tcp and 1433/udp;

MS SQL Server database monitor: default port 1434/tcp and 1434/udp;

QQ: default port 1080/udp [1].

Scanning classification

TCP connect() scanning

This is the most basic form of TCP scanning. The connect() system call provided by the operating system is used to open a connection to each port of interest on the target. If the port is listening, connect() succeeds; otherwise the port is unreachable, i.e. no service is offered there. One big advantage of this technique is that it needs no special privileges: any user on the system may make this call. Another is speed. Calling connect() once per target port, one after another, would take a long time, but the scan can be accelerated by opening many sockets at once; with non-blocking I/O you can set a short timeout and watch many sockets simultaneously. The disadvantage is that it is easy to detect and filter out: the target's log files show a series of connection and connection-error messages from its services, and the scan can be shut out quickly.
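The log trail that makes a connect() scan easy to spot can be turned into a detector. The following Python script is an added example, not code from the original article; the log format (one record per line with src, dst, dport, proto and action fields) and the sample records are constructed for the illustration. It flags any source that touches many distinct destination ports within a short window and reports how many of those attempts were rejected, since a real client rarely knocks on closed ports.

```python
"""Spot port-scan behaviour in connection logs (added example, not from the article).

The log format (one record per line: timestamp, src, dst, dport, proto,
action) and the records themselves are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 10.0.0.5 sweeps twelve ports on one host within
# twelve seconds and is mostly rejected (closed ports); 10.0.0.9 is a normal
# client talking to 80 and 443; 10.0.0.7 probes five ports over five hours.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389]
OPEN_PORTS = {22, 80, 443}
SAMPLE_LOG = [
    f"2024-01-01T10:00:{i:02d} src=10.0.0.5 dst=192.168.1.10 dport={p} proto=tcp "
    f"action={'accept' if p in OPEN_PORTS else 'reject'}"
    for i, p in enumerate(SCAN_PORTS)
] + [
    f"2024-01-01T10:{m:02d}:00 src=10.0.0.9 dst=192.168.1.10 dport={p} proto=tcp action=accept"
    for m, p in [(1, 80), (2, 443), (3, 80), (8, 443)]
] + [
    f"2024-01-01T{h:02d}:00:00 src=10.0.0.7 dst=192.168.1.10 dport={p} proto=tcp action=reject"
    for h, p in [(11, 21), (12, 23), (13, 25), (14, 110), (15, 135)]
]


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a typed ts and dport."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(lines, window_seconds=60, threshold=10):
    """Return {src: summary} for every source that reached `threshold` or more
    distinct (dst, dport) pairs inside any sliding window of `window_seconds`.
    The summary also carries the share of rejected attempts: legitimate
    clients seldom hit closed ports, scanners do so constantly."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # advance the window start so recs[start:end+1] spans <= window
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            targets = {(r["dst"], r["dport"]) for r in span}
            if len(targets) >= threshold:
                rejects = sum(r["action"] == "reject" for r in span)
                flagged[src] = {
                    "distinct_targets": len(targets),
                    "reject_ratio": round(rejects / len(span), 2),
                    "first_seen": span[0]["ts"].isoformat(),
                    "last_seen": rec["ts"].isoformat(),
                }
    return flagged


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(src, info)
    # A longer window and a lower threshold also catch the slow probe.
    print(find_scanners(SAMPLE_LOG, window_seconds=6 * 3600, threshold=5))
```

The window and threshold are the tuning knobs: a 60-second window with ten distinct targets catches a fast sweep, while a multi-hour window with a lower threshold is what exposes a deliberately slow one, at the cost of more false positives from busy legitimate clients.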

TCP SYN scanning

This technique is usually called "half-open" scanning because the scanner never opens a complete TCP connection. It sends a SYN packet as if it were going to open a real connection and waits for the response (see the three-way handshake used to establish a TCP connection). A SYN|ACK in reply indicates that the port is listening; an RST indicates that it is not. If a SYN|ACK is received, the scanner must send an RST to abort the connection attempt. The advantage of this technique is that it generally leaves no record on the target computer. Its disadvantage is that root privileges are needed to build the raw SYN packets.

TCP FIN scanning

A SYN scan is sometimes not stealthy enough: some firewalls and packet filters watch designated ports for SYNs, and some programs can detect such scans. A FIN packet, by contrast, may pass through unhindered. The idea behind this scanning method is that a closed port answers a FIN packet with the appropriate RST, whereas an open port ignores the FIN. The behaviour depends on the TCP implementation: some systems reply with an RST whether the port is open or not, and against them the method does not work. That difference makes the method useful for telling Unix from NT.

IP fragment scanning

This is not a new method but a variation on the others. Instead of sending a TCP probe packet whole, it splits the packet into several small IP fragments, so that the TCP header is spread over multiple packets and is harder for a filter to examine. Be careful, though: some programs have trouble handling such small fragments.

TCP reverse ident scanning

The ident protocol (RFC 1413) allows you to look up the user name of the owner of any process connected over TCP, even if that process did not initiate the connection. For example, you can connect to.

220 xxx FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready.

220 lem FTP server (SunOS 4.1) ready.

220 xxx FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready.

220 elios FTP server (SunOS 4.1) ready.

This method does not succeed against:

220 wcarchive FTP server (Version DG-2.0.39 Sun May 4 ...) ready.

220 xxx.xx FTP server (Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7 ...) ready.

220 ftp Microsoft FTP Service (Version 3.0).

220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready.

220 xxx FTP server (Version wu-2.4.2-academ[BETA-13](6) ...) ready.

UDP ICMP port-unreachable scanning

This method differs from those above in that it uses UDP. Because UDP is a simpler protocol, scanning it is actually harder: an open port sends no acknowledgement in response to a probe, and a closed port is not required to send an error packet. Fortunately, many hosts return an ICMP_PORT_UNREACH error when a packet is sent to a UDP port that is not open, so you can at least find out which ports are closed. Neither UDP datagrams nor ICMP errors are guaranteed to arrive, so the scanner must retransmit when a packet appears to have been lost. This scanning method is very slow, because the RFCs limit the rate at which ICMP error messages may be generated. It also requires root privileges.
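The response rules stated in the connect(), SYN, FIN and UDP sections above can be written down as a small classifier. The following Python code is an added example, not from the original article; the Probe and Reply vocabulary is an assumption made for the illustration and does not model any real scanner's API, and no packets are sent: probe results are supplied by callables so the code runs offline. It also covers the two caveats the text raises: a FIN scan in which every port answers RST tells you nothing, and a silent UDP port must be re-probed before it is reported as open|filtered.

```python
"""Classify port state from probe responses (added example, not from the article).

The Probe/Reply vocabulary is a constructed assumption for this illustration;
it encodes the rules stated in the text for connect(), SYN, FIN and UDP probes
and is not the API of any real scanner. Nothing here touches the network.
"""
from enum import Enum


class Probe(Enum):
    CONNECT = "connect"  # full connect() handshake
    SYN = "syn"          # half-open: SYN, then RST on SYN|ACK
    FIN = "fin"          # bare FIN
    UDP = "udp"          # empty datagram


class Reply(Enum):
    CONNECTED = "connected"                  # connect() returned success
    REFUSED = "refused"                      # connect() failed with ECONNREFUSED
    SYN_ACK = "syn-ack"                      # SYN|ACK came back
    RST = "rst"                              # RST came back
    ICMP_UNREACH = "icmp-port-unreachable"   # ICMP type 3, code 3
    NONE = "no-response"                     # silence until the timeout


def classify(probe, reply):
    """Map (probe, reply) to 'open', 'closed', 'filtered' or 'open|filtered'."""
    if probe is Probe.CONNECT:
        if reply is Reply.CONNECTED:
            return "open"
        return "closed" if reply is Reply.REFUSED else "filtered"
    if probe is Probe.SYN:
        if reply is Reply.SYN_ACK:
            return "open"
        return "closed" if reply is Reply.RST else "filtered"
    if probe is Probe.FIN:
        # A closed port answers RST; an open port ignores the FIN, but so
        # does a dropping firewall, so silence is ambiguous.
        if reply is Reply.RST:
            return "closed"
        return "open|filtered" if reply is Reply.NONE else "filtered"
    if probe is Probe.UDP:
        # Open UDP ports send no acknowledgement; closed ones usually
        # trigger ICMP port unreachable, which may be lost or rate limited.
        if reply is Reply.ICMP_UNREACH:
            return "closed"
        return "open|filtered" if reply is Reply.NONE else "filtered"
    raise ValueError(f"unknown probe type {probe!r}")


def summarize_fin_scan(replies):
    """replies: {port: Reply}. Returns per-state port lists plus a 'usable'
    flag that is False when every port answered RST, the behaviour the text
    describes for stacks (e.g. NT) that RST regardless of port state."""
    result = {"closed": [], "open|filtered": [], "filtered": []}
    for port in sorted(replies):
        result[classify(Probe.FIN, replies[port])].append(port)
    result["usable"] = len(result["closed"]) != len(replies)
    return result


def udp_probe_state(send_probe, retries=3):
    """Probe a UDP port up to `retries` times. `send_probe()` returns the Reply
    seen for one datagram; it is caller-supplied so this runs offline."""
    for _ in range(retries):
        reply = send_probe()
        if reply is not Reply.NONE:
            return classify(Probe.UDP, reply)
    # Every attempt was silent: either open or filtered, we cannot tell which.
    return classify(Probe.UDP, Reply.NONE)


def scripted_responder(answers):
    """Constructed stand-in for the wire: hand out the listed replies in order."""
    it = iter(answers)
    return lambda: next(it)


if __name__ == "__main__":
    print(classify(Probe.SYN, Reply.SYN_ACK))
    print(summarize_fin_scan({22: Reply.NONE, 80: Reply.NONE, 9: Reply.RST}))
    # Two lost ICMP errors followed by one that arrives: the port is closed.
    lossy = scripted_responder([Reply.NONE, Reply.NONE, Reply.ICMP_UNREACH])
    print(udp_probe_state(lossy))
```

The point of separating "open|filtered" from "open" is that, for FIN and UDP probes, silence is exactly what both an open port and a dropping filter produce; a scanner that reports such ports as plainly open is overstating what it knows, and a defender reading its output should treat that state as unresolved.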

UDP recvfrom() and write() scanning

Although non-root users cannot read the ICMP port-unreachable error directly, Linux can tell a user indirectly when one has arrived. For example, a second write() to a closed port fails. And a recvfrom() on a non-blocking UDP socket returns EAGAIN ("try again") if no ICMP error has arrived, but ECONNREFUSED ("connection refused") if one has. This is another technique for finding out whether a port is open.

ICMP echo scanning

This is not a real port scan, but it is often useful for determining whether a host is on the network by pinging it. [2]