Imagine a building with 65535 closed doors. Most of these doors are locked, but some will open if you knock on them (although they may still not let you in). A scan is like trying each of these doors in turn.
Scans are done by people trying to find a way in. They scan first because some of the doors (ports) answer when you knock on them, and some are answered by a program (the doorman, i.e. the service listening on that port) that identifies itself, often down to the software name and version. This gives the attacker valuable information on what kind of security (if any) they are facing, and which revisions of which software components are exposed.
Finding this out is half the challenge ... the other half is exploiting the holes.
Back to the analogy: there is more than one way to try a door ... but in every single case, you must interact with the door somehow to determine whether it may be opened. The obvious interaction is banging on the door ... however, if you do not wish to alert the security guards, this is a bad approach. There are quieter approaches (such as moving the door handle slightly).
A port scan on a computer can be as simple as rattling the door handle of one door, or as lengthy as combinations of tapping, rattling and banging on every one of the 65535 doors, in parallel, to see which respond and how.
In the early days of scanning, tools scanned ports sequentially and simply attempted a full connection with each port (a TCP connect() scan, which completes the three-way handshake, so the program listening on the port sees the connection and can log it). These scans gave interesting results, but became so common that port scan detectors were quickly written to set off alarms when the computer under attack noticed doors being tried in sequential order. Then came random port scans ... simply randomizing the order of the doors and the interval between knocks. This soon became easy to detect also: a detector that counts how many distinct doors one visitor tries in a given period does not care about the order.
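The two generations of detector described above, run over constructed firewall log lines (added example, not from the original article). The log format is a simplified netfilter-style line with SRC= and DPT= fields, made up for this example; the source addresses, ports and timings are constructed too. The first detector looks for a run of consecutive ascending ports and is beaten by a randomized order; the second counts distinct ports per source in a time window and catches both scanners while ignoring a normal client.

```python
"""Two port-scan detectors run over constructed firewall log lines.

Added illustration, not from the original article. The log format is a
simplified netfilter-style line (timestamp, SRC=, DST=, DPT=) constructed
for this example; adapt LOG_RE to whatever your firewall actually writes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=\S+ DPT=(?P<dpt>\d+)")
BASE = datetime(2004, 2, 1, 4, 50, 0)      # arbitrary start time for the sample


def _line(offset_s, src, dpt):
    """One constructed log line `offset_s` seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} SRC={src} DST=192.0.2.10 DPT={dpt}"


def sample_log():
    """Constructed traffic: a sequential scanner, a randomised scanner and
    an ordinary client, all hitting the same host within one minute."""
    lines = []
    # 10.0.0.5: early-style sequential scan, ports 20..29, one per second
    lines += [_line(i, "10.0.0.5", 20 + i) for i in range(10)]
    # 10.0.0.6: same ports shuffled, with irregular gaps between knocks
    order = [443, 21, 8080, 25, 22, 3306, 80, 110, 139, 23]
    offsets = [0, 2, 7, 8, 15, 18, 22, 28, 30, 35]
    lines += [_line(o, "10.0.0.6", p) for o, p in zip(offsets, order)]
    # 10.0.0.7: a normal web client, many connections but only two ports
    lines += [_line(3 * i, "10.0.0.7", 80 if i % 2 else 443) for i in range(12)]
    return lines


def parse(lines):
    """Return [(timestamp, src, dst_port)] in time order; skip unparsable lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])))
    return sorted(events)


def sequential_scanners(events, run_length=5):
    """Naive early detector: flag a source that touches `run_length`
    consecutive ascending ports one after another."""
    by_src = defaultdict(list)
    for _ts, src, dpt in events:
        by_src[src].append(dpt)
    flagged = set()
    for src, ports in by_src.items():
        run = 1
        for a, b in zip(ports, ports[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= run_length:
                flagged.add(src)
                break
    return flagged


def distinct_port_scanners(events, threshold=8, window=timedelta(seconds=60)):
    """Order-independent detector: flag a source that touches at least
    `threshold` distinct ports within any `window`-long period."""
    by_src = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))
    flagged = set()
    for src, hits in by_src.items():
        for i, (t0, _) in enumerate(hits):
            ports = {d for t, d in hits[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    ev = parse(sample_log())
    print("sequential-run detector flags:", sorted(sequential_scanners(ev)))
    print("distinct-port detector flags:  ", sorted(distinct_port_scanners(ev)))
```

On the sample, the run detector flags only 10.0.0.5; the distinct-port detector flags 10.0.0.5 and 10.0.0.6 and leaves the ordinary client alone, which is why randomizing order and timing bought attackers very little.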
Next stage in the arms race: by looking at the protocol involved in knocking on doors (TCP), it became possible to program a so-called 'stealth' scan, the TCP SYN scan. This is more subtle than a straight knock. A full connection takes three steps (SYN, SYN/ACK, ACK); the SYN scan sends only the first and watches the reply. A SYN/ACK means the door is alive, an RST means it is closed. The scanner then abandons the attempt (with an RST of its own) instead of completing it, so the connection is never handed to the program behind the door, and logging done by that program sees nothing. This "half-knock" is still visible to anything watching the network itself, such as a firewall log or an intrusion detection system.
Next in port scan technology came the FIN scan. This is like an inverse half-knock(!). It happens that TCP stacks have an interesting characteristic, specified in RFC 793: a FIN packet (a connection-teardown packet) arriving out of the blue at a "dead" (closed) door is answered with an RST, but an alive door silently ignores it. Therefore, a FIN scan identifies all the dead doors and leaves you with a list of potentially alive ones; silence is ambiguous, because a firewall that drops the probe looks exactly like an open port. One caveat: some stacks (Windows is the usual example) answer a FIN with RST regardless of the port's state, so on those machines every door looks closed. Because the lowest level of the operating system (the kernel's TCP stack) handles this and the program behind the door never sees the probe, most application-level port scan alarms have no awareness that it is happening.
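The SYN and FIN exchanges from the two paragraphs above, as an added example that is not part of the original article. It sends no packets: a small table models how a target's TCP stack answers each probe (following RFC 793, plus the non-compliant stack that resets every FIN), a scanner-side function turns the replies into verdicts, and a second function lists the segments on the wire for a full connect() scan versus a SYN half-knock. The target port table is constructed for the example.

```python
"""Model of how a target's TCP stack answers SYN and FIN probes and how a
scanner turns the answers into open/closed/filtered verdicts.

Constructed illustration, not from the original article: it sends nothing.
The reply table follows RFC 793 for SYN and FIN probes, plus the common
deviation (Windows is the usual example) where a stack answers RST to a
FIN whatever the port state.
"""

# TCP flags the scanner sets on the probe segment.
SYN, FIN = "SYN", "FIN"

# What the scanner can observe in reply. None models a dropped probe
# (nothing comes back before the timeout).
SYN_ACK, RST, NO_REPLY = "SYN/ACK", "RST", None

# Constructed target: port -> real state on the machine being scanned.
TARGET = {22: "open", 23: "closed", 80: "open", 443: "filtered"}


def stack_reply(port_state, probe, rfc_compliant=True):
    """Reply the target's TCP stack sends to `probe` aimed at a port in `port_state`.

    'filtered' means a firewall drops the probe, so nothing answers at all.
    """
    if port_state == "filtered":
        return NO_REPLY
    if probe == SYN:
        # A listener answers SYN/ACK; a closed port answers RST.
        return SYN_ACK if port_state == "open" else RST
    if probe == FIN:
        if port_state == "closed":
            return RST                               # RFC 793: closed port resets a stray FIN
        return NO_REPLY if rfc_compliant else RST    # open: RFC says ignore it
    raise ValueError(f"unknown probe {probe!r}")


def classify(probe, reply):
    """Verdict the scanner can draw from one reply (nmap's vocabulary)."""
    if probe == SYN:
        if reply == SYN_ACK:
            return "open"
        if reply == RST:
            return "closed"
        return "filtered"                            # silence: something dropped the SYN
    if probe == FIN:
        if reply == RST:
            return "closed"
        return "open|filtered"                       # silence is ambiguous for a FIN scan
    raise ValueError(f"unknown probe {probe!r}")


def scan(target, probe, rfc_compliant=True):
    """Probe every port in `target` once and return {port: verdict}."""
    return {port: classify(probe, stack_reply(state, probe, rfc_compliant))
            for port, state in target.items()}


def exchange(scan_type):
    """Segments on the wire when the probed port is open, as (sender, flags).

    'connect': the full three-way handshake, so the listening program gets an
    accepted connection and can log it.
    'syn': the half-knock; the scanner answers the SYN/ACK with RST, so the
    connection never reaches the program behind the port.
    """
    segs = [("scanner", SYN), ("target", SYN_ACK)]
    if scan_type == "connect":
        segs.append(("scanner", "ACK"))
    elif scan_type == "syn":
        segs.append(("scanner", RST))
    else:
        raise ValueError(f"unknown scan type {scan_type!r}")
    return segs


if __name__ == "__main__":
    for probe in (SYN, FIN):
        print(probe, "scan:", scan(TARGET, probe))
    print(FIN, "scan against a non-RFC stack:", scan(TARGET, FIN, rfc_compliant=False))
    for kind in ("connect", "syn"):
        print(kind, "->", " ".join(f"{who}:{flag}" for who, flag in exchange(kind)))
```

Against the sample target the SYN scan separates open, closed and filtered ports cleanly, the FIN scan can only say "closed" or "open|filtered", and against the non-compliant stack every unfiltered port comes back "closed", which is the caveat above in action.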
If the FIN scan is not good enough, there is the fragmentation scan. This breaks each probe packet into small IP fragments, so that the TCP header (and with it the port number) is split across fragments. A packet filter that inspects only the first fragment, or an alarm that expects whole headers, may let them through; the victim's computer then reassembles the fragments and answers the probe as usual, possibly revealing an open port.
Once a port scanner has assembled a list of potentially alive port numbers (doors), it has a good chance of identifying the operating system (from quirks in how the stack answered the probes), sometimes the machine hardware (a printer or router often announces itself), and which alive doors have faulty "doormen" (software) behind them, by talking to each service and reading the name and version it announces.
by KeysCapt, last modified: 2004-02-01 04:50:38