Stealth Scans

TCP SYN, or "half-open", scan (as opposed to a full connect() scan)

The tcpdump output is:

10:42:40.962388 ntec24.44947 > ntec23.finger: S 660033090:660033090(0) win 3072
10:42:40.962616 ntec23.finger > ntec24.44947: S 2958343995:2958343995(0) ack 660033091 win 31624 <mss 536> (DF)
10:42:40.962745 ntec24.44947 > ntec23.finger: R 660033091:660033091(0) win 0

The target answers the SYN to an open port (finger) with SYN/ACK, and the scanner immediately replies with a RST instead of the ACK that would complete the three-way handshake. Because no connection is ever established, the kernel never hands it to the finger daemon, which therefore logs nothing, and some older NIDS that only track completed connections will not detect the scan either.

A closed port, by contrast, answers the SYN directly with a RST/ACK:

10:43:03.689160 ntec24.38245 > ntec23.pop3: S 1088233087:1088233087(0) win 1024
10:43:03.689316 ntec23.pop3 > ntec24.38245: R 0:0(0) ack 1088233088 win 0

Stealth FIN, Xmas Tree, and Null Scan

The tcpdump output is:

10:52:34.601186 ntec24.35491 > ntec23.finger: F 0:0(0) win 1024
10:52:34.920570 ntec24.35492 > ntec23.finger: F 0:0(0) win 1024
10:52:42.320027 ntec24.35491 > ntec23.finger: F 0:0(0) win 1024
10:52:42.639999 ntec24.35492 > ntec23.finger: F 0:0(0) win 1024
10:53:01.789094 ntec24.63417 > ntec23.finger: FP 0:0(0) win 4096 urg 0
10:53:02.118432 ntec24.63418 > ntec23.finger: FP 0:0(0) win 4096 urg 0
10:53:07.598251 ntec24.63417 > ntec23.finger: FP 0:0(0) win 4096 urg 0
10:53:07.918197 ntec24.63418 > ntec23.finger: FP 0:0(0) win 4096 urg 0
10:53:20.762734 ntec24.45111 > ntec23.finger: . win 4096
10:53:21.066978 ntec24.45112 > ntec23.finger: . win 4096
10:53:24.327892 ntec24.45111 > ntec23.finger: . win 4096
10:53:24.636764 ntec24.45112 > ntec23.finger: . win 4096

Some firewalls only filter (or only log) inbound SYN packets. These scans instead probe with a FIN packet, a FIN/PUSH/URG packet (the "Xmas tree", which tcpdump prints as "FP ... urg 0"), or a packet with no flags set at all (the NULL scan, printed as "."), so that the probe is not caught by a rule written for SYNs. Note that every probe above is sent twice from the same source port, a few seconds apart: an open port gives no answer, so the scanner retransmits once before drawing a conclusion from the silence.

The idea is that RFC 793 requires a closed port to answer any incoming segment (other than a RST) with a RST, while an open port must silently discard a segment that carries neither SYN, RST nor ACK. A probe that draws no reply is therefore taken to mean the port is open. Two caveats apply in practice: a probe silently dropped by a firewall also draws no reply, so modern scanners report such ports as open|filtered rather than open; and some TCP stacks (Microsoft Windows is the usual example) do not follow the RFC here and send a RST from open ports as well, so against them every port appears closed.

Here is the response of a closed port to each of the three probes:

10:53:41.675979 ntec24.55700 > ntec23.pop3: F 0:0(0) win 4096
10:53:41.675997 ntec23.pop3 > ntec24.55700: R 0:0(0) ack 0 win 0
10:53:54.003968 ntec24.35307 > ntec23.pop3: FP 0:0(0) win 4096 urg 0
10:53:54.004089 ntec23.pop3 > ntec24.35307: R 0:0(0) ack 0 win 0
10:54:08.265547 ntec24.52031 > ntec23.pop3: . win 4096
10:54:08.265671 ntec23.pop3 > ntec24.52031: R 0:0(0) ack 0 win 0

Decoy Scans

Some scanners can perform a decoy scan, which makes it appear to the target that the hosts you name as decoys are scanning it as well: each probe is sent once from the scanner's own address and once more with the source address forged as each decoy. The target's IDS may then report 5-10 port scans from distinct IP addresses without being able to tell which address was really scanning and which were innocent decoys.

For example, the tcpdump below shows four hosts apparently running an Xmas scan against ntec16-36. The first four probes are the scanner's TCP ACK ping of port 80, which the target answers with a RST whether or not the port is open; the FP packets that follow are the Xmas probes. However, all the probe packets arrive with the same TTL value, 55, use the same source port in each round, and land within microseconds of each other. Four genuinely independent hosts would not agree on all of these. The shared TTL in particular shows that every packet travelled the same number of hops, i.e. came from one sender that forged the other three addresses, although the capture alone cannot tell which of the four addresses is the real one.

15:20:01.766421 ieugb.ie.cuhk.edu.hk.56996 > ntec16-36.www: . [tcp sum ok] ack 262554700 win 1024 (ttl 55, id 21515, len 40)
15:20:01.766625 ntec16-36.www > ieugb.ie.cuhk.edu.hk.56996: R [tcp sum ok] 262554700:262554700(0) win 0 (ttl 255, id 21487, len 40)
15:20:01.766422 ntec1-20.56996 > ntec16-36.www: . [tcp sum ok] ack 262554700 win 1024 (ttl 55, id 53403, len 40)
15:20:01.766708 ntec16-36.www > ntec1-20.56996: R [tcp sum ok] 262554700:262554700(0) win 0 (ttl 255, id 21488, len 40)
15:20:01.766424 fortress.cse.cuhk.edu.hk.56996 > ntec16-36.www: . [tcp sum ok] ack 262554700 win 1024 (ttl 55, id 44355, len 40)
15:20:01.766763 ntec16-36.www > fortress.cse.cuhk.edu.hk.56996: R [tcp sum ok] 262554700:262554700(0) win 0 (ttl 255, id 21489, len 40)
15:20:01.766522 spring.csc.cuhk.edu.hk.56996 > ntec16-36.www: . [tcp sum ok] ack 262554700 win 1024 (ttl 55, id 15677, len 40)
15:20:01.766822 ntec16-36.www > spring.csc.cuhk.edu.hk.56996: R [tcp sum ok] 262554700:262554700(0) win 0 (ttl 255, id 21490, len 40)
15:20:02.049922 ieugb.ie.cuhk.edu.hk.56976 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 3077, len 40)
15:20:02.050085 ntec1-20.56976 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 14548, len 40)
15:20:02.050087 spring.csc.cuhk.edu.hk.56976 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 56798, len 40)
15:20:02.050089 fortress.cse.cuhk.edu.hk.56976 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 46431, len 40)
15:20:02.372015 ieugb.ie.cuhk.edu.hk.56977 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 39454, len 40)
15:20:02.372279 ntec1-20.56977 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 7288, len 40)
15:20:02.372281 fortress.cse.cuhk.edu.hk.56977 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 9943, len 40)
15:20:02.372283 spring.csc.cuhk.edu.hk.56977 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 8424, len 40)
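The following is an added example, written for these notes rather than taken from them or from any scanner: a small detector that reads tcpdump lines in the format shown above, pairs each SYN, FIN, Xmas and NULL probe with the target's reply to infer the port state (the SYN and FIN/Xmas/NULL sections), and flags decoy sets by looking for probes that share target, source port, TTL and probe type and arrive within a few milliseconds from several different "source" hosts (the decoy section). It assumes the classic tcpdump text format (hostname.port, flag letters, optional "(ttl N, id N, len N)" suffix); the 10 ms window and the "open|filtered" wording for an unanswered FIN/Xmas/NULL probe are choices made here, the latter following the convention that a dropped probe is indistinguishable from an open port ignoring it. The sample capture inside the block is constructed from the captures in these notes.

```python
import re
from collections import defaultdict

# Added example for these notes (not code from the notes or from any scanner).
# Constructed sample copied from the captures above: the SYN scan of finger and
# pop3, one FIN/Xmas/NULL probe of finger, a FIN of pop3, one round of decoy Xmas.
SAMPLE = """\
10:42:40.962388 ntec24.44947 > ntec23.finger: S 660033090:660033090(0) win 3072
10:42:40.962616 ntec23.finger > ntec24.44947: S 2958343995:2958343995(0) ack 660033091 win 31624 <mss 536> (DF)
10:42:40.962745 ntec24.44947 > ntec23.finger: R 660033091:660033091(0) win 0
10:43:03.689160 ntec24.38245 > ntec23.pop3: S 1088233087:1088233087(0) win 1024
10:43:03.689316 ntec23.pop3 > ntec24.38245: R 0:0(0) ack 1088233088 win 0
10:52:34.601186 ntec24.35491 > ntec23.finger: F 0:0(0) win 1024
10:53:01.789094 ntec24.63417 > ntec23.finger: FP 0:0(0) win 4096 urg 0
10:53:20.762734 ntec24.45111 > ntec23.finger: . win 4096
10:53:41.675979 ntec24.55700 > ntec23.pop3: F 0:0(0) win 4096
10:53:41.675997 ntec23.pop3 > ntec24.55700: R 0:0(0) ack 0 win 0
15:20:02.049922 ieugb.ie.cuhk.edu.hk.56976 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 3077, len 40)
15:20:02.050085 ntec1-20.56976 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 14548, len 40)
15:20:02.050087 spring.csc.cuhk.edu.hk.56976 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 56798, len 40)
15:20:02.050089 fortress.cse.cuhk.edu.hk.56976 > ntec16-36.www: FP [tcp sum ok] 0:0(0) win 1024 urg 0 (ttl 55, id 46431, len 40)
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) (?P<rest>.*)$")
# Flag sets of the probes discussed in the notes. "A" (ack) and "U" (urg) are
# recovered from the rest of the line, because tcpdump prints them there.
PROBE_TYPES = {frozenset("S"): "SYN", frozenset("F"): "FIN",
               frozenset("FPU"): "Xmas", frozenset(): "NULL"}


def parse(line):
    """Return one packet as a dict, or None for lines that are not TCP."""
    m = LINE.match(line)
    if not m:
        return None
    src_host, src_port = m["src"].rsplit(".", 1)
    dst_host, dst_port = m["dst"].rsplit(".", 1)
    rest = m["rest"]
    flags = {c for c in m["flags"] if c != "."}   # "." = none of S/F/R/P set
    if re.search(r"\back \d+", rest):
        flags.add("A")
    if re.search(r"\burg \d+", rest):
        flags.add("U")
    ttl = re.search(r"ttl (\d+)", rest)
    return {"ts": m["ts"], "src": (src_host, src_port), "dst": (dst_host, dst_port),
            "flags": flags, "ttl": int(ttl.group(1)) if ttl else None}


def seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def scan_verdicts(lines):
    """Pair each probe with the target's reply and infer the port state.

    Keys are (scanner host, target port, probe type). A SYN gets 'open' on
    SYN/ACK and 'closed' on RST. FIN/Xmas/NULL get 'closed' on RST; silence is
    reported as 'open|filtered', not 'open', because a probe dropped by a
    filter looks exactly the same to the scanner as an open port ignoring it.
    """
    pkts = [p for p in map(parse, lines) if p]
    verdicts = {}
    for i, p in enumerate(pkts):
        kind = PROBE_TYPES.get(frozenset(p["flags"]))
        if kind is None:                      # replies and the scanner's own RST
            continue
        reply = next((q for q in pkts[i + 1:]
                      if q["src"] == p["dst"] and q["dst"] == p["src"]), None)
        if reply and "R" in reply["flags"]:
            state = "closed"
        elif kind == "SYN":
            state = "open" if reply and reply["flags"] == {"S", "A"} else "filtered"
        else:
            state = "open|filtered"
        verdicts[(p["src"][0], p["dst"][1], kind)] = state
    return verdicts


def decoy_groups(lines, window=0.01):
    """Find probes that share target, source port, TTL and probe type and arrive
    within `window` seconds from several 'source' hosts. Independent scanners
    would not agree on all of these, so one host forged the other addresses.
    Returns {(dst_host, dst_port, src_port, ttl, kind): sorted source hosts}.
    """
    groups = defaultdict(list)
    for p in filter(None, map(parse, lines)):
        kind = PROBE_TYPES.get(frozenset(p["flags"]))
        if kind is None or p["ttl"] is None:  # need the verbose (ttl ...) form
            continue
        key = (p["dst"][0], p["dst"][1], p["src"][1], p["ttl"], kind)
        groups[key].append((seconds(p["ts"]), p["src"][0]))
    found = {}
    for key, hits in groups.items():
        times = [t for t, _ in hits]
        hosts = sorted({h for _, h in hits})
        if len(hosts) > 1 and max(times) - min(times) <= window:
            found[key] = hosts
    return found


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for key, state in sorted(scan_verdicts(lines).items()):
        print(key, state)
    for key, hosts in decoy_groups(lines).items():
        print("decoy set", key, hosts)
```

Run against the sample, the SYN of finger comes out open and the SYN of pop3 closed, the three stealth probes of finger come out open|filtered, the FIN of pop3 closed, and the four Xmas probes of ntec16-36.www are reported as one decoy set of four hosts. The decoy heuristic only works on captures taken with tcpdump's verbose output, since it needs the TTL; on a capture without it, the shared source port and the sub-millisecond spacing are still usable clues.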