Sunday 9 February 2020

Port scanning guide #2: TCP techniques

In most cases you will probably use a SYN scan, but there are circumstances in which other scan types are needed. Unfortunately, modern firewalls detect the different port scanning techniques. This is where the well-known tool nmap comes in: it supports several of them, which can help you get past firewalls. When a full scan is chosen, 65 536 ports are checked.

TCP SYN 


As mentioned, this is the most common TCP port scan (and nmap's default). It requires root privileges, because raw sockets are used to send a packet with the SYN flag set. If a SYN/ACK is received, the port is open. If an RST/ACK comes back, it is closed. In case of no response, we can set how many times the scanner should resend the request (--max-retries in nmap). If it still receives no response, the port is marked as filtered.

Since a SYN scan never completes a TCP connection, it is relatively stealthy.

TCP ACK


This type of scan is used to check whether a firewall is tracking the state of existing TCP connections. A TCP ACK scan sends a packet with only the ACK flag set. When the server receives it, it will probably assume that the other party is trying to continue a three-way handshake it knows nothing about, so it sends back a packet with the RST flag.

If the firewall does not track open connections, it lets the RST response through, so we can assume that the port is unfiltered.

If it does track TCP connections, the packet will match none of its internal TCP sessions, so it will either drop the packet or answer with an ICMP message of type 3 (the code may vary depending on the OS).

Lastly, when the firewall is configured properly, we will receive no response at all, because every ACK probe is dropped.

TCP Connect


A TCP connect scan establishes a TCP connection using the connect() function and then tears it down. It is the default when the user has no root privileges or when an IPv6 network is being scanned. The disadvantage of this type of scan is that the probe may be logged on the server and is therefore easily detected. Since it needs more packets to complete, it is also a more time-consuming process. Furthermore, it can overload the target and sometimes produce a DoS situation.

NULL  |  FIN  |  Xmas


A NULL scan has no flags set.
A FIN scan has the FIN flag set.
An Xmas scan has the FIN, PSH and URG flags set - the packet is lit up like a Christmas tree.

All three are almost the same - the only difference is in the flags set. If we receive an RST packet in response, the port is considered closed. No response means open|filtered. If an ICMP message comes back, the port is filtered.

The main advantage of these three scans is low detectability - only a little higher than a SYN scan. The biggest disadvantage is that not every system is compliant with RFC 793, so responses may be independent of the actual port state.

Maimon


Very similar to the three above, but it uses a FIN/ACK packet. In all cases an RST should be received, but BSD-derived operating systems respond only when the port is closed.

TCP window


This is a slightly modified version of the ACK scan. It uses the TCP Window field to determine whether a port is open. This field is part of TCP's flow control and helps manage how much data is in flight. On some OSes a positive TCP Window size in the reply indicates that the port is open (even though the reply is an RST packet). Conversely, a TCP Window size of 0 means that the port is closed.

This type of scan is not very common and it is quite unreliable - it needs a deep understanding of what is going on to draw any conclusions.
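The SYN, ACK, NULL/FIN/Xmas, Maimon and window sections above all boil down to one decision: which flags a probe carries and what a given reply (or silence) means for that probe. The following is an added example, not code from the original post or from nmap, that encodes those rules in one function over constructed replies; the Reply model, the scan names and the "retry" verdict (silence before the resend budget is used up) are my assumptions, and any ICMP type 3 is treated as filtered rather than distinguishing codes per OS.

```python
from dataclasses import dataclass
from typing import List, Optional

# Flags each probe carries, as described in the post (S=SYN, A=ACK, F=FIN, P=PSH, U=URG).
PROBE_FLAGS = {
    "syn": "S", "ack": "A", "null": "", "fin": "F",
    "xmas": "FPU", "maimon": "FA", "window": "A",
}


@dataclass
class Reply:
    """Constructed model of one answer to a probe (a real scanner decodes this from the wire)."""
    flags: str = ""                  # TCP flags of the reply, e.g. "SA" or "RA"; "" if it was ICMP
    icmp_type: Optional[int] = None  # set when the answer was an ICMP message instead of TCP
    icmp_code: Optional[int] = None
    window: int = 0                  # TCP window field of the reply (used by the window scan)


def classify(scan: str, replies: List[Optional[Reply]], max_retries: int = 2) -> str:
    """Turn the replies to one port's probes into a port state.

    `replies` holds one entry per transmission (first send plus resends); None means
    that transmission timed out. A verdict for silence is only given once the scanner
    has used up its retries, mirroring nmap's --max-retries.
    """
    if scan not in PROBE_FLAGS:
        raise ValueError(f"unknown scan type {scan!r}")

    for reply in replies:
        if reply is None:
            continue                                  # timeout: look at the next resend
        if reply.icmp_type == 3:                      # ICMP destination unreachable from a filter
            return "filtered"
        flags = set(reply.flags)
        if scan == "syn":
            if {"S", "A"} <= flags:
                return "open"
            if "R" in flags:
                return "closed"
        elif scan == "ack":
            if "R" in flags:
                return "unfiltered"                   # RST got through: no stateful filter in the way
        elif scan in ("null", "fin", "xmas", "maimon"):
            if "R" in flags:
                return "closed"
        elif scan == "window":
            if "R" in flags:
                return "open" if reply.window > 0 else "closed"
        return "unexpected"                           # a reply this scan type cannot interpret

    # Every transmission was silent.
    if len(replies) <= max_retries:
        return "retry"                                # the scanner would resend before deciding
    if scan in ("null", "fin", "xmas", "maimon"):
        return "open|filtered"                        # RFC 793: an open port stays silent too
    return "filtered"                                 # syn, ack, window: silence means a filter


if __name__ == "__main__":
    print(classify("syn", [Reply(flags="SA")]))                 # open
    print(classify("xmas", [None, None, None]))                 # open|filtered
    print(classify("window", [Reply(flags="RA", window=512)]))  # open
```

Note how the same silence yields "filtered" for a SYN scan but only "open|filtered" for the flag-less probes: that ambiguity is exactly the RFC 793 caveat the post mentions, and a defender reading scan logs sees it as probes that never produce a reply from open ports.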

Saturday 8 February 2020

Port scanning guide #1: TCP three way handshake

In this series I am going to delve into some of the theory of port scanning, which is essential to service identification on a TCP/IP network. The most popular tool for this inspection is nmap, but it is not the only one (Unicornscan and ZMap are others). In cyber security it is very important to understand the fundamentals, and port scanning is clearly one of them. The two most often used types of scanning are TCP SYN and UDP. First, I will describe how a TCP connection is formed.

SYN  |  SYN/ACK  |  ACK


The term above describes how a TCP connection is established. Imagine a situation with two parties, Mike and Kate. Mike wants to send a message to Kate via TCP on port 80. The first thing Mike has to do is check whether Kate is reachable, and he does this by opening a TCP connection.


Mike - sends a TCP SYN to Kate on port 80   >>>     Kate
Kate - responds with a TCP SYN/ACK          >>>     Mike
Mike - sends a TCP/ACK                      >>>     Kate
Connection is established


Let's examine those steps:

  1. Mike sends a SYN request to Kate.
  2. Kate receives the request and, if there is a process listening on port 80, responds with a TCP packet with the SYN/ACK flags set.
  3. Mike receives the TCP SYN/ACK, checks the acknowledgement number (more about it here) and then sends the last part of the handshake, the TCP ACK. At this point both parties are successfully connected and can exchange data over the TCP socket.

Closed port


If no service is running on Kate's server on port 80, she responds with a packet with the TCP RST/ACK flags set. After this response the connection attempt is terminated.

Mike - sends a TCP SYN to Kate on port 80   >>>     Kate
--- port is closed ---
Kate - responds with a TCP RST/ACK          >>>     Mike
Connection is terminated

Other responses


When scanning a network you have to bear in mind that not everything will go as you would like. The server being scanned may run a firewall that drops your SYN requests, so they never reach their destination. More rarely, you can encounter a situation where the request reaches the server, but the response is firewalled and dropped.
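To tie this handshake post together with the TCP connect scan section of guide #2, here is an added example (not code from either post, and not nmap's implementation) that plays both roles on the loopback interface: a constructed stand-in for Kate's service that records every accepted connection, and a connect() based probe that maps a completed handshake to "open", an RST/ACK (seen by the socket layer as ConnectionRefusedError) to "closed", and a timeout to "filtered". The listener, the `demo()` function and the way a closed port is chosen are my assumptions.

```python
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Constructed stand-in for Kate's service: accept connections and record each peer.

    The `log` list shows the 'probe gets logged on the server' effect of a connect scan:
    the full handshake completes, so the application layer sees the visitor.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    log = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()   # handshake already completed by the kernel
            except OSError:
                return                      # listening socket was closed, stop serving
            log.append(peer)                # what a server-side log would record
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, log


def connect_scan(host, ports, timeout=1.0):
    """Classify each port by the outcome of a full connect(): open, closed or filtered."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # SYN -> SYN/ACK -> ACK: Mike and Kate are connected
            results[port] = "open"
        except ConnectionRefusedError:   # RST/ACK came back: nothing is listening there
            results[port] = "closed"
        except socket.timeout:           # neither SYN/ACK nor RST: a packet was dropped
            results[port] = "filtered"
        finally:
            s.close()                    # tear the connection down again
    return results


def pick_closed_port(host="127.0.0.1"):
    """Bind and immediately release a port, so it is almost certainly closed right now."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one open and one closed loopback port; return both verdicts and the log size."""
    srv, log = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = pick_closed_port()
    results = connect_scan("127.0.0.1", [open_port, closed_port])
    for _ in range(100):                 # give the accept thread a moment to log the visit
        if log:
            break
        time.sleep(0.01)
    srv.close()
    return results[open_port], results[closed_port], len(log)


if __name__ == "__main__":
    print(demo())   # ('open', 'closed', 1)
```

The third value returned by `demo()` is the point the connect scan section makes about detectability: one scanned open port leaves one entry in the service's own accept log, which a SYN scan, which never sends the final ACK, would not produce.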

Friday 7 February 2020

Stopping a process

Sometimes we want to suspend a process. For those running in a terminal we can use the CTRL + Z shortcut, but what about processes running in the background? For instance, how can we stop a daemon process?

Fortunately, there is a special Unix signal called SIGSTOP. When this signal is sent to a running process, the kernel suspends that process, and it stays suspended until the SIGCONT signal is sent.

This is how it looks from the command line:

# suspend
kill -STOP PID
# resume
kill -CONT PID

I can imagine one situation in which this feature is useful. Suppose there is a PHP application which uses a MySQL database. When we want to test how the application behaves when the database stops responding, we can just send SIGSTOP to the MySQL process. Despite this signal, all of the connections between the two are preserved. This is similar to what happens when our machines experience heavy load.
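The PHP/MySQL scenario can be reproduced in miniature. The following is an added example, not part of the original post: a tiny constructed TCP server run as a child process stands in for the database, the parent plays the application, and the parent sends SIGSTOP and SIGCONT exactly as `kill -STOP` and `kill -CONT` would. It shows that while the server is suspended the connection stays up (the request is queued, not refused) and that the queued request is answered as soon as the process is resumed. The child script, the port hand-over via stdout and the "ping"/"pong" exchange are my assumptions; it needs a Unix system.

```python
import os
import signal
import socket
import subprocess
import sys
import textwrap

# Constructed stand-in for the database: a minimal TCP server that answers "pong" to
# every message. It prints the port it was given so the parent knows where to connect.
CHILD = textwrap.dedent("""
    import socket
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    print(srv.getsockname()[1], flush=True)
    conn, _ = srv.accept()
    while True:
        if not conn.recv(16):
            break
        conn.sendall(b"pong\\n")
""")


def freeze_and_thaw(stall_timeout=1.0):
    """Talk to the child, suspend it with SIGSTOP, observe the stall, resume with SIGCONT."""
    proc = subprocess.Popen([sys.executable, "-c", CHILD], stdout=subprocess.PIPE, text=True)
    port = int(proc.stdout.readline())
    cli = socket.create_connection(("127.0.0.1", port))
    cli.settimeout(stall_timeout)

    cli.sendall(b"ping\n")
    before = cli.recv(16)                        # the server answers normally

    os.kill(proc.pid, signal.SIGSTOP)            # same as: kill -STOP PID
    _, status = os.waitpid(proc.pid, os.WUNTRACED)
    stopped = os.WIFSTOPPED(status)              # the kernel confirms the child is suspended

    cli.sendall(b"ping\n")                       # connection is still up; data is queued
    try:
        cli.recv(16)
        stalled = False
    except socket.timeout:
        stalled = True                           # no answer while suspended, but no error either

    os.kill(proc.pid, signal.SIGCONT)            # same as: kill -CONT PID
    cli.settimeout(5.0)
    after = cli.recv(16)                         # the queued request is served once resumed

    cli.close()
    proc.kill()
    proc.wait()
    proc.stdout.close()
    return {"before": before, "stopped": stopped, "stalled": stalled, "after": after}


if __name__ == "__main__":
    print(freeze_and_thaw())
```

The `stalled` flag is the behaviour worth testing an application against: a suspended dependency does not refuse or reset connections, it simply never answers, so client-side timeouts, not error handling, are what keep the application responsive.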

Monday 3 February 2020

VIM cheatsheet... and how to exit it!



Movement 


e        go to end of the current word
b        go to beginning of the current word
⇧ + $    go to end of the current line
⇧ + ^    go to beginning of the current line
gg       go to beginning of the file
⇧ + g    go to end of the file


Searching


/        enter search (forward) mode
?        enter search (backward) mode
n        next occurrence


General


u        undo
o        open new line below and go to insert mode
⇧ + o    open new line above and go to insert mode
%        jump to corresponding bracket
:q       quit
:wq      write changes & quit
:q!      quit without saving changes


Text manipulation



x        delete the character under the cursor
r        replace the single character under the cursor
c + e    remove all characters from the cursor to the end of the current word
c + b    remove all characters from the cursor to the beginning of the current word
c3e      remove the next 3 words
5dd      remove the next 5 lines
ci{      remove all content between the curly braces
*        highlight all occurrences of the current word
⇧ + v    mark the whole line
v        mark a custom selection
yy       copy the whole line
y        copy the selection
d        cut the selection
p        paste below
⇧ + p    paste above


~/.vimrc


:set nocompatible   "Use the newest features
:set number         "Activate line numbers
:set incsearch      "Live search
:set hlsearch       "Highlight search occurrences
:set autoindent     "Auto indent in code
:syntax on          "Syntax highlighting
:set mouse=a        "Enable mouse

Friday 24 January 2020

TCP/IP #3: Network messaging

Communication between devices on packet-switched networks is based on items most generically called messages. These pieces of information also go by other names, such as packets, datagrams, frames and cells, which often correspond to protocols at particular layers of the OSI Reference Model. The formal OSI terms for messages are protocol data unit (PDU) and service data unit (SDU).

Message Formatting: Headers, Payloads, and Footers 

Every protocol uses a format that determines the structure of the messages it employs. The exact format varies depending on the protocol or technology that uses it. Despite these differences, each message contains the following three elements:

Header


This information is placed at the beginning of the message. It normally consists of a small number of control bytes that tell the receiver how this chunk of data should be treated and interpreted. Headers are the link between the protocol elements on the two communicating sides.

Data


Also often called the payload. This is the actual information being sent, e.g. the contents of a website. Sometimes, however, a message contains no data at all; such messages serve control and communication purposes. One use of an empty payload is terminating a connection.

Footer


This information sits at the end of the message. A footer is very similar to a header, only in a different place. A header is present in most protocol messages, but a footer only in some (especially in lower-layer protocols, such as the data link layer of the OSI model).

The general format of a networking message therefore consists of three parts in this order: header, data and footer. The header and footer carry control information, and the data itself is 'packed' into the middle.
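To make the header/data/footer layout concrete, here is an added example of a small constructed wire format (my own, not one the post or any real protocol defines): a fixed header carrying a version, a message type and the payload length, a variable payload, and a footer holding a CRC-32 over everything before it, which is the kind of integrity check a data link layer footer such as Ethernet's frame check sequence carries. The parser also shows the one check a practitioner should never skip when the header comes from the other side of the wire: the declared length is compared with the bytes actually received before it is used to slice anything.

```python
import struct
import zlib

# Constructed wire format: header + payload + footer, in the order the post describes.
HEADER = struct.Struct("!BBH")   # version (1 byte), message type (1 byte), payload length (2 bytes)
FOOTER = struct.Struct("!I")     # CRC-32 of header + payload, network byte order
TYPE_DATA = 1
TYPE_CLOSE = 2                   # a control message: header and footer only, empty payload
MAX_PAYLOAD = 0xFFFF             # the most a 16-bit length field can describe


def build(msg_type: int, payload: bytes = b"", version: int = 1) -> bytes:
    """Assemble header + payload + footer for one message."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for a 16-bit length field")
    header = HEADER.pack(version, msg_type, len(payload))
    footer = FOOTER.pack(zlib.crc32(header + payload))   # crc32 is unsigned in Python 3
    return header + payload + footer


def parse(frame: bytes) -> dict:
    """Split a frame into its parts, trusting the header's length only after checking it."""
    if len(frame) < HEADER.size + FOOTER.size:
        raise ValueError("truncated frame: too short for header and footer")
    version, msg_type, length = HEADER.unpack_from(frame, 0)
    body_end = HEADER.size + length
    # The length field was written by the sender. Compare it with what actually arrived
    # before slicing by it; a lying header must fail here, not somewhere downstream.
    if len(frame) != body_end + FOOTER.size:
        raise ValueError("length field does not match the bytes received")
    payload = frame[HEADER.size:body_end]
    (crc,) = FOOTER.unpack_from(frame, body_end)
    if crc != zlib.crc32(frame[:body_end]):
        raise ValueError("footer checksum mismatch: frame corrupted in transit")
    return {"version": version, "type": msg_type, "payload": payload}


if __name__ == "__main__":
    frame = build(TYPE_DATA, b"hello")
    print(frame.hex())          # header, then 'hello', then the 4-byte footer
    print(parse(frame))
    print(parse(build(TYPE_CLOSE)))   # the empty-payload control message from the post
```

A TYPE_CLOSE message is the post's "empty data/payload" case: the frame is just a header and a footer, and `parse()` returns an empty payload rather than treating the absence of data as an error.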

Message Addressing and Transmission Methods: Unicast, Broadcast, and Multicast


As in the real world, in networking there are several ways of addressing and transmitting information. They vary in the number of recipients, in how much the sender knows about who the recipients are, and in how the recipient is identified. Consider a large hall with a few hundred people in it, mingling and having different conversations. You may try to send messages to them in different ways. Bearing this analogy in mind, consider the following three kinds of transmission and addressing:

Unicast


These messages are sent by one party to another and are not intended for anyone else. If you want to share something confidential at a party, you take a friend aside to where you will not be overheard. Obviously, eavesdropping is still possible. The same applies on the network: using this type of transmission does not guarantee confidentiality.

Unicast delivery requires that the message be sent to a specific recipient. This is the most common type used on the network.

Broadcast


As the name suggests, these messages are sent to the whole audience. It is like playing music in a room - whether anyone hears it is only a matter of whether they want to listen. While you should not use it for sensitive messages, you can use it to reach a party you do not otherwise know how to reach. Broadcasting is used for a variety of purposes, including finding the locations of particular devices on the network that provide different services.

Broadcasts are usually implemented via a special broadcast address which delivers the data to the whole network. Whoever wants to receive the data only has to listen at that specific place on the network.

Multicast


These are a compromise between the previous two types. Multicast messages are sent to a specified group of recipients. It can be compared to talking with a small, known group at the party. This type requires some kind of authentication of who is allowed to see those messages.

Addressing in multicast is the most complicated, since it requires broadcasting data with some kind of authentication.

Point-to-point & anycast


There is also point-to-point addressing, which links only two parties. Since there are only two parties, no strict addressing is necessary. Another type worth mentioning here is anycast, defined as part of IPv6. This term identifies a message that should be sent to the closest (thus in theory the best) member of a group of devices.

Thursday 23 January 2020

TCP/IP #2: Network protocols

In the real world, protocol often refers to a code of conduct or a form of etiquette. People follow certain rules of behaviour, ceremony and so on. They also have to know what is expected of them in any particular situation to ensure communication without conflict. The same is expected when they interact with people from other countries and cultures, making sure that they do not offend anybody through unfamiliarity with local customs. In simple words, protocols are a kind of unwritten rules of society.

All in all, social networking and computer networking are very similar. Both define sets of rules and procedures that enable devices and systems to communicate. Although PCs and laptops do not have to worry about making a faux pas, they strictly have to ensure that all the devices on the network agree on how to communicate with each other.

A protocol is a set of rules, algorithms, messages and other defined mechanisms governing communication between entities at the same level (such as an OSI layer). For example, the Transmission Control Protocol (TCP) defines a specific way of communicating at layer 4 of the OSI model. Therefore, all hosts must implement TCP to use it properly.

Despite the definition above, the term protocol often refers to other networking concepts, e.g. protocol suites (sets of protocols) or MS Windows protocols.

Below is a list of the most popular internet protocols:

  • IP: Internet Protocol
  • FTP: File Transfer Protocol
  • SSH: Secure shell
  • SSL: Secure Sockets Layer
  • TELNET
  • SMTP: Simple Mail Transfer Protocol
  • POP3: Post Office Protocol
  • HTTP: HyperText Transfer Protocol
  • HTTPS: HyperText Transfer Protocol Secure

In the next posts, some of the above will be described more precisely.

Connection-Oriented and Connectionless Protocols


We can divide networking technologies by whether they use a dedicated path (circuit switching, e.g. the telephone system) or packet switching (the path is chosen as packets traverse the routers). Another way to differentiate them is whether or not they use persistent connections. This is closely related to circuit vs packet switching.

Connection-oriented protocols


To establish a connection using these protocols there has to be some kind of handshake. For example, in TCP, before data is sent both parties exchange information about the connection (the three-way handshake). Only once the connection is established is the payload sent. When all the packets have been sent, the connection is closed.

Connectionless protocols


These protocols do not require any handshake before data is sent. One party just sends data to the receiver and does not care whether the packet is delivered or not. UDP is such a protocol; it is used e.g. for streaming video, where establishing a connection is not needed, so better performance is available.

TCP/IP #1: Networking introduction

Networks are everywhere, especially in the form of the Internet. The Internet has revolutionised our lives to an extent people could not imagine several years ago, and more is to come. Although we tend to take it for granted that the devices we use are connected somewhat magically, there are of course great minds behind networking concepts - no magic at all. Since this is a very interesting topic, in this series I will try to answer some questions about it.

What is networking?


For such an extensive subject, there is actually a simple answer:

A network is a set of hardware devices connected together, either physically or logically. This allows them to exchange information.

Networks are used for a huge array of purposes. Most people learning about them think of interconnected PCs. But people use a variety of devices that are connected to some network on a daily basis that are not PCs or laptops. Smartphones, tablets, cars, air conditioning, smart home solutions, even vacuum cleaners - all of these devices have to be connected to some type of network to exchange information.

Pros and cons

At first glance networks are very advantageous, because they allow computers and other devices to connect and share information, thus helping ordinary people organise their lives and share resources. Some of the specific benefits include communication, data sharing, Internet access, data security, management and entertainment.

Nonetheless, all that glitters is not gold. Even though networking provides many solutions in our lives, it carries some drawbacks. Setting up a network costs: hardware, software, administration, maintenance - it is not going to be self-sustaining, at least for now. It is also essential that networks keep running smoothly and that any issues are addressed as soon as possible. Nowadays, as we keep confidential data on many servers, data security becomes one of the bigger concerns.

Network layers

One of many reasons people find networking difficult to learn is that it can be overwhelming. A plethora of concepts, protocols and standards are all parts of a bigger puzzle that makes up the global networking system. Dividing networks into layers helps encapsulate data and lets each layer do only particular things, somewhat like a manufacturing facility where labour is divided among the people specialised in each task.

The most common general model in use today is the Open Systems Interconnection (OSI) Reference Model, which consists of seven layers. Understanding it is essential to grasp the whole picture of networking. In this series I will break each layer down into smaller pieces and describe it in simple words. But most of the topics will be around layers 3 and 4, where the Internet Protocol (IP) and the Transmission Control Protocol (TCP) live.