CEH Scanning Methodology - Check for Open Ports

SSDP Scanning

  • The Simple Service Discovery Protocol (SSDP) is a network protocol that works in conjunction with UPnP to detect plug and play devices available in a network.
  • Vulnerabilities in UPnP may allow attackers to launch buffer overflow or DoS attacks.
  • An attacker may use a UPnP SSDP M-SEARCH information discovery tool to check whether the machine is vulnerable to UPnP exploits.
  • SSDP uses the UDP transport protocol on port 1900.
  • Host: 239.255.255.250:1900

Scanning in IPv6 Networks

  • IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy.
  • Traditional network scanning techniques are computationally less feasible because of the larger search space (64 bits of host address space, or 2^64 addresses) that IPv6 provides in a subnet.
  • Scanning an IPv6 network is more difficult and complex than scanning IPv4, and some scanning tools do not support ping sweeps on IPv6 networks.
  • Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or "Received from:" and other header lines in archived email or Usenet news messages.
  • Scanning an IPv6 network, however, offers a large number of hosts in a subnet: if an attacker can compromise one host in the subnet, the attacker can probe the "all hosts" link-local multicast address.

IPv6 scanning is harder because the address range is too large.

Scanning Tool: Nmap

  • Network administrators can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
  • Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems and OS versions.

Hping2/Hping3 (important)

  • Command line network scanning and packet crafting tool for the TCP/IP protocol.
  • It can be used for network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stack auditing, etc.
  • It can also serve as a packet generator; the default is TCP mode.
  • Send an ICMP request packet to 8.8.8.8 while spoofing the source IP as 1.3.3.7: hping3 --icmp 8.8.8.8 -a 1.3.3.7

Hping Commands

  • ICMP Ping: hping3 -1 10.0.0.25
  • ACK scan on port 80: hping3 -A 10.0.0.25 -p 80
  • UDP scan on port 80: hping3 -2 10.0.0.25 -p 80
  • Collecting Initial Sequence Number: hping3 192.168.1.103 -Q -p 139 -s
  • Firewalls and Time Stamps: hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
  • SYN scan on port 50-60: hping3 -8 50-60 -S 10.0.0.25 -V
  • FIN, PUSH and URG scan on port 80: hping3 -F -P -U 10.0.0.25 -p 80
  • Scan entire subnet for live host: hping3 -1 10.0.1.x --rand-dest -I eth0
  • Intercept all traffic containing HTTP signature: hping3 -9 HTTP -I eth0
  • SYN flooding a victim: hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

Scanning Techniques

  • Scanning TCP Network Services:
    • Open TCP Scanning Methods
      • TCP Connect / Full Open Scan
    • Stealth TCP Scanning Methods
      • Half-open Scan
      • Inverse TCP Flag Scanning
        • Xmas Scan
        • FIN Scan
        • NULL Scan
      • ACK Flag Probe Scanning
    • Third Party and Spoofed TCP Scanning Methods
      • IDLE / IP ID Header Scanning
  • Scanning UDP Network Services:
    • UDP Scanning

TCP Connect / Full Open Scan (-sT) (important)

  • TCP Connect scan detects when a port is open by completing the three-way handshake.
  • TCP Connect scan establishes a full connection and tears it down by sending a RST packet.
  • It does not require super user privileges.
  • Default: 1000 ports.
  • The exam tests both the diagram and the command.
  • Wireshark syntax is divided into capture filters and display filters.

Stealth Scan (Half-open Scan) (-sS)

  • A stealth scan abruptly resets the TCP connection between client and server before the three-way handshake completes, leaving the connection half open.
  • Attackers use stealth scanning techniques to bypass firewall rules and logging mechanisms, and to hide themselves as usual network traffic.
  • Stealth Scan Process:
    1. The client sends a single SYN packet to the server on the appropriate port.
    2. If the port is open then the server responds with a SYN/ACK packet.
    3. If the server responds with an RST packet, then the remote port is in the "closed" state.
    4. The client sends the RST packet to close the initiation before a connection can ever be established.
  • Firewall -> Packet Filtering -> Connection logging -> Connected
  • So connections that never complete are not logged.

Q1). What is missing from a half-open scan?

  1. SYN
  2. ACK
  3. SYN-ACK
  4. FIN

Inverse TCP Flag Scanning (-sF, -sN)

  • Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set or with no flags set; no response means the port is open, and an RST means the port is closed. Note: Inverse TCP flag scanning is known as FIN, URG, or PSH scanning depending on the flag set in the probe packet. It is known as null scanning if no flag is set.

Q1) A packet with no flags set is which type of scan?

  1. TCP
  2. XMAS
  3. IDLE
  4. NULL

A1) A NULL scan has no flags set.

Xmas Scan (-sX)

  • In Xmas scan, attackers send a TCP frame to a remote device with FIN, URG, and PUSH flags set.
  • FIN scan works only with OSes with RFC 793-based TCP/IP implementation.
  • It will not work against any current version of Microsoft Windows.

It may be able to bypass lower-grade firewalls.

ACK Flag Probe Scanning (-sA)

  • Attackers send TCP probe packets with the ACK flag set to a remote device and then analyze the header information (TTL and WINDOW fields) of the received RST packets to find whether the port is open or closed.
  • TTL based ACK flag probe scanning:
    • If the TTL value of the RST packet on a particular port is less than the boundary value of 64, then that port is open.
  • WINDOW based ACK flag probe scanning:
    • If the WINDOW value of the RST packet on a particular port is non-zero, then that port is open.
  • ACK flag probe scanning can also be used to check the filtering system of the target.
  • Attackers send an ACK probe packet with a random sequence number; no response means the port is filtered (a stateful firewall is present), and an RST response means the port is not filtered.

Q1) Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this?

  1. RST flag scanning
  2. FIN flag scanning
  3. SYN flag scanning
  4. ACK flag scanning

IDLE/IPID Header Scan (-sI)

  • Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on it.
  • One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port.
  • The target machine will send back a "SYN|ACK" (session request acknowledgement) packet if the port is open, and an "RST" (Reset) packet if the port is closed.
  • A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored.
  • Every IP packet on the Internet has a "fragment identification" number (IPID).
  • The OS increments the IPID for each packet sent, so probing the IPID gives an attacker the number of packets sent since the last probe.

IDLE Scan: Step 1/2/3

Step 1:

  • Send SYN+ACK packet to the zombie machine to probe its IPID number.
  • Every IP packet on the Internet has a fragment identification number (IPID), which increases every time a host sends an IP packet.
  • A zombie not expecting a SYN+ACK packet will send an RST packet, disclosing the IPID.
  • Analyze the RST packet from zombie machine to extract IPID.

Step 2:

  • Send SYN packet to the target machine (port 80) spoofing the IP address of the "zombie".
  • If the port is open, the target will send a SYN+ACK packet to the zombie, and in response the zombie sends an RST to the target.
  • If the port is closed, the target will send an RST to the "zombie", but the zombie will not send anything back.

Step 3:

  • Probe "zombie" IPID again

Preconditions for an IDLE scan: the zombie is idle, and its sequence number increases sequentially.

Q1) You’re running an IDLE scan and send the first packet to the target machine. Next, the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in what state is the port on the target machine?

  1. Open
  2. Closed
  3. Unknown
  4. None of the above

A1) Since the IPID incremented by only one, this means the zombie hasn’t sent anything since your original SYN/ACK to figure out the starting IPID. If the IPID had increased by two, then the port would be open because the zombie would have responded to the target machine’s SYN/ACK.
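
The IPID arithmetic of steps 1 to 3 and of the quiz answer, as an added in-memory model (not part of the original notes; it sends no packets). The Zombie class, idle_scan function and background_packets parameter are hypothetical names; the last case shows why the inference is only valid when the zombie is idle.

```python
class Zombie:
    """Idle host whose 16-bit IPID counter increases by one per packet sent."""

    def __init__(self, next_ipid):
        self.next_ipid = next_ipid

    def send(self):
        """Emit one packet and return the IPID it carried."""
        ipid = self.next_ipid
        self.next_ipid = (ipid + 1) & 0xFFFF   # IPID is a 16-bit field and wraps
        return ipid

    def receive(self, flags):
        """An unsolicited SYN|ACK draws an RST; an unsolicited RST is ignored."""
        return self.send() if flags == "SYN|ACK" else None


def idle_scan(zombie, port_open, background_packets=0):
    """Model steps 1-3 and return (ipid_delta, inferred_state)."""
    first = zombie.receive("SYN|ACK")                  # Step 1: probe the zombie's IPID
    zombie.receive("SYN|ACK" if port_open else "RST")  # Step 2: target's reply to the spoofed SYN
    for _ in range(background_packets):                # traffic from a zombie that is not idle
        zombie.send()
    second = zombie.receive("SYN|ACK")                 # Step 3: probe the IPID again
    delta = (second - first) & 0xFFFF
    return delta, {1: "closed", 2: "open"}.get(delta, "unknown")


if __name__ == "__main__":
    # Quiz values from the notes: starting IPID 36753.
    print(idle_scan(Zombie(36753), port_open=False))   # (1, 'closed')
    print(idle_scan(Zombie(36753), port_open=True))    # (2, 'open')
    # One unrelated packet from a busy zombie makes a closed port look open.
    print(idle_scan(Zombie(36753), port_open=False, background_packets=1))
```
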

UDP Scanning (-sU)

  • UDP Port Open:
    • There is no three-way TCP handshake for UDP scan
    • The system does not respond with a message when the port is open.
  • UDP Port Closed:
    • If a UDP packet is sent to closed port, the system responds with ICMP port unreachable message (type 3, code 3).
    • Spyware, Trojan horses, and other malicious applications use UDP ports.

Nmap can detect open UDP ports because it sends specific layer-7 payloads and gets a response.

ICMP Echo Scanning (-sn/-sP)/List Scan (-sL)

  • ICMP Echo Scanning:
    • This is not really port scanning, since ICMP does not have a port abstraction.
    • But it is sometimes useful to determine which hosts in a network are up by pinging them all.
    • nmap -sn cert.org/24 152.148.0.0/16
  • List Scan:
    • This type of scan simply generates and prints a list of IPs/Names without actually pinging them.
    • A reverse DNS resolution is carried out to identify the host names.

List Scan only lists targets and does no scanning, but it does perform reverse DNS resolution.

Q1) What is an ICMP Echo scan?

  1. A ping sweep
  2. A SYN scan
  3. A Xmas scan
  4. Part of a UDP scan

Scanning Tool: NetScan Tools Pro

  • NetScan Tools Pro assists in troubleshooting, diagnosing, monitoring and discovering devices on the network.
  • It lists IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs automatically or with manual tools.

Scanning Tools

Scanning Tools for Mobile

Port Scanning Countermeasures

  • Configure firewall and IDS rules to detect and block probes.
  • Run the port scanning tools against hosts on the network to determine whether the firewall properly detects the port scanning activity.
  • Ensure that the mechanisms used for routing and filtering at the routers and firewalls respectively cannot be bypassed using particular source ports or source-routing methods.
  • Ensure that the router, IDS, and firewall firmware are updated to their latest releases.
  • Use custom rule set to lock down the network and block unwanted ports at the firewall.
  • Filter all ICMP messages (i.e. inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and routers.
  • Perform TCP and UDP scanning along with ICMP probes against your organization's IP address space to check the network configuration and its available ports.
  • Ensure that the anti-scanning and anti-spoofing rules are configured.
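
The detection side of the first countermeasure, as an added example (not part of the original notes): it labels inbound TCP segments by the flag combinations described above (NULL, FIN, Xmas, unsolicited ACK, half-open SYN) and reports sources that probe several ports without ever completing a connection, which is the traffic plain connection logging misses. The function names, the port threshold and the sample records are constructed assumptions.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags, known_flow=False):
    """Label one inbound segment by the scan type its flag combination suggests."""
    if flags == 0:
        return "NULL"                      # no flags set
    if flags == FIN | PSH | URG:
        return "XMAS"                      # FIN, URG and PUSH together
    if flags == FIN and not known_flow:
        return "FIN"                       # bare FIN outside any connection
    if flags == ACK and not known_flow:
        return "ACK-probe"                 # unsolicited ACK
    return "other"

def detect_scans(packets, port_threshold=3):
    """packets: ordered (src_ip, dst_port, flags) tuples for inbound segments.
    Returns {src_ip: sorted labels} for sources probing >= port_threshold ports."""
    syn_seen, established = set(), set()
    hits = defaultdict(dict)               # src -> {port: scan label}
    for src, port, flags in packets:
        key = (src, port)
        if flags == SYN:
            syn_seen.add(key)
            continue
        if key in syn_seen:
            syn_seen.discard(key)
            if flags == ACK:               # handshake completed: a logged connection
                established.add(key)
                continue
            if flags & RST:                # reset before the final ACK: half-open
                hits[src][port] = "half-open SYN"
                continue
        kind = classify_probe(flags, known_flow=key in established)
        if kind != "other":
            hits[src][port] = kind
    return {s: sorted(set(h.values())) for s, h in hits.items() if len(h) >= port_threshold}

# Constructed sample traffic (documentation address ranges, not real captures).
SAMPLE = (
    [("192.0.2.10", 443, f) for f in (SYN, ACK, ACK | PSH, FIN | ACK)]   # normal session
    + [("198.51.100.7", p, f) for p in (22, 80, 443) for f in (SYN, RST)]
    + [("203.0.113.5", p, f) for p, f in ((21, FIN | PSH | URG), (23, 0), (25, FIN))]
)

if __name__ == "__main__":
    print(detect_scans(SAMPLE))
```
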
