John works as an ethical hacker for company Inc. He wants to find out which ports are open on the
company's server using a port scanner. However, he does not want to establish a full TCP
connection. Which of the following scanning techniques will he use to accomplish this task?
A. TCP FIN
B. Xmas tree
C. TCP SYN/ACK
D. TCP SYN
Explanation:
According to the scenario, John does not want to establish a full TCP connection, so he will use the
TCP SYN scanning technique. TCP SYN scanning is also known as half-open scanning because a full TCP
connection is never opened. The steps of TCP SYN scanning are as follows:
1. The scanner sends a SYN packet to the target port.
2. If the port is open, the target replies with a SYN/ACK packet.
3. The scanner then tears the connection down by sending an RST packet instead of the ACK that would
complete the three-way handshake.
4. If the port is closed, the target replies with an RST (RST/ACK) packet instead of SYN/ACK. No reply
at all usually means a firewall is filtering the port.
This type of scan is harder to trace than a full-connect scan because the three-way handshake is never
completed: the listening application never sees a connection, and most hosts do not log incomplete
TCP connections. Firewalls and intrusion detection systems that inspect individual packets can still
record the SYN probes, and the scan needs raw-socket (root or administrator) privileges, since the
operating system's TCP stack will not send a bare SYN without completing the handshake itself.
Answer option C is incorrect. In TCP SYN/ACK scanning, the attacker sends a packet with both the SYN
and ACK flags set to the target port, as if answering a handshake the target never started. Under
RFC 793 a segment with the ACK bit set that arrives at a port in either the CLOSED or the LISTEN
state draws an RST, so a SYN/ACK probe, like an ACK scan, cannot distinguish open ports from closed
ones. What an RST does prove is that the probe reached the host unfiltered, while silence suggests a
firewall dropped it; the technique is therefore used to map firewall rules rather than to find open
services. TCP SYN/ACK scanning is a stealth scan, but some intrusion detection systems can detect it.
Answer option A is incorrect. TCP FIN scanning is a type of stealth scanning in which the attacker
sends a packet with only the FIN flag set to the target port. If the port is closed, the target treats
the packet as bogus and replies with an RST. If the port is open, RFC 793 says a segment carrying
neither SYN nor ACK is dropped without a reply, so silence means open (or filtered) and an RST means
closed. TCP FIN scanning is useful only for identifying ports on non-Windows operating systems,
because Windows (and some other TCP stacks) sends an RST regardless of whether the port is open or
closed, making every port appear closed.
Answer option B is incorrect. Xmas Tree scanning is the opposite of null scanning: a null scan sends a
packet with no flags set, while an Xmas Tree scan sends a packet with the flags "lit up" (FIN, PSH and
URG, or every flag in some tools). If the target port is open, the service discards the packet without
any reply. According to RFC 793, if the port is closed, the remote system replies with an RST packet,
so the results are read the same way as a FIN scan and carry the same Windows limitation. Because no
legitimate traffic uses this flag combination, active monitoring of incoming packets lets network
administrators detect an Xmas Tree scan easily.
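The target-side rules that all four options depend on, as one added example covering the SYN scan steps and the FIN, Xmas and SYN/ACK cases above. This is illustration code added here, not from the original page or any scanner; the target is simulated with the RFC 793 rules for the CLOSED and LISTEN states plus a Windows-style "RST to everything" switch, and the port map is constructed, so nothing is sent on the wire.

```python
"""Simulated TCP target for the scan types discussed above (added example).

Encodes the RFC 793 rules for segments arriving at a port in CLOSED or LISTEN
state, plus the non-RFC behaviour of Windows-like stacks that answer FIN, NULL
and Xmas probes with RST even on open ports. Nothing touches the network.
"""

SYN, ACK, FIN, RST, PSH, URG = "SYN", "ACK", "FIN", "RST", "PSH", "URG"

# Probe flag sets for each scan type named in the question (constructed here).
PROBES = {
    "syn":     frozenset({SYN}),
    "fin":     frozenset({FIN}),
    "null":    frozenset(),
    "xmas":    frozenset({FIN, PSH, URG}),
    "ack":     frozenset({ACK}),
    "syn/ack": frozenset({SYN, ACK}),
}


def target_response(probe, port_open, rfc_compliant=True):
    """Return the flag set the target replies with, or None for silence."""
    if RST in probe:                      # RFC 793: an incoming RST is never answered
        return None
    if not port_open:                     # CLOSED: anything but RST draws an RST
        return frozenset({RST}) if ACK in probe else frozenset({RST, ACK})
    # LISTEN (open port)
    if ACK in probe:                      # unexpected ACK (including SYN/ACK) -> RST
        return frozenset({RST})
    if SYN in probe:                      # genuine connection attempt -> second handshake step
        return frozenset({SYN, ACK})
    # FIN / NULL / Xmas: RFC 793 drops silently; Windows-style stacks send RST anyway
    return None if rfc_compliant else frozenset({RST, ACK})


def classify(scan_type, response):
    """Map a response to the port state the scanner infers (Nmap's vocabulary)."""
    if scan_type == "syn":
        if response and SYN in response and ACK in response:
            return "open"
        return "closed" if response and RST in response else "filtered"
    if scan_type in ("fin", "null", "xmas"):
        return "closed" if response and RST in response else "open|filtered"
    # ack and syn/ack probes cannot tell open from closed; an RST only proves no filter
    return "unfiltered" if response and RST in response else "filtered"


def scan(scan_type, ports, rfc_compliant=True):
    """Simulate one scan type against {port: is_open}; returns (results, packet log)."""
    probe = PROBES[scan_type]
    results, log = {}, []
    for port, is_open in sorted(ports.items()):
        log.append(("scanner->target", port, probe))
        resp = target_response(probe, is_open, rfc_compliant)
        if resp is not None:
            log.append(("target->scanner", port, resp))
        state = classify(scan_type, resp)
        results[port] = state
        # Half-open scan: on SYN/ACK the scanner tears down with RST rather than sending
        # the ACK that would complete the handshake, so the target never reaches ESTABLISHED.
        if scan_type == "syn" and state == "open":
            log.append(("scanner->target", port, frozenset({RST})))
    return results, log


def handshake_completed(log):
    """True if the scanner ever sent a bare ACK (the third handshake step)."""
    return any(src == "scanner->target" and flags == frozenset({ACK}) for src, _, flags in log)


if __name__ == "__main__":
    target = {22: True, 80: True, 8080: False}   # constructed target, RFC-compliant stack
    res, pkts = scan("syn", target)
    for entry in pkts:
        print(entry)
    print("SYN scan:", res, "| full handshake:", handshake_completed(pkts))
    print("FIN scan vs RFC stack:", scan("fin", target)[0])
    print("FIN scan vs Windows:  ", scan("fin", target, rfc_compliant=False)[0])
    print("SYN/ACK probe:        ", scan("syn/ack", target)[0])
```

Running the script shows the half-open exchange for each port (SYN, SYN/ACK, RST) with no ACK ever sent, the FIN scan reporting every port closed against a Windows-style stack, and the SYN/ACK probe returning "unfiltered" for open and closed ports alike, which is why option C cannot answer the question.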