John works as an Ethical Hacker for www.company.com Inc. He wants to find out which ports are open on www.company.com's server using a port scanner. However, he does not want to establish a full TCP connection. Which of the following scanning techniques will he use to accomplish this task?
A. TCP SYN
B. Xmas tree
C. TCP SYN/ACK
D. TCP FIN
Explanation:
According to the scenario, John does not want to establish a full TCP connection. Therefore, he will use the TCP SYN scanning technique. TCP SYN scanning is also known as half-open scanning because in this type of scanning a full TCP connection is never opened. The steps of TCP SYN scanning are as follows:
1. The attacker sends a SYN packet to the target port.
2. If the port is open, the attacker receives a SYN/ACK message.
3. The attacker then breaks the half-open connection by sending an RST packet instead of completing the handshake.
4. If an RST packet is received in response to the SYN instead of a SYN/ACK, the port is closed.
This type of scanning is hard to trace because the attacker never completes the TCP 3-way handshake, and most sites do not log incomplete TCP connections.
Answer option C is incorrect. In TCP SYN/ACK scanning, an attacker sends a SYN/ACK packet to the target port. If the port is closed, the victim assumes that this packet was mistakenly sent by the attacker and sends an RST packet back to the attacker. If the port is open, the SYN/ACK packet is ignored and the port drops it. TCP SYN/ACK scanning is a stealth scan, but some intrusion detection systems can detect it.
Answer option D is incorrect. TCP FIN scanning is a type of stealth scanning in which the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was sent mistakenly by the attacker and sends an RST packet back to the attacker. If the port is open, the FIN packet is ignored and the port drops it. TCP FIN scanning is useful only for identifying ports on non-Windows operating systems, because Windows operating systems send RST packets irrespective of whether the port is open or closed.
Answer option B is incorrect. Xmas Tree scanning is the opposite of null scanning: in a null scan no TCP flags are set, whereas in an Xmas Tree scan all the TCP flags in the packet are turned on. If the target port is open, the service running on the target port discards the packet without any reply. According to RFC 793, if the port is closed, the remote system replies with an RST packet. Active monitoring of all incoming packets can help system and network administrators detect an Xmas Tree scan.