The document discusses various techniques for port scanning, including open scans, stealth scans, SYN scans, FIN scans, XMAS scans, and NULL scans. It describes how these scans work to determine open and closed ports on a remote system. It also introduces Nmap as a powerful port scanning tool that supports many operating systems and scan types.

1. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
ETHICAL
HACKING

2. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
 Scanning is the process of finding open/close ports, vulnerabilities in remote
system, server & networks.
It will reveal IP addresses, Operating systems, Services running on remote
computer.
Three types of scanning.
1. Port Scanning
2. Network Scanning
3. Vulnerability Scanning

3. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
Port Scanning:
is one of the most popular technique attacker uses to discover the service they break into.
is one of the most popular technique attacker uses to discover the service they break into.
It is one of the most popular technique attacker uses to discover the service they
break into.
 every machine connected to a LAN or connected to Internet via a modem
run many services that listen at well-known and not so well-known ports.
 There are 1 to 65535 ports are available in the computer.
 By port scanning the attacker finds which ports are available.

4. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
Ports:
The port numbers are unique only within a computer system.
 Port numbers are 16-bit unsigned numbers.
 The port numbers are divided into three ranges:
1. Well Known Ports (0..1023),
2. The Registered Ports (1024..49151),
3. The Dynamic and/or Private Ports (49152..65535).

5. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
Well Known Ports:
 echo 7/tcp Echo
 ftp-data 20/udp File Transfer [Default Data]
 ftp 21/tcp File Transfer [Control]
 ssh 22/tcp SSH Remote Login Protocol
 telnet 23/tcp Telnet
 domain 53/udp Domain Name Server
 www-http 80/tcp World Wide Web HTTP.
 Smtp 25/tcp Simple mail transfer protocol
 Whois 43/tcp Whois server

6. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
Regestered Ports:
 wins 1512/tcp Microsoft Windows Internet Name
Service
 radius 1812/udp RADIUS authentication protocol
 yahoo 5010 Yahoo! Messenger
 x11 6000-6063/tcp X Window System

7. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
 SYN - Synchronize - it is used to initiate connection between hosts.
 ACK - Acknowledgement - It is used to establish connection between hosts.
 PSH - push - tells receiving system to send all buffer data.
 URG - urgent - stats that data contain in packet should be process
immediately.
 FIN - finish - tells remote system that there will be no more
transmission.
 TTL - Time to Live.

8. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
Open Scan:
Known as TCP Scan and normally used to program sockets, this technique is
the oldest and works making a full connection with the server.
For that it makes an authentication with 3 packets. Is known as three-way-
handshake:
For the ports opened:
Client ----> SYN ---->
<---- SYN/ACK <---- Server
Client ----> ACK ---->

9. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
For the ports closed:
Client ----> SYN ---->
<---- RST <---- Server
Advantages : very easy to program.
 Disadvantages: is very easy to detect and make logs on each connection.
TCPConnect()
 The connect() system call provided by an OS is used to open a connection to
every interesting port on the machine.
 If the port is listening, connect() will succeed, otherwise the port isn't
reachable .

10. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
Stealth Scan:
 A stealth scan is a kind of scan that is designed to go undetected by auditing
tools.
 Fragmented Scan: The scanner splits the TCP header into several IP
fragments.
 This bypasses some packet filter firewalls because they cannot see a complete
TCP
 header that can match their filter rules.

11. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
SYN Scan:
 This technique is called half open scanning because a TCP connection is not
completed.
 A SYN packet is sent to remote computer.
 The target host responds with a SYN+ACK, this indicates the port is listening
and an RST indicates a non- listener.

12. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
FIN Scan:
 Another technique sends erroneous packets at a port, expecting that open
listening ports will send back different error messages than closed ports.
 Closed ports reply to fin packets with RST.
 Open ports ignore packets.

13. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
XMAS Scan:
 XMAS uses scans where all flags in the TCP packet are set & sent to target
host.
 Closed ports reply to packets with RST.
 Open ports ignore packets.
NULL Scan:
 Null Scan used no flags of TCP header & it sent to the target host.
 Closed ports reply to packets with RST.
 Open ports ignore packets.

14. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
Port Scanner: NMAP:

15. DEPARTMENT OF INFORMATION TECHNOLOGY, SRKR ENGINEERING COLLEGE
SCANNING
 Nmap is powerful utility to scan large number of tools.
 Provided with GUI as well as Command line interface.
 It is supported by many operating systems.
 It can carry out SYN Scan, FIN Scan, Stealth Scan, Half open scan & many
other types.