2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
TCP connection scan:
A three-way handshake is required for the client to establish a TCP connection with the server. If the three-way handshake completes successfully, the port is open.
TCP SYN scan (also known as half-open scan or stealth scan):
This technique is very similar to the TCP connection scan. The client again sends a packet with the SYN flag and the port number to the server, and if the destination port is open, the server returns a TCP packet with the SYN and ACK flags set.
TCP Christmas tree (Xmas Tree) scan:
In a Christmas tree scan, the client sends a packet with the PSH, FIN and URG flags and the port number to the server. If the target port is open, there is no response from the server. If the server returns a TCP packet with the RST flag, the port is closed.
TCP FIN scan:
The FIN scan sends a TCP packet with the FIN flag and the port number to the server. If there is no response from the server, the port is open. If the server returns an RST packet, the destination port is closed.
TCP null scan (Null):
In a null scan, the TCP packet sent by the client contains only the port number and no flags. If the destination port is open, no reply is sent. If the server returns an RST packet, the destination port is closed.
TCP ACK scan:
The ACK scan is not used to find out whether a port is open or closed, but to find out whether there is a stateful firewall in front of the server. Its results only indicate whether the port is filtered. The client sends a packet with the ACK flag and the port number to the server. If the server returns a TCP packet with the RST flag, the port is not filtered and there is no stateful firewall. If the target server does not respond, or returns an ICMP error packet of type 3 with code 1, 2, 3, 9, 10 or 13, the port is filtered and there is a stateful firewall.
TCP window scan:
The TCP window scan works like the ACK scan: the client sends a TCP packet with the ACK flag and the port number to the server. Unlike the ACK scan, it can be used to discover the state of the target port. In an ACK scan a returned RST only indicates that the port is not filtered; in a window scan, the window size of the returned RST packet is checked as well. If the window size is non-zero, the target port is open.
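The reply rules above can be collected into one decision function. This is an added example, not code from the original article; the `interpret` function, the reply dictionaries and the "no verdict" label are hypothetical names, and the replies are constructed so it runs without Scapy or network access.

```python
# Added example: the reply rules described above, as one function.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}    # ICMP type 3 codes named above

def interpret(scan, reply):
    """Port state inferred from `reply` (a constructed dict, or None for silence)."""
    is_tcp = reply is not None and reply["proto"] == "tcp"
    rst = is_tcp and bool(reply["flags"] & RST)
    if scan in ("connect", "syn"):
        if is_tcp and (reply["flags"] & (SYN | ACK)) == (SYN | ACK):
            return "open"
        return "closed" if rst else "no verdict"
    if scan in ("xmas", "fin", "null"):
        if reply is None:
            # Silence is read as open; a filter that silently drops the
            # probe produces the same observation.
            return "open"
        return "closed" if rst else "no verdict"
    if scan in ("ack", "window"):
        icmp_err = (reply is not None and reply["proto"] == "icmp"
                    and reply["type"] == 3
                    and reply["code"] in ICMP_FILTERED_CODES)
        if reply is None or icmp_err:
            return "filtered"
        if not rst:
            return "no verdict"
        if scan == "ack":
            return "unfiltered"
        # Window scan: a non-zero window in the RST means open; a zero
        # window is read as closed (assumption, the text gives only non-zero).
        return "open" if reply["window"] != 0 else "closed"
    raise ValueError("unknown scan type: " + scan)

# Constructed replies, not captured traffic.
SYNACK = {"proto": "tcp", "flags": SYN | ACK, "window": 8192}
RSTACK = {"proto": "tcp", "flags": RST | ACK, "window": 0}
RST_WIN = {"proto": "tcp", "flags": RST, "window": 512}
ADMIN_PROHIBITED = {"proto": "icmp", "type": 3, "code": 13}

def demo():
    cases = [("syn", SYNACK), ("syn", RSTACK), ("xmas", None), ("fin", RSTACK),
             ("ack", RST_WIN), ("ack", ADMIN_PROHIBITED), ("ack", None),
             ("window", RST_WIN), ("window", RSTACK)]
    return [interpret(scan, reply) for scan, reply in cases]

if __name__ == "__main__":
    print(demo())
```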
1. SYN scanning:
from scapy.all import IP, TCP, sr, sniff
i = IP()
t = TCP()
i.dst = '10.202.32.0/24'  # contiguous address range
t.sport = 8888
t.dport = [3389, 21, 22, 23, 443, 445, 137, 138, 139]  # or (1, 1024) for a range
[] indicates multiple ports, and () indicates consecutive ports.
t.flags = 'S'  # the flag bits can also be written as a number, e.g. 16 for ACK
Flag bit values, from the lowest bit to the highest:
FIN SYN RST PSH ACK URG
1 2 4 8 16 32
respose = i/t  # build the packet after all fields are set, since i/t copies both layers
ans, unans = sr(respose)
ans.show()
0000 IP / TCP 192.168.80.250:8888 > 10.202.32.1:ssh S ==> IP / TCP 10.202.32.1:ssh > 192.168.80.250:8888 SA / Padding
0001 IP / TCP 192.168.80.250:8888 > 10.202.32.74:microsoft_ds S ==> IP / TCP 10.202.32.74:microsoft_ds > 192.168.80.250:8888 SA / Padding
0002 IP / TCP 192.168.80.250:8888 > 10.202.32.74:netbios_ns S ==> IP / TCP 10.202.32.74:netbios_ns > 192.168.80.250:8888 RA / Padding
0003 IP / TCP 192.168.80.250:8888 > 10.202.32.74:netbios_ssn S ==> IP / TCP 10.202.32.74:netbios_ssn > 192.168.80.250:8888 SA / Padding
Monitor the data:
sniff(iface="eth0", prn=lambda x: x.show())
View and process the data:
ans.summary(lambda s, r: r.sprintf("%IP.src%\t%TCP.sport%\t%TCP.flags%"))
10.200.230.1 ssh SA
10.200.230.11 3389 SA
10.200.230.11 loc_srv SA
10.200.230.11 microsoft_ds SA
10.200.230.12 3389 SA
10.200.230.12 https SA
10.200.230.40 3389 SA
10.200.230.41 3389 SA
10.200.230.42 loc_srv SA
10.200.230.42 microsoft_ds SA
10.200.230.50 3389 SA
2. TCP ACK scanning
from scapy.all import IP, TCP, sr
i = IP()
i.dst = '10.200.193.0/24'
t = TCP()
t.flags = 'A'  # ACK flag only
t.sport = 9999
t.dport = [3389, 21, 22, 23, 80, 443]
respose = i/t
ans, unans = sr(respose)
ans.show()
0000 IP / TCP 192.168.80.250:9999 > 10.200.193.0:3389 A ==> IP / TCP 10.200.193.0:3389 > 192.168.80.250:9999 R / Padding
0001 IP / TCP 192.168.80.250:9999 > 10.200.193.0:ftp A ==> IP / TCP 10.200.193.0:ftp > 192.168.80.250:9999 R / Padding
0002 IP / TCP 192.168.80.250:9999 > 10.200.193.0:ssh A ==> IP / TCP 10.200.193.0:ssh > 192.168.80.250:9999 R / Padding
0003 IP / TCP 192.168.80.250:9999 > 10.200.193.0:telnet A ==> IP / TCP 10.200.193.0:telnet > 192.168.80.250:9999 R / Padding
If the server returns a TCP packet with a RST identity, the port is not filtered and there is no stateful firewall.
Monitor the data:
sniff(iface="eth0", prn=lambda x: x.show())
View and process the data:
ans.summary(lambda s, r: r.sprintf("%IP.src%\t%TCP.sport%\t%TCP.flags%\t%ICMP.type%"))
10.200.193.1 3389 R ??
10.200.193.1 ftp R ??
10.200.193.1 ssh R ??
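From the monitoring side, the flag bit values listed in section 1 are enough to label these probes in captured traffic. The following is an added example, not part of the original article; the log format, the addresses, the `find_scanners` name and the `min_ports` threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Flag bit values as listed in section 1 of the article.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

# Flag combinations that match the probes described in this article.
PROBES = {0: "null", FIN: "fin", FIN | PSH | URG: "xmas", SYN: "syn", ACK: "ack"}

# Constructed capture summary, one packet per line: "src dst dport flags",
# where flags is the numeric value of the TCP flags byte.
SAMPLE = """\
198.51.100.7 10.0.0.5 21 41
198.51.100.7 10.0.0.5 22 41
198.51.100.7 10.0.0.5 23 41
192.0.2.44 10.0.0.5 443 2
192.0.2.44 10.0.0.5 443 24
203.0.113.9 10.0.0.5 80 0
203.0.113.9 10.0.0.5 443 0
203.0.113.9 10.0.0.5 445 0
192.0.2.80 10.0.0.5 22 16
192.0.2.80 10.0.0.5 23 16
"""

def probe_type(flags):
    """Name the probe a flags byte matches, or None for ordinary traffic."""
    return PROBES.get(flags & 0x3F)   # ignore the two ECN bits above URG

def find_scanners(lines, min_ports=3):
    """Return {(src, dst, probe): ports} for sources probing >= min_ports ports."""
    ports = defaultdict(set)
    for line in lines:
        src, dst, dport, flags = line.split()
        kind = probe_type(int(flags))
        if kind:
            ports[(src, dst, kind)].add(int(dport))
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for (src, dst, kind), hit in find_scanners(SAMPLE.splitlines()).items():
        print(src, "->", dst, kind, hit)
```

A bare SYN or ACK is also normal traffic, so those two labels only mean something together with the distinct-port count; null, FIN-only and Xmas flag sets do not occur at the start of a legitimate connection.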