SCANNING:

Scanning is defined as the gathering intelligence from the system/network, it is mainly used for network
auditing, system maintenance, also for performing attacks by the hackers.
The purpose of scanning is to identify live hosts, open ports, IP addresses in a target network and to
discover operating systems, services running on hosts and vulnerabilities in live hosts.

Three types of scanning are involved:

 Port scanning: This phase involves scanning the target for the information like open ports, Live
systems, various services running on the host.
 Vulnerability Scanning: Checking the target for weaknesses or vulnerabilities which can be
exploited. Usually done with help of automated tools
 Network Mapping: Finding the topology of network, routers, firewalls servers if any, and host
information and drawing a network diagram with the available information. This map may serve
as a valuable piece of information throughout the hacking process.

Here before going to do scanning, you need to know backend functionality of a connection
establishment in between Source and Destination, and how a scan will perform.

Note: In this concept some time meaning of words will be change as given below.
Source Host = Attackers Computer
Destination Host = Target Computer
Zombie Host = Innocent Computer

TCP (Transmission Control Protocol)

TCP is one of the main protocols in TCP/IP networks. It helps to transmit data, before that TCP creates a
connection between the source and destination and keeps it live until the communication is active. This
connection is possible through the process of the three-way handshake. TCP breaks large data into
smaller packets and ensures that the data integrity is intact once it is reassembled at the destination.
TCP uses where you have to get all transmitted data like HTTP, HTTPs, FTP, SMTP, Telnet, etc.,

Process of three-way handshake

> the source sends a SYN packet to the destination.
> The destination, on receiving the SYN packet, i.e., sent by the source, responds by sending a SYN+ACK
packet back to the source.
> finally, the source sends an ACK packet for the SYN+ACK packet sent by the destination.
> This ACK packet confirms the arrival of the first SYN packet to the source.
> This process allowing to establish communication in between the source and destination.

TCP Communication Flags:

TCP flags are used within TCP packet is can be used to transfers to indicate a particular connection state
in between the source and destination Therefore, they can be used for troubleshooting purposes.

The following are the TCP communication flags:

> SYN (Synchronize): Initiates a connection between source and destination.
> ACK (Acknowledgement): ACK acknowledges the receipt of a packet.
> PSH (Push): System accepting requests and sends all buffered data immediately.
> URG (Urgent): Instructs data contained in packets to be processed as soon as possible.
> FIN (Finish): Announces there will be no more transmissions.
> RST (Reset): Aborts a connection in response to an error.
UDP (User Datagram Protocol):
UDP is one of the oldest network protocol in existence. It's a simple OSI transport layer protocol for
client/server network applications, it is based on Internet Protocol (IP), also this is the main alternative
to TCP.

UDP is a connection less protocol, it has no way of creating a connection like TCP. For this reason, UDP is
faster than TCP. When using UDP, packets are just sent to the destination. The source will not wait to
make sure the destination received the packet, it will just continue sending the next packet. If
destination miss some UDP packets, it cannot ask for those packets again. There is no guarantee
destination are getting all the packets but losing all this overhead means the computers can
communicate more quickly.

UDP uses where you don't care too much if you get all data always like DNS, DHCP, TFTP, SNMP, RIP,
VOIP.
Also, some examples with explanation:
Tunneling/VPN (lost packets are ok - the tunneled protocol takes care of it).
Media streaming (lost frames are ok).
Games that don't care if you get every update.
Local broadcast mechanisms (same application running on different machines "discovering" each other).
Scanning Methodologies:
TCP Connect scan:
TCP Connect Scan are also called as full open scan and it is the original form of port scan which attempts
to establish a complete connection with a range of ports. This connection is establishing with three-way
handshake. so, the source host logs will store in destination host and it was easily detected by most
firewalls and IDS’s.

PORT IS OPEN
> the source sends a SYN packet to the destination.
> The destination, on receiving the SYN packet, i.e., sent by the source, responds by sending a SYN+ACK
packet back to the source.
> finally, the source sends an ACK packet to the destination.
> This ACK packet confirms the arrival of the first SYN packet to the source, means the port is open.

PORT IS CLOSE
> the source sends a SYN packet to the destination.
> The destination, on receiving the SYN packet, i.e., sent by the source, responds by sending a RST
packet back to the source, means the port is close.
Stealth Scan (SYN Scan):
The Stealth Scan are also called as half open scan, this scan is mostly used by the bad hackers. because it
does not complete the full TCP three-way handshake. when the source receives a SYN/ACK from the
destination host, implying an open port on the destination, the source immediately tears down the
connection with an RST. This type of scan used to be considered a stealth scan because the connection
was not completed and therefore not logged by the destination host; however, it is easily detected by
the IDS’s. This scan uses various flag settings, fragmentation, and other types of evasion techniques to
go undetected. Such as FIN scan, NULL scan, and a XMAS scan.
PORT IS OPEN
> the source sends a SYN packet to the destination.
> The destination, on receiving the SYN packet, i.e., sent by the source, responds by sending a SYN+ACK
packet back to the source.
> finally, the source sends an RST packet to the destination. means the port is open.

PORT IS CLOSE
> the source sends a SYN packet to the destination.
> The destination, on receiving the SYN packet, i.e., sent by the source, responds by sending a RST
packet back to the source, means the port is close.
Xmas Scans:
The Xmas scan are also called as Christmas tree scan, it is a more stealth and faster compare to other
type of scans, This Scan breaks the rule of TCP connection establishment because it sends an
unexpected packet at the start of the connection. XMAS packets should never be seen on your network,
so if you see any XMAS packet, it means someone is scanning your network. Also, this scan is illegal and
it was easily detected by IDS’s and more advanced firewall.
According to RFC 793 implementation of TCP/IP this scan only works on Unix based OS, but not work
anymore against present version of Windows.

PORT IS OPEN
> the source sends FIN, URG, PUSH packet to the destination.
> If there is no response from the Destination, means port is open.

PORT IS CLOSE
> the source sends FIN, URG, PUSH packet to the destination.
> The destination, on receiving the FIN, URG, PUSH packets, i.e., sent by the source, responds by
sending a RST packet back to the source, means the port is close.

FIN Scan:
FIN Scan is like an Xmas scan but it sends a packet with just the FIN flag set. it is a more stealth and
faster compare to other type of scans, This Scan breaks the rule of TCP connection establishment
because it sends an unexpected packet at the start of the connection. FIN packets should never be seen
on your network, so if you see any FIN packet, it means someone is scanning your network. Also, this
scan is illegal and it was easily detected by IDS’s and more advanced firewall.
According to RFC 793 implementation of TCP/IP this scan only works on Unix based OS, but not work
anymore against present version of Windows.

PORT IS OPEN
> the source sends FIN packet to the destination.
> If there is no response from the Destination, the port is open.
PORT IS CLOSE
> the source sends FIN packet to the destination.
> The destination, on receiving the FIN packet, i.e., sent by the source, responds by sending a RST packet
back to the source, means the port is close.

NULL Scan:
NULL scan is also like XMAS and FIN scan, also it is a more stealth and faster compare to other type of
scans, This Scan breaks the rule of TCP connection establishment because it sends an TCP with no flags
at the start of the connection. NULL packets should never be seen on your network, so if you see any
NULL packets, it means someone is scanning your network. Also, this scan is illegal and it was easily
detected by IDS’s and more advanced firewall.
According to RFC 793 implementation of TCP/IP this scan only works on Unix based OS, but not work
anymore against present version of Windows.

PORT IS OPEN
> the source sends TCP packet without no flag to the destination.
> If there is no response from the Destination, the port is open.

PORT IS CLOSE
> the source sends TCP packet without no flag to the destination.
> The destination, on receiving the TCP packet without no flag, i.e., sent by the source, responds by
sending an RST packet back to the source, means the port is close.

UDP Scan:
 Here UDP scan will locate open ports and provide the security manager with valuable information that
can be used to identify these invasions achieved by the attacker on open UDP port caused by malware
software’s.

PORT IS OPEN
> the source sends UDP to the destination.
> If there is no response from the Destination, the port is open.

PORT IS CLOSE
> the source sends UDP to the destination.
> The destination, on receiving the UDP, i.e., sent by the source, responds by getting an ICMP Port
unreachable error back to the source, means the port is close.

Inverse TCP Flag Scan:

In this scan source sends TCP probe packets with a (FIN, URG, PSH) flag set, or without flags. Generally,
firewalls and IDS blocks the SYN packets. But this probe packets can pass through filters. Inverted
Technique is probing a target using a half-open SYN flag because the closed ports can only send the
response back.
This scan avoids many IDS and logging systems, highly undetectable. But According to RFC 793
implementation of TCP/IP this scan only works on Unix based OS, but not work anymore against present
version of Windows.

PORT IS OPEN
> The source sends TCP probe packets with a TCP flag (FIN, URG, PSH) set, or with no flags to the
destination.
> If there is no response from the Destination, the port is open.

PORT IS CLOSE
> The source sends TCP probe packets with a TCP flag (FIN, URG, PSH) set, or with no flags to the
destination.
> The destination, on receiving the TCP probe packets, i.e., sent by the source, responds by sending a
RST packet back to the source, means the port is close.

ACK scanning:
TCP ACK scan is not used for port scanning purposes. Generally, it is used to determine whether the
firewall is existing or not.

PORT IS OPEN
> the source sends ACK Probe Packet with random sequence number to the destination.
> If there is no response from the Destination, means the port is filtered so the stateful firewall is
present.
 PORT IS CLOSE
> the source sends ACK Probe Packet to the destination.
> The destination, on receiving the ACK Probe Packet, i.e., sent by the source, responds by sending an
RST packet back to the source, means the port is not filtered so the firewall is not present.

IDLE Scan:
IDLE is a highly clever and undetectable scan, here an attacker can actually scan a target without any
interaction to the target. Instead attacker use an innocent remote host such computers generally called
as zombie for scanning the target, because of this Intrusion detection system reports will finger the
innocent zombie as the attacker. But the thing is attacks done by zombie without their knowledge.
However, this scanning technique is used to know that IP-based trust relationships between hosts.

Before going to learn this scanning technique, you need to know two things.

1. Response of host to the TCP flags: already you learned how TCP flags works in previous scans.
2. IP ID: Every IP packet on the Internet has a fragment identification number called IP ID. This IP ID
value will be incremented by one for each IP packet arrived to a host, probing for the IPID can
tell an attacker how many packets have been sent since the last probe.
Note: For easy understanding we denoted some IP ID value as X, in below IDLE Scan diagrams, if
the IP ID value is increases the additional number will added to the value of X, like X+1, X+2, etc.,

IDLE Scan: Step 1/2/3

Step 1:

 Send SYN+ACK packet to the zombie machine to probe its IPID number.
 Every IP packet on the Internet has a fragment identification number (IPID), which increase every
time a host sends IP packet.
 Zombie not expecting a SYN+ACK packet will send RST packet, disclosing the IPID.
 Analyze the RST packet from zombie machine to extract
IPID.

Step 2:
 Send SYN packet to the target machine (port 80) spoofing the IP address of the "zombie".
 If the port is open, the target will send SYN+ACK Packet to the zombie and in reponse zombie sends
RST to the target.
 If the port is closed, the target will send RST to the "zombie" but zombie will not send anything
back.

Step 3:

 Probe
"zombie" IPID again