Once again we are back to talk about two essential tools for any network administrator: Nmap and hping.
I will explain how each type of scan works and which flags come back set in the reply packets depending on the port's state.
In hping, pay attention to the flags field of the output: for example flags=RA means RST and ACK are set.
Full scan including service version numbers, OS detection, etc.
Full TCP connect scan (does not require root):
->SYN <-syn-ack ->ACK => OPEN
->SYN <-rst-ack => CLOSED
Half-open (SYN) connection:
hping3 -c 4 -S -p PORT IP
->SYN <-syn-ack ->RST => OPEN
->SYN <-rst-ack => CLOSED
TCP ACK scan: the target always replies with an RST, so this is used to find out whether the machine is up.
->ACK <-rst => ACTIVE
TCP SYN-ACK scan: the result depends on the target's OS stack.
->SYN-ACK <-nothing => OPEN
->SYN-ACK <-rst => CLOSED
TCP FIN scan: fairly stealthy.
hping3 -c 4 -F -p PORT IP
->FIN <-nothing => OPEN
->FIN <-rst => CLOSED
TCP Null scan: no flags set.
hping3 -c 4 -p PORT IP
->Tcp Null <-nothing => OPEN
->Tcp Null <-rst => CLOSED
TCP Xmas scan: all flags set.
hping3 -c 4 -F -S -R -P -A -U -X -Y -p PORT IP
->Tcp Xmas <-nothing => OPEN
->Tcp Xmas <-rst => CLOSED
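As an added example (not code from the original post), the response table above written out as a small model of what a target's TCP stack sends back for each probe, together with detection logic that classifies probe packets from firewall-style log lines and reports sources whose probes look like a scan. The log format, the sample lines and the port threshold are assumptions made for this example; the Xmas check treats any probe carrying FIN, PSH and URG together as Xmas, which covers both the all-flags hping command above and Nmap's FIN/PSH/URG variant.

```python
# Added example, not from the original post: model of the reply table above
# plus a detector for NULL/FIN/Xmas/SYN probes in constructed log lines.
from collections import defaultdict

# Flag letters as hping prints them: S=SYN, A=ACK, F=FIN, R=RST, P=PSH, U=URG


def classify_probe(flags: str) -> str:
    """Map a flag string such as 'S', 'FPU' or '' to the scan family in the table."""
    f = set(flags.upper())
    if not f:
        return "NULL"
    if {"F", "P", "U"} <= f:          # all-flags hping Xmas and Nmap -sX both match
        return "Xmas"
    if f == {"S"}:
        return "SYN"
    if f == {"A"}:
        return "ACK"
    if f == {"S", "A"}:
        return "SYN-ACK"
    if f == {"F"}:
        return "FIN"
    return "other"


def expected_reply(flags: str, port_open: bool) -> str:
    """Reply flags the table above says a target sends ('' means no reply)."""
    probe = classify_probe(flags)
    if probe == "SYN":
        return "SA" if port_open else "RA"
    if probe == "ACK":
        return "R"                          # RST regardless of port state
    if probe in ("SYN-ACK", "FIN", "NULL", "Xmas"):
        return "" if port_open else "R"     # silence = open, RST = closed
    return "?"


# Constructed log lines in an assumed "key=value" firewall format.
SAMPLE_LOG = """\
src=10.0.0.5 dst=10.0.0.10 dport=21 flags=
src=10.0.0.5 dst=10.0.0.10 dport=22 flags=
src=10.0.0.5 dst=10.0.0.10 dport=23 flags=
src=10.0.0.5 dst=10.0.0.10 dport=25 flags=
src=10.0.0.5 dst=10.0.0.10 dport=80 flags=
src=10.0.0.7 dst=10.0.0.10 dport=443 flags=S
src=10.0.0.7 dst=10.0.0.10 dport=443 flags=A
src=10.0.0.9 dst=10.0.0.10 dport=22 flags=FSRPAU
src=10.0.0.9 dst=10.0.0.10 dport=80 flags=FSRPAU
src=10.0.0.9 dst=10.0.0.10 dport=8080 flags=FSRPAU
"""


def parse_line(line: str):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], int(fields["dport"]), fields.get("flags", "")


def detect_scans(log_text: str, min_ports: int = 3) -> dict:
    """Return {src: {probe_type: sorted ports}} for suspicious sources.

    NULL, FIN-only and Xmas packets never start a legitimate connection (a real
    FIN always carries ACK), so one such packet is enough to report. Plain SYN
    and SYN-ACK probes are only reported once they touch min_ports distinct ports.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dport, flags = parse_line(line)
        probe = classify_probe(flags)
        if probe in ("NULL", "FIN", "Xmas", "SYN", "SYN-ACK"):
            seen[src][probe].add(dport)
    alerts = {}
    for src, by_probe in seen.items():
        for probe, ports in by_probe.items():
            threshold = 1 if probe in ("NULL", "FIN", "Xmas") else min_ports
            if len(ports) >= threshold:
                alerts.setdefault(src, {})[probe] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for src, by_probe in detect_scans(SAMPLE_LOG).items():
        for probe, ports in by_probe.items():
            print(f"{src}: {probe} probes to ports {ports}")
```

Run as a script it reports 10.0.0.5 (NULL probes to five ports) and 10.0.0.9 (Xmas probes to three ports); 10.0.0.7 is left alone because a single SYN and a single ACK to one port is ordinary traffic.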
UDP scan:
hping3 -V -c 4 -2 -p PORT IP
Ping scan (ICMP type 8):
->type 8 (echo request) <-type 0 (echo reply)
Broadcast Ping:
ICMP type 10 (router solicitation: presence of a router):
ICMP type 13 (timestamp request): reveals the machine's time zone (and so roughly its geographical location) and whether it is active.
ICMP type 15 (information request, asks for a network address):
ICMP type 17 (address mask request, asks for the network mask):
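As an added example (not code from the original post), detection logic for the ICMP probes listed above, run over constructed log lines: it reports a ping sweep when one source sends echo requests to several distinct hosts, and reports every occurrence of the rarer request types (10, 13, 15, 17), which almost never appear in normal traffic on a modern network. The log format, the sample lines and the sweep threshold are assumptions made for this example.

```python
# Added example, not from the original post: ICMP probe detection over
# constructed log lines.
from collections import defaultdict

# ICMP request types from the post and the reply type each one solicits.
ICMP_REQUESTS = {
    8:  ("echo request", 0),
    10: ("router solicitation", 9),
    13: ("timestamp request", 14),
    15: ("information request", 16),
    17: ("address mask request", 18),
}
# Anything other than a plain echo request is unusual enough to report on sight.
UNUSUAL_TYPES = {10, 13, 15, 17}

# Constructed log lines in an assumed "key=value" format.
SAMPLE_ICMP_LOG = """\
src=10.0.0.5 dst=10.0.0.1 type=8
src=10.0.0.5 dst=10.0.0.2 type=8
src=10.0.0.5 dst=10.0.0.3 type=8
src=10.0.0.5 dst=10.0.0.4 type=8
src=10.0.0.8 dst=10.0.0.10 type=13
src=10.0.0.8 dst=10.0.0.10 type=17
src=10.0.0.9 dst=10.0.0.10 type=8
src=10.0.0.10 dst=10.0.0.9 type=0
"""


def parse_icmp_line(line: str):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["type"])


def detect_icmp_probes(log_text: str, sweep_hosts: int = 3) -> list:
    """Return (src, description) findings: ping sweeps (echo requests to at
    least sweep_hosts distinct targets) and every unusual request type seen."""
    echo_targets = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, icmp_type = parse_icmp_line(line)
        if icmp_type == 8:
            echo_targets[src].add(dst)
        elif icmp_type in UNUSUAL_TYPES:
            name, reply = ICMP_REQUESTS[icmp_type]
            findings.append(
                (src, f"{name} (type {icmp_type}) to {dst}; a reply would be type {reply}")
            )
    for src, targets in echo_targets.items():
        if len(targets) >= sweep_hosts:
            findings.append((src, f"ping sweep: echo requests to {len(targets)} hosts"))
    return findings


if __name__ == "__main__":
    for src, description in detect_icmp_probes(SAMPLE_ICMP_LOG):
        print(f"{src}: {description}")
```

On the sample lines this reports 10.0.0.5 for a four-host ping sweep and 10.0.0.8 twice (timestamp and address mask requests); the single echo request from 10.0.0.9 and the echo reply from 10.0.0.10 are ordinary and not reported.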
OS Analysis:
Fragment Scan:
FTP Bounce Scan:
Dumb host scan: uses a spoofed source address; the zombie host must not be sending packets of its own during the scan.
IP protocol scan: determines which IP protocols the target supports (ICMP, TCP, UDP, GRE).
Well, I think I have summarized it quite well and I hope it helps someone.