112 Chapter 5 ■ Scanning Networks
This information can be helpful in many areas, especially when you are using a packet
crafter. A packet crafter is a utility designed to create a packet with the flags you specify.
You can use it to create packets with the flags set in different ways to see how a host
responds, and based on these responses, you can gain information about the target.
Among the simplest utilities you can use are HPING2 and HPING3. Both of these
utilities are command-line only and offer a tremendous advantage in creating custom
packets for testing. Using HPING3, for example, you can create different types of packets
and send them to a target:
■ Create an ACK packet and send it to port 80 on the victim:
hping3 -A <target IP address> -p 80
■ Create a SYN scan against a range of ports (50 through 56) on a victim:
hping3 -8 50-56 -S <target IP address> -v
■ Create a packet with FIN, URG, and PSH flags set and send it to port 80 on the victim:
hping3 -F -P -U <target IP address> -p 80
Types of Scans
Now that you have seen the various types of flags and how a packet crafter works in the
form of HPING2 and HPING3, let's see how this information comes together.
Full Open Scan
The first type of scan is known as a full open scan, which is a fancy way of saying that
the systems involved initiated and completed the three-way handshake. The advantage of
a full open scan is that you have positive feedback that the host is up and the connection
is complete. However, there is a downside: because you completed the three-way
handshake, the target can record the connection, confirming that you as the scanning party
were there. When the connection is no longer required, the initiating party tears it down,
and the last step is an ACK+RST (which closes the connection).
Stealth Scan, or Half-open Scan
In this type of scan, the process is similar to the full open scan with a few small but
important differences. The attacker scans a system, but instead of sending the final ACK
packet to complete the handshake, the attacker sends an RST packet, tearing the
half-open connection down. If the victim port is closed rather than open, the handshake
never gets that far: the attacker sends a SYN, and the victim fires back an RST packet
indicating that the port is closed and not accepting connections. Figure 5.2 illustrates this
scanning technique for open and closed ports.