When an information system is able to interact over the network, he is always giving some information about him. Attackers are looking for information in order to focus their attacks. Scanning is playing an important role in the process of network discovery for the end-user but also for potential attackers.
Network scanning is not exact science
Active scanning
IP protocol scanning
ICMP scanning
Internet Control Message Protocol.
- ICMP type 8 - echo request
- ICMP type 13 - time stamp request
- ICMP type 15 - information request
- ICMP type 17 - netmask request
Not always filtered as some are required by RFCs and/or for proper operation.
TCP port scanning
Classical TCP Connect scan
Half-open TCP SYN flag scan
Inversed or multiple flags TCP scan
TCP ACK flag scan
Based on the result of TTL :
- Variation of the TTL
- Variation in the Window field
UDP port scanning
UDP requires a different approach to compare to TCP. As UDP is stateless, you have one way to check UDP port open :
* sending a UDP packet to a random port and waiting
for an ICMP "destination port unreachable" type 3 code 3
* If there is an ICMP "destination port unreachable", there is no UDP service listening.
* If you got no reply, there is probably a UDP service listening.
A lot of firewalls are filtering specific ICMP messages and the result of UDP scanning may vary from time to time.
If you know the UDP services targeted, you also use correct message to get reply. This approach is often giving more feedback.
Passive Scanning
![[FSF
Associate Member]](http://www.foo.be/fsfbutton-adulau.png){kind=small}
