104
◾
Ethical Hacking and Penetration Testing Guide
This diagram illustrates that it’s working:
◾
The source machine sends a SYN packet at Port 80.
◾
The destination machine responds with a SYN/ACK.
◾
The source machine then sends an ACK packet to complete the three-way handshake.
◾
The source machine finally sends the RST packet in order to close the connection.
The TCP connect scan can be accomplished by
specifying an additional
–sC
parameter with
nmap.
Here is an example:
NULL, FIN, and XMAS Scans
NULL, FIN, and xmas scans are similar to each other. The major advantage of using these scans
for pentest is that many times they get past firewalls and IDS and can be
really beneficial against
Unix-based OS as all three of these scans do not work against Windows-based operating systems,
because they send a reset packet regardless of whether the port is open or closed.
The second dis-
advantage is that it cannot be exactly determined if the port is open or filtered. This leaves us to
manually verify it with other scan types.
NULL Scan
Source
192.168.0.8
Destination
192.168.0.7
RST
00000000 + Port 438
A null scan is accomplished by sending no flags/bits inside the TCP header.
If no response
comes, it means that the port is
open
; if a
RST
packet
is received, it means that the port is
closed
or
filtered
.
Command
:
nmap –sN
