Penetration Testing: Phase 2- Scanning: Part 2:
TECHNIQUES OF SCANNING:
In Nmap, the “-s” (lowercase s) prefix specifies which type of scan is launched against the target defined in the scan command. The choice of scan type can help a penetration tester evade some host and network security systems such as IDS/IPS and firewalls.
-sS Half Open/Stealth Scan
The stealth scan is the default scan type Nmap uses when no scan option is given (provided the scan runs with raw-socket privileges). In this type of scanning, the pentester’s machine sends a SYN packet to the target machine. If the port is open, the target replies with a SYN/ACK packet, and the attacker then sends an RST packet instead of the ACK (acknowledgement) that would complete the handshake. If the port is closed, the target machine sends an RST packet instead of SYN/ACK.
-sT TCP Connect Scan/Full Open Scan
The TCP connect scan is mostly used to gather more information about the target. In this case, the attacker sends a SYN packet to the target. If the port is open, the target machine replies with a SYN/ACK packet, and the attacker completes the three-way handshake by sending a final ACK packet.
-sA Acknowledgement Scan
The acknowledgement scan is used to determine whether a TCP port is filtered or unfiltered. In this scan the attacker sends packets with only the ACK (acknowledgement) flag set. An RST (reset) response from the target means the port is unfiltered; no response, or an ICMP unreachable error, indicates the port is filtered.
-sX Xmas Scan
In this type of scanning the attacker sends a packet with the FIN, PUSH and URG flags set. No response from the target indicates the port is open (or filtered); an RST (reset) packet from the target indicates the port is closed.
-sF FIN Scan
In this type of scanning the attacker sends a packet with only the FIN flag set. No response from the target means the port is open (or filtered); an RST/ACK response from the target indicates the port is closed.
-sN Null Scan
A Null scan sends a packet with no flags set to the target host. No response from the target indicates the port is open (or filtered); an RST/ACK response indicates the port is closed.
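The TCP probe types above each have a distinctive flag signature, which is also how a defender can recognise them in a packet capture. The following added example (not from the original page or from the Nmap project) parses constructed tcpdump-style lines and tags each scanner probe with the scan type it matches; a SYN probe is told apart as half-open or full connect by whether the scanner answers the SYN/ACK with RST or with ACK. The sample capture, the hostnames and the port numbers are all constructed.

```python
import re

# tcpdump flag letters -> TCP flag names (S=SYN, .=ACK, F=FIN, P=PSH, U=URG, R=RST)
FLAG_CHARS = {"S": "SYN", ".": "ACK", "F": "FIN", "P": "PSH", "U": "URG", "R": "RST"}
# Probe flag sets of the scan types described above; "SYN" is refined into -sS/-sT below
SIGNATURES = {
    frozenset({"SYN"}): "SYN", frozenset({"ACK"}): "ACK (-sA)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas (-sX)", frozenset({"FIN"}): "FIN (-sF)",
    frozenset(): "Null (-sN)",  # tcpdump prints a flagless segment as Flags [none]
}
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse(line):
    """Return (src, sport, dst, dport, flagset) for a tcpdump-style line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), frozenset(FLAG_CHARS[c] for c in flags if c in FLAG_CHARS)

def classify_probes(lines):
    """Map (scanner, target, port) -> scan type for each probe packet in the capture.
    A SYN probe is half-open (-sS) if the scanner answers the SYN/ACK with RST and
    full connect (-sT) if it answers with ACK; the target's replies are never probes."""
    pkts = [p for p in map(parse, lines) if p]
    result, handshakes = {}, set()
    for i, (src, sport, dst, dport, flags) in enumerate(pkts):
        conn = (src, sport, dst, dport)
        kind = SIGNATURES.get(flags)
        if kind is None or conn in handshakes:
            continue  # SYN/ACK or RST/ACK replies, follow-ups of a SYN probe, other traffic
        if kind == "SYN":
            handshakes.add(conn)
            kind = "SYN (no follow-up)"  # filtered port, or the capture ended before the reply
            for p in pkts[i + 1:]:
                if p[:4] == conn:  # first later packet from the scanner on the same 4-tuple
                    kind = "Half-open (-sS)" if p[4] == {"RST"} else "Full connect (-sT)" if p[4] == {"ACK"} else kind
                    break
        result[(src, dst, dport)] = kind
    return result

SAMPLE = [  # constructed tcpdump-style capture: scanner 10.0.0.5, target 10.0.0.9
    "IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1",
    "IP 10.0.0.9.22 > 10.0.0.5.40001: Flags [S.], seq 100, ack 2",
    "IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [R], seq 2",        # RST instead of ACK: half-open
    "IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [S], seq 1",
    "IP 10.0.0.9.80 > 10.0.0.5.40002: Flags [S.], seq 200, ack 2",
    "IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [.], ack 201",      # final ACK: full connect
    "IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [FPU], seq 1",     # Xmas probe
    "IP 10.0.0.5.40004 > 10.0.0.9.25: Flags [none], seq 1",     # Null probe
    "IP 10.0.0.5.40005 > 10.0.0.9.135: Flags [.], seq 1",       # lone ACK, no handshake: -sA probe
]
```

Running `classify_probes(SAMPLE)` yields one entry per probed port; a lone ACK on an established-looking 4-tuple is only treated as an -sA probe when no SYN from the same scanner socket preceded it.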
-sU UDP Scan
The UDP scan evaluates the UDP ports on the target system. Unlike TCP port scanning, a UDP scan expects responses from closed ports rather than open ones: packets sent to open UDP ports usually go unanswered, although if a probe does elicit a reply from the service, the tested port is open. If no response is received, the port could be open or could be filtered by a device such as a firewall. Closed UDP ports are recognized by an ICMP response of type 3, code 3 (port unreachable). Finally, ports that are confirmed to be filtered produce an ICMP type 3 response with code 1, 2, 9, 10 or 13, indicating various unreachable errors.