Understanding Stealth Scans
Purpose of Stealth Scans
Stealth scans aim to identify open ports on target systems while evading detection by Intrusion Detection Systems (IDS) and firewalls. Unlike straightforward connect scans, they exploit subtleties of TCP/IP so that probes are less likely to be logged or to trigger alerts. Their primary advantage is a reduced risk of detection, which matters for keeping reconnaissance quiet.
FIN, Xmas, and Null Scans
- FIN Scan: Sends a packet with only the FIN flag set to the target port. An open port does not reply, while a closed port responds with an RST packet.
- Xmas Scan: Sends packets with the FIN, PSH, and URG flags set, lit up like the lights on a Christmas tree. The expected behavior mirrors the FIN scan: open ports stay silent and closed ports answer with RST.
- Null Scan: Sends packets with no flags set at all, relying on how different TCP implementations handle such a segment. Open ports do not reply, whereas closed ports send an RST packet in response.
These methods generate minimal logging on the target and work best against older or improperly configured systems. Stateful firewalls and current IDS rules recognize these unusual flag combinations, and stacks that do not follow the RFC 793 behavior (Windows, for example) answer every such probe with an RST, so open and closed ports look alike there.
Fragmented Scan Techniques
Purpose of Fragmentation in Scanning
Fragmented scans are used to avoid detection by splitting a packet into smaller fragments, making it harder for intrusion detection systems to examine or filter. IPv4 fragmentation divides a datagram into smaller pieces, which can defeat inspection devices that apply their rules to each fragment without first reassembling the whole packet.
Configuring Fragmented Packets
Tools such as Nmap can craft and send fragmented packets. Fragmentation is controlled through the IP header: the fragment offset field and the More Fragments (MF) flag tell the receiver where each piece belongs and whether more pieces follow. Here is an Nmap command configured to perform a fragmented scan:
nmap -sS -f <target>
The -f flag instructs Nmap to split the TCP header across several small IP fragments, which can pass through some filtering mechanisms undetected.
Reassembling Fragmented Responses
Upon reaching the destination, fragmented packets are expected to be reassembled by the target system before its TCP stack acts on them. The scanning side must likewise reassemble any fragmented responses before interpreting them. Network stack behavior varies (reassembly timeouts, handling of overlapping fragments, and whether a firewall reassembles before inspecting), so correctly judging a port open or filtered depends on handling these reassembled responses properly.
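Detection-side illustration for both the flag-based scans and the fragmentation section above. This is an added example, not code from the original page or from Nmap: it labels TCP flag bytes as FIN, Xmas or Null probes and counts IP fragments per source over constructed sample records (the Packet class, classify_tcp_flags, is_fragment, analyze and the sample addresses are all assumptions made for this example).

```python
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in the TCP header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Flag combinations described on the page: no flags (Null), bare FIN, FIN+PSH+URG (Xmas).
PROBE_PATTERNS = {0: "null", FIN: "fin", FIN | PSH | URG: "xmas"}

@dataclass
class Packet:                    # constructed per-packet summary, not a real capture schema
    src: str
    dport: int
    tcp_flags: Optional[int]     # None when the TCP flags byte is not in this piece (fragment)
    ip_offset: int = 0           # IP fragment offset field, in 8-byte units
    ip_more_frags: bool = False  # IP "More Fragments" (MF) flag

def classify_tcp_flags(flags: int) -> Optional[str]:
    """Label a flags byte as a FIN, Xmas or Null probe; None for ordinary traffic."""
    if flags & (SYN | ACK | RST):    # handshake, established flow or teardown: not a probe
        return None
    return PROBE_PATTERNS.get(flags)

def is_fragment(pkt: Packet) -> bool:
    # The IP layer marks a fragment with MF set and/or a nonzero offset.
    return pkt.ip_more_frags or pkt.ip_offset > 0

def analyze(packets: list) -> dict:
    """Tally probe types and fragments per source, plus the ports the probes touched."""
    report = {}
    for p in packets:
        e = report.setdefault(p.src, {"fin": 0, "xmas": 0, "null": 0, "fragments": 0, "ports": set()})
        if is_fragment(p):
            e["fragments"] += 1
        if p.tcp_flags is not None and (label := classify_tcp_flags(p.tcp_flags)):
            e[label] += 1
            e["ports"].add(p.dport)
    return report

# Constructed sample: Null, Xmas and FIN probes from one host, a normal SYN from
# another, and two IP fragments whose TCP flags byte is not in the captured piece.
SAMPLE = [
    Packet("203.0.113.5", 22, 0),
    Packet("203.0.113.5", 80, FIN | PSH | URG),
    Packet("203.0.113.5", 443, FIN),
    Packet("198.51.100.9", 80, SYN),
    Packet("203.0.113.5", 25, None, ip_more_frags=True),
    Packet("203.0.113.5", 25, None, ip_offset=3),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A fragment count with no visible flags byte is itself a signal that the inspection point should reassemble before judging the traffic.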