Unit 3: Port Scanning 3.1 Port Scanning SYN and Connect Scans

mac2022-06-30  41

>> In this unit, we'll look at a few common scans. The SYN scan starts off like a normal TCP three-way handshake. The source sends a TCP header with the SYN flag turned on. Nmap by default will scan the most common thousand ports, although you can specify a certain port or a custom range of ports. Each closed port in a SYN scan will respond by sending a TCP segment with the RST, reset, flag turned on. That's the way TCP/IP was designed. When closed ports receive a SYN, they reply with an RST, reset, which immediately closes any connection or attempt to connect between a source and destination.

When the father of the internet, co-creator of TCP/IP, Vint Cerf, came to RIT a few years ago, I told him that every time I teach port scanning and mention that a closed port responds to a SYN with an RST, a student usually asks, why does it do that? I continue telling Vint my response to the student is, well, that's the way Vint Cerf wanted it to be, and that made Vint laugh. Upon hearing that story, Vint told me his actual logic. If a closed port responded with nothing, there would be a period of unnecessary latency where the source of traffic would simply be waiting to hear back from the destination. A TCP timer would eventually kick in, but after a bit of time. Sending the RST leaves nothing to the imagination and is an explicit way of saying, sorry, we're closed. Of course, Vint Cerf and Bob Kahn designed the TCP/IP suite long before hacking, cybercrime, and cybersecurity became everyday terms.

An open port will, of course, respond back with a TCP segment that turns on the SYN and ACK flags. If that wasn't the case, you'd never connect to a web server, an FTP server, an email server, an SSH server, or any server that uses TCP as its layer four protocol. Here's the kicker: instead of completing the TCP three-way handshake with a TCP segment with the ACK flag turned on, Nmap sends an RST instead to the probe machine. If Nmap completed the three-way handshake with an ACK, there would be a log entry on the destination application, which would identify the source IP address of the probing machine. The source wants to remain as stealthy as possible. That's why Nmap will send an RST instead of an ACK. The SYN scan does require root access, since Nmap is creating these raw packets to be sent and is not relying on the operating system to do so. This allows the RST to be sent instead of the ACK in the event of an open port being discovered.

A similar scan called the connect scan should almost never be used. The connect scan is named after the connect function that operating systems use to initiate a TCP connection to a destination machine. This scan uses a normal TCP connection, the same method used by every TCP-based application, to determine if a port is available, not like the SYN scan, which uses Nmap to craft packets. Like the SYN scan, closed ports will respond to the initial SYN with an RST and open ports will respond to the initial SYN with a SYN ACK. The difference is that since the operating system sent the initial SYN, the scanning device, when it gets the SYN ACK back, will respond to the probe machine with an ACK that will actually complete the three-way handshake and log the connection on the destination application. Furthermore, it uses many more system and application resources than the SYN scan. It would be like the burglar, instead of turning the doorknob discreetly, jumping up and down, banging, and singing as he does it. What Nmap will do at this point, though, is send an RST to close the connection, but the damage is already done. If you can't get root access but you must know the state of certain ports, use this scan. Otherwise, don't.
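The lecture's point for a defender is the difference in what each scan leaves behind: a SYN scan's SYN, SYN/ACK, RST exchange never reaches the application log, while a connect scan's completed handshake does. The exchange is still visible at the packet level, so a sensor that reconstructs handshakes can tell the two shapes apart. The following Python is an added example written for this page, not code from the course or from Nmap; it runs over a constructed list of packet-header summaries (the `Packet` records, hosts 10.0.0.5 through 10.0.0.9 and the port numbers are all made up for the illustration) and labels each flow as closed, half-open or fully connected, then flags sources that touched several ports.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment header summary: endpoints, ports and flag letters.
    Flag strings: "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST, "RA" = RST/ACK."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def group_flows(packets):
    """Group segments into flows keyed by the client that sent the bare SYN.

    Returns {(client, cport, server, sport): [(direction, flags), ...]} where
    direction is "c" for client-to-server and "s" for server-to-client.
    """
    flows = {}
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in flows:
            flows[fwd].append(("c", p.flags))
        elif rev in flows:
            flows[rev].append(("s", p.flags))
        elif p.flags == "S":
            flows[fwd] = [("c", "S")]  # a new handshake attempt starts here
        # segments that belong to no observed SYN are ignored
    return flows


def classify_flow(events):
    """Label one flow by how far the three-way handshake got."""
    if len(events) < 2 or events[0] != ("c", "S"):
        return "incomplete"
    reply = events[1]
    if reply[0] == "s" and "R" in reply[1]:
        return "closed"        # port answered the SYN with a reset
    if reply != ("s", "SA"):
        return "incomplete"
    for direction, flags in events[2:]:
        if direction != "c":
            continue
        if "R" in flags:
            return "half_open"  # RST before any ACK: the application never sees it
        if "A" in flags:
            return "full"       # ACK completes the handshake: the application logs it
    return "incomplete"


def summarize(packets):
    """Per source host, count distinct probed ports by handshake outcome."""
    counts = defaultdict(lambda: {"half_open": 0, "closed": 0, "full": 0, "incomplete": 0})
    seen = set()
    for (client, _cport, server, sport), events in group_flows(packets).items():
        label = classify_flow(events)
        key = (client, server, sport, label)
        if key in seen:
            continue  # retries against the same port count once
        seen.add(key)
        counts[client][label] += 1
    return dict(counts)


def suspicious_sources(packets, min_ports=3):
    """Flag hosts that touched at least min_ports ports and name the scan shape that fits."""
    verdicts = {}
    for src, c in summarize(packets).items():
        probed = c["half_open"] + c["closed"] + c["full"]
        if probed < min_ports:
            continue
        if c["half_open"]:
            verdicts[src] = "half-open pattern (SYN scan: SYN, SYN/ACK, RST)"
        else:
            verdicts[src] = "full-connect sweep (connect scan: handshake completed, then RST)"
    return verdicts


# Constructed sample capture: one target (10.0.0.9), two scanners and one normal client.
SAMPLE_LOG = [
    # 10.0.0.5 probes four ports the way a SYN scan would (open ports get an RST, not an ACK)
    Packet("10.0.0.5", 40001, "10.0.0.9", 22, "S"),
    Packet("10.0.0.9", 22, "10.0.0.5", 40001, "SA"),
    Packet("10.0.0.5", 40001, "10.0.0.9", 22, "R"),
    Packet("10.0.0.5", 40002, "10.0.0.9", 23, "S"),
    Packet("10.0.0.9", 23, "10.0.0.5", 40002, "RA"),
    Packet("10.0.0.5", 40003, "10.0.0.9", 25, "S"),
    Packet("10.0.0.9", 25, "10.0.0.5", 40003, "RA"),
    Packet("10.0.0.5", 40004, "10.0.0.9", 80, "S"),
    Packet("10.0.0.9", 80, "10.0.0.5", 40004, "SA"),
    Packet("10.0.0.5", 40004, "10.0.0.9", 80, "R"),
    # 10.0.0.6 probes the same ports through the OS connect() call (ACK completes, then RST)
    Packet("10.0.0.6", 50001, "10.0.0.9", 22, "S"),
    Packet("10.0.0.9", 22, "10.0.0.6", 50001, "SA"),
    Packet("10.0.0.6", 50001, "10.0.0.9", 22, "A"),
    Packet("10.0.0.6", 50001, "10.0.0.9", 22, "R"),
    Packet("10.0.0.6", 50002, "10.0.0.9", 23, "S"),
    Packet("10.0.0.9", 23, "10.0.0.6", 50002, "RA"),
    Packet("10.0.0.6", 50003, "10.0.0.9", 25, "S"),
    Packet("10.0.0.9", 25, "10.0.0.6", 50003, "RA"),
    Packet("10.0.0.6", 50004, "10.0.0.9", 80, "S"),
    Packet("10.0.0.9", 80, "10.0.0.6", 50004, "SA"),
    Packet("10.0.0.6", 50004, "10.0.0.9", 80, "A"),
    Packet("10.0.0.6", 50004, "10.0.0.9", 80, "R"),
    # 10.0.0.7 is an ordinary client completing one handshake
    Packet("10.0.0.7", 60001, "10.0.0.9", 443, "S"),
    Packet("10.0.0.9", 443, "10.0.0.7", 60001, "SA"),
    Packet("10.0.0.7", 60001, "10.0.0.9", 443, "A"),
]

if __name__ == "__main__":
    for src, verdict in suspicious_sources(SAMPLE_LOG).items():
        print(src, "->", verdict)
```

Run stand-alone it reports 10.0.0.5 as the half-open pattern and 10.0.0.6 as the full-connect sweep; 10.0.0.7 stays below the port threshold. The classifier keys flows on the client that sent the bare SYN, so the server's reply is matched by reversing the four-tuple, and a reset arriving before any client ACK is what separates the half-open exchange from a completed connection.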

Reposted from: https://www.cnblogs.com/sec875/articles/10028368.html
