In-Depth

Protocols and Types of Scans

A few things you should think about when evaluating vendors for network scanners.


One notable aspect of network scanners is their protocol dependence. Most scanners out there are TCP/IP-savvy. While it's true that TCP/IP is routed over the Internet, if you have a VPN or other "tunnel" connection to your network, you should ideally test all protocols enabled on the machines you're trying to secure. Unfortunately, few scanners provide capabilities for scanning networks with IPX, AppleTalk or other protocols enabled. When evaluating vendors for network scanners, be sure to ask about supported protocols—but don't be surprised if there are very few on the list.

There are several different types of TCP or UDP port scans. These scans can be used for various reasons, such as discovering open ports on a host behind a firewall (if the firewall's stateful inspection features aren't strong enough), gathering more information about the firewall itself, or preventing the scanned computer from noticing the scan. Some of the more popular types of TCP scans are TCP connect, SYN, FIN, Xmas Tree, and NULL. These different types of scans depend on manipulating the properties of the TCP/IP packet. A detailed description of TCP/IP packet parameters is beyond the scope of this article, but you can find more detailed technical information at www.insecure.org.

TCP connect scanning is the most basic form of scanning. The connect system call provided by the OS is used to open a connection to all interesting ports on the target. If the port's open, connection will succeed. Otherwise, the scanner knows the port's closed. This sort of scan is easily detectable, since the target will be able to log established connections.

TCP SYN scanning is referred to as "half-open" scanning, because the scanner doesn't establish a full TCP connection. The scanner sends a SYN packet, as if trying to open a real connection. A returned SYN|ACK packet indicates the port's listening. A RST packet means the port is closed. However, if a SYN|ACK is received, a RST is immediately sent back to prevent the host from opening a connection.

Stealth FIN, Xmas Tree or NULL scans can sometimes be more efficient than a SYN scan in passing through the firewalls and packet filters watching for unauthorized SYN requests. Closed ports are required to reply to your probe packet with an RST, while open ports must ignore the packets in question, allowing the scanner to establish which ports are open.

A UDP scan discovers which UDP ports are open on the target. The scanner usually sends 0 byte UDP packets to each port on the target host. If the scanner receives an "ICMP port unreachable" message, then the port is closed. Otherwise, the port must be open.

ACK scanning is an advanced method usually used to map out firewall rule sets. It can also help determine whether a firewall is stateful or just a simple packet filter that blocks incoming SYN packets.

About the Author

Greg Saoutine, MCSE, is an IT Consultant working in New York City.

Featured