@sudosuraj
Created February 18, 2025 03:01
An explanation of various port scan types and evasion techniques, with real command examples using nmap and hping3. Using these examples, you can experiment with different scanning techniques and understand both the underlying network behavior and the methods used to evade detection.

Port Scan Types

1. Full Connect Scan (TCP Connect / Full Open Scan)

  • What It Does:
    Completes the entire TCP three-way handshake (SYN → SYN-ACK → ACK) to fully establish a connection and then tears it down (often with an RST).

  • Pros & Cons:

    • Pros: Most reliable; uses standard OS networking calls.
    • Cons: Easiest to detect since it creates a real connection.
  • Nmap Example:

    nmap -sT 192.168.1.10
  • Hping3 Example:
    Note: Hping3 is a packet-crafting tool. It doesn’t “connect” in the same way as a system’s TCP stack does, but you can mimic the first part of the handshake:

    hping3 -S -p 80 -c 1 192.168.1.10

    This sends a SYN packet to port 80. (To perform a full handshake, you’d need to capture the SYN-ACK and then send an ACK manually—something that is automated in nmap.)


2. Stealth Scan (Half-Open / SYN Scan)

  • What It Does:
    Sends only a SYN packet. If a SYN-ACK is returned, the port is considered open. Instead of sending the final ACK, a RST is issued to avoid completing the handshake.

  • Pros & Cons:

    • Pros: More stealthy since the connection isn’t fully established.
    • Cons: May still be detected by more advanced IDSs.
  • Nmap Example:

    nmap -sS 192.168.1.10
  • Hping3 Example:

    hping3 -S -p 80 -c 1 192.168.1.10

    Here, the -S flag sends a SYN packet to port 80. You then watch for a SYN-ACK response (via packet capture) to decide if the port is open.


3. Inverse TCP Flag Scans (Null and FIN Scans)

  • What It Does:
    Uses unusual TCP flag combinations to provoke different responses:

    • Null Scan: Sends a packet with no TCP flags set.
    • FIN Scan: Sends a packet with only the FIN flag set.
  • Response Behavior:

    • Open Port: Typically gives no response (a filtered port also gives no response, so silence alone does not distinguish open from filtered).
    • Closed Port: Responds with an RST/ACK packet.
  • Nmap Examples:

    • Null Scan:
      nmap -sN 192.168.1.10
    • FIN Scan:
      nmap -sF 192.168.1.10
  • Hping3 Examples:

    • FIN Scan:
      hping3 -F -p 80 -c 1 192.168.1.10
    • Null Scan:
      Hping3 can be instructed to send packets with no flags. For example:
      hping3 --tcp-flags NONE -p 80 -c 1 192.168.1.10
      (Ensure your hping3 version supports the --tcp-flags NONE syntax.)

4. Xmas Scan

  • What It Does:
    Sends a packet with multiple TCP flags set (FIN, PSH, and URG), making it “lit up” like a Christmas tree.

  • Notes:

    • Open ports usually don’t respond.
    • Closed ports send an RST/ACK.
    • Often ineffective against Windows targets.
  • Nmap Example:

    nmap -sX 192.168.1.10
  • Hping3 Example:

    hping3 --tcp-flags FIN,PSH,URG -p 80 -c 1 192.168.1.10

5. ACK Scan

  • What It Does:
    Sends an ACK packet to check for filtering rather than to discover open ports.

  • Techniques:

    • TTL Analysis: If the TTL in the RST reply is less than 64, it may indicate an open port.
    • Window Size Analysis: A nonzero TCP Window field in the RST can indicate an open port.
    • If no response is received, a stateful firewall might be filtering the packet.
  • Nmap Examples:

    • ACK Scan:
      nmap -sA 192.168.1.10
    • Window Scan:
      nmap -sW 192.168.1.10
  • Hping3 Example:

    hping3 -A -p 80 -c 1 192.168.1.10

    After sending an ACK packet, you’ll need to use a packet capture tool (like Wireshark) to examine the TTL and window size of any RST reply.
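The probe types in sections 2 through 5 are recognizable purely by their TCP flag combination. As an added example (not part of the original gist), here is a small detector that classifies packets by flag set and alerts when one source hits many distinct ports with the same probe type; the packet summaries are constructed inline to stand in for fields pulled from a pcap or sensor.

```python
from collections import defaultdict

# Flag sets exactly as the scans above craft them
# (S=SYN, A=ACK, F=FIN, P=PSH, U=URG). A lone SYN or lone ACK is normal
# traffic on its own; it only becomes suspicious in volume across ports.
PROBE_TYPES = {
    frozenset(): "Null scan probe",
    frozenset("F"): "FIN scan probe",
    frozenset("FPU"): "Xmas scan probe",
    frozenset("S"): "SYN probe",
    frozenset("A"): "ACK probe",
}


def classify(flags):
    """Map a TCP flag string such as 'FPU' to a probe type, or None if it
    is not one of the combinations used by the scans above."""
    return PROBE_TYPES.get(frozenset(flags.upper()))


def detect_scans(packets, port_threshold=5):
    """Return {(src, probe_type): distinct_port_count} for every source that
    sent the same probe type to at least port_threshold distinct (dst, port)
    pairs. packets is an iterable of (src, dst, dport, flags) tuples."""
    seen = defaultdict(set)
    for src, dst, dport, flags in packets:
        ptype = classify(flags)
        if ptype is None:
            continue
        seen[(src, ptype)].add((dst, dport))
    return {k: len(v) for k, v in seen.items() if len(v) >= port_threshold}


# Constructed sample (hypothetical addresses): one host Xmas-scanning ports
# 20-29, one normal client talking to 443, and one host sending three Null
# probes, which stays below the default threshold.
SAMPLE = [("10.0.0.7", "192.168.1.10", p, "FPU") for p in range(20, 30)]
SAMPLE += [("10.0.0.9", "192.168.1.10", 443, "S"),
           ("10.0.0.9", "192.168.1.10", 443, "A")]
SAMPLE += [("10.0.0.8", "192.168.1.10", p, "") for p in (22, 25, 80)]

if __name__ == "__main__":
    for (src, ptype), n in detect_scans(SAMPLE).items():
        print(f"ALERT {src}: {ptype} against {n} distinct ports")
```

Feeding real captures means extracting the same four fields per packet (for example with tshark's -T fields output); the threshold and time window should be tuned to the environment.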


6. IDLE Scan

  • What It Does:
    Uses a “zombie” host (an idle third-party system) to indirectly scan a target. It relies on the zombie’s predictable IP ID sequence.

  • How It Works:

    1. Probe the zombie to record its IP ID.
    2. Send a spoofed packet to the target with the zombie’s IP as the source.
    3. Probe the zombie again to see how its IP ID has changed.
    • IPID Change Interpretation:
      • Increase of 1: Port is likely closed.
      • Increase of 2: Port is likely open.
      • A larger increase means the zombie wasn’t idle.
  • Nmap Example:

    nmap -sI zombie_ip 192.168.1.10
  • Hping3 Manual Process Example:
    Since hping3 lacks a built-in idle scan mode, you’d perform the steps manually:

    1. Initial Probe to Zombie:
      hping3 -S -p 80 -c 1 zombie_ip
      Record the IP ID from the response.
    2. Send Spoofed Packet (from zombie's IP) to Target:
      hping3 -S -a zombie_ip -p 80 -c 1 target_ip
    3. Re-probe the Zombie:
      hping3 -S -p 80 -c 1 zombie_ip

    Compare the IP ID values to deduce the target port’s status.


Evasion Techniques

A. Fragmentation

  • Purpose:
    Splitting packets into smaller fragments can help bypass some IDS/Firewall reassembly routines.
  • Nmap Example:
    nmap -f 192.168.1.10
  • Hping3 Example:
    hping3 --frag -S -p 80 -c 1 192.168.1.10

B. OS Fingerprinting

  • Active Fingerprinting:
    Sending crafted packets (as nmap does) to elicit responses that reveal the target’s OS.
  • Passive Fingerprinting:
    Observing network traffic (using tools like Wireshark) to analyze fields such as TTL, Window size, DF flag, and ToS.
  • Hping3 Use:
    You can manually craft packets with hping3 to mimic various conditions and compare the responses.

C. Spoofing

  • Purpose:
    Faking the source IP address can be useful when you do not expect a response (or want to hide your identity).
  • Hping3 Example:
    hping3 -S -a 10.0.0.5 -p 80 -c 1 192.168.1.10
    This sends a SYN packet that appears to come from 10.0.0.5.

D. Source Routing

  • Purpose:
    Specifies the exact route a packet should take. (Note: Most modern systems ignore source routing for security reasons.)
  • Usage:
    Rarely used today and not typically supported by nmap or hping3 due to tightened security policies.

E. IP Address Decoy

  • Purpose:
    Sends packets with multiple (decoy) source addresses to confuse the target’s logging and IDS.
  • Nmap Example:
    nmap -D RND:10 192.168.1.10
    Or manually specify decoys:
    nmap -D decoyIP1,decoyIP2,sourceIP,decoyIP3 192.168.1.10
  • Hping3 Note:
    Hping3 does not have built-in decoy support. You would need to script multiple runs with different spoofed source IPs (using the -a option).

F. Proxy, Tor, and Anonymizers

  • Purpose:
    These methods route your scan traffic through intermediaries so your true origin is hidden.
  • Usage Examples:
    • ProxyChains (with nmap):
      proxychains nmap -sS 192.168.1.10
    • Tor:
      Configure your scanning tool to use Tor’s SOCKS proxy (this is more common with tools designed for web traffic).
  • Hping3 Note:
    Since hping3 sends raw packets, using proxies requires external routing configurations or chaining tools.

Summary

  • Nmap offers easy-to-use, one-flag solutions for many scan types (e.g., -sT, -sS, -sF, -sX, -sA, -sI), and has built-in support for evasion (fragmentation, decoys).
  • Hping3 provides flexibility to craft and send packets manually. While it can replicate many scan types, it generally requires additional manual steps and analysis (often with packet capture tools) to interpret responses.
  • Evasion Techniques (like packet fragmentation, spoofing, and using decoys) can help bypass some IDS/Firewall measures but might also raise suspicion if not done carefully.