Port Scanner

Introduction

There are various port scanners that use a simple method of scanning. These applications work at the application level (they complete a full connection to each port) and are quite slow. This scanner is faster than a normal scanner: it is based on the TCP half-open, or TCP SYN, scanning technique, which is also less easily detected than a simple port scanner.

What Is Half Open Scanning?

When any two hosts want to communicate, a connection must first be established between them. In the case of TCP, a three-way handshake takes place before any communication begins. This is called a full connection, and the process is described below.

  1. Host A sends a SYN packet (a TCP packet with the SYN flag set) to host B.
  2. If the port is open, host B responds with a SYN+ACK packet. Otherwise, it sends an RST+ACK packet to host A.
  3. Host A sends an ACK packet to host B (if the SYN+ACK packet was received).

Once the connection is established, both machines can transmit data packets until one of them ends the connection by sending a FIN packet. Some simple port scanners use this technique: create a socket and call the Connect method on each port. This is simple to implement but quite slow, and it is easily detected because every probe completes a full connection on the target.

Half-open scanning is faster and more efficient than the full-connection technique. The half-open exchange is described below.

  1. Host A sends a SYN packet (a TCP packet with the SYN flag set) to host B.
  2. If the port is open, host B responds with a SYN+ACK packet. Otherwise, it sends an RST+ACK packet to host A.

Because host A never sends the final ACK packet, this is called a half-open connection. Host A can still determine whether the target port is open or closed: a reply with the SYN+ACK flags set means the target port is open, and a reply with the RST+ACK flags set means it is closed.

Because no full handshake takes place, this method is much faster than full scanning. The implementation, however, has to be done at the protocol level, so knowledge of the TCP/IP protocol suite is essential.

Implementation

The core of the implementation is sending TCP and ARP packets. This involves building each raw packet by filling in every header. For that, we must know the MAC addresses of the source and destination machines. A MAC address, also called an Ethernet address, is the hardware address of an Ethernet adapter.

Find source MAC address

There are several ways to obtain the source MAC address. This one is simple.

#include <winsock2.h>
#include <iphlpapi.h>   // GetAdaptersInfo; link with iphlpapi.lib
IP_ADAPTER_INFO adapter[5];             // room for up to five adapters
DWORD buflen = sizeof(adapter);
DWORD status = GetAdaptersInfo(adapter, &buflen);   // ERROR_SUCCESS on success, ERROR_BUFFER_OVERFLOW if buflen is too small

On success, the adapter array holds one entry per adapter, and each entry's Address field is that adapter's MAC address; the first entry gives the source MAC address.

Find destination MAC address

This is done by sending an ARP packet. ARP is used to determine a host's MAC address when its IP address is known. First, an ARP request packet is sent specifying the source MAC address, source IP address, and destination IP address. The ARP reply packet contains the destination MAC address. This step also prevents the target host from having to send an ARP request to the source host when the first SYN packet arrives during the scan: from the ARP request we sent, the target host already knows the MAC address of the source host.
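As an added illustration of the ARP reply check this step relies on (this is not the article's code), the function below parses a captured Ethernet/ARP frame and accepts the sender MAC only when the reply is a genuine ARP reply whose sender IP is the host we asked about. The sample frame, addresses and MACs are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Take the sender hardware address from an Ethernet ARP reply, but only when the
   sender protocol address is the IPv4 address we asked about. Frame layout:
   14-byte Ethernet header + 28-byte ARP body. Returns 1 and fills mac[6] on success. */
int arp_reply_mac(const uint8_t *f, size_t len, const uint8_t want_ip[4], uint8_t mac[6])
{
    if (len < 14 + 28) return 0;                               /* too short */
    if (f[12] != 0x08 || f[13] != 0x06) return 0;              /* EtherType 0x0806 = ARP */
    const uint8_t *arp = f + 14;
    if (arp[0] != 0x00 || arp[1] != 0x01) return 0;            /* hardware type 1 = Ethernet */
    if (arp[2] != 0x08 || arp[3] != 0x00) return 0;            /* protocol type 0x0800 = IPv4 */
    if (arp[4] != 6 || arp[5] != 4) return 0;                  /* address lengths 6 and 4 */
    if (arp[6] != 0x00 || arp[7] != 0x02) return 0;            /* opcode 2 = reply */
    if (memcmp(arp + 14, want_ip, 4) != 0) return 0;           /* sender IP must match */
    memcpy(mac, arp + 8, 6);                                   /* sender MAC */
    return 1;
}

/* Constructed sample (not a real capture): 192.168.1.20 answering 192.168.1.10
   that its MAC is 66:77:88:99:aa:bb. */
const uint8_t sample_arp_reply[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06,  /* Ethernet */
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02,                              /* ARP header, reply */
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0xc0,0xa8,0x01,0x14,                       /* sender MAC, sender IP */
    0x00,0x11,0x22,0x33,0x44,0x55, 0xc0,0xa8,0x01,0x0a                        /* target MAC, target IP */
};
const uint8_t target_ip[4] = { 0xc0,0xa8,0x01,0x14 };
const uint8_t expected_mac[6] = { 0x66,0x77,0x88,0x99,0xaa,0xbb };

/* Does the sample reply resolve target_ip to expected_mac? (used by main and the checks) */
int sample_resolves(void)
{
    uint8_t mac[6];
    return arp_reply_mac(sample_arp_reply, sizeof sample_arp_reply, target_ip, mac)
        && memcmp(mac, expected_mac, 6) == 0;
}

int main(void)
{
    printf("ARP reply resolves 192.168.1.20: %s\n", sample_resolves() ? "yes" : "no");
    return 0;
}
```

Any frame that is not an ARP reply, or whose sender IP differs from the one asked about, is rejected, so a stray or spoofed ARP frame on the segment does not silently become the destination MAC.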

Scanning process

The scanning process involves building a TCP packet. For this, one has to prepare the Ethernet header, IP header, and TCP header. The header file packet.h contains the layout of each of these headers; refer to the relevant RFCs for the exact formats.

During the scan, a TCP SYN packet is sent for each port number in the range. The corresponding reply packet is then checked for the RST+ACK or SYN+ACK flags, and the status of the target port is determined from them.
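As an added example (not the article's code), the reply check described above and in the half-open section, run on constructed sample frames: the function walks the Ethernet, IPv4 and TCP headers of a captured reply, confirms it came from the probed port, and maps SYN+ACK to open and RST to closed. It assumes the standard header layouts (the same ones packet.h describes) and no IP options in the samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum port_state { PORT_OPEN, PORT_CLOSED, PORT_UNKNOWN };

/* Decide the state of probe_port from one captured reply frame laid out as
   Ethernet (14 bytes) + IPv4 + TCP, all fields in network byte order.
   SYN+ACK => open, RST (with or without ACK) => closed, anything else => unknown. */
enum port_state classify_reply(const uint8_t *f, size_t len, uint16_t probe_port)
{
    if (len < 14 + 20 + 20) return PORT_UNKNOWN;                    /* too short */
    if (f[12] != 0x08 || f[13] != 0x00) return PORT_UNKNOWN;        /* EtherType != IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                        /* IP header length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return PORT_UNKNOWN; /* not IPv4/TCP */
    if (len < 14 + ihl + 20) return PORT_UNKNOWN;                   /* truncated TCP header */
    const uint8_t *tcp = ip + ihl;
    uint16_t sport = (uint16_t)((tcp[0] << 8) | tcp[1]);            /* reply's source port */
    if (sport != probe_port) return PORT_UNKNOWN;                   /* not an answer to this probe */
    uint8_t flags = tcp[13];
    if (flags & TH_RST) return PORT_CLOSED;
    if ((flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) return PORT_OPEN;
    return PORT_UNKNOWN;
}

/* Constructed sample replies, not real captures; checksums are left zero. Layout:
   Ethernet dst/src/type, then IPv4 (192.168.1.20 -> 192.168.1.10), then TCP 80 -> 1234. */
#define SAMPLE_PREFIX \
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, \
    0x45,0x00,0x00,0x28, 0x00,0x00,0x00,0x00, 0x40,0x06,0x00,0x00, \
    0xc0,0xa8,0x01,0x14, 0xc0,0xa8,0x01,0x0a, \
    0x00,0x50, 0x04,0xd2, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02, 0x50
const uint8_t sample_synack[] = { SAMPLE_PREFIX, TH_SYN | TH_ACK, 0xff,0xff, 0x00,0x00, 0x00,0x00 };
const uint8_t sample_rstack[] = { SAMPLE_PREFIX, TH_RST | TH_ACK, 0x00,0x00, 0x00,0x00, 0x00,0x00 };

int main(void)
{
    static const char *names[] = { "open", "closed", "unknown" };
    printf("SYN+ACK reply from port 80: %s\n", names[classify_reply(sample_synack, sizeof sample_synack, 80)]);
    printf("RST+ACK reply from port 80: %s\n", names[classify_reply(sample_rstack, sizeof sample_rstack, 80)]);
    return 0;
}
```

A reply with neither flag pattern, or from a port other than the one probed, stays unknown rather than being misread as open; in practice a filtered port produces no reply at all, which a timeout has to handle.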

Requirements

You need WinPcap (the Windows version of libpcap) to run this application. It can be downloaded from this location. The package contains the setup file along with good documentation that explains capturing and sending packets in detail. I advise you to go through the WinPcap documentation before going through the source code.

Running the Application

First, make sure that you have installed WinPcap; then run the application. A Port Scanner dialog box will be displayed. Select the capture device and specify the target host and the range of port numbers to be scanned. When Port Scanner starts its scan, the port numbers and their status will be displayed.

Acknowledgement

I am thankful to (Hacker) Hr.Ankit Fadia for his great book Unofficial Guide to Ethical Hacking. Most of the technical details that I have mentioned here came from this book.

If you want more details or you have any doubts, please feel free to drop an e-mail to nsry2002@yahoo.co.in.

Comments

  • Excellent!!! I have a doubt

    Posted by prashanthgn on 02/27/2006 01:14pm

    Hi, this is an excellent article. I have a doubt. To perform a TCP half-open scan, we need to build the TCP packet, and as part of that I need the destination MAC address, for which you are using ARP. Will this work if ping/ICMP has been disabled? My requirement is to scan all TCP ports and create a report. Will I be able to get the MAC address (ARP response)?

    Reply
  • Nothing new

    Posted by Bios1 on 07/05/2004 09:18pm

    It will not run on WinNT/2000, a feature common to the WinPcap library. Nothing new in this method. See Nmap, open source, available for many years.

    Reply
  • Why?

    Posted by PerryBruins on 07/02/2004 10:16am

    What is the reason to write this? To teach other people how to sneakily attack other computers?

    Reply
  • More of this, please

    Posted by darwen on 07/01/2004 06:14am

    I'd love to know more about the rusty innards of TCP/IP and exactly how it's implemented. Please, more, more, more! Oh, and this is a very well considered, concise article even though it is packed full of information.

    Reply