
Tools


Secrets of Network Cartography - The Xmas Tree Scan (-sX)

The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.

A closed port responds to a Xmas tree scan with a RST:

    Source          Destination     Summary
    --------------------------------------------------------------------------------------
    [192.168.0.8]   [192.168.0.7]   TCP: D=618 S=36793 FIN URG PUSH SEQ=3378228596 LEN=0 WIN=1024
    [192.168.0.7]   [192.168.0.8]   TCP: D=36793 S=618 RST ACK=3378228596 WIN=0

Similar to the FIN scan, an open port on a remote station is conspicuous by its silence:

    Source          Destination     Summary
    --------------------------------------------------------------------------------------
    [192.168.0.8]   [192.168.0.7]   TCP: D=79 S=36793 FIN URG PUSH SEQ=3378228596 LEN=0 WIN=2048

The Xmas tree scan output shows similar results to the FIN scan:
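As an added example (not from the original page or the book it excerpts), here is a small Python checker a defender can run over sniffer summary lines like those above: it recovers the TCP flags byte (0x29 for FIN+URG+PUSH), names the probe type, and pairs each probe with any RST reply to show what the scanner would have inferred. The summary-line format is assumed from the capture quoted above, and the SAMPLE lines are constructed from it.

```python
import re

# TCP flag bits in the flags byte (RFC 793 order, low bit first).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TOKEN_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PUSH": PSH, "ACK": ACK, "URG": URG}

# Assumed format: sniffer summary lines shaped like the capture quoted above.
LINE_RE = re.compile(
    r"\[(?P<src>[\d.]+)\]\s+\[(?P<dst>[\d.]+)\]\s+TCP:\s+D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s+(?P<rest>.*)"
)

def parse_summary(line):
    """Return (src, dst, dport, sport, flags_byte) for one summary line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = 0
    for tok in m["rest"].split():
        name = tok.split("=")[0]  # "ACK=3378228596" means the ACK flag is set
        if name in TOKEN_BITS and ("=" not in tok or name == "ACK"):
            flags |= TOKEN_BITS[name]
    return m["src"], m["dst"], int(m["dport"]), int(m["sport"]), flags

def classify_probe(flags):
    """Name the scan type implied by a probe's flags; None for ordinary traffic."""
    return {FIN | URG | PSH: "xmas", FIN: "fin", 0: "null"}.get(flags)

def audit(lines):
    """Pair each scan probe with its reply and report what the scanner would infer."""
    pkts = [p for p in map(parse_summary, lines) if p]
    findings = []
    for src, dst, dport, sport, flags in pkts:
        kind = classify_probe(flags)
        if kind is None:
            continue
        rst_seen = any(s == dst and d == src and dp == sport and sp == dport and f & RST
                       for s, d, dp, sp, f in pkts)
        findings.append((src, dst, dport, kind, "closed" if rst_seen else "open|filtered"))
    return findings

# Constructed sample: the two exchanges quoted in the text above.
SAMPLE = """
[192.168.0.8] [192.168.0.7] TCP: D=618 S=36793 FIN URG PUSH SEQ=3378228596 LEN=0 WIN=1024
[192.168.0.7] [192.168.0.8] TCP: D=36793 S=618 RST ACK=3378228596 WIN=0
[192.168.0.8] [192.168.0.7] TCP: D=79 S=36793 FIN URG PUSH SEQ=3378228596 LEN=0 WIN=2048
""".strip().splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any probe reported as "open|filtered" is exactly the silence the text describes, so a burst of such findings from one source is the signal an IDS rule would key on.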

Portjammer (SynAckFlood) - Port Scanner And Security Scanner Jammer. SynAckFlood doesn't stop port scanners and security scanners; it tries to blind the scanner with an avalanche of false information. How? Well, when the target computer receives a SYN packet to a closed port, SynAckFlood generates a SYN/ACK response just as the kernel TCP module would, but in parallel to it. The result is an avalanche of garbage information. There are many possible defense systems designed to stop port scanners: SYN cookies, SynAckFlood, systems that detect sequential port scans, etc.

Portjammer basically sends a SYN/ACK response to every SYN packet that arrives at a closed port. PortJammer was written in C++ and uses libpcap and raw sockets. To see screenshots of several scanners which crashed due to Portjammer see:

TCP Idle Scan (-sI)

In 1998, security researcher Antirez (who also wrote the hping2 tool used in parts of this book) posted to the Bugtraq mailing list an ingenious new port scanning technique.

Idle scan, as it has become known, allows for completely blind port scanning. Attackers can actually scan a target without sending a single packet to the target from their own IP address! Instead, a clever side-channel attack allows for the scan to be bounced off a dumb “zombie host”. Intrusion detection system (IDS) reports will finger the innocent zombie as the attacker. Besides being extraordinarily stealthy, this scan type permits discovery of IP-based trust relationships between machines. While idle scanning is more complex than any of the techniques discussed so far, you don't need to be a TCP/IP expert to understand it.

One way to determine whether a TCP port is open is to send a SYN (session establishment) packet to the port. After this process, the zombie's IP ID should have increased by either one or two.

The Big Brother Systems and Network Monitor.
Five Best Remote Desktop Tools.
Top 100 Network Security Tools.
Insecure.Org - Nmap Free Security Scanner, Tools & Hacking resources.
CloudShark.