Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
An attacker uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network. Although common services have assigned port numbers, services and applications can run on arbitrary ports. Additionally, port scanning is complicated by the potential for any machine to have up to 65535 possible UDP or TCP services. The goal of port scanning is often broader than identifying open ports, but also give the attacker information concerning the firewall configuration. Depending upon the method of scanning that is used, the process can be stealthy or more obtrusive, the latter being more easily detectable due to the volume of packets involved, anomalous packet traits, or system logging. Typical port scanning activity involves sending probes to a range of ports and observing the responses. There are four types of port status that a port scan usually attempts to discover:
For strategic purposes it is useful for an attacker to distinguish between an open port that is protected by a filter vs. a closed port that is not protected by a filter. Making these fine grained distinctions is impossible with certain scan types. A TCP connect scan, for instance, cannot distinguish a blocked port with an active service from a closed port that is not firewalled. Other scan types can only detect closed ports, while others cannot detect port state at all, only the presence or absence of filters. Collecting this type of information tells the attacker which ports can be attacked directly, which must be attacked with filter evasion techniques like fragmentation, source port scans, and which ports are unprotected (i.e. not firewalled) but aren't hosting a network service. An attacker often combines various techniques in order to gain a more complete picture of the firewall filtering mechanisms in place for a host.
Target Attack Surface Description
Targeted OSI Layers: Network Layer Transport Layer
Target Attack Surface Localities
Target Attack Surface Types: Network Host
The ability to craft arbitrary packets of various protocol types for use during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.
[R.300.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 54. 6th Edition. McGraw Hill. 2009.
[R.300.2] [REF-21] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). September 1981. <http://www.faqs.org/rfcs/rfc793.html>.
[R.300.3] [REF-27] J. Postel. "RFC768 - User Datagram Protocol". August 28, 1980. <http://www.faqs.org/rfcs/rfc768.html>.
[R.300.4] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 4.1 Introduction to Port Scanning, pg. 73. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
More information is available — Please select a different filter.