
Stealth tcp port scanning

  • Port scanning is carried out by both hackers and information security professionals alike to probe network hosts and discover active services. Port scanning is often instrumental in exploiting potential vulnerabilities that exist in services running on a host; hence the reason for stealth port scans that try to evade firewall/IDS devices.

    Although today’s IDS can pick up almost any type of traditional stealth scans, IDS or firewall evasion does exist and is commonly performed by using packet fragmentation or by using proxy hosts. This article looks at how these basic tcp stealth scans work.

    Stealth TCP port scanning involves sending one or more packets to a target TCP port without completing the 3-way TCP handshake, with the objective of evading firewall/IDS detection.

    Let’s take a look at some of the tcp stealth scans:

    1. RFC 793 exploitation scans. The RFC 793 standard states that if a port is closed on a host, an RST/ACK packet should be sent to reset the connection. This is exactly what is exploited in what I like to call “RFC 793 exploitation scans” (it is not a pretty name though, is it?).

    Probe packets with either the FIN tcp flag set, with no tcp flag set (NULL scan), or with the FIN, PSH and URG tcp flags set (commonly referred to as an XMAS probe) are directed towards the target while listening for RST/ACKs: ports that answer with RST/ACK are closed, while ports that send nothing back are taken to be open.


    Source           Destination    Summary
    ----------------------------------------------------------------------------------------
    [192.168.0.200] [192.168.0.100] TCP: D=800 S=34211 FIN SEQ=3872678719 LEN=0 WIN=2048
    [192.168.0.100] [192.168.0.200] TCP: D=34211 S=80 RST ACK=3872678719 WIN=0

    The above mentioned tcp scans can be performed using nmap:

    nmap -sF target_ip_address (FIN probe)
    nmap -sX target_ip_address (XMAS probe)
    nmap -sN target_ip_address (NULL probe)

    The above techniques work with most Linux distros but are ineffective against the Windows platform.

    2. RST header analysis. Uriel Maimon was the first to describe this technique in Phrack magazine’s issue 49 which highlights a weakness in the implementation of the TCP/IP stack in some operating systems that use the BSD-flavor of the TCP/IP stack implementation.


    RST Header - TTL value analysis using Hping2
    -------------------------------------------------------------
    Packet 1: host 192.168.0.100 port 79: F:RST -> ttl: 130 win: 0
    Packet 2: host 192.168.0.100 port 80: F:RST -> ttl: 130 win: 0
    Packet 3: host 192.168.0.100 port 81: F:RST -> ttl: 90 win: 0
    Packet 4: host 192.168.0.100 port 82: F:RST -> ttl: 130 win: 0

    As shown in Figure 3 and Figure 4 (below), the attacker sends ACK probe packets, listens for the incoming RST packets from the target and analyzes the header information contained within them.

    From the above log, the TTL value of Packet 3, the target's response to the ACK probe on port 81, is lower than the ceiling value of 128 (the ceiling varies from one OS platform to another) and lower than the TTL of the other responses; this difference indicates that there is a running service on port 81 on the target host.


    RST Header - Window field analysis using Hping2
    -------------------------------------------------------------
    Packet 1: host 192.168.0.100 port 79: F:RST -> ttl: 128 win: 0
    Packet 2: host 192.168.0.100 port 80: F:RST -> ttl: 128 win: 0
    Packet 3: host 192.168.0.100 port 81: F:RST -> ttl: 128 win: 512
    Packet 4: host 192.168.0.100 port 82: F:RST -> ttl: 128 win: 0


    If the Window field of the TCP header of the received RST packet has a value greater than zero, it denotes that a port is open. A zero Window field size denotes a closed port and a no response would denote the port is filtered.

    Do note that in some TCP/IP stack implementations the logic is exactly the opposite of what is stated here, i.e., zero denotes open ports and non-zero figures denote closed ports. A quick look at the results will help us determine which case applies.

    The above methods are ineffective against firewalls that perform Stateful Packet Inspection (SPI), since such firewalls do not let ACK packets through unless they match the state of a legitimate connection. These probing techniques require some creativity to prove useful.

    RST header analysis can be performed using nmap:

    nmap -sA target_ip_address (for TTL analysis)
    nmap -sW target_ip_address (for WINDOW field value analysis)

    There’s more to keeping your scans stealthy than using the above techniques. Today’s IDS can easily pick up the above, including our favorite Snort! Take a look at what Snort picked up when it came across a FIN probe:

    Yes, it picked up a FIN scan! What else did we expect? The TCP stealth scans discussed here do not necessarily work for all platforms, as we already know. The same goes for how a given firewall or IDS deals with them.
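    As an added example that is not part of the original article, the following Python applies both of the checks discussed above from the defender's side to trace lines in the Sniffer-style format shown earlier: a stateless flag-combination signature, as an IDS like Snort uses to flag FIN, NULL and XMAS probes, and a small connection-state table, as an SPI firewall uses to reject the ACK probes that a stateless check cannot distinguish from legitimate traffic. The trace lines are constructed sample data, and the function names are this example's own.

```python
import re

FLAG_NAMES = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
LINE_RE = re.compile(r"^\[(?P<src>[\d.]+)\] \[(?P<dst>[\d.]+)\] TCP: "
                     r"D=(?P<dport>\d+) S=(?P<sport>\d+) (?P<rest>.*)$")

# Constructed sample trace: three RFC 793 probes, one bare ACK probe,
# then a legitimate handshake followed by a normal FIN/ACK close.
TRACE = """\
[192.168.0.200] [192.168.0.100] TCP: D=80 S=34211 FIN SEQ=3872678719 LEN=0 WIN=2048
[192.168.0.200] [192.168.0.100] TCP: D=81 S=34212 SEQ=3872678720 LEN=0 WIN=2048
[192.168.0.200] [192.168.0.100] TCP: D=82 S=34213 FIN PSH URG SEQ=3872678721 LEN=0 WIN=2048
[192.168.0.200] [192.168.0.100] TCP: D=83 S=34214 ACK=1 SEQ=1 LEN=0 WIN=1024
[192.168.0.200] [192.168.0.100] TCP: D=80 S=34300 SYN SEQ=100 LEN=0 WIN=65535
[192.168.0.100] [192.168.0.200] TCP: D=34300 S=80 SYN ACK=101 SEQ=500 LEN=0 WIN=65535
[192.168.0.200] [192.168.0.100] TCP: D=80 S=34300 ACK=501 SEQ=101 LEN=0 WIN=65535
[192.168.0.200] [192.168.0.100] TCP: D=80 S=34300 FIN ACK=501 SEQ=101 LEN=0 WIN=65535
"""

def parse(line):
    """Return (src, dst, sport, dport, flags) for one trace line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Flags appear bare ("FIN", "RST") or with a value ("ACK=123").
    flags = {t.split("=")[0] for t in m["rest"].split() if t.split("=")[0] in FLAG_NAMES}
    return m["src"], m["dst"], int(m["sport"]), int(m["dport"]), flags

def signature_verdict(flags):
    """Stateless IDS-style check: flag sets no real TCP endpoint ever sends."""
    if not flags:
        return "NULL probe"
    if flags == {"FIN"}:            # a genuine FIN always carries ACK
        return "FIN probe"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS probe"
    return None

def audit(trace):
    """Return (src, dport, verdict) for every suspicious segment in the trace."""
    known = set()                   # 4-tuples for which a SYN has been seen
    findings = []
    for line in trace.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        key = frozenset([(src, sport), (dst, dport)])   # direction-agnostic
        verdict = signature_verdict(flags)
        if verdict is None:
            if "SYN" in flags:
                known.add(key)
            elif "RST" in flags:
                known.discard(key)
            elif "ACK" in flags and key not in known:   # SPI-style check
                verdict = "ACK probe (no matching connection)"
        if verdict:
            findings.append((src, dport, verdict))
    return findings
```

    Only the four probes are reported; the handshake and its FIN/ACK close pass both checks, which is exactly why a stateless signature alone cannot catch the ACK-based scans described above.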

    One way to get around detection is fragmenting the probe packets. Splitting the TCP header (or even the IP payload) across smaller IP fragments gets around firewalls that do not reassemble all the fragments at the perimeter before passing them to the target. Similarly, signature-based IDS devices are often fooled into treating these fragments as “junk traffic”. It is worthwhile mentioning here that fragmenting can cause the target to crash or result in unexpected behavior.

    Using nmap, fragmenting can be done with the “-f” switch. In fact, nmap has a whole suite of “evasion” switches (see the nmap documentation):

     -f; --mtu <val>: fragment packets (optionally w/given MTU)
     -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
     -S <IP_Address>: Spoof source address
     -e <iface>: Use specified interface
     -g/--source-port <portnum>: Use given port number
     --data-length <num>: Append random data to sent packets
     --ip-options <options>: Send packets with specified ip options
     --ttl <val>: Set IP time-to-live field
     --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
     --badsum: Send packets with a bogus TCP/UDP checksum

    Other techniques that assist in carrying out a stealth tcp scan include randomizing scan timing to avoid detection, using decoy hosts, botnets, etc.
