1、Three-way handshake

A TCP SYN packet is sent from the device that wishes to establish a connection to a port on the device it desires to connect with. If the service associated with the receiving port accepts the connection, it replies to the requesting system with a TCP packet that has both the SYN and ACK bits set. The connection is established only when the requesting system responds with a TCP ACK. This three-step process establishes a TCP session between the two systems. All of the TCP port scanning techniques perform some variation of this process to identify live services on remote hosts.

We know that connect scanning establishes a full TCP connection for each port that is scanned. Alternatively, stealth scanning does not establish a full connection; it is also referred to as SYN scanning or half-open scanning. For each port that is scanned, a single SYN packet is sent to the destination port, and all ports that reply with a SYN+ACK packet are assumed to be running a live service. Since no final ACK is sent from the initiating system, the connection is left half-open. This is referred to as stealth scanning because logging solutions that only record established connections will not record any evidence of the scan.

2、Zombie scanning

Now that we know the scanning principle, let's discuss the final method of TCP scanning. The goal of zombie scanning is to map open ports on the remote system without producing any evidence that you have interacted with that system.

The process of zombie scanning is carried out as follows:

Step one: identify a remote system to serve as your zombie. This system should have the following characteristics:

  1. the system is idle and does not communicate actively with other systems on the network
  2. the system uses an incremental IPID sequence

Step two: send a SYN+ACK packet to this zombie host and record the initial IPID value of the RST it returns.

Step three: send a SYN packet with a spoofed source IP address of the zombie system to the scan target.

Step four: depending on the status of the port on the scan target, one of the following two things will happen:

  1. if the port is open, the scan target returns a SYN+ACK packet to the zombie host, which it believes sent the original SYN request. In this case the zombie host responds to this unsolicited SYN+ACK packet with an RST packet and thereby increments its IPID value by ONE
  2. if the port is closed, the scan target returns an RST response to the zombie host, which it believes sent the original SYN request. This RST packet solicits no response from the zombie, and the IPID is not incremented

Step five: send another SYN+ACK packet to the zombie host and evaluate the final IPID value of the returned RST response. If this value has incremented by ONE, the port on the scan target is closed; if the value has incremented by TWO, the port on the scan target is open.


To perform a zombie scan, an initial SYN+ACK request should be sent to the zombie system to determine the current IPID value in the returned RST packet. Then, a spoofed SYN packet is sent to the scan target with a source IP address of the zombie system. If the port is open, the scan target will send a SYN+ACK response back to the zombie. Since the zombie did not actually send the initial SYN request, it will interpret the SYN+ACK response as unsolicited and send an RST packet back to the target, thereby incrementing its IPID by one. Finally, another SYN+ACK packet should be sent to the zombie, which will return an RST packet and increment the IPID one more time. An IPID that has incremented by two from the initial response is indicative of the fact that all of these events have transpired and that the destination port on the scanned system is open. Alternatively, if the port on the scan target is closed, a different series of events will transpire, which will only cause the final RST response IPID value to increment by one.

If the destination port on the scan target is closed, an RST packet will be sent to the zombie system in response to the initially spoofed SYN packet. Since the RST packet solicits no response, the IPID value of the zombie system will not be incremented. As a result, the final RST packet returned to the scanning system in response to the SYN+ACK packet will have the IPID incremented by only one. This process can be performed for each port that is to be scanned, and it can be used to map open ports on a remote system without leaving any evidence that a scan was performed by the scanning system.
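To make the IPID arithmetic in the five steps above concrete, here is an added Python simulation (not code from the original post or from the cookbook it summarizes): Zombie, Target and zombie_scan are hypothetical models that exchange no packets. It also covers the case the steps assume away, a zombie that is not idle or whose IPID is not incremental, which is exactly why a busy host or a randomized IPID sequence defeats this technique.

```python
# Added illustration, not code from the original post; Zombie/Target are
# hypothetical models, no packets are sent.
from dataclasses import dataclass


@dataclass
class Zombie:
    """Idle host with an incremental IPID counter (step one's requirement)."""
    ipid: int = 1000

    def send(self) -> int:
        """Every packet the zombie emits consumes the next IPID value."""
        self.ipid += 1
        return self.ipid


@dataclass
class Target:
    open_ports: set

    def on_spoofed_syn(self, zombie: Zombie, port: int) -> None:
        """Answer a SYN whose source was spoofed to the zombie's address."""
        if port in self.open_ports:
            zombie.send()   # SYN+ACK reaches the zombie; it replies RST (+1 IPID)
        # closed port: target sends RST, which the zombie ignores (no IPID used)


def probe_ipid(zombie: Zombie) -> int:
    """Scanner's SYN+ACK probe; the zombie's RST reply reveals its IPID."""
    return zombie.send()


def classify(delta: int) -> str:
    """Map the IPID difference between the two probes to a port state."""
    if delta == 1:
        return "closed"
    if delta == 2:
        return "open"
    return "unknown"   # busy zombie or random IPID: the inference fails


def zombie_scan(zombie: Zombie, target: Target, port: int,
                background_packets: int = 0) -> str:
    initial = probe_ipid(zombie)                # step two
    target.on_spoofed_syn(zombie, port)         # steps three and four
    for _ in range(background_packets):         # zombie talking to others
        zombie.send()
    final = probe_ipid(zombie)                  # step five
    return classify(final - initial)
```

Running zombie_scan with a nonzero background_packets shows why the idle requirement matters: any traffic the zombie originates between the two probes makes the delta unreadable.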
