Printing the capture to the screen
o Without a firewall
1. Port open

```
Victim ~# iptables -F
Victim ~# systemctl start httpd
Victim ~# tcpdump -n tcp port 80 -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

Attacker ~# nmap -sS -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 06:30 EST
Nmap scan report for 192.168.108.100
Host is up (0.00084s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

Victim ~# tcpdump -n tcp port 80 -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
SYN
11:22:49.781663 IP 192.168.108.102.59687 > 192.168.108.100.http: Flags [S], seq 27991601, win 1024, options [mss 1460], length 0
SYN/ACK
11:22:49.781730 IP 192.168.108.100.http > 192.168.108.102.59687: Flags [S.], seq 2343217698, ack 27991602, win 29200, options [mss 1460], length 0
RST
11:22:49.782045 IP 192.168.108.102.59687 > 192.168.108.100.http: Flags [R], seq 27991602, win 0, length 0
```
2. Port closed

```
Victim ~# systemctl stop httpd
Victim ~# tcpdump -n tcp port 80 -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

Attacker ~# nmap -sS -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 06:33 EST
Nmap scan report for 192.168.108.100
Host is up (0.0015s latency).

PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

Victim ~# tcpdump -n tcp port 80 -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
SYN
11:26:57.907415 IP 192.168.108.102.46045 > 192.168.108.100.http: Flags [S], seq 3740904298, win 1024, options [mss 1460], length 0
RST
11:26:57.907505 IP 192.168.108.100.http > 192.168.108.102.46045: Flags [R.], seq 0, ack 3740904299, win 0, length 0
```
o With a firewall
1. Port open

```
iptables -F
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
systemctl start httpd

Victim ~# tcpdump -n tcp port 80 -i ens33

Attacker ~# nmap -sS -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 06:36 EST
Nmap scan report for 192.168.108.100
Host is up (0.0015s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

Victim ~# tcpdump -n tcp port 80 -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
SYN
11:29:29.310157 IP 192.168.108.102.56548 > 192.168.108.100.http: Flags [S], seq 3009393550, win 1024, options [mss 1460], length 0
SYN/ACK
11:29:29.310232 IP 192.168.108.100.http > 192.168.108.102.56548: Flags [S.], seq 2591662996, ack 3009393551, win 29200, options [mss 1460], length 0
RST
11:29:29.310458 IP 192.168.108.102.56548 > 192.168.108.100.http: Flags [R], seq 3009393551, win 0, length 0
```
2. Port closed

```
iptables -F
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
systemctl stop httpd

Victim ~# tcpdump -n tcp port 80 -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

Attacker ~# nmap -sS -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 06:38 EST
Nmap scan report for 192.168.108.100
Host is up (0.00030s latency).

PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

Victim ~# tcpdump -n tcp port 80 -i ens33
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
SYN
11:32:15.565782 IP 192.168.108.102.48013 > 192.168.108.100.http: Flags [S], seq 3758520710, win 1024, options [mss 1460], length 0
SYN
11:32:15.677680 IP 192.168.108.102.48015 > 192.168.108.100.http: Flags [S], seq 3758389636, win 1024, options [mss 1460], length 0
```
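The three packet patterns captured above (open, closed, filtered) can be recognised automatically from tcpdump text output. The following is an added example, not part of the original post: `classify_flows` and the verdict strings are names chosen here, and the sample lines are copied from the captures on this page.

```python
import re
from collections import defaultdict

# tcpdump lines copied from the captures on this page (open, closed, filtered).
SAMPLE = """\
11:22:49.781663 IP 192.168.108.102.59687 > 192.168.108.100.http: Flags [S], seq 27991601, win 1024, options [mss 1460], length 0
11:22:49.781730 IP 192.168.108.100.http > 192.168.108.102.59687: Flags [S.], seq 2343217698, ack 27991602, win 29200, options [mss 1460], length 0
11:22:49.782045 IP 192.168.108.102.59687 > 192.168.108.100.http: Flags [R], seq 27991602, win 0, length 0
11:26:57.907415 IP 192.168.108.102.46045 > 192.168.108.100.http: Flags [S], seq 3740904298, win 1024, options [mss 1460], length 0
11:26:57.907505 IP 192.168.108.100.http > 192.168.108.102.46045: Flags [R.], seq 0, ack 3740904299, win 0, length 0
11:32:15.565782 IP 192.168.108.102.48013 > 192.168.108.100.http: Flags [S], seq 3758520710, win 1024, options [mss 1460], length 0
11:32:15.677680 IP 192.168.108.102.48015 > 192.168.108.100.http: Flags [S], seq 3758389636, win 1024, options [mss 1460], length 0
""".splitlines()

PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\S+) > (\d+\.\d+\.\d+\.\d+)\.([^:\s]+): Flags \[([^\]]+)\]")

# Flag sequence per flow (c = client to server, s = server to client) -> verdict.
VERDICTS = {
    ("cS", "sS.", "cR"): "open, half-open probe (SYN scan signature)",
    ("cS", "sS.", "c."): "open, handshake completed",
    ("cS", "sR."): "closed (RST/ACK from target)",
    ("cS",): "no reply (filtered or dropped)",
}

def classify_flows(lines):
    """Group packets by 4-tuple and map each flow's flag sequence to a verdict."""
    flows = defaultdict(list)
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue  # not a TCP packet line (banner, label, blank)
        src, sport, dst, dport, flags = m.groups()
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S" and rev not in flows:   # a bare SYN opens a new flow
            flows[fwd].append("cS")
        elif fwd in flows:                      # later packet from the client
            flows[fwd].append("c" + flags)
        elif rev in flows:                      # reply from the server
            flows[rev].append("s" + flags)
    return {k: VERDICTS.get(tuple(v), "other: " + " ".join(v)) for k, v in flows.items()}

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, "->", verdict)
```

In the filtered case nmap retries from a new source port, so the two unanswered SYNs show up as two separate flows with the same verdict.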
Saving the capture to a file
o With a firewall
1. Port open

```
A            V
 S   ------->
 S/A <-------
 R   ------->
```

```
Victim ~# vi tcpScan5.sh
-- tcpScan5.sh --
#!/bin/sh
# Reset the rules, then allow only NEW connections to 80 and 22; drop the rest
iptables -F
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
systemctl start httpd
# Write the port 80 traffic to a pcap file until interrupted with Ctrl + C
tcpdump -w tcpScan5.pcap -n tcp port 80 -i ens33
-- tcpScan5.sh --

Victim ~# chmod 755 tcpScan5.sh
Victim ~# ./tcpScan5.sh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
```

Open another terminal and check.

```
Victim ~# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 state NEW
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Victim ~# netstat -nlt|grep 80
tcp6       0      0 :::80                   :::*                    LISTEN

Attacker ~# nmap -sS -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 06:50 EST
Nmap scan report for 192.168.108.100
Host is up (0.0028s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

Victim ~# ./tcpScan5.sh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C3 packets captured
3 packets received by filter
0 packets dropped by kernel

Victim ~# scp tcpScan5.pcap 192.168.108.102:
root@192.168.108.102's password:
tcpScan5.pcap                                 100%  250   252.4KB/s   00:00

Attacker ~# wireshark tcpScan5.pcap &
```
2. Port closed

```
A            V
 S   ------->
 S   ------->
```

```
Victim ~# vi tcpScan6.sh
-- tcpScan6.sh --
#!/bin/sh
# Same rule set as tcpScan5.sh, but with no ACCEPT rule for port 80
iptables -F
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
systemctl stop httpd
# Capture until Ctrl + C, then copy the pcap to the attacker host
tcpdump -w tcpScan6.pcap -n tcp port 80 -i ens33
scp tcpScan6.pcap 192.168.108.102:
-- tcpScan6.sh --

Victim ~# chmod 755 tcpScan6.sh
Victim ~# ./tcpScan6.sh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

Victim ~# ./tcpScan6.sh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@192.168.108.102's password:
tcpScan6.pcap                                 100%  176   181.6KB/s   00:00
```
o Without a firewall
1. Port open

```
A            V
 S   ------->
 S/A <-------
 R   ------->
```

```
Victim ~# vi tcpScan7.sh
-- tcpScan7.sh --
#!/bin/sh
# No firewall rules: flush everything and start the web server
iptables -F
systemctl start httpd
# Capture until Ctrl + C, then copy the pcap to the attacker host
tcpdump -w tcpScan7.pcap -n tcp port 80 -i ens33
scp tcpScan7.pcap 192.168.108.102:
-- tcpScan7.sh --

Victim ~# chmod 755 tcpScan7.sh
Victim ~# ./tcpScan7.sh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
```

Open another terminal and check the port and the firewall rules.

```
Victim ~# netstat -nlt|grep 80
tcp6       0      0 :::80                   :::*                    LISTEN

Victim ~# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Attacker ~# nmap -sS -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 07:23 EST
Nmap scan report for 192.168.108.100
Host is up (0.0014s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
```

Press Ctrl + C to stop the packet dump.

```
Victim ~# ./tcpScan7.sh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C3 packets captured
3 packets received by filter
0 packets dropped by kernel
root@192.168.108.102's password:
tcpScan7.pcap                                 100%  250   148.0KB/s   00:00
```

Analyze the packets with Wireshark on the attacker.

```
Attacker ~# wireshark tcpScan7.pcap
```
2. Port closed

```
A            V
 S   ------->
 R   <-------
```

```
Victim ~# vi tcpScan8.sh
-- tcpScan8.sh --
#!/bin/sh
# No firewall rules and no listener on port 80
iptables -F
systemctl stop httpd
# Capture until Ctrl + C, then copy the pcap to the attacker host
tcpdump -w tcpScan8.pcap -n tcp port 80 -i ens33
scp tcpScan8.pcap 192.168.108.102:
-- tcpScan8.sh --

Victim ~# chmod 755 tcpScan8.sh
Victim ~# ./tcpScan8.sh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

Attacker ~# nmap -sS -p 80 192.168.108.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 07:28 EST
Nmap scan report for 192.168.108.100
Host is up (0.0014s latency).

PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:0C:29:87:C2:1B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
```

Press Ctrl + C to stop the packet dump.

```
Victim ~# ./tcpScan8.sh
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@192.168.108.102's password:
tcpScan8.pcap                                 100%  170    94.6KB/s   00:00
```

On the attacker, analyze the copied tcpScan8.pcap file with Wireshark.

```
Attacker ~# wireshark tcpScan8.pcap
```