Many programs run at the same time on the operating systems in use today. Some of these programs accept requests from outside (from a client, the requester) and serve the appropriate response (as a server). The computer on which a server program runs is given an address (its IP address), and the desired computer is reached using this address. Once the computer is reached, which server program the service is being requested from is determined through ports, each of which is given a positive number (the port number). These are not the LPT or COM ports on the back of your machine; they are abstract ports that are currently active. Think of calling a phone in a remote location: you have to dial the area code (say 0216) first, and only after that can the system place the call and open the channel. A port is like that area code, the part you must give before you can reach the program you want.


Some server programs provide their service on a port that everyone knows (for example telnet on port 23, the MSN port, and so on), while others serve from different ports depending on the person running the server program and their wishes. Therefore, to connect to any server software on the network, we need to know which port number the program accepts requests on, or whether that port is closed on the other side, as well as the address of the computer it runs on. Of course we cannot connect to anything whose IP address and port number we do not know. A port number is usually held in 2 bytes, so port numbers go up to 65535; the small ones below 1024 are usually used by users with special rights (root), and the larger ones are open to the general public. Port scanner software automatically scans which of these ports are open. There are many kinds of scan, and their number has grown in direct proportion to the development of improved methods and techniques for countering hackers and hacking methods.


Basic Port Scan types are as follows:

1. TCP Connect Scan
2. SYN Scan
3. TCP FIN Scan
4. SYN / FIN scanning using IP fragments (bypasses packet filters)
5. TCP Xmas Tree Scan
6. TCP Null Scan
7. TCP ACK Scan
8. TCP ftp proxy (bounce attack) scanning
9. TCP Window Scan
10. RPC TCP Scan
11. UDP Scan
12. Ident Scan


However, before the scan types are described, we should look at how the Transmission Control Protocol (TCP), which makes a connection between computers over the Internet possible, works, so that the scan types can be understood better. Briefly, at the start of a TCP session the computer that wants a service from a server computer (the client) sends the server a packet with the SYN flag set to indicate that it wants to connect. The server that receives this connection request replies to the client with a packet in which the SYN flag is again set, together with the ACK flag confirming the request (the SYN-ACK packet). In the third stage, the client that has received the server’s SYN-ACK packet sends the server a packet (ACK) indicating that it received it.


TCP Connect Scan

This scan performs the complete connection process described above and then disconnects; a successful connection tells us that the port is open. The bad side of this scan type is that sessions really take place on the target system: if the system records all sessions, the IP address of the scanning side is logged along with every port tested. It is a scan type performed at some risk, when you need to be sure, but it gives accurate results.

SYN scan

As mentioned above, we need to scan without opening a session so that we do not take that risk. This type of scan is often referred to as half-open scanning. The reason is that a SYN-flagged packet is sent, i.e. the first two stages of the connection process described above take place, and after the SYN/ACK-flagged packet arrives a packet with the RST/ACK flags is sent to reject opening the session. The decision that the port is open is taken from the arrival of the SYN/ACK packet. The RST/ACK packet resets the session. Since the session is never fully opened, the chance of it being recorded is reduced.


TCP FIN Scan

One of the methods we can use if we want to scan without the connection process is the FIN scan. If a packet with the FIN flag set is sent to a port of a system, the system replies with an RST if the port is closed, according to RFC 793. If no reply comes, the port is taken to be open.

SYN / FIN Scanning Using IP Fragments

Actually this scan type is not a new method; it is an improved form of the SYN and FIN scans. In this method, instead of sending the probe packet as one piece, it is sent as two or three smaller IP fragments. In short, the TCP header is divided across several packets to complicate the work of packet filters, which then fail to understand what is being done.

TCP Xmas Tree Scan

In this type of scan a packet with the FIN (no more data from sender), URG (urgent pointer field significant) and PUSH (push function) flags set, lit up like a Christmas tree, is sent to a port of the target system; according to RFC 793 an RST reply is expected from a closed port. Ports that give no reply are taken to be open.

TCP Null Scan

Unlike the Xmas tree scan, this type of scan sends a packet carrying no flags at all. According to RFC 793 an RST answer comes from a closed port of the system.

TCP ACK Scan

The rationale of this scan type is that a static or dynamic packet-filtering firewall has to remember which side first started a connection. Considering that some firewalls let packets with the ACK (acknowledgment field significant) flag pass unhindered as if they belonged to an approved connection, such a packet may get through the firewall or router and reach its target. In this way we gain the chance to port scan the target by bypassing the firewall.
TCP FTP Proxy (Bounce Attack) Scanning

According to the definitions in RFC 959, the FTP protocol has a remarkable feature: it allows proxy FTP connections. This scan type uses the hole created by that feature. Because of it, a control connection can be established with the FTP server-PI (protocol interpreter), and over this connection the server-PI can be asked to have the server-DTP (data transfer process) send a file to anywhere on the network. This is especially dangerous when we connect to an FTP server behind a firewall, because it lets the ports of the machines behind the firewall be scanned, which amounts to bypassing the firewall.

TCP Window Scan

This scan type reports whether a port is open or filtered by taking into account some flaws in the operating system’s TCP window handling.


RPC TCP Scan

With this scan method we may get the chance to learn, from the port, which RPC (Remote Procedure Call) processes are running and their versions.
UDP Scan

This technique is based on sending UDP packets to the target port and receiving an “ICMP port unreachable” message if the port is closed. If this message does not come, the port is understood to be open. This process is quite slow, and it becomes an intensive process especially when it has to be done through a filtering device.
Ident Scan

This scan type is built on the ident protocol defined in RFC 1413. It is used together with other scans. If identd is active on the target system, the full list of services running on the system and the names of the users running those services can be obtained. If identd is not active, this type of scan does not work. These descriptions are only intended to illustrate how a port scanner works; you never have to do them manually.
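The following added example (not code from the original post) turns the scan types above into detection logic from the target’s side: given the flag sequences exchanged between a probing host and a target, it labels each probe as a full connect, a half-open SYN scan, or a FIN, Xmas, Null or ACK probe. The addresses and packet records are constructed.

```python
# Added example, not code from the original post: label the probe patterns described
# above from packet flag sequences, as a detector watching the target's traffic would.
# Records are (src, sport, dst, dport, flags) and are constructed, not real captures.
PROBES = {frozenset(): "null", frozenset({"FIN"}): "fin", frozenset({"ACK"}): "ack",
          frozenset({"FIN", "URG", "PSH"}): "xmas"}

def classify(exchange):
    """exchange: [(direction, flags)] in arrival order; 'out' = sent by the probing host."""
    sent = [f for d, f in exchange if d == "out"]
    recv = [f for d, f in exchange if d == "in"]
    first = frozenset(sent[0])
    if first in PROBES:                 # single stateless probe; a closed port answers RST
        return PROBES[first]
    if first != {"SYN"}:
        return "unknown"
    if {"SYN", "ACK"} in recv:          # step 2 of the handshake came back: port is open
        if {"ACK"} in sent[1:]:         # step 3 sent too: full connect, session gets logged
            return "connect(open)"
        return "half-open(open)"        # torn down (RST) or dropped before step 3
    if any("RST" in f for f in recv):   # closed port rejects the SYN with RST/ACK
        return "syn(closed)"
    return "syn(no reply)"              # silently dropped, typically by a filter

def group(records):
    """Pair each reply with the probe it answers; key is the probing side's 4-tuple."""
    flows = {}
    for src, sport, dst, dport, flags in records:
        rev = (dst, dport, src, sport)
        if rev in flows:
            flows[rev].append(("in", set(flags)))
        else:
            flows.setdefault((src, sport, dst, dport), []).append(("out", set(flags)))
    return flows

def label_probes(records):
    """{target_port: label} for every probe seen in the records."""
    return {key[3]: classify(ex) for key, ex in group(records).items()}

SAMPLE = [  # constructed: 10.0.0.5 probes 192.0.2.10 (22 and 25 open, 23 closed)
    ("10.0.0.5", 40001, "192.0.2.10", 22, {"SYN"}),
    ("192.0.2.10", 22, "10.0.0.5", 40001, {"SYN", "ACK"}),
    ("10.0.0.5", 40001, "192.0.2.10", 22, {"RST"}),
    ("10.0.0.5", 40002, "192.0.2.10", 23, {"SYN"}),
    ("192.0.2.10", 23, "10.0.0.5", 40002, {"RST", "ACK"}),
    ("10.0.0.5", 40003, "192.0.2.10", 25, {"SYN"}),
    ("192.0.2.10", 25, "10.0.0.5", 40003, {"SYN", "ACK"}),
    ("10.0.0.5", 40003, "192.0.2.10", 25, {"ACK"}),
    ("10.0.0.5", 40004, "192.0.2.10", 80, {"FIN", "URG", "PSH"}),
    ("10.0.0.5", 40005, "192.0.2.10", 81, set()),
]
```

Port 22 and port 25 are both open, but only the port 25 probe completes the third step, which is exactly the difference between a logged connect scan and a half-open scan.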


Detecting the Remote Operating System

It is possible to learn which operating system a remote system is running by querying it over TCP/IP. So why do we need this? Because if the target runs Windows we apply Windows attack types, and if it runs Linux we apply the Linux ones. For example, nmap sends FIN packets to open ports of the remote system; according to RFC 793 an open port should not answer this packet, but Windows NT and other versions of that operating system answer it with a FIN/ACK, whereas on HP-UX, Cisco and Linux a RESET comes back.

The operating system of the target can be determined in several ways: banner capture, active TCP fingerprint detection, passive TCP fingerprint detection, and finally detection using ICMP. An alternative is to look the system up in whois, or simply to ask the people who run it what they use.

Banner Capture

The basis of this technique is the welcome message met on some systems when you connect to a port. After logging in, however, it may be necessary to work with some simple additional methods to determine the operating system. In the following example we connect to the University of Washington FTP server, give the server the SYST command, and obtain a little information about the operating system type.

Trying …
Connected to localhost.localdomain (
Escape character is ‘^]’.
220 localhost.localdomain FTP server (Version wu-2.6.1-16) ready.
215 UNIX Type: L8

Active TCP fingerprints detection

The basic idea is to send some TCP packets to the operating system, examine the answers and so determine the operating system. The packets sent play with various flags, with the fragmentation bit, with the ACK value, with information such as the type of service. In the packet that comes back, the flags in the answer and the window size are examined.

What is IP Spoofing?

Suppose you connect to another system over the Internet or a network, but you want to hide that this connection was made by you. Your identity when connecting (in the TCP/IP protocols your identity is your IP address) is then shown wrongly. Doing this is called IP spoofing: making a connection show a different IP address than that of the computer it is really made from.

IP Spoofing Methods:

IP spoofing is done in two ways: by using proxy/SOCKS servers, or by manipulating IP packets. Using a proxy/SOCKS server is the simple method; it is mostly used to hide the IP address for web/IRC connections. IP spoofing done by manipulating IP packets is very effective and is generally used in DoS attacks or in the session-hijacking method.


To keep a site you visit on the Internet from holding your IP address in its logs, you can make the connection through a proxy server by entering it in the connection settings of the browser you use. In this way, while you are actually connected to the proxy server, the proxy server connects to the target computer on your behalf. Example:

mysystem: 1059 -> myproxy: 8080
myproxy: 1039 -> mytarget: 80

First, our system (mysystem) connects to the port of the proxy we want to use (myproxy). The proxy port may be 80, 3128, 8080 or some other port. Once this connection is established, our system sends the proxy, in a higher-level protocol (HTTP, HTTPS), the information about the computer we want to connect to (mytarget). The proxy connects to the target computer on our behalf, passes on what we send it, and conveys the information coming from the target back to our system. Thus the target computer’s connection log records the proxy’s IP, not ours. Some proxy software does not hide the IP fully in this respect: when forwarding our request to the other side, some proxies add our IP to the HTTP header. Examining that header reveals who really made the connection, even though the log names the proxy. There is another danger in hiding your IP address with a proxy: your IP address, and the destination it was forwarded to, are held in the proxy’s logs. So the target computer’s admin can find you by applying to the proxy server for its logs.
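As an added example (not code from the original post), this is how the target admin described above can work out who really made a request that arrived through a proxy. X-Forwarded-For is the usual header a proxy adds; the trusted proxy address and the request are constructed, and the key point is that the header proves nothing unless the connection itself came from a proxy you trust.

```python
# Added example, not from the original post: work out who really made a request that
# arrived through a forwarding proxy, the way the target admin examining logs would.
# X-Forwarded-For is the usual header a proxy adds; the trusted proxy address and the
# request below are constructed.
TRUSTED_PROXIES = {"203.0.113.9"}   # assumption: proxies we know append the caller's address

def parse_headers(raw):
    """(name, value) pairs from a raw HTTP request, names lower-cased, up to the blank line."""
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def forwarded_chain(raw):
    """All X-Forwarded-For entries in order, however many headers carried them."""
    chain = []
    for name, value in parse_headers(raw):
        if name == "x-forwarded-for":
            chain += [v.strip() for v in value.split(",") if v.strip()]
    return chain

def origin_of(peer_ip, raw):
    """peer_ip is the address the TCP connection really came from (what the access log shows).
    Returns (origin, hops, trusted): origin is the best-supported client address."""
    chain = forwarded_chain(raw)
    if peer_ip not in TRUSTED_PROXIES:
        # Any client can type its own X-Forwarded-For, so from a stranger it proves nothing.
        return peer_ip, chain, False
    # A proxy appends the address it saw; the last entry is the hop that reached it.
    origin = chain[-1] if chain else peer_ip
    return origin, chain + [peer_ip], True

REQUEST = ("GET / HTTP/1.1\r\nHost: mytarget\r\nVia: 1.1 myproxy\r\n"
           "X-Forwarded-For: 198.51.100.7\r\n\r\n")
```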

If we want to spoof our IP address for connections other than web surfing, we can use a SOCKS server for other TCP connections. A SOCKS server usually accepts connections on port 1080 and offers the user many more options than a proxy server. Using a SOCKS server you can connect to any server that accepts TCP connections, such as telnet, ftp or IRC. After making a TCP connection, our system communicates with the SOCKS server using the socks protocol. Example:

mysystem: 1075 -> mysocks: 1080
mysocks: 1043 -> mytarget: ftp

Like the proxy, the SOCKS server is first connected to by our system. Our system then tells the SOCKS server, in the socks protocol, which connection it wants help with. The SOCKS server connects to the target computer in place of our system. In this way the target computer again only sees the SOCKS server’s IP address. The target server can check for this IP spoofing method: before accepting a connection request it checks whether the request comes from a SOCKS server, and if it does, it does not accept the connection. You can see this check especially on IRC servers that prohibit IP spoofing through SOCKS servers.
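The following added example (not code from the original post) shows the SOCKS4 CONNECT exchange in bytes, both the request our system sends and the server’s reply, together with the check an IRC server can run on a connecting client: speak SOCKS to the client’s port 1080 and see whether a grant comes back. The sockets are replaced by constructed byte strings so it runs offline, and the server’s port policy is constructed.

```python
# Added example, not from the original post: the SOCKS4 CONNECT exchange between our
# system and a SOCKS server, as bytes, plus the check an IRC server can run on a client:
# speak SOCKS to the client's port 1080 and see whether a grant comes back.
# Sockets are replaced by constructed byte strings so it runs offline.
import socket
import struct

SOCKS4, CMD_CONNECT = 4, 1
GRANTED, REJECTED = 0x5A, 0x5B       # CD values in the server's reply

def connect_request(dst_ip, dst_port, userid=b""):
    """Client -> SOCKS server: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    header = struct.pack("!BBH4s", SOCKS4, CMD_CONNECT, dst_port, socket.inet_aton(dst_ip))
    return header + userid + b"\x00"

def parse_request(data):
    """SOCKS server side: decode a CONNECT into (dst_ip, dst_port, userid) or raise."""
    if len(data) < 9 or data[0] != SOCKS4 or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    port, ip = struct.unpack("!H4s", data[2:8])
    userid, nul, _ = data[8:].partition(b"\x00")
    if not nul:
        raise ValueError("USERID is not NUL-terminated")
    return socket.inet_ntoa(ip), port, userid

def reply(granted):
    """SOCKS server -> client: VN=0, CD=90 granted / 91 rejected; port and IP unused."""
    return struct.pack("!BBH4s", 0, GRANTED if granted else REJECTED, 0, b"\x00" * 4)

def open_socks_server(data, allowed_ports=(6667,)):
    """A relay that only forwards to allowed ports (constructed policy) and answers accordingly."""
    try:
        _, port, _ = parse_request(data)
    except ValueError:
        return b""                       # not SOCKS: a real SOCKS server would just close
    return reply(port in allowed_ports)

def client_is_open_proxy(response):
    """The IRC server's verdict on what came back from client:1080 after a CONNECT probe."""
    return len(response) >= 8 and response[0] == 0 and response[1] == GRANTED
```

A host that answers the probe with a grant is relaying for anyone, which is what the IRC server rejects; a plain client answering with anything else, or nothing, passes the check.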

Manipulating IP Packets

Manipulating packets is the most effective IP spoofing method, and it takes a lot more work than the simple proxy/socks method. If you have advanced TCP/IP knowledge, the idea of editing IP packets is not foreign to you: if you edit the source address of IP packets, you get spoofed IP packets. I will not explain the structures of UDP/TCP/ICMP/IGMP packets and the 3-way handshake in detail here; I only talk about what becomes possible by manipulating IP packets, and how.


IP spoofing is usually done when a TCP connection is not needed, in DoS attacks, to prevent the source from being determined. DoS attack tools such as CODE, jolt and papasmurf change the source address of the packets they send, so the confidentiality of the source is provided. The source code of these programs, written for Linux, can be found at the address.

TCP Session Hijacking:

In some cases in hacking we may need to connect to the target server with an address other than our own IP address. For example, suppose we want to get into a web server. The company’s sysadmin allows the customers who buy the static IP address xxxx to update files on the server over the local network and a leased line. So the firewall in front of the web server lets only requests coming from the address xxxx reach the FTP server port. In such a case a hacker, even knowing the ftp root/admin password, needs to have the IP address xxxx to enter the system. To achieve this, a fake connection with the IP address xxxx must be created on the hacker’s system. Here our problem arises: we can change the source address of the packets we send by manipulating them, but where will the server send its answers to the packets it receives? Of course, the server’s response will be sent to the fake IP address we provided. Assuming you know how the TCP protocol controls a connection, I think you can guess how difficult it is under such a condition to send the server the correct answers (with the right Seq# and Ack#s) to packets we cannot receive.

mysystem (spoofed packet, source xxxx: 1027) -> target: 80
target: 1405 -> xxxx: 1027

If we give the correct answers to the incoming packets (which are lost to us), we create a fake session; this is called session hijacking. The spoofing done in hijacking is divided into two kinds, blind spoof and active spoof. Suppose the xxxx address in the example is a machine on your local network. In that case the packets sent to the xxxx address can be captured with the sniff method; after learning the seq# and ack#s, you resend spoofed packets to the target machine and the fake session works without error. Capturing the incoming packets with a sniffer is called active spoof. But if the packets sent to the xxxx address cannot be captured with a sniffer, i.e. if it is not on your local network or a switch is used on the network instead of a hub, then you need to do a blind spoof. In a blind spoof you need to find the seq# number of the packet sent to the server by trial and error. If you search the Internet for the words “IP Spoofing” you will reach these resources. Do not ask me for them in vain.


About The Author

I am an Ethical Hacker, Penetration Tester, and Security Professional. I am an OWASP International Member. I have previous experience working with big corporates, governments and well-funded startups. My company SECUPENT () is a multiple award-winning Cyber Security and Outsourcing Company. I can not only save you from known vulnerabilities, but also protect you from 0day exploits and attacks from 3rd party threats.
