There are several ways to perform a port scan using iptables. The most popular ones are ICMP (Internet Control Message Protocol) and Maimon. Depending on your needs, you can use a combination of these methods. This article covers ICMP, FIN, Maimon, SYN/FIN and NULL scans.
ICMP (Internet Control Message Protocol)
ICMP (Internet Control Message Protocol), also known as TCP or UDP, is a protocol that is used to scan ports and monitor network connections. It is a standard for sending and receiving messages over the Internet. It can be turned on or off quickly. It is also used for troubleshooting purposes and can be useful for network administrators. Using ICMP can be a beneficial tool when a network is experiencing trouble, especially when it is difficult to identify the cause of a problem.
To scan a port with ICMP, first determine which type of port you’re trying to scan. SYN-ACK responses indicate potential open ports, while RST responses indicate closed ports. If no response is received, the port is closed and is most likely not being used by a live computer. An ICMP error response, like no response at all, can also be treated as a filtered port. ICMP half-open scans are similar to TCP half-open scans. They are useful for finding web servers that don’t respond to ICMP probes.
FIN
The iptables port scan FIN command scans a TCP port by sending it a packet with the FIN flag set. This is similar to the XMAS scan, but uses the FIN flag in place of the PSH and URG flags. The FIN port scan can be used in TCP connection, enumeration, or advanced scan mode.
FIN scans are not as noticeable to firewalls as SYN scans, which are typically used to end a connection. This type of scan sends a packet with all flags set to indicate whether the port is open or closed. Usually, a firewall will look for a SYN packet, which is the most obvious type of packet. FIN scans, however, do not send a SYN or RST packet.
FIN scans rely on the principle that an orphaned FIN packet should not be acknowledged by the destination. However, if the port is closed, the scanner should receive an RST packet. Therefore, a FIN scan sends a single FIN packet to each target port and waits for any replies to trickle back.
Maimon
The Maimon iptables port scan is a technique that leverages an implementation detail of certain systems to detect open and closed ports. It is named after Uriel Maimon, who first described the method in Phrack Magazine issue #49 in November 1996. Two years later, Nmap added this technique to its port-scanning capabilities. Using the -sM flag in Nmap, one can perform a Maimon scan on any port; the probe carries two flags, FIN and ACK.
The IP ID of the zombie should increase by one or two, and if it does not, then that port is probably closed. Otherwise, the zombie may have ignored the RST packet from the target and sent no packets. If, on the other hand, an extra packet is received, then the port is open.
SYN/FIN
Iptables has several features that can help you with port scanning. The first is a FIN scan, which sends an unsolicited packet with the FIN flag set to the port in question. The system’s response can reveal a lot about the state of the port and firewall. If the port is closed, it will send back an RST response, while an open port will ignore the FIN packet. The second feature is the XMAS scan, which sends a series of flags to the port. The responses can then be interpreted to help you with port analysis.
The third feature of the iptables port scan is its ability to detect known vulnerabilities. This feature works by sending TCP packets with the SYN/FIN flags set to the target system. The target system responds by dropping packets destined for open ports and sending back RST/ACK responses for closed ports. This method is useful for bypassing older IDS systems.
NULL
If you want to scan a port without a flag, you can use the NULL flag in iptables. This sends a TCP segment without a header or any other information. It’s similar to the XMAS scan, which sends a TCP packet with no flags.
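The FIN, Maimon, SYN/FIN and NULL sections above all describe probes whose TCP flag combination never occurs in a legitimate connection, which is exactly what a host firewall can key on. The script below is an added example and is not code from the original article: it builds a SCAN_DETECT chain that logs and drops each of those signatures, routes only non-established TCP traffic through it (so a FIN/ACK that closes a real session is never touched), and ends with the classic catch-all that drops any new connection not beginning with a SYN. It assumes a Linux host with iptables and the conntrack match; the chain name, the log prefixes and the `scan_label` helper are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original article. Installs iptables rules
# that log and drop the probe flag combinations discussed above (NULL, FIN,
# XMAS, all-flags, SYN/FIN and Maimon FIN/ACK) and finishes with the usual
# catch-all for any new TCP connection that does not begin with a SYN.
# Assumptions: Linux with iptables and the conntrack match; the chain name
# SCAN_DETECT and the log prefixes are this example's own choices.
set -eu

# scan_label FLAGS
#   FLAGS is the flag set of a probe in iptables spelling (NONE, FIN,
#   FIN,PSH,URG, ...). Prints the label used in the log prefix and returns 0,
#   or returns 1 when the combination is not one of the known signatures.
scan_label() {
  case "$1" in
    NONE)        echo NULL ;;      # no flags at all
    FIN)         echo FIN ;;       # lone FIN, no ACK
    FIN,PSH,URG) echo XMAS ;;      # the Nmap -sX combination
    ALL)         echo ALLSET ;;    # every flag lit
    SYN,FIN)     echo SYNFIN ;;    # contradictory open+close
    FIN,ACK)     echo MAIMON ;;    # FIN/ACK outside any connection
    *)           return 1 ;;
  esac
}

# install_scan_rules [IPTABLES_CMD]
#   Builds a SCAN_DETECT chain with one rate-limited LOG and one DROP per
#   signature, sends every TCP packet that is not part of an ESTABLISHED
#   connection through it, then adds the catch-all rule. Pass "echo" as the
#   command to print the rules instead of applying them (dry run).
install_scan_rules() {
  ipt="${1:-iptables}"

  "$ipt" -N SCAN_DETECT 2>/dev/null || "$ipt" -F SCAN_DETECT

  # each entry is "<mask> <flags that must be set>" for --tcp-flags
  for sig in "ALL NONE" "ALL FIN" "ALL FIN,PSH,URG" "ALL ALL" \
             "SYN,FIN SYN,FIN" "ALL FIN,ACK"; do
    set -- $sig                        # $1 = mask, $2 = flags
    label="$(scan_label "$2")"
    "$ipt" -A SCAN_DETECT -p tcp --tcp-flags "$1" "$2" \
      -m limit --limit 5/min --limit-burst 10 \
      -j LOG --log-prefix "SCAN_$label: "
    "$ipt" -A SCAN_DETECT -p tcp --tcp-flags "$1" "$2" -j DROP
  done

  # Only packets that do not belong to an established connection are
  # inspected, so a normal FIN/ACK teardown never hits the MAIMON rule.
  "$ipt" -I INPUT 1 -p tcp -m conntrack ! --ctstate ESTABLISHED -j SCAN_DETECT

  # Anything else that tries to open a connection without a SYN is bogus.
  "$ipt" -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
}

# "sh scan_rules.sh install" applies the rules; "sh scan_rules.sh dry-run"
# prints them (the file name is hypothetical).
case "${1:-}" in
  install) install_scan_rules ;;
  dry-run) install_scan_rules echo ;;
esac
```

The `-m limit` on each LOG rule keeps a fast scan from flooding the kernel log, while the DROP rule that follows it is unlimited. Because FIN/ACK is a normal part of a TCP close, the Maimon signature is only safe to drop once the conntrack state check has excluded established sessions; without that guard the same rule would break every legitimate connection teardown.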
There are several options you can use in iptables. For instance, if you want to scan for IP addresses, you can specify them with the -t option. You can also specify which packet-matching table you want to use with -t. You should choose a name that is long enough to distinguish it from other options.
You can send a data length of between one byte and 100 bytes. However, it’s important to note that some systems don’t follow this standard and send RST responses regardless of whether the port is open. For example, Microsoft Windows, many Cisco devices, and IBM OS/400 all send RST responses irrespective of whether the port is open or closed. Nmap’s OS detection tests for this quirk.