GAQM Updated CEH-001 Exam Questions and Answers by harlie

When running a XMAS Scan, if a RST packet is received, the port is considered closed, while no response means it is open|filtered. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400.

A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection. Otherwise an error code is returned.

Example of a three-way handshake followed by a reset:

SourceDestinationSummary

[192.168.0.8][192.168.0.10]TCP: D=80 S=49389 SYN SEQ=3362197786 LEN=0 WIN=5840

[192.168.0.10] [192.168.0.8] TCP: D=49389 S=80 SYN ACK=3362197787 SEQ=58695210 LEN=0 WIN=65535

[192.168.0.8][192.168.0.10]TCP: D=80 S=49389 ACK=58695211 WIN<<2=5840

[192.168.0.8][192.168.0.10]TCP: D=80 S=49389 RST ACK=58695211 WIN<<2=5840

The system is reachable as an active directory domain controller (port 389, LDAP)

The script being depicted is in perl (both msadc.pl and the script their using as a wrapper) -- $port, $your, $user, $pass, $host are variables that hold the port # of a DNS server, an IP, username, and FTP password. $host is set to argument variable 0 (which means the string typed directly after the command). Essentially what happens is it connects to an FTP server and downloads nc.exe (the TCP/IP swiss-army knife -- netcat) and uses nc to open a TCP port spawning cmd.exe (cmd.exe is the Win32 DOS shell on NT/2000/2003/XP), cmd.exe when spawned requires NO username or password and has the permissions of the username it is being executed as (probably guest in this instance, although it could be administrator). The #'s in the script means the text following is a comment, notice the last line in particular, if the # was removed the script would spawn a connection to itself, the host system it was running on.