Tcp Syn Portscan with Winpcap and Raw Sockets

Port scanning searches for open ports on a remote system. The basic logic of a port scanner is to connect to the port we want to check: if the socket gives a valid connection without any error, the port is open; otherwise it is closed (or inaccessible, or filtered).

This basic technique is called TCP Connect port scanning: we loop over the ports, connect to them one by one and check for a valid connection on the socket. But this technique has two major drawbacks.

It is slow as well as detectable. Slow because connect() takes some time to return for every port, and detectable because each completed connection leaves an entry in the firewall logs of the remote system.

TCP SYN port scanning is a technique that aims to cure both problems. It relies on the handshake that takes place while establishing a connection. The scanner sends a SYN packet and waits for a SYN+ACK reply. If such a reply is received, the port is open; otherwise keep waiting until the timeout and report the port as closed. Quite simple! In the TCP connect technique the connect() function sends an ACK after receiving the SYN+ACK, which establishes a complete connection. In SYN scanning the complete connection is never made. This results in:
1. Faster scans
2. Incomplete connections, so less detectable

TCP Connect port scan looks like:

You -> send SYN packet -> Host:port
Host -> send SYN/ACK packet -> You
You -> send ACK packet -> Host
… and the connection is established

TCP SYN port scan looks like:
You -> send SYN packet -> Host:port
Host -> send SYN/ACK packet, RST packet or nothing, depending on the port status -> You
… stop and analyse the reply the host sent: if SYN/ACK then the port is open, closed/filtered otherwise.

The results are almost as accurate as those of a TCP connect scan, and the scan is much faster.

So the process is:
1. Send a SYN packet to a port A
2. Wait for a SYN+ACK reply until the timeout
3. A SYN+ACK reply means the port is open, an RST packet means the port is closed, and otherwise it might be inaccessible or in a filtered state.

Coding>>

We shall code a TCP SYN port scanner on Windows using the Winsock API. The tools we need are:
VC++ 6.0, WinPcap and Ethereal (optional, for better understanding).

WinPcap is a raw packet driver for the Windows platform with features for sniffing (packet capturing) and sending raw packets.

Now onto the program logic.

1. Take a hostname to scan.
2. Start a WinPcap sniffer thread which sniffs all incoming packets and picks out those that come from the hostname and are SYN+ACK packets.
3. Start sending SYN packets to the ports in a loop. To build SYN packets we need the raw packet feature of WinPcap.
4. If the sniffer thread receives a SYN/ACK packet from the host, read the source port of that packet and report that port as open.
5. Keep looping as long as you have nothing else to do.
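The program logic above has an analysis half (step 4 and step 3 of the process: read the flags and source port of a captured TCP header and classify the port) and a detectability claim (a SYN scan never completes the handshake). The following C program is an added example, not the author's forthcoming code and not WinPcap or Winsock code: it parses the fixed 20-byte TCP header as a sniffer thread would see it, applies the article's SYN+ACK/RST/nothing rule, and then shows the defender's view of the same traffic by counting handshakes that a source started with a SYN but never finished with an ACK, which is exactly what separates a SYN scan from a connect() scan in a capture. All packet bytes and scenarios are constructed for the example, and the function and struct names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits as they appear in byte 13 of the TCP header. */
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10

/* The fields a SYN-scan sniffer (or a detector) actually needs from a header. */
struct tcp_view { uint16_t src_port; uint16_t dst_port; uint8_t flags; };

enum port_state { PORT_OPEN = 0, PORT_CLOSED = 1, PORT_FILTERED = 2 };

/* Parse the fixed 20-byte TCP header: ports in network byte order, flags in byte 13.
 * Returns 0 on success, -1 if the buffer is too short to hold a header. */
int parse_tcp_header(const uint8_t *buf, size_t len, struct tcp_view *out)
{
    if (buf == NULL || len < 20) return -1;
    out->src_port = (uint16_t)((buf[0] << 8) | buf[1]);
    out->dst_port = (uint16_t)((buf[2] << 8) | buf[3]);
    out->flags    = buf[13];
    return 0;
}

/* The article's rule: SYN+ACK means open, RST means closed, anything else
 * (including no reply before the timeout, passed here as NULL) means filtered. */
enum port_state classify_reply(const struct tcp_view *reply)
{
    if (reply == NULL) return PORT_FILTERED;
    if ((reply->flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)) return PORT_OPEN;
    if (reply->flags & TCP_RST) return PORT_CLOSED;
    return PORT_FILTERED;
}

/* Parse a raw header and classify it; -1 if it cannot be parsed. */
int classify_raw(const uint8_t *buf, size_t len)
{
    struct tcp_view v;
    if (parse_tcp_header(buf, len, &v) != 0) return -1;
    return (int)classify_reply(&v);
}

/* Constructed sample headers (not real captures): replies from ports 80/81 to our port 40000. */
const uint8_t SAMPLE_SYNACK[20] = { 0x00,0x50, 0x9C,0x40, 0,0,0,0, 0,0,0,0, 0x50,0x12, 0xFF,0xFF, 0,0, 0,0 };
const uint8_t SAMPLE_RST[20]    = { 0x00,0x51, 0x9C,0x40, 0,0,0,0, 0,0,0,0, 0x50,0x04, 0x00,0x00, 0,0, 0,0 };

/* Defender side. A connect() scan completes every handshake; a SYN scan never sends the
 * final ACK. So "ports that got a SYN from one source but never the completing ACK" is
 * the signal to count. The tracker holds the outbound packets of one suspected source. */
#define MAX_TRACKED 64
struct syn_tracker { uint16_t port[MAX_TRACKED]; int completed[MAX_TRACKED]; int n; };

static int tracker_find(const struct syn_tracker *t, uint16_t port)
{
    for (int i = 0; i < t->n; i++) if (t->port[i] == port) return i;
    return -1;
}

void observe_outbound(struct syn_tracker *t, const struct tcp_view *pkt)
{
    int i = tracker_find(t, pkt->dst_port);
    if ((pkt->flags & TCP_SYN) && !(pkt->flags & TCP_ACK)) {          /* bare SYN: attempt */
        if (i < 0 && t->n < MAX_TRACKED) { t->port[t->n] = pkt->dst_port; t->completed[t->n] = 0; t->n++; }
    } else if ((pkt->flags & TCP_ACK) && !(pkt->flags & TCP_SYN)) {   /* ACK: completed */
        if (i >= 0) t->completed[i] = 1;
    }
}

/* Number of destination ports that received a SYN but never the completing ACK. */
int half_open_count(const struct syn_tracker *t)
{
    int c = 0;
    for (int i = 0; i < t->n; i++) if (!t->completed[i]) c++;
    return c;
}

/* Constructed scenario: one source sends bare SYNs to ports 20..25 and never completes. */
int demo_syn_scan_half_open(void)
{
    struct syn_tracker t = { {0}, {0}, 0 };
    for (uint16_t p = 20; p <= 25; p++) {
        struct tcp_view syn = { 40000, p, TCP_SYN };
        observe_outbound(&t, &syn);
    }
    return half_open_count(&t);
}

/* Constructed scenario: the same source completes a normal handshake to port 22. */
int demo_connect_half_open(void)
{
    struct syn_tracker t = { {0}, {0}, 0 };
    struct tcp_view syn = { 40000, 22, TCP_SYN };
    struct tcp_view ack = { 40000, 22, TCP_ACK };
    observe_outbound(&t, &syn);
    observe_outbound(&t, &ack);
    return half_open_count(&t);
}

int main(void)
{
    printf("SYN+ACK sample -> %d (0 = open)\n", classify_raw(SAMPLE_SYNACK, sizeof SAMPLE_SYNACK));
    printf("RST sample     -> %d (1 = closed)\n", classify_raw(SAMPLE_RST, sizeof SAMPLE_RST));
    printf("no reply       -> %d (2 = filtered)\n", (int)classify_reply(NULL));
    printf("half-open ports after SYN sweep: %d\n", demo_syn_scan_half_open());
    printf("half-open ports after connect(): %d\n", demo_connect_half_open());
    return 0;
}
```

Two design points worth noting. The parser refuses anything shorter than 20 bytes before touching the flag byte, so a truncated capture cannot be misread as a reply; and the detector counts distinct destination ports rather than packets, so a retransmitted SYN to one port does not look like a sweep. In a real capture you would also apply the timeout from step 2 to the detector, since a legitimate client that is merely slow to ACK looks half-open for a moment.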
The Code

Coming Soon…


One Response to “Tcp Syn Portscan with Winpcap and Raw Sockets”

  1. I really admire your simple and logical roadmap about "Tcp Syn Portscan".
    I desire the project source code, because of a simple test.
    Could you send it to me (jinxinliu@gmail.com)? I'm very appreciative of that; it will be a great thanks. Thank you.
