-=[Port Check Through TCP SEQ Number Looping : HPing]=-
=======================================================

Triosec , SecNiche Security

As discussed earlier, the TCP sequence number is one of the crucial parts of packet crafting. During a penetration test it is advisable to extract as much information about the target as possible with the minimum of intrusive traffic.

============
Discussion
============

The point of discussion is checking port status from the TCP sequence number carried in the target's reply. It is a reliable technique for determining port state. A fully decoded response will of course show the reply flags directly; the point here is that looking at the sequence number alone is already enough to tell an open port from a closed one. We are going to demonstrate this by crafting packets with hping2 and dumping the sequence number of every reply.

Our target is to check the ports in the range [18-25], so we craft a SYN probe whose destination port is incremented on every packet:

[~/oknock] 0 % hping2 -S -r 172.31.1.10 -p ++18 -M 4000 -J -Q
HPING 172.31.1.10 (eth0 172.31.1.10): S set, 40 headers + 0 data bytes
0 +0 E..(.4.............f............ P...:.........
0 +0 E..(.5.............f............ P...:.........
0 +0 E..(.6.............f............ P...:.........
3997206322 +3997206322 E..,.7@............f.....@.2.... .@.l.........
0 +297760973 E..(.8.............f............ P...:.........
0 +0 E..(.9.............f............ P...:.........
0 +0 E..(.:.............f............ P...:.........
0 +0 E..(.;.............f............ P...:.........

--- 172.31.1.10 hping statistic ---
13 packets tramitted, 13 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.4/0.9 ms

The options do the following: -S sets the SYN flag; -p ++18 sends the first probe to port 18 and increments the destination port by one for every following packet; -M 4000 sets our own sequence number to 4000; -Q prints only the sequence number of each reply together with its increment over the previous reply; -J dumps the printable characters of each reply, which is where the "E..(" text after every line comes from (0x45, 'E', is the first byte of an IPv4 header); -r prints the IP id field relative to the previous one. The listing shows the first eight replies (ports 18 to 25) of the 13 probes sent.

Looking at the replies, the fourth packet is the only one showing a non-zero sequence number. Counting from ++18, the fourth probe went to port 21, and the reply is a SYN/ACK carrying the target's initial sequence number (3997206322). Note that the three-way handshake is not completed: hping2 sends from a raw socket, so the scanning host's kernel answers the unsolicited SYN/ACK with a RST, exactly as a SYN scan does.

This reliably shows the open state of port 21, whereas the rest of the ports show 0, which means a RST/ACK was sent in response: a RST answering a SYN carries sequence number 0. A port that is filtered would produce no reply and therefore no line at all, which silently shifts every later line by one port, so the packet counts in the statistic line should be compared with the number of reply lines before trusting the line-to-port mapping.

Let us confirm whether port 21 is open or not.

[~/oknock] 0 % nmap -P0 172.31.1.10 -p 21 -A --max-retries 4
Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-02 15:13 IST
Interesting ports on iws10.iiita.ac.in (172.31.1.10):
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd

The nmap scan confirms the result. So simple TCP SEQ looping with an incrementing port number gives reliable information about port status.

Let us cross-check with an R packet:

[~/oknock] 0 % hping2 -R -r 172.31.1.10 -p ++18 -M 4000 -J -Q
HPING 172.31.1.10 (eth0 172.31.1.10): R set, 40 headers + 0 data bytes

--- 172.31.1.10 hping statistic ---
11 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Still no response, and of course nothing is sent back when the only flag set is "R": a host never answers a RST segment, whatever the state of the port, so a RST probe carries no information about port status and the 100% loss here is expected rather than a sign of filtering.

---- 0kn0ck
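As an added example that is not part of the original note: a small parser that turns hping2 -Q output into per-port status the way the note reads it by hand. The transcript embedded in it is constructed to match the listing above, with a statistic line written for eight probes so that the sample is internally consistent; the rule applied is the one stated above (non-zero sequence number = SYN/ACK = open, zero = RST/ACK = closed), and the script refuses to map lines to ports when the statistic line shows unanswered probes, because a filtered port prints nothing and shifts every later line. The function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample transcript, modelled on the hping2 -S -p ++18 -Q -J
# listing in the note; the statistic line is written for 8 probes so the
# sample is internally consistent (it is not the original output).
SAMPLE = """\
HPING 172.31.1.10 (eth0 172.31.1.10): S set, 40 headers + 0 data bytes
0 +0 E..(.4.............f............ P...:.........
0 +0 E..(.5.............f............ P...:.........
0 +0 E..(.6.............f............ P...:.........
3997206322 +3997206322 E..,.7@............f.....@.2.... .@.l.........
0 +297760973 E..(.8.............f............ P...:.........
0 +0 E..(.9.............f............ P...:.........
0 +0 E..(.:.............f............ P...:.........
0 +0 E..(.;.............f............ P...:.........

--- 172.31.1.10 hping statistic ---
8 packets tramitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.4/0.9 ms
"""

# Same run with the probe to port 20 dropped by a filter: hping2 prints
# no line for it, so only 7 reply lines appear although 8 probes went out.
SAMPLE_FILTERED = SAMPLE.replace(
    "0 +0 E..(.6.............f............ P...:.........\n", "", 1
).replace("8 packets received", "7 packets received")

# A -Q reply line is "<seq> +<increment>", optionally followed by the
# printable dump that -J appends.
REPLY_RE = re.compile(r"^(\d+) \+(\d+)(?:\s|$)")
# hping2 really spells it "tramitted" in its statistic line.
STAT_RE = re.compile(r"^(\d+) packets tramitted, (\d+) packets received")


def parse_replies(text: str) -> List[Tuple[int, int]]:
    """Return (sequence number, increment) for every reply line, in order."""
    out = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2))))
    return out


def parse_stats(text: str) -> Tuple[int, int]:
    """Return (packets transmitted, packets received) from the statistic line."""
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            return int(m.group(1)), int(m.group(2))
    raise ValueError("no hping statistic line found")


def classify_ports(text: str, base_port: int) -> Dict[int, str]:
    """Map the i-th reply to port base_port + i and read its state from seq.

    A SYN/ACK carries the target's ISN (non-zero); a RST/ACK answering a SYN
    carries sequence number 0.  The mapping is positional, so it is only
    trustworthy when every probe was answered.
    """
    sent, received = parse_stats(text)
    replies = parse_replies(text)
    if received != sent or len(replies) != sent:
        raise ValueError(
            f"{sent - len(replies)} probe(s) unanswered; reply lines no longer "
            "line up with ports, re-probe suspect ports one at a time (-p PORT)"
        )
    return {
        base_port + i: ("open" if seq != 0 else "closed")
        for i, (seq, _increment) in enumerate(replies)
    }


if __name__ == "__main__":
    for port, state in sorted(classify_ports(SAMPLE, 18).items()):
        print(f"{port}/tcp {state}")
```

Only the absolute sequence number is used for the decision; the "+increment" column is hping2's running difference between consecutive replies (it wraps modulo 2^32 after the SYN/ACK), which is what -Q was written for, namely ISN sampling, and says nothing about the port.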