Control Bits: 6 bits (from left to right):

    U  URG: Urgent Pointer field significant
    A  ACK: Acknowledgment field significant
    P  PSH: Push Function
    R  RST: Reset the connection
    S  SYN: Synchronize sequence numbers
    F  FIN: No more data from sender

Normal ftp connection:
========================

tcpdump -x -s 3000 -l host firewall and port 21 | tcpf
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
08:29:29.560053 eth0 < iegatea0.ie.cuhk.edu.hk.4338 > ntec5.ie.cuhk.edu.hk.ftp: S 1701985851:1701985851(0) win 32120 (DF)
    4500 003c 8027 4000 4006 e1da 89bd 61ea  E..<.'@.@.....a.
    89bd 6355 10f2 0015 6572 3e3b 0000 0000  ..cU....er>;....
    a002 7d78 e626 0000 0204 05b4 0402 080a  ..}x.&..........
    012b 55ce 0000 0000 0103 0300            .+U.........
08:29:29.560308 eth0 > ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.4338: S 1655124700:1655124700(0) ack 1701985852 win 30660 (DF)
    4500 003c d583 4000 4006 8c7e 89bd 6355  E..<..@.@..~..cU
    89bd 61ea 0015 10f2 62a7 32dc 6572 3e3c  ..a.....b.2.er><
    a012 77c4 2311 0000 0204 05b4 0402 080a  ..w.#...........
    039f 2f96 012b 55ce 0103 0300            ../..+U.....
08:29:29.560476 eth0 < iegatea0.ie.cuhk.edu.hk.4338 > ntec5.ie.cuhk.edu.hk.ftp: . 1:1(0) ack 1 win 32120 (DF)
    4500 0034 8028 4000 4006 e1e1 89bd 61ea  E..4.(@.@.....a.
    89bd 6355 10f2 0015 6572 3e3c 62a7 32dd  ..cU....er>
 ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.4338: P 1:81(80) ack 1 win 31856 (DF) [tos 0x10]
    4510 0084 d58c 4000 4006 8c1d 89bd 6355  E.....@.@.....cU
    89bd 61ea 0015 10f2 62a7 32dd 6572 3e3c  ..a.....b.2.er><
    8018 7c70 e39e 0000 0101 080a 039f 2f99  ..|p........../.
    012b 55ce 3232 3020 6e74 6563 3520 4654  .+U.220 ntec5 FT
    5020 7365 7276 6572 2028 5665 7273 696f  P server (Versio
    6e20 7775 2d32 2e36 2e30 2831 2920 4d6f  n wu-2.6.0(1) Mo
    6e20 4665 6220 3238 2031 303a 3330 3a33  n Feb 28 10:30:3
    3620 4553 5420 3230 3030 2920 7265 6164  6 EST 2000) read
    792e 0d0a                                y...
08:29:29.590463 eth0 < iegatea0.ie.cuhk.edu.hk.4338 > ntec5.ie.cuhk.edu.hk.ftp: . 1:1(0) ack 81 win 32120 (DF) [tos 0x10]
    4510 0034 802b 4000 4006 e1ce 89bd 61ea  E..4.+@.@.....a.
    89bd 6355 10f2 0015 6572 3e3c 62a7 332d  ..cU....er>
 ntec5.ie.cuhk.edu.hk.ftp: P 1:13(12) ack 81 win 32120 (DF) [tos 0x10]
    4510 0040 8037 4000 4006 e1b6 89bd 61ea  E..@.7@.@.....a.
    89bd 6355 10f2 0015 6572 3e3c 62a7 332d  ..cU....er>
 ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.4338: . 81:81(0) ack 13 win 31856 (DF) [tos 0x10]
    4510 0034 d58e 4000 4006 8c6b 89bd 6355  E..4..@.@..k..cU
    89bd 61ea 0015 10f2 62a7 332d 6572 3e48  ..a.....b.3-er>H
    8010 7c70 49fe 0000 0101 080a 039f 30fe  ..|pI.........0.
    012b 5736                                .+W6
08:29:33.161632 eth0 > ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.4338: P 81:115(34) ack 13 win 31856 (DF) [tos 0x10]
    4510 0056 d58f 4000 4006 8c48 89bd 6355  E..V..@.@..H..cU
    89bd 61ea 0015 10f2 62a7 332d 6572 3e48  ..a.....b.3-er>H
    8018 7c70 3373 0000 0101 080a 039f 30fe  ..|p3s........0.
    012b 5736 3333 3120 5061 7373 776f 7264  .+W6331 Password
    2072 6571 7569 7265 6420 666f 7220 7368   required for sh
    6c61 6d2e 0d0a                           lam...
08:29:33.173589 eth0 < iegatea0.ie.cuhk.edu.hk.4338 > ntec5.ie.cuhk.edu.hk.ftp: . 13:13(0) ack 115 win 32120 (DF) [tos 0x10]
    4510 0034 8038 4000 4006 e1c1 89bd 61ea  E..4.8@.@.....a.
    89bd 6355 10f2 0015 6572 3e48 62a7 334f  ..cU....er>Hb.3O
    8010 7d78 48d2 0000 0101 080a 012b 5738  ..}xH........+W8
    039f 30fe                                ..0.

9 packets received by filter

TCP connect() scan
====================

tcpdump -x -s 3000 -l host firewall and port 21 | tcpf
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
08:30:48.705559 eth0 < iegatea0.ie.cuhk.edu.hk.1659 > ntec5.ie.cuhk.edu.hk.ftp: S 1773392341:1773392341(0) win 32120 (DF)
    4500 003c 85c6 4000 4006 dc3b 89bd 61ea  E..<..@.@..;..a.
    89bd 6355 067b 0015 69b3 d1d5 0000 0000  ..cU.{..i.......
    a002 7d78 39d7 0000 0204 05b4 0402 080a  ..}x9...........
    012b 74b9 0000 0000 0103 0300            .+t.........
08:30:48.705616 eth0 > ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.1659: S 1736812573:1736812573(0) ack 1773392342 win 30660 (DF)
    4500 003c dbd3 4000 4006 862e 89bd 6355  E..<..@.@.....cU
    89bd 61ea 0015 067b 6785 a81d 69b3 d1d6  ..a....{g...i...
    a012 77c4 ddb7 0000 0204 05b4 0402 080a  ..w.............
    039f 4e80 012b 74b9 0103 0300            ..N..+t.....
08:30:48.705767 eth0 < iegatea0.ie.cuhk.edu.hk.1659 > ntec5.ie.cuhk.edu.hk.ftp: . 1:1(0) ack 1 win 32120 (DF)
    4500 0034 85c9 4000 4006 dc40 89bd 61ea  E..4..@.@..@..a.
    89bd 6355 067b 0015 69b3 d1d6 6785 a81e  ..cU.{..i...g...
    8010 7d78 06c9 0000 0101 080a 012b 74b9  ..}x.........+t.
    039f 4e80                                ..N.
08:30:48.709908 eth0 < iegatea0.ie.cuhk.edu.hk.1659 > ntec5.ie.cuhk.edu.hk.ftp: F 1:1(0) ack 1 win 32120 (DF)
    4500 0034 85fd 4000 4006 dc0c 89bd 61ea  E..4..@.@.....a.
    89bd 6355 067b 0015 69b3 d1d6 6785 a81e  ..cU.{..i...g...
    8011 7d78 06c8 0000 0101 080a 012b 74b9  ..}x.........+t.
    039f 4e80                                ..N.
08:30:48.709951 eth0 > ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.1659: . 1:1(0) ack 2 win 30660 (DF)
    4500 0034 dc0a 4000 4006 85ff 89bd 6355  E..4..@.@.....cU
    89bd 61ea 0015 067b 6785 a81e 69b3 d1d7  ..a....{g...i...
    8010 77c4 0c7b 0000 0101 080a 039f 4e81  ..w..{........N.
    012b 74b9                                .+t.
08:30:48.914047 eth0 > ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.1659: P 1:81(80) ack 2 win 30660 (DF) [tos 0x10]
    4510 0084 dcc0 4000 4006 84e9 89bd 6355  E.....@.@.....cU
    89bd 61ea 0015 067b 6785 a81e 69b3 d1d7  ..a....{g...i...
    8018 77c4 a2de 0000 0101 080a 039f 4e95  ..w...........N.
    012b 74b9 3232 3020 6e74 6563 3520 4654  .+t.220 ntec5 FT
    5020 7365 7276 6572 2028 5665 7273 696f  P server (Versio
    6e20 7775 2d32 2e36 2e30 2831 2920 4d6f  n wu-2.6.0(1) Mo
    6e20 4665 6220 3238 2031 303a 3330 3a33  n Feb 28 10:30:3
    3620 4553 5420 3230 3030 2920 7265 6164  6 EST 2000) read
    792e 0d0a                                y...
08:30:48.914232 eth0 < iegatea0.ie.cuhk.edu.hk.1659 > ntec5.ie.cuhk.edu.hk.ftp: R 1773392343:1773392343(0) win 0 [tos 0x10]
    4510 0028 86af 0000 ff06 5c56 89bd 61ea  E..(......\V..a.
    89bd 6355 067b 0015 69b3 d1d7 0000 0000  ..cU.{..i.......
    5004 0000 950b 0000 0000 0000 0000       P.............

(The client sent FIN and RST just after the three-way handshake packets)

7 packets received by filter

If the ftp port is closed, the target host will respond with a RST to the scanner:

03:09:54.396198 eth0 < iegatea0.ie.cuhk.edu.hk.2104 > ntec5.ie.cuhk.edu.hk.ftp: S 3972553286:3972553286(0) win 32120 (DF)
    4500 003c 7631 4000 4006 ebd0 89bd 61ea  E..
 ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.2104: R 0:0(0) ack 3972553287 win 0
    4500 0028 1fc6 0000 ff06 c34f 89bd 6355  E..(.......O..cU
    89bd 61ea 0015 0838 0000 0000 ecc8 5a47  ..a....8......ZG
    5014 0000 87b9 0000                      P.......

TCP SYN scan known as "half-open" scanning
==============================================

tcpdump -x -s 3000 -l host firewall and port 21 | tcpf
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
08:32:36.230139 eth0 < iegatea0.ie.cuhk.edu.hk.48637 > ntec5.ie.cuhk.edu.hk.ftp: S 881297155:881297155(0) win 3072
    4500 0028 761b 0000 3a06 31fb 89bd 61ea  E..(v...:.1...a.
    89bd 6355 bdfd 0015 3487 8703 0000 0000  ..cU....4.......
    5002 0c00 518b 0000 0000 0000 0000       P...Q.........
08:32:36.230188 eth0 > ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.48637: S 1841839911:1841839911(0) ack 881297156 win 31624 (DF)
    4500 002c e385 4000 4006 7e8c 89bd 6355  E..,..@.@.~...cU
    89bd 61ea 0015 bdfd 6dc8 3f27 3487 8704  ..a.....m.?'4...
    6012 7b88 20e2 0000 0204 0218            `.{. .......
08:32:36.230333 eth0 < iegatea0.ie.cuhk.edu.hk.48637 > ntec5.ie.cuhk.edu.hk.ftp: R 881297156:881297156(0) win 0
    4500 0028 86db 0000 ff06 5c3a 89bd 61ea  E..(......\:..a.
    89bd 6355 bdfd 0015 3487 8704 0000 0000  ..cU....4.......
    5004 0000 5d88 0000 0000 0000 0000       P...].........

(The three-way handshake is torn down by the RST flag in the third packet)

3 packets received by filter

If the ftp port is closed, the target host will respond with a RST to the scanner:

03:09:13.196068 eth0 < iegatea0.ie.cuhk.edu.hk.50277 > ntec5.ie.cuhk.edu.hk.ftp: S 3656412003:3656412003(0) win 3072
    4500 0028 eae2 0000 2e06 c933 89bd 61ea  E..(.......3..a.
    89bd 6355 c465 0015 d9f0 6b63 0000 0000  ..cU.e....kc....
    5002 0c00 c159 0000 0000 0000 0000       P....Y........
03:09:13.196142 eth0 > ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.50277: R 0:0(0) ack 3656412004 win 0
    4500 0028 1b44 0000 ff06 c7d1 89bd 6355  E..(.D........cU
    89bd 61ea 0015 c465 0000 0000 d9f0 6b64  ..a....e......kd
    5014 0000 cd46 0000                      P....F..

Stealth FIN Scanning
=====================

tcpdump -x -s 3000 -l host firewall and port 21 | tcpf
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
08:33:34.008240 eth0 < iegatea0.ie.cuhk.edu.hk.45248 > ntec5.ie.cuhk.edu.hk.ftp: F 0:0(0) win 1024
    4500 0028 99f2 0000 2c06 1c24 89bd 61ea  E..(....,..$..a.
    89bd 6355 b0c0 0015 0000 0000 0000 0000  ..cU............
    5001 0400 2254 0000 0000 0000 0000       P..."T........
08:33:34.096788 eth0 < iegatea0.ie.cuhk.edu.hk.45249 > ntec5.ie.cuhk.edu.hk.ftp: F 0:0(0) win 1024
    4500 0028 fef9 0000 2c06 b71c 89bd 61ea  E..(....,.....a.
    89bd 6355 b0c1 0015 0000 0000 0000 0000  ..cU............
    5001 0400 2253 0000 0000 0000 0000       P..."S........
08:33:34.826919 eth0 < iegatea0.ie.cuhk.edu.hk.45248 > ntec5.ie.cuhk.edu.hk.ftp: F 0:0(0) win 1024
    4500 0028 8e88 0000 2c06 278e 89bd 61ea  E..(....,.'...a.
    89bd 6355 b0c0 0015 0000 0000 0000 0000  ..cU............
    5001 0400 2254 0000 0000 0000 0000       P..."T........
08:33:34.916918 eth0 < iegatea0.ie.cuhk.edu.hk.45249 > ntec5.ie.cuhk.edu.hk.ftp: F 0:0(0) win 1024
    4500 0028 bfdd 0000 2c06 f638 89bd 61ea  E..(....,..8..a.
    89bd 6355 b0c1 0015 0000 0000 0000 0000  ..cU............
    5001 0400 2253 0000 0000 0000 0000       P..."S........

(The scanner only sends the FIN-flagged packet to the victim; no reply comes back if the port is open)

4 packets received by filter

If the ftp port is closed, the target host will respond with a RST to the scanner:

03:08:36.341029 eth0 < iegatea0.ie.cuhk.edu.hk.35559 > ntec5.ie.cuhk.edu.hk.ftp: F 0:0(0) win 2048
    4500 0028 81eb 0000 2d06 332b 89bd 61ea  E..(....-.3+..a.
    89bd 6355 8ae7 0015 0000 0000 0000 0000  ..cU............
    5001 0800 442d 0000 0000 0000 0000       P...D-........
03:08:36.341278 eth0 > ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.35559: R 0:0(0) ack 0 win 0
    4500 0028 1679 0000 ff06 cc9c 89bd 6355  E..(.y........cU
    89bd 61ea 0015 8ae7 0000 0000 0000 0000  ..a.............
    5014 0000 4c1a 0000                      P...L...

Stealth Xmas Tree Scanning
===========================

tcpdump -x -s 3000 -l host firewall and port 21 | tcpf
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
08:34:30.502449 eth0 < iegatea0.ie.cuhk.edu.hk.59725 > ntec5.ie.cuhk.edu.hk.ftp: FP 0:0(0) win 3072 urg 0
    4500 0028 53f4 0000 3a06 5422 89bd 61ea  E..(S...:.T"..a.
    89bd 6355 e94d 0015 0000 0000 0000 0000  ..cU.M..........
    5029 0c00 e19e 0000 0000 0000 0000       P)............
08:34:30.597610 eth0 < iegatea0.ie.cuhk.edu.hk.59726 > ntec5.ie.cuhk.edu.hk.ftp: FP 0:0(0) win 3072 urg 0
    4500 0028 376b 0000 3a06 70ab 89bd 61ea  E..(7k..:.p...a.
    89bd 6355 e94e 0015 0000 0000 0000 0000  ..cU.N..........
    5029 0c00 e19d 0000 0000 0000 0000       P)............
08:34:30.777562 eth0 < iegatea0.ie.cuhk.edu.hk.59725 > ntec5.ie.cuhk.edu.hk.ftp: FP 0:0(0) win 3072 urg 0
    4500 0028 8ded 0000 3a06 1a29 89bd 61ea  E..(....:..)..a.
    89bd 6355 e94d 0015 0000 0000 0000 0000  ..cU.M..........
    5029 0c00 e19e 0000 0000 0000 0000       P)............
08:34:30.857596 eth0 < iegatea0.ie.cuhk.edu.hk.59726 > ntec5.ie.cuhk.edu.hk.ftp: FP 0:0(0) win 3072 urg 0
    4500 0028 7e48 0000 3a06 29ce 89bd 61ea  E..(~H..:.)...a.
    89bd 6355 e94e 0015 0000 0000 0000 0000  ..cU.N..........
    5029 0c00 e19d 0000 0000 0000 0000       P)............

4 packets received by filter

If the ftp port is closed, the target host will respond with a RST to the scanner:

03:07:40.835169 eth0 < iegatea0.ie.cuhk.edu.hk.57810 > ntec5.ie.cuhk.edu.hk.ftp: FP 0:0(0) win 2048 urg 0
    4500 0028 1099 0000 3906 987d 89bd 61ea  E..(....9..}..a.
    89bd 6355 e1d2 0015 0000 0000 0000 0000  ..cU............
    5029 0800 ed19 0000 0000 0000 0000       P)............
03:07:40.835262 eth0 > ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.57810: R 0:0(0) ack 0 win 0
    4500 0028 10bb 0000 ff06 d25a 89bd 6355  E..(.......Z..cU
    89bd 61ea 0015 e1d2 0000 0000 0000 0000  ..a.............
    5014 0000 f52e 0000                      P.......

Stealth Null Scanning
======================

tcpdump -x -s 3000 -l host firewall and port 21 | tcpf
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
08:35:27.146441 eth0 < iegatea0.ie.cuhk.edu.hk.58977 > ntec5.ie.cuhk.edu.hk.ftp: . 0:0(0) win 4096
    4500 0028 3368 0000 3706 77ae 89bd 61ea  E..(3h..7.w...a.
    89bd 6355 e661 0015 0000 0000 0000 0000  ..cU.a..........
    5000 1000 e0b3 0000 0000 0000 0000       P.............
08:35:27.228245 eth0 < iegatea0.ie.cuhk.edu.hk.58978 > ntec5.ie.cuhk.edu.hk.ftp: . 0:0(0) win 4096
    4500 0028 5774 0000 3706 53a2 89bd 61ea  E..(Wt..7.S...a.
    89bd 6355 e662 0015 0000 0000 0000 0000  ..cU.b..........
    5000 1000 e0b2 0000 0000 0000 0000       P.............
08:35:28.679076 eth0 < iegatea0.ie.cuhk.edu.hk.58977 > ntec5.ie.cuhk.edu.hk.ftp: . 0:0(0) win 4096
    4500 0028 981d 0000 3706 12f9 89bd 61ea  E..(....7.....a.
    89bd 6355 e661 0015 0000 0000 0000 0000  ..cU.a..........
    5000 1000 e0b3 0000 0000 0000 0000       P.............
08:35:28.758461 eth0 < iegatea0.ie.cuhk.edu.hk.58978 > ntec5.ie.cuhk.edu.hk.ftp: . 0:0(0) win 4096
    4500 0028 0ee7 0000 3706 9c2f 89bd 61ea  E..(....7../..a.
    89bd 6355 e662 0015 0000 0000 0000 0000  ..cU.b..........
    5000 1000 e0b2 0000 0000 0000 0000       P.............

4 packets received by filter

If the ftp port is closed, the target host will respond with a RST to the scanner:

tcpdump -x -s 3000 -l host firewall and port 21 | tcpf
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
03:06:55.973446 eth0 < iegatea0.ie.cuhk.edu.hk.35627 > ntec5.ie.cuhk.edu.hk.ftp: . 0:0(0) win 2048
    4500 0028 51fd 0000 2906 6719 89bd 61ea  E..(Q...).g...a.
    89bd 6355 8b2b 0015 0000 0000 0000 0000  ..cU.+..........
    5000 0800 43ea 0000 0000 0000 0000       P...C.........
03:06:55.973944 eth0 > ntec5.ie.cuhk.edu.hk.ftp > iegatea0.ie.cuhk.edu.hk.35627: R 0:0(0) ack 0 win 0
    4500 0028 0a4b 0000 ff06 d8ca 89bd 6355  E..(.K........cU
    89bd 61ea 0015 8b2b 0000 0000 0000 0000  ..a....+........
    5014 0000 4bd6 0000                      P...K...
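
For anyone reviewing captures like the ones above, the flag patterns can be recognised mechanically. The following is an added example, not part of the original page: it parses tcpdump summary lines in the layout shown here and labels each conversation by the sequence of control bits. The host names, ports and sample lines are constructed placeholders, and the function names are hypothetical.

```python
import re

# Layout on this page: time iface </> src > dst: FLAGS seq [ack N] win W [urg N]
LINE = re.compile(r"^\S+ \S+ [<>] (\S+) > (\S+): (\S+) (.*)$")
STEALTH = {frozenset("F"): "FIN", frozenset("FPU"): "Xmas tree", frozenset(): "Null"}

def parse(line):
    """Return (src, dst, flag set) for one summary line, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, dst, flags, rest = m.groups()
    bits = set(flags) - {"."}                  # "." = none of S/F/P/R set
    bits |= {c for c, kw in (("A", "ack"), ("U", "urg")) if re.search(rf"\b{kw} \d+", rest)}
    return src, dst, frozenset(bits)

def label(pkts):
    first = pkts[0][1]                         # pkts: [(sent_by_client, flags)]
    sent = [b for mine, b in pkts if mine]
    reset = any("R" in b for mine, b in pkts if not mine)   # RST from target
    if first in STEALTH:
        return f"{STEALTH[first]} scan, port {'closed' if reset else 'open (no reply)'}"
    if first != {"S"}:
        return "other"
    checks = [
        (reset, "SYN probe, port closed"),
        (any("P" in b for b in sent), "normal session"),
        (len(sent) > 1 and "R" in sent[1], "half-open SYN scan, port open"),
        (any(b & {"F", "R"} for b in sent), "connect() scan, port open"),
    ]
    return next((name for hit, name in checks if hit), "incomplete handshake")

def classify(lines):
    """Group packets per endpoint pair; the first sender is taken as the client."""
    flows = {}
    for src, dst, bits in filter(None, map(parse, lines)):
        client, pkts = flows.setdefault(frozenset((src, dst)), (src, []))
        pkts.append((src == client, bits))
    return {client: label(pkts) for client, pkts in flows.values()}

# Constructed sample lines (placeholder hosts), in the format of the captures above.
SAMPLE = [
    "08:00:00.000001 eth0 < scanner.example.40001 > target.example.ftp: S 100:100(0) win 3072",
    "08:00:00.000002 eth0 > target.example.ftp > scanner.example.40001: S 900:900(0) ack 101 win 31624 (DF)",
    "08:00:00.000003 eth0 < scanner.example.40001 > target.example.ftp: R 101:101(0) win 0",
    "08:00:01.000001 eth0 < scanner.example.40002 > target.example.ftp: FP 0:0(0) win 3072 urg 0",
    "08:00:01.000002 eth0 > target.example.ftp > scanner.example.40002: R 0:0(0) ack 0 win 0",
    "08:00:02.000001 eth0 < scanner.example.40003 > target.example.ftp: . 0:0(0) win 4096",
]
```

`classify(SAMPLE)` returns one label per client endpoint. A FIN, Xmas or Null probe that draws no reply is labelled open as in the captures above, but the same silence is also what a packet filter that drops the probe produces.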