SYN scan  Syskey
SYN scan
A type of stealth scan that makes use of SYN packets
Overview
Transmission Control Protocol (TCP) uses a three-way handshake process to establish a connection between two hosts, for which the following steps take place:
1. The host wishing to establish the connection sends a SYN packet to the target host to request a socket connection.
2. The target host responds with a SYN/ACK that acknowledges receipt of the original SYN packet and sends its own SYN to request a socket.
3. The originating host replies with an ACK, and a connection between the two hosts is established.
In a SYN scan, an attacker sends a SYN packet to a port on a target host to see how the host responds. If the host responds with a SYN/ACK packet, this means the targeted port is listening (open) and may be targeted for further attack. Meanwhile, the attacker simply drops the received SYN/ACK packet instead of acknowledging it, which means a connection is not established with the target host. Alternatively, the attacker might respond with an RST packet, which can sometimes help prevent the remote host from logging the connection attempt. If the target port on the remote host is not listening, the remote host responds with an RST packet instead (or possibly provides no response, if a firewall blocks RST packets from leaving the network).
Notes
Because a SYN scan fails to complete a TCP connection that the attacker tries to initiate with the target, it is sometimes called a “half-open” scan.
[Figure: SYN scan. How a SYN scan works: (1) the attacker sends a SYN to port 80 on the Web server (target); (2) the target replies with SYN/ACK; (3) the attacker drops the packet.]
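The handshake states described above, the three replies a scanner can see (SYN/ACK, RST, or nothing), and the half-open signature a defender can look for in traffic, as an added Python example. This code is not from the encyclopedia entry; the addresses, the packet trace and the helper names (`Packet`, `target_reply`, `classify_response`, `find_half_open_scanners`) are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment, reduced to the fields the handshake logic needs."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN/ACK", "ACK" or "RST"


def target_reply(listening_ports, dport, firewall_drops_rst=False):
    """Reply a target sends to an incoming SYN on dport (step 2 of the handshake):
    SYN/ACK if the port listens, RST if it is closed, or nothing at all when an
    egress firewall blocks the RST from leaving the network."""
    if dport in listening_ports:
        return "SYN/ACK"
    return None if firewall_drops_rst else "RST"


def classify_response(reply):
    """The scanner's reading of a port from the reply to its SYN."""
    return {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[reply]


def scan_result(listening_ports, ports, firewall_drops_rst=False):
    """What a SYN scan of `ports` would conclude about a host that listens on
    `listening_ports` (hypothetical model, no packets are sent)."""
    return {p: classify_response(target_reply(listening_ports, p, firewall_drops_rst))
            for p in ports}


def find_half_open_scanners(packets, threshold=3):
    """Defender-side heuristic. Tracks each (client, server, port) flow through the
    handshake and reports clients that received SYN/ACK on at least `threshold`
    ports yet never sent the final ACK (dropped it or answered with RST): the
    half-open signature. Returns {client: sorted list of half-open ports}."""
    state = {}  # (client, server, server_port) -> handshake state
    for p in packets:
        fwd = (p.src, p.dst, p.dport)  # flow key if p comes from the client
        rev = (p.dst, p.src, p.sport)  # flow key if p comes from the server
        if p.flags == "SYN":
            state[fwd] = "syn"
        elif p.flags == "SYN/ACK" and state.get(rev) == "syn":
            state[rev] = "synack"
        elif p.flags == "ACK" and state.get(fwd) == "synack":
            state[fwd] = "established"
        elif p.flags == "RST":
            if state.get(fwd) == "synack":
                state[fwd] = "synack_reset"  # client tore down a half-open flow
            elif state.get(rev) == "syn":
                state[rev] = "closed"  # server refused: port not listening
    half_open = defaultdict(set)
    for (client, _server, port), st in state.items():
        if st in ("synack", "synack_reset"):
            half_open[client].add(port)
    return {c: sorted(ps) for c, ps in half_open.items() if len(ps) >= threshold}


# Constructed sample trace (not real traffic): one host SYN-scans four ports,
# another completes a normal three-way handshake to port 80.
ATTACKER, TARGET, LEGIT = "10.0.0.5", "10.0.0.10", "10.0.0.7"
SAMPLE_TRACE = [
    Packet(ATTACKER, TARGET, 40001, 22, "SYN"),
    Packet(TARGET, ATTACKER, 22, 40001, "SYN/ACK"),  # scanner drops this
    Packet(ATTACKER, TARGET, 40002, 80, "SYN"),
    Packet(TARGET, ATTACKER, 80, 40002, "SYN/ACK"),
    Packet(ATTACKER, TARGET, 40002, 80, "RST"),  # RST variant of the scan
    Packet(ATTACKER, TARGET, 40003, 443, "SYN"),
    Packet(TARGET, ATTACKER, 443, 40003, "SYN/ACK"),  # dropped again
    Packet(ATTACKER, TARGET, 40004, 25, "SYN"),
    Packet(TARGET, ATTACKER, 25, 40004, "RST"),  # port 25 is closed
    Packet(LEGIT, TARGET, 50000, 80, "SYN"),
    Packet(TARGET, LEGIT, 80, 50000, "SYN/ACK"),
    Packet(LEGIT, TARGET, 50000, 80, "ACK"),  # full handshake: established
]

if __name__ == "__main__":
    print(scan_result({22, 80, 443}, [22, 25, 80]))
    print(scan_result({22, 80, 443}, [25], firewall_drops_rst=True))
    print(find_half_open_scanners(SAMPLE_TRACE))
```

The detector keys flows on the server-side port rather than on the client's ephemeral port, so a scanner that uses a fresh source port per probe is still aggregated under one client address; the legitimate client reaches `established` and is never reported, while a host that scans fewer than `threshold` open ports is also not reported, which is the usual trade-off when tuning this kind of heuristic.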
See Also: port scanning, stealth scanning
Syskey
A Microsoft Windows NT utility for strengthening password security
Overview
Syskey first was released as a post–Service Pack 2 (SP2) hotfix for Windows NT and later was included as part of Service Pack 3. Syskey helps protect Windows NT passwords by implementing strong 128-bit encryption for password hashes instead of the previous 40-bit level of encryption. Should an attacker compromise a system and extract password hashes from the SAM database, Syskey makes cracking these hashes much more difficult. However, implementing Syskey is an irreversible step, and the encryption key must be safely stored since if it is lost or corrupted, the system will be unbootable. To provide administrators with flexibility in protecting this key, Syskey provides three key management options:
● Store the startup key locally on the system: The disadvantage is that if the system is compromised and the startup key is obtained, an attacker could crack stored passwords.
● Store the startup key on a floppy disk: The disadvantage is that the floppy disk must be inserted each time the system needs to be booted, and if the floppy is lost, the system will be unbootable. Managing large numbers of such floppies also can be an administrative headache if there are many servers.
S
333