Listen to this Post

Introduction:
Network reconnaissance is the silent, critical first phase of any cyber attack, where attackers map your defenses without triggering alarms. By analyzing real packet captures from a simulated port scan, we can demystify how adversaries probe networks, identify live hosts, and discover open ports using non-communicative, crafted packets. This hands-on analysis transforms abstract theory into tangible defensive knowledge, revealing the very patterns security tools must detect to prevent breaches.
Learning Objectives:
- Understand the methodology behind host discovery and port scanning from a packet-level perspective.
- Learn to execute and analyze common scan types (ICMP, SYN, ACK) using command-line tools.
- Develop the skills to identify scanning patterns in Wireshark and configure basic network defenses against them.
You Should Know:
1. Host Discovery: The Digital Doorbell
Before targeting ports, an attacker must confirm a host is online. This is done using probe packets, primarily ICMP Echo (ping) and Timestamp requests. A reply indicates a live host. Modern security often blocks ICMP, so attackers may use alternative methods like TCP SYN packets to port 80 or 443.
Step-by-Step Guide:
On Linux Attacker: Use `ping` or `nmap` for host discovery.
Basic ICMP ping ping -c 4 192.168.1.105 Nmap Ping Scan (-sn prevents port scan) nmap -sn 192.168.1.0/24
In Wireshark: Apply the filter icmp. Observe the Echo Request (Type 8) and, if not filtered, the Echo Reply (Type 0). No reply suggests the host is down or ICMP is blocked.
Defensive Takeaway: Monitor for ICMP flood or unusual ICMP types. Consider host-based firewalls to drop ICMP requests on sensitive servers.
2. The SYN Scan: Knocking on Every Port
The TCP SYN scan is the most common stealth scan. It initiates a connection by sending a SYN packet but never completes the three-way handshake upon receiving a SYN-ACK, leaving a “half-open” connection.
Step-by-Step Guide:
On Linux Attacker: Execute a SYN scan with Nmap.
Standard SYN scan (-sS). Requires root/sudo privileges. sudo nmap -sS -p 21,22,80,443,1000-2000 192.168.1.105
In Wireshark: Use the filter tcp.flags.syn==1 and tcp.flags.ack==0. Look for a series of SYN packets from one source to multiple destination ports on a single IP. The response reveals the state:
SYN-ACK: The port is open.
RST: The port is closed.
No response/ICMP error: The port is filtered by a firewall.
Defensive Takeaway: Use Intrusion Detection Systems (IDS) like Snort or Suricata to detect rapid succession SYN packets from a single source to multiple ports.
3. Half-Open Scans and Stealth Implications
A half-open scan (SYN scan) is stealthier than a full connect scan because it doesn’t establish a full connection, potentially avoiding application logs.
Step-by-Step Guide:
Analysis: In Wireshark, track a single conversation. For an open port, you’ll see `
` -> `[SYN, ACK]` -> <code>[bash]</code>. The attacker's `RST` packet aborts the connection after receiving the SYN-ACK, preventing the `[bash]` that would complete the handshake. Defensive Command (Linux): Use `iptables` to limit the rate of new SYN connections. [bash] Limit new SYN connections to 10 per second per source IP, burstable to 20. sudo iptables -A INPUT -p tcp --syn -m limit --limit 10/second --limit-burst 20 -j ACCEPT sudo iptables -A INPUT -p tcp --syn -j DROP
Windows Analog: Use PowerShell with the NetSecurity module to create firewall rules limiting connections.
4. Probing Defenses with ACK and Timestamp Scans
These scans map firewall rules and infer operating systems. An ACK packet sent to a port should elicit a RST from an unfiltered host (whether open or closed). No response suggests a stateful firewall is filtering. TCP Timestamp options can help deduce system uptime or OS.
Step-by-Step Guide:
On Linux Attacker:
ACK scan (-sA) sudo nmap -sA -p 80,443 192.168.1.105 TCP Timestamp query (using Nmap's TCP scan with a specific option) sudo nmap -sT --script smb-os-discovery 192.168.1.105
In Wireshark: Filter for tcp.flags.ack==1 and tcp.flags.syn==0. A stream of ACK packets with no preceding SYN/SYN-ACK conversation is suspicious. Look for RST replies.
Defensive Takeaway: Properly configured stateful firewalls should drop unsolicited ACK packets. Logging these dropped packets can provide early warning of reconnaissance.
- From Analysis to Action: Building a Detection Rule
The ultimate goal is to translate packet analysis into automated detection.
Step-by-Step Guide:
Snort IDS Rule Example: Create a rule to detect rapid SYN scanning.
Alert on more than 15 SYN packets to different ports from one source in 2 seconds alert tcp any any -> $HOME_NET any (msg:"Possible SYN Scan"; flags:S; flow:stateless; detection_filter: track by_src, count 15, seconds 2; sid:1000001; rev:1;)
Wireshark IO Graph: Use Statistics > IO Graph. Apply a filter like `tcp.flags.syn==1 && tcp.flags.ack==0` and view the packets/second trend. A sharp, short spike indicates a scan.
Practice Lab: Set up a lab with two VMs (Kali Linux attacker, Metasploitable victim). Capture the traffic while running scans and practice writing filters and simple rules.
What Undercode Say:
- Reconnaissance is a Conversation of One: Effective scanning is not about communication but about interpreting unilateral probes—the echoes of your own network’s defenses.
- Defense Lies in Anomaly Detection: No single dropped packet is an alarm. Defense is built by profiling normal traffic and identifying deviations: unusual packet rates, malformed flag combinations, and traffic without established sessions.
The hands-on dissection of packets bridges the gap between theoretical vulnerability and practical threat. By understanding the exact byte-by-byte behavior of scans, defenders can move beyond signature-based detection and start building behavioral profiles of network reconnaissance, enabling earlier and more accurate threat identification. This shifts security from a reactive to a proactive stance.
Prediction:
The future of network attack and defense will be dominated by AI-driven slow/low-and-slow scans that blend reconnaissance into normal traffic patterns over days or weeks, making traditional threshold-based detection obsolete. Defensive AI will need to evolve to perform continuous, microscopic behavioral analysis of packet sequences and timing, not just volumes. Furthermore, the increasing encryption of traffic (TLS 1.3) will push deep packet inspection to endpoints, making host-based detection logs and egress traffic analysis the new primary hunting grounds for spotting the subtle anomalies left by the silent scout.
▶️ Related Video (74% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Gagan Vishwanath – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


