There are several techniques known as scanning. Basically, all of them are a means of obtaining information one does not already have, usually knowledge about somebody's environment: which machines exist at all and which services those machines are running. Here is the complete overview of scanning techniques:
TCP connect() scanning:
Trying to set up an ordinary TCP connection.
Easily detectable by firewalls.
TCP SYN scanning:
Starting an ordinary connect. If a SYN/ACK is received, the
connection is immediately torn down (RST) instead of sending the ACK
to finish the handshake.
Some sites don't log this.
TCP FIN scanning:
Just send a FIN packet. Closed ports will answer with a RST. Listening ports
will just discard the packet.
This technique does not work against all OSes.
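As an added example (not part of the original text), the following Python classifier tells the three TCP techniques above apart in a packet trace, the way a monitoring script on the target side would: it groups packets per source and destination port, names each flow by its flag sequence, and reports a source that probes several ports. The host addresses and packet records are constructed sample data.

```python
from collections import defaultdict

# Constructed trace: each tuple is (src, dst, dport, tcp_flags) in time order,
# both directions interleaved. "SA" is the target's SYN/ACK; an "R" after "SA"
# is the scanner's reset, an "R" right after "S" or "F" is the target's reset.
A, B, C, T = "10.0.0.5", "10.0.0.7", "10.0.0.8", "10.0.0.9"   # constructed hosts
SAMPLE_EVENTS = [
    # A: half-open SYN scan, 22/80 open (SYN/ACK then scanner's RST), 443 closed
    (A, T, 22, "S"), (A, T, 22, "SA"), (A, T, 22, "R"),
    (A, T, 80, "S"), (A, T, 80, "SA"), (A, T, 80, "R"),
    (A, T, 443, "S"), (A, T, 443, "R"),
    # B: FIN scan, closed ports 25/110 answer RST, open port 22 stays silent
    (B, T, 25, "F"), (B, T, 25, "R"), (B, T, 22, "F"), (B, T, 110, "F"), (B, T, 110, "R"),
    # C: one ordinary connect() that completes the handshake (benign)
    (C, T, 22, "S"), (C, T, 22, "SA"), (C, T, 22, "A"),
]

def classify_flow(flags):
    """Name the probe pattern of one (src, dst, dport) flow from its flag sequence."""
    if flags[:3] == ["S", "SA", "A"]:
        return "connect"        # full handshake, what connect() scanning leaves behind
    if flags[:3] == ["S", "SA", "R"]:
        return "half-open"      # SYN/ACK answered with RST instead of ACK
    if flags[:2] == ["S", "R"]:
        return "syn-closed"     # SYN to a closed port, target reset it
    if flags[0] == "F":
        return "fin-probe"      # bare FIN with no handshake at all
    return "other"

def detect_scanners(events, min_ports=3):
    """Return {src: technique} for sources probing at least min_ports distinct ports."""
    flows = defaultdict(list)
    for src, dst, dport, flags in events:
        flows[(src, dst, dport)].append(flags)
    ports_by_kind = defaultdict(lambda: defaultdict(set))
    for (src, _dst, dport), seq in flows.items():
        ports_by_kind[src][classify_flow(seq)].add(dport)
    verdicts = {}
    for src, kinds in ports_by_kind.items():
        syn_ports = kinds["half-open"] | kinds["syn-closed"]
        if len(kinds["connect"]) >= min_ports:
            verdicts[src] = "connect scan"
        elif kinds["half-open"] and len(syn_ports) >= min_ports:
            verdicts[src] = "SYN scan"
        elif len(kinds["fin-probe"]) >= min_ports:
            verdicts[src] = "FIN scan"
    return verdicts
```

A FIN probe against a listening port leaves only a silent, unanswered FIN in the trace, which is why the classifier keys on the bare FIN rather than on any reply.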
Fragmentation scanning:
Send the probe as small IP fragments so that the TCP header is split across
several of them. Some firewalls cannot reassemble the fragments and therefore
can no longer decode the TCP header.
TCP reverse ident scanning:
By asking the identd, you can try to find out which user runs a
certain daemon.
FTP bounce attack:
There was a feature in FTP servers that is sometimes still enabled
in the software. The feature allowed proxy connections to be made through
FTP. This is easily done by issuing a PORT command that declares the
data connection address to be the target host at a certain port
number. If the target host is listening on that port, the FTP server will
generate 150 and 226 responses. Otherwise it will time out with 425.
This has the advantage of working through firewalls and is quite
difficult to detect.
UDP ICMP port unreachable scanning:
If no service is listening on a UDP port, hosts will normally answer
with an ICMP port unreachable packet.