Transcript Port Scanning Techniques

Port Scanning
Introduction
• Port scanning
– techniques that attackers use to discover
services they can break into.
• Idea
– sending a message to each port, one at a time.
– Based on the type of response, an attacker
knows if the port is used.
– The used ports can be probed further for
weakness.
Port
• All computers connected to a LAN run
various services that listen at some ports.
• The use of port numbers are not unique.
• However, some port numbers become
standard for certain services.
• Port numbers are 16-bits unsigned numbers
• In general, port numbers are divided into
two ranges.
• Standard ports (0 - 1023)
– Assigned to services by IANA (internet
assigned numbers authority)
– Only super-user is allowed to open the ports.
– Examples
•
•
•
•
•
•
•
•
ftp-data 20/udp
ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
Time 37/tcp
Time 37/udp
Whois 43/tcp
Imap 143/tcp
• Non-Standard Ports (> 1023)
– A user program can open any unallocated port
higher than 1023.
– A non-standard port refers to a port whose
number is higher than 1023.
– However, several services in this range is also
standard.
– Examples:
• Wins 1512/tcp #(Microsoft Windows internet name
service).
• X11 6000-6063/tcp X window system.
– The non-standard ports can also be divided into
• Registered ports (1024 – 49151)
• Dynamic/private Ports (49152 – 65535)
• The service names and ports used in a
computer system can be found in the file
– /etc/services (UNIX, Linux)
– %windir%\system32\drivers\etc\services
(window 2000)
– %windir%\services (Window 98)
• List of ports used by Trojans
– http://www.simovits.con/nyheter9902.html
Port Scanning Techniques
• TCP connect() scanning
– The most basic form of TCP scanning
– The connect() system call provided by the OS
is used to open a connection to every interesting
port on the machine.
– If the port is listening, connect() will be
succeed.
– Otherwise, the port isn’t reachable.
– don’t need any special privileges. Any user can
use it.
– Speed
• Making a separate connect() call for every targeted
port in a linear fashion could be slow.
• Can hasten the scan by using many sockets in
parallel.
• Using non-blocking I/O allows you to set a low
time-out period and watch all the sockets at once.
• TCP SYN scanning
– Often referred to as half-open scanning.
• Not to open a full TCP connection.
– Send a SYN packet, as if a real connection is
open.
– Then wait for a response.
• A SYN/ACK indicates the port is listening.
– If a SYN/ACK is received, send an RST to tear
down the connection immediately. (kernel will
do this for you).
– The primary advantage to this canning
technique is that fewer sites will log it.
– But you need root privileges to build these
custom SYN packets.
• TCP FIN scanning
– Sometimes SYN scanning isn’t clandestine
enough.
– Some firewalls and packet filters watch for
SYNs to restricted ports.
– FIN packets may be able to pass through.
– Closed ports tend to reply to FIN packet with
proper RST.
– Open ports tend to ignore the packet in question.
– This is required TCP behavior
– However, some systems are broken in this
regard.
• They send RST’s regardless of the port state
• Thus they aren't vulnerable to this type of scan.
• TCP reverse ident scanning
– The ident protocol (rfc1413) allows for the
disclosure of the username of the owner of any
process connected via TCP (provided by port
113), even if that process didn’t initiate the
connection.
– You can for example, connect to the http port
and then use identd to find out whether the
server is running as root.
– This can only be done with a full TCP
connection to the target port.
• OS Fingerprinting
– Guess the remote OS system
– sending different types of probes to the host,
which will narrow the target operating system.
• FIN probing to see what kind of response the target
has,
• BOGUS flag probing to see the remote host's
reaction to undefined flags sent with a SYN packet,
• TCP Initial Sequence Number (ISN) sampling to
find patterns of ISN numbers,
• other methods of determining the remote operating
system.
• See http://www.insecure.org/nmap/nmap-fingerprinting-article.html
– Example
[root@pc89186 root]# nmap -sT -p 80 -I -O www.cuhk.edu.hk
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on spring.itsc.cuhk.edu.hk (137.189.8.146):
Port
State
Service
Owner
80/tcp open
http
Remote operating system guess: Solaris 2.6 - 2.7
Uptime 33.199 days (since Mon Sep 16 12:25:31 2002)
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
[root@pc89186 root]# nmap -sT -I -O www.cse.cuhk.edu.hk
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on fortress.cse.cuhk.edu.hk (137.189.91.192):
(The 1542 ports scanned but not shown below are in state: closed)
Port
State
Service
Owner
23/tcp
open
telnet
root
70/tcp
open
gopher
root
80/tcp
open
http
nobody
111/tcp
open
sunrpc
root
113/tcp
open
auth
nobody
139/tcp
open
netbios-ssn
root
443/tcp
open
https
nobody
513/tcp
open
login
root
514/tcp
open
shell
root
4045/tcp open
lockd
root
32771/tcp open
sometimes-rpc5
root
32776/tcp open
sometimes-rpc15
root
Remote operating system guess: Sun Solaris 8 early acces beta through actual release
Uptime 17.164 days (since Wed Oct 2 13:31:05 2002)
Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds
• Fragmentation scanning
– Not a new scanning method in and of itself.
– A modification of other techniques.
– Instead of just sending the probe packet, you
break it into a couple of small IP fragments.
– By splitting up the TCP header over several
packets, it is harder for packet filters to detect
what you are doing.
• FTP bounce scan
– Take advantage of a vulnerability of FTP
protocol.
– Requires support for proxy ftp connections.
– For example, evil.com can establish a control
communication connection to FTP server-PI
(protocol interpreter) of target.com.
– Then it is able to request the server-PI to
initiate an active server-DTP (data transfer
process) to send a file ANYWHERE on the
internet.
– A port scanner can exploit this to scan TCP
ports from a proxy ftp server.
– Connect to an FTP server behind a firewall, and
then scan ports that are more likely to be
blocked.
– If the ftp server allows reading from and
writing to a directory (such as /incoming), you
can send arbitrary data to ports that you do find
open.
– Technique
• Use the PORT command (of FTP) to declare that
our passive user-DTP is listening on the target box
at a certain port number.
• LIST the current directory, and the results is sent
over the server-DTP channel.
• If our target host is listening on the port, the transfer
will be successful.
• Otherwise, connection will be refused.
• Then issue another PORT command to try the next
port on the target.
– Advantages
• Harder to trace
• Potential to bypass firewalls.
– Disadvantages
• Slow
• Some FTP server have finally disabled the proxy
feature.
• UDP ICMP port unreachable scanning
– UDP protocol instead of TCP
– Protocol is simpler, but the scanning is more
difficult
• Open ports don’t have to send an acknowledgement.
• Closed ports aren’t even required to send an error packet.
– Most hosts do send an ICMP_PORT_UNREACH
error when you send a packet to a closed UDP port.
• Can find out if a port is NOT open.
– Neither UDP packets, nor the ICMP errors are
guaranteed to arrive.
• Retransmission of packets is required for packets
that appear to be lost
• Otherwise, we will have many false positives.
– Disadvantages
• Slow: the ICMP error message rate is limited.
• Need to be root for access to raw ICMP socket.
• UDP recvfrom() and write() scanning
– Non-root users can’t read port unreachable
errors directly.
– But users can learn it indirectly.
– For example, a second write() call to a closed
port will usually fail.
– recvfrom() on non-blocking UDP sockets
usually return EAGAIN (try again), if the
ICMP error hasn’t been received.
– It will return ECONNREFUSED (connection
refuse), if ICMP error has been received.
Stealth Scan
• Simple port scanning can be easily logged
by the services listening at the ports.
– E.g. they see an incoming connection with no
data, thus they log an error.
• Stealth scan refers to some scanning
techniques to avoid being logged.
• These techniques include fragmented
packets, syn scanning, fin scanning etc.
• Other stealth scan techniques
– Scan slowly
• Usually a port scanner scan a host rapidly by firing
off packets at different ports.
• Some detector try to recognize these pattern
(signature).
• Thus, scanning very slowly (may take several days)
is a stealth scanning techniques.
– Firing packets with fake IPs
• Send a large amount of spoofed “port scans” and
only one scan from the real source address (or an
address on the same LAN of the source)
• So that it is difficult to trace the source of the
scanner.
Detection of Port Scanning
• Idea of non-stealth scan detector
–
–
–
–
–
Open a socket in SOCK_RAW mode.
Set the protocol type to IPPROTO_IP
Then call recvfrom() to capture the packets
Then analyze the packets
Signature for port scan
• Several packets to different destination ports from
the same source address within a short period of
time.
• SYN to a non-listening port
• Of course, there are many other possible signatures.
• Discovering stealth scans may require
kernel level work.
• A detector can inform us that we have been
port-scanned, but the source address may
not be reliable.
– Attacker may also perform IP address spoofing.
• Sometimes, a stupid scanner may leak extra
information
– If the packets we received have an IP TTL of
255, we can conclude that it was sent from or
local network, regardless of what the source
address field says.
– if TTL is 250, we can only tell that the attacker
was no more than 5 hops away.
Demonstration
• In the class, we will study the log of packets
generated by nmap and the responses from the
target.
– We will study the options
•
•
•
•
•
-sT (TCP scan)
-sS (SYN scan)
-sU (UDP scan)
-sF (FIN scan)
-sT –I –O (ident & fingerprinting)
– You are encouraged to try some other options in the
security lab.
• We will also study the source code of ‘scanlogd’
and show how it can detect port scanning.
References
• Fyodor, “The Art of Port Scanning’,
http://www.insecure.org/nmap/nmap_doc.html.
• Solar designer, “Designing and Attacking Port
Scan Tools”, Phrack Magazine, Vol 8, Issue 53,
article 13 of 15.
– The program “scanlogd” we have discussed in class
is extracted from this paper.