Transcript Chapter 5
Hands-On Ethical Hacking
and Network Defense
Chapter 5
Port Scanning
Objectives
•
•
•
•
•
Describe port scanning
Describe different types of port scans
Describe various port-scanning tools
Explain what ping sweeps are used for
Explain how shell scripting is used to
automate security tasks
Hands-On Ethical Hacking and Network Defense
2
Introduction to Port
Scanning
• Port Scanning
• Finds out which services are offered by a host
• Identifies vulnerabilities
• Open services can be used on attacks
• Identify a vulnerable port
• Launch an exploit
• Scan all ports when testing
• Not just well-known ports
Hands-On Ethical Hacking and Network Defense
3
Hands-On Ethical Hacking and Network Defense
4
Introduction to Port
Scanning (continued)
• Port scanning programs report
•
•
•
•
Open ports
Closed ports
Filtered ports
Best-guess assessment of which OS is
running
Hands-On Ethical Hacking and Network Defense
5
Types of Port Scans
• SYN scan
• Stealthy scan
• Connect scan
• Completes the three-way handshake
• NULL scan
• Packet flags are turned off
• XMAS scan
• FIN, PSH and URG flags are set
Hands-On Ethical Hacking and Network Defense
6
Types of Port Scans
(continued)
• ACK scan
• Used to past a firewall
• FIN scan
• Closed port responds with an RST packet
• UDP scan
• Closed port responds with ICMP “Port
Unreachable” message
Hands-On Ethical Hacking and Network Defense
7
Using Port-Scanning Tools
•
•
•
•
Nmap
Unicornscan
NetScanTools Pro 2004
Nessus
Hands-On Ethical Hacking and Network Defense
8
Nmap
• Originally written for Phrack magazine
• One of the most popular tools
• GUI version
• Xnmap
• Open source tool
• Standard tool for security professionals
Hands-On Ethical Hacking and Network Defense
9
Hands-On Ethical Hacking and Network Defense
10
Unicornscan
• Developed in 2004
• Ideal for large networks
• Scans 65,535 ports in three to seven
seconds
• Handles port scanning using
• TCP
• ICMP
• IP
• Optimizes UDP scanning
Hands-On Ethical Hacking and Network Defense
11
NetScanTools Pro 2004
• Robust easy-to-use commercial tool
• Supported OSs
• *NIX
• Windows
• Types of tests
•
•
•
•
Database vulnerabilities
E-mail account vulnerabilities
DHCP server discovery
IP packets and name servers
Hands-On Ethical Hacking and Network Defense
12
Hands-On Ethical Hacking and Network Defense
13
Hands-On Ethical Hacking and Network Defense
14
Nessus
•
•
•
•
•
First released in 1998
Open source tool
Uses a client/server technology
Conducts testing from different locations
Can use different OSs for client and
network
Hands-On Ethical Hacking and Network Defense
15
Nessus (continued)
• Server
• Any *NIX platform
• Client
• Can be UNIX or Windows
• Functions much like a database server
• Ability to update security checks plug-ins
• Scripts
• Some plug-ins are considered dangerous
Hands-On Ethical Hacking and Network Defense
16
Hands-On Ethical Hacking and Network Defense
17
Nessus (continued)
• Finds services running on ports
• Finds vulnerabilities associated with
identified services
Hands-On Ethical Hacking and Network Defense
18
Hands-On Ethical Hacking and Network Defense
19
Conducting Ping Sweeps
• Ping sweeps
• Identify which IP addresses belong to active
hosts
• Ping a range of IP addresses
• Problems
• Computers that are shut down cannot
respond
• Networks may be configured to block ICMP
Echo Requests
• Firewalls may filter out ICMP traffic
Hands-On Ethical Hacking and Network Defense
20
FPing
•
•
•
•
Ping multiple IP addresses simultaneously
www.fping.com/download
Command-line tool
Input: multiple IP addresses
• Entered at a shell
• -g option
• Input file with addresses
• -f option
Hands-On Ethical Hacking and Network Defense
21
Hands-On Ethical Hacking and Network Defense
22
Hands-On Ethical Hacking and Network Defense
23
Hping
• Used to bypass filtering devices
• Allows users to fragment and manipulate IP packets
• www.hping.org/download
• Powerful tool
• All security testers must be familiar with tool
• Supports many parameters (command options)
Hands-On Ethical Hacking and Network Defense
24
Hands-On Ethical Hacking and Network Defense
25
Hands-On Ethical Hacking and Network Defense
26
Hands-On Ethical Hacking and Network Defense
27
Crafting IP Packets
• Packet components
• Source IP address
• Destination IP address
• Flags
• Crafting packets helps you obtain more
information about a service
• Tools
• Fping
• Hping
Hands-On Ethical Hacking and Network Defense
28
Understanding Shell Scripting
• Modify tools to better suit your needs
• Script
• Computer program that automates tasks
• Time-saving solution
Hands-On Ethical Hacking and Network Defense
29
Scripting Basics
• Similar to DOS batch programming
• Script or batch file
• Text file
• Contains multiple commands
• Repetitive commands are good candidate
for scripting
• Practice is the key
Hands-On Ethical Hacking and Network Defense
30
Hands-On Ethical Hacking and Network Defense
31
Hands-On Ethical Hacking and Network Defense
32
Summary
• Port scanning
• Also referred as service scanning
• Process of scanning a range of IP address
• Determines what services are running
• Port scan types
•
•
•
•
•
SYN
ACK
FIN
UDP
Others: Connect, NULL, XMAS
Hands-On Ethical Hacking and Network Defense
33
Summary (continued)
• Port scanning tools
• Nmap
• Nessus
• Unicornscan
• Ping sweeps
• Determine which computers are “alive”
• Shell scripting
• Helps with automating tasks
Hands-On Ethical Hacking and Network Defense
34