Port Scanning


PORT SCANNING
Network Security Lab
Lab #5
Penetration testing


Penetration testing is a method of testing a network’s security by using various tools and techniques common to attackers. The methodology used is similar to that of an attacker:

- enumerate the network,
- assess vulnerabilities,
- research vulnerabilities for known exploits,
- and then use the tools available to penetrate the network.

A good penetration test should result in a report that explains the weaknesses found, lists them from most critical to least critical, and provides suggestions for improving the network’s security.
Network scan

- Enumerating a network to discover what machines are attached and operating is a useful task for both an intruder and a system administrator.
- The information gained from a network scan assists in the determination of the actual current layout.
- Several tools and techniques exist for both the Windows and Linux platforms to perform these tests.
- Once the devices and their open ports have been identified, a vulnerability scanner can be used.
The goal of network scan

- One of the first tasks a hacker will carry out is to perform a scan of the network for hosts that are running.
- Once the user knows what hosts are accessible, he or she will then find a means to gather as much information about the hosts as possible.
- Once an attacker has identified the hosts, ports, and services that are available, he or she will want to identify the operating system that is running on the host.
- In addition to identifying the operating system, the attacker will want to gain more information about the services that are running on the target computer, such as the type of server and version (for example, Internet Information Services [IIS] version 6 or version 7).
- This information is contained in the service’s banner. The banner is usually sent after an initial connection is made.
- This information greatly improves the ability of the attacker to discover vulnerabilities and exploits.
Utilities for network scan

- Nmap is a popular scanning utility that is available for download from the Internet at no cost.
- It is a powerful tool that includes many functions.
- The Nmap utility can quickly and easily gather information about a network’s hosts, including their availability, their IP addresses, and their names.
- This is useful information not only for a network administrator, but for a hacker as well, prior to an attack.
- Popular port scanning programs include: Nmap, NetScanTools, SuperScan and Angry IP Scanner.
NMAP

- nmap stands for “network map”.
- This open-source scanner was developed by Fyodor (see http://insecure.org/).
- Nmap is available for Windows and Linux as a GUI and command-line program. It can do many types of scans and OS identification.
- nmap is actually more than just a port scanner.
- In addition to listing the open ports on a network, it also tries to construct an inventory of all the services running in a network.
- It also tries to detect which operating system is running on each machine, etc.
- Video: http://www.youtube.com/watch?v=0PxTAn4g20U
Why nmap

- An excellent tool
- Long history of development and support
- Continuous development and improvements
- “Industry standard” port scanner
nmap features

- Host Discovery: Which host is alive? Identifying computers on a network, for example listing the computers which respond to pings (ping sweeps).
- Port Scanning: What services are available? Enumerating the open ports on one or more target computers.
- Service and Version Detection: Which version is running? Determining the application name and version number.
- OS Detection: What platforms are served? Remotely determining the OS and some hardware characteristics of network devices.
Host Discovery

- Querying multiple hosts using this method is referred to as ping sweeps.
- The most basic step in mapping out a network.

Several sweep techniques:

- ICMP sweeps
- Broadcast ICMP
- Non-echo ICMP
- TCP sweep
- UDP sweep
Host Discovery : ICMP Sweeps

Technique:
- send an ICMP ECHO request (ICMP type 8)
- if an ICMP ECHO reply (ICMP type 0) is received: target is alive
- no response: target is down

Pros & cons:
- easy to implement
- fairly slow, easy to block

Exchange (scanner on the left, target on the right):

  Scanner --- ICMP ECHO request ---> Target
  Scanner <--- ICMP ECHO reply ----- Target      => host is alive

  Scanner --- ICMP ECHO request ---> Target
  (no response)                                   => host is down/filtered
Host Discovery : ICMP Sweeps

Ping sweeps
- Also called an ICMP sweep
- Used by attackers to determine the location of a host
- Attacker sends a series of ICMP echo request packets to a range of IP addresses
- A ping sweep alone does not cause harm

ARP probes
- Why ARP scan? When you use an ICMP ping scan, the OS needs to send out an ARP request to figure out the MAC address.
- You are sending millions of ARP requests.

Host Discovery : Broadcast ICMP

- Sending an ICMP ECHO request to the network and/or broadcast addresses
- Windows ignores this
- Most routers block this

Host Discovery : TCP Sweeps

- Sending TCP ACK or TCP SYN packets
- The port number can be selected to avoid blocking by a firewall; usually a good pick would be 21 / 22 / 23 / 25 / 80
- But firewalls can spoof a RESET packet for an IP address, so TCP sweeps may not be reliable.
Host Discovery : UDP Sweeps

- Relies on the ICMP PORT UNREACHABLE message: a non-active UDP port will respond with an ICMP PORT UNREACHABLE message.
- Assume the port is open if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram.

Cons:
- Routers can drop UDP packets as they cross the Internet
- Many UDP services do not respond when correctly probed
- Firewalls are usually configured to drop UDP packets (except for DNS)
nmap Host Discovery summary

  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -PN: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO [protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  -sU: UDP Scan
Introduction to port scanning

- Ports to a computer are like windows or doors to a house.
- Port scanning attacks are much like a burglar searching all the windows and doors of a house to look for unlocked entry ways.
- If a window is left unlocked (like a port being “open” or not in use), it may be easy for the intruder to enter the house.
Port states

- The main goal of port scanning is to find out which ports are open, which are closed, and which are filtered.
- Port scanning is about testing the states of ports on a (remote) machine.
- Open is the most interesting state: it means that there is an application listening on that port waiting for connections.
- Port scanning is one of the most popular of the reconnaissance techniques attackers use.

(Figure: example of port assignments; not reproduced in the transcript)
OPEN state

- A given port on your machine is open if you are running a server program on the machine and the port is assigned to the server.
- An application is actively accepting connections on this port.
- These are the ports that attackers are looking for, as every open port is a potential entry point into the system.
- Administrators should try to keep the number of open ports to a minimum in order to decrease the risk of a successful attack.
- Obviously some ports will be open to provide certain services, but these ports should be protected in some way (e.g. a firewall, TCP wrappers, white lists of hosts that may connect).
Filtered state

- This state means that NMAP is not able to determine whether a port is open or not.
- What we mean is that the packets passing through that port are subject to the filtering rules of a firewall or router.
- Sometimes the response is an error message or no reply at all.

Closed state

- A closed port is accessible, i.e. it receives and responds to probe packets, but there is no application listening on it.
- While not directly exploitable for an attack, closed ports may still provide other useful information (e.g. that a host is online, or about the operating system the host is running).
- If a port on a remote host is closed and your computer sends it a SYN packet, the remote host will respond with a RST packet.
Review of TCP flags

- SYN - Initiates a connection
- ACK - Acknowledges received data
- FIN - Closes a connection
- RST - Aborts a connection in response to an error
- URG - Used to inform a receiving station that certain data within a segment is urgent and should be prioritized
- PSH - Used to force data delivery without waiting for buffers to fill

Types of Port Scans - Normal TCP Handshake

  Client --- SYN -------> Server
  Client <-- SYN/ACK ---- Server
  Client --- ACK -------> Server

After this, you are ready to send data.
Port Scanning

To determine what services are running or in a LISTENING state.

Some well known types:
- TCP Connect scan
- TCP SYN scan
- Stealth scan
- FTP bounce scan
Port Scanning : TCP Connect Scan

- Uses the basic TCP connection establishment mechanism; completes the 3-way handshake.
- Easy to detect by inspecting the system log.

  Scanner --- SYN --------> Target
  Scanner <-- SYN/ACK ----- Target
  Scanner --- ACK --------> Target      => port is open

  Scanner --- SYN --------> Target
  Scanner <-- RST/ACK ----- Target      => port is closed

Connect scan
- Completes the three-way handshake
- Not stealthy: appears in log files
- Three states: closed, open, filtered
Port Scanning : TCP SYN scan

- Does not establish a complete connection (half-open scanning).
- Send a SYN packet and wait for a response.
- If a SYN/ACK is received => the port is LISTENING; immediately tear down the connection by sending a RESET.
- If a RST/ACK is received => a non-LISTENING port.

  Scanner --- SYN --------> Target
  Scanner <-- SYN/ACK ----- Target
  Scanner --- RST --------> Target      => port is open

  Scanner --- SYN --------> Target
  Scanner <-- RST/ACK ----- Target      => port is closed

The server is ready, but the client decided not to complete the handshake.

SYN scan
- Stealthy scan, because session handshakes are never completed
- That keeps it out of some log files
- Three states: closed, open, filtered
Port Scanning : Stealth Scan

- Goal: gather information about target sites while avoiding detection.
- Try to hide among normal network traffic, so as not to be logged by the logging mechanism (stealth).

Techniques:

- Flag probe packets (also called “inverse mapping”): a response is sent back only by a closed port. By determining which services do not exist, an intruder can infer which services do exist.
- Slow scan rate: difficult to detect => needs a long history log.

CERT reported this technique in CERT® Incident Note IN-98.04: http://www.cert.org/incident_notes/IN-98.04.html
Port Scanning : Stealth Mapping

RFC 793: how to handle wrong-state packets
- closed ports: reply with a RESET packet to wrong-state packets
- open ports: ignore any packet in question

Technique:
- A RST scan
- A FIN probe, with the FIN TCP flag set
- An XMAS probe, with the FIN, URG, ACK, SYN, RST, PUSH flags set
- A NULL probe, with no TCP flags set

  Scanner --- probe packet -> Target
  (no response)                          => port is open

  Scanner --- probe packet -> Target
  Scanner <-- RST/ACK ------- Target     => port is closed
Port Scanning : FTP Bounce scanning

- Connects to an FTP server and establishes a control connection, then asks the FTP server to initiate an active-mode data transfer to the target.
- Rather slow.
- Some FTP servers disable the “proxy” feature, but there are still many which do not.

  Scanner --- PORT 10,0,0,5,0,22 ---> FTP server (10.0.0.4)
  FTP server (10.0.0.4) --- TCP SYN ---> Target (10.0.0.5)
  FTP server (10.0.0.4) <-- RST -------- Target (10.0.0.5)
  Scanner <--- 425 Cannot build data connection --- FTP server (10.0.0.4)
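The defence against the bounce above lives in the FTP server: it must refuse a PORT command whose data address is not the client that owns the control connection. The following is an added example, not the slides' material and not the code of any real FTP server; it decodes the h1,h2,h3,h4,p1,p2 argument (port = p1*256 + p2, as RFC 959 defines it) and applies that policy plus a ban on privileged data ports. The scanner address 10.0.0.9 and the function names are assumptions for the example.

```python
import ipaddress
from typing import Tuple


def parse_port_command(arg: str) -> Tuple[ipaddress.IPv4Address, int]:
    """Decode the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command.
    RFC 959 encodes the port as p1*256 + p2, so "10,0,0,5,0,22" asks the
    server to open its data connection to 10.0.0.5 port 22 (the slide's case)."""
    try:
        parts = [int(x) for x in arg.split(",")]
    except ValueError:
        raise ValueError("PORT argument must be six decimal numbers")
    if len(parts) != 6 or any(not 0 <= v <= 255 for v in parts):
        raise ValueError("PORT argument must be six values in 0..255")
    host = ipaddress.IPv4Address(".".join(str(v) for v in parts[:4]))
    return host, parts[4] * 256 + parts[5]


def accept_port_command(arg: str, control_peer: str,
                        min_port: int = 1024) -> Tuple[bool, str]:
    """Hypothetical server-side policy that closes the bounce hole: the data
    connection may only go back to the address that owns the control
    connection, and only to an unprivileged port.  Returns (accepted, reason)."""
    try:
        host, port = parse_port_command(arg)
    except ValueError as exc:
        return False, str(exc)
    if host != ipaddress.IPv4Address(control_peer):
        return False, f"data address {host} is not the control peer {control_peer}"
    if port < min_port:
        return False, f"data port {port} is a privileged port"
    return True, "ok"


if __name__ == "__main__":
    # The slide's bounce attempt: control connection from a scanner at 10.0.0.9
    # (constructed address), PORT asks for a data connection to 10.0.0.5:22.
    print(accept_port_command("10,0,0,5,0,22", control_peer="10.0.0.9"))
    # A legitimate active-mode transfer back to the client itself, port 1025.
    print(accept_port_command("10,0,0,9,4,1", control_peer="10.0.0.9"))
```

With this check in place the server never sends the TCP SYN to the target on the scanner's behalf, so the 425 reply the slide shows is no longer a usable signal about the target's port state.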
How does NMAP work?

- NMAP can scan TCP and UDP ports. We are going to restrict ourselves to TCP ports in this lab session.
- Popular services, such as http, are registered to a well-known port number, and NMAP has a file describing the most common protocols used on the Internet.
- It identifies the operating system that is running on the host by using a technique called stack fingerprinting.
- Different operating systems implement TCP/IP in slightly different ways.
- Though subtle, the differentiation of these responses makes it possible to determine the operating system.
How does NMAP work?

- The network traffic that is generated by Nmap can have distinct qualities.
- These qualities, such as the number of packets sent or the timing between packets, do not resemble the qualities of “normal” traffic. These qualities make up its signature.
- Nmap can be configured to hide its activity over time, attempting to mask its signature from being easily discovered.

(Source: Guide to Network Defense and Countermeasures, Second Edition)
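The "number of packets" and "timing" qualities above are exactly what a defender keys on. The following is an added example, not from the slides or from Nmap, of a detector run over a constructed packet list shaped like what Wireshark shows during this lab: one host (10.0.0.9, an assumed address) sending SYNs to eleven ports of 10.0.0.5 in quick succession, and one ordinary client completing a handshake. It flags source/destination pairs that hit many distinct ports inside a short window, and uses the handshake-completion count to tell a connect() scan (which the TCP Connect Scan slide says shows up in logs) from a half-open SYN scan; the thresholds and field names are the example's own choices.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    t: float        # capture time in seconds
    src: str
    dst: str
    port: int       # server-side port of the conversation
    flags: str      # TCP flags as Wireshark abbreviates them: "S", "SA", "A", "R", "RA"


def scan_report(pkts: List[Pkt], window: float = 2.0,
                min_ports: int = 10) -> Dict[Tuple[str, str], dict]:
    """Flag (src, dst) pairs whose SYNs hit at least `min_ports` distinct
    ports within any `window`-second span.  The number of those ports that
    also saw a bare ACK from the same source (a completed handshake)
    separates a connect() scan from a half-open SYN scan."""
    syns: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    acks: Dict[Tuple[str, str], set] = defaultdict(set)
    for p in pkts:
        if p.flags == "S":
            syns[(p.src, p.dst)].append((p.t, p.port))
        elif p.flags == "A":
            acks[(p.src, p.dst)].add(p.port)
    report = {}
    for pair, events in syns.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):            # sliding window over SYN times
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({port for _, port in events[lo:hi + 1]}))
        if best >= min_ports:
            ports = {port for _, port in events}
            completed = len(ports & acks[pair])
            label = "connect scan" if completed * 2 >= len(ports) else "SYN (half-open) scan"
            report[pair] = {"ports_in_window": best, "completed": completed, "label": label}
    return report


def constructed_capture(spacing: float = 0.01) -> List[Pkt]:
    """Constructed packet list (not a real capture): a scanner at 10.0.0.9
    probing eleven ports of 10.0.0.5 `spacing` seconds apart, of which only
    port 80 is open, plus one ordinary client completing a handshake to 80."""
    pkts = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]):
        t = i * spacing
        pkts.append(Pkt(t, "10.0.0.9", "10.0.0.5", port, "S"))
        if port == 80:      # open: SYN/ACK comes back, scanner tears down with RST
            pkts.append(Pkt(t + 0.001, "10.0.0.5", "10.0.0.9", port, "SA"))
            pkts.append(Pkt(t + 0.002, "10.0.0.9", "10.0.0.5", port, "R"))
        else:               # closed: RST/ACK comes back
            pkts.append(Pkt(t + 0.001, "10.0.0.5", "10.0.0.9", port, "RA"))
    pkts += [Pkt(5.00, "10.0.0.7", "10.0.0.5", 80, "S"),
             Pkt(5.01, "10.0.0.5", "10.0.0.7", 80, "SA"),
             Pkt(5.02, "10.0.0.7", "10.0.0.5", 80, "A")]
    return pkts


if __name__ == "__main__":
    print(scan_report(constructed_capture()))                          # fast scan: flagged
    print(scan_report(constructed_capture(spacing=1.0)))               # one SYN per second: {}
    print(scan_report(constructed_capture(spacing=1.0), window=60.0))  # visible with a longer window
```

The third call shows why the slides say a slow scan needs a long history log: the same eleven SYNs spread one second apart fall under the ten-port threshold for any two-second window, and only a much wider window (or a per-host counter kept across the whole capture) brings them back into view.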
Different types of port scanning

- Simple port scanning
- Strobe port scanning
- Stealth port scanning
- SYN scanning
- FIN scanning
- Null scanning
Simple port scanning

An attacker searches all ports looking for, and noting, all open ports.

Pros:
- Attacker will see ALL available ports

Cons:
- Takes a long time to scan all 65,000+ ports
- Can be detected fairly easily, due to the large number of ports being scanned
- Specific ports that are found to be open may not be useful to attack
Strobe port scanning

An attacker selects a certain range of ports to check for open ports.

Pros:
- Quicker than a full scan
- Already knows that all searched ports can lead to vulnerable access points

Cons:
- Does not give the entire vulnerability profile of the target
- Is somewhat easy for the target to detect
Stealth port scanning

An attacker searches only a few random ports at once over a long period of time (usually a day or more), often jumping between different computers on a network.

Pros:
- Hard to detect because individual port scans, from the network’s point of view, appear to be accidental communication attempts

Cons:
- Takes a long time (usually a day or more)
FIN scanning

Attackers send erroneous packets to ports and listen for a response. If a port is closed, the attacker will receive an error message. However, TCP requires that an open port ignores the erroneous packet. Based on the response, the attacker can determine the state of the port.

Pros:
- It is difficult for the target’s computer to recognize this as an attack, since the packets being sent look like random data

Cons:
- If the target sends an error message response, it could get dropped or blocked by a firewall. This will lead the attacker to believe that a closed port is really open, since it did not receive a response.
Null scanning

NULL scan
- All the packet flags are turned off
- Two results: closed ports reply with RST; open or filtered ports give no response

Types of Port Scans - (XMAS, FIN)

XMAS scan
- FIN, PSH and URG flags are set
- Works like a NULL scan: a closed port responds with an RST packet

NULL, XMAS and FIN scans don't work on Windows machines.
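The port-state slides, the Stealth Mapping slide (RFC 793 rules for wrong-state packets), the UDP sweep rule, the FIN-scan con (a dropped RST makes a closed port look open) and the Windows remark just above all describe one thing: what a target answers for a given port state and probe, and what a scanner can honestly conclude from it. The following is an added example, not from the slides or from Nmap, that models those rules in one place. `windows_like` models only the slide's statement that FIN/NULL/XMAS probes do not work against Windows (the host answers RST whatever the state), `firewall_drops_rst` models the FIN-scan failure mode, and "open|filtered" is the verdict a careful scanner reports when silence is ambiguous; all names are the example's own.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


@dataclass(frozen=True)
class Probe:
    proto: str                                   # "tcp" or "udp"
    flags: FrozenSet[str] = frozenset()          # TCP flags set on the probe


SYN = Probe("tcp", frozenset({"SYN"}))
ACK = Probe("tcp", frozenset({"ACK"}))
FIN = Probe("tcp", frozenset({"FIN"}))
NULL = Probe("tcp", frozenset())
XMAS = Probe("tcp", frozenset({"FIN", "PSH", "URG"}))
UDP = Probe("udp")


def target_response(state: str, probe: Probe, windows_like: bool = False,
                    firewall_drops_rst: bool = False) -> Optional[str]:
    """What the probed host sends back; None means silence.  TCP rules follow
    RFC 793 as the slides state them; `windows_like` models the slide's remark
    about Windows; `firewall_drops_rst` models a RST that never reaches the
    scanner."""
    if state == FILTERED:
        return None                                         # probe dropped by firewall/router
    if probe.proto == "udp":
        return None if state == OPEN else "ICMP port unreachable"
    if probe.flags == {"SYN"}:
        reply = "SYN/ACK" if state == OPEN else "RST/ACK"
    elif probe.flags == {"ACK"}:
        reply = "RST"                                       # unexpected ACK: RST either way
    elif windows_like:
        reply = "RST"                                       # not RFC 793 behaviour
    else:                                                   # FIN / NULL / XMAS, RFC 793
        reply = None if state == OPEN else "RST"
    if firewall_drops_rst and reply is not None and reply.startswith("RST"):
        return None
    return reply


def scanner_inference(probe: Probe, reply: Optional[str]) -> str:
    """What a scanner can honestly conclude from the reply."""
    if probe.proto == "udp":
        return CLOSED if reply == "ICMP port unreachable" else "open|filtered"
    if probe.flags == {"SYN"}:
        return {"SYN/ACK": OPEN, "RST/ACK": CLOSED}.get(reply, FILTERED)
    if probe.flags == {"ACK"}:
        return "unfiltered" if reply == "RST" else FILTERED
    return CLOSED if reply == "RST" else "open|filtered"    # silence is ambiguous


def scan(state: str, probe: Probe, **host) -> str:
    """Run one probe against a port in the given state and return the verdict."""
    return scanner_inference(probe, target_response(state, probe, **host))


if __name__ == "__main__":
    for name, probe in [("SYN", SYN), ("ACK", ACK), ("FIN", FIN),
                        ("NULL", NULL), ("XMAS", XMAS), ("UDP", UDP)]:
        print(f"{name:4s}", [scan(s, probe) for s in (OPEN, CLOSED, FILTERED)])
    print("FIN, closed port, RST dropped by firewall:", scan(CLOSED, FIN, firewall_drops_rst=True))
    print("XMAS against a Windows-like host, open port:", scan(OPEN, XMAS, windows_like=True))
```

Two rows of the output carry the lesson of the slides: a SYN probe separates all three states, while FIN/NULL/XMAS and UDP probes can never distinguish "open" from "filtered" by themselves, and against a Windows-like host an XMAS probe reports every port as closed.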
Nmap Scan Types

Scan Type      Description
-------------  ------------------------------------------------------------------------
TCP SYN        Send a SYN packet to each port and wait for a SYN/ACK.
TCP connect    Open a connection to each port.
FIN            Send a FIN packet and wait for a RST, which means the port is closed.
XMAS           Send a packet with the FIN, URG, and PUSH flags set and wait for a RST, which means the port is closed.
NULL           Send a packet with no flags set (FIN, URG, and PUSH all zero) and wait for a RST, which means the port is closed.
UDP            Send a 0-byte UDP packet to each port and wait for an ICMP port unreachable message.
IP Protocol    Send a raw IP packet without any transport protocol header and wait for an ICMP protocol unavailable message.
Idle scan      Uses a side channel (i.e. another node) to send a TCP port scan.
ACK Scan       Send an ACK packet to the port and wait for a RST packet.
RPC scan       Floods all open TCP and UDP ports with null RPC packets to determine if it is an RPC port.
Laws regarding port scanning

- Port scanning is NOT illegal
- Port scanning is analogous to ringing someone’s doorbell to see if they’re home
- Port scanning is considered illegal only if a crime is committed
- Rarely, a company may be able to press charges if they’re being scanned so frequently that it is affecting their network’s performance
NMAP - Root privileges

- Root privileges are needed to start services on a Unix/Linux system on a port between 1 and 1023 (these are reserved ports).
- This is to give users the assurance that the service was started by a system administrator and not by any (malicious) user of the system.
- Nevertheless, this does not protect against a vicious system administrator.
Nmap Usage

- The simplest way to call NMAP is to provide just an IP address as a parameter:

    nmap 193.61.29.168

- NMAP will do a quick scan of the most popular ports and return with a list of the ports it found and their state.
- Keep in mind that the results from NMAP are not always 100% accurate, as the contacted machines may try to confuse or mislead port scanners.
- The larger the number of router/gateway boundaries that need to be crossed, the less reliable the results returned by nmap.

Usage:

    nmap [scan types] [options] <host or net …>
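The OPEN state slide says administrators should keep open ports to a minimum and protect the ones that remain; the practical way to enforce that is to compare what a scan like `nmap 193.61.29.168` reports against the list of ports the administrator has authorised. The following is an added example, not from the slides or from Nmap: it parses the per-port lines of nmap's normal output (a constructed sample is embedded, not real scan output) and reports open ports that are not on the baseline, baseline ports that are not open, service-name mismatches, and filtered ports whose firewall rules deserve a look. The baseline contents and function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Matches the per-port lines of nmap's normal output, e.g. "22/tcp  open  ssh".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Constructed sample of what "nmap 193.61.29.168" might print; not real scan output.
SAMPLE_OUTPUT = """\
Nmap scan report for 193.61.29.168
Host is up (0.0012s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
80/tcp   open     http
135/tcp  filtered msrpc
"""


def parse_nmap_ports(output: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, proto, state, service) for each port line; other lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def compare_to_baseline(rows, baseline: Dict[int, str]) -> Dict[str, List[int]]:
    """Check a scan against the administrator's list of authorised TCP ports
    (port -> expected service).  Anything open that is not on the list is an
    exposure to investigate; anything on the list that is not open may be a
    broken service; filtered ports are listed so firewall rules can be reviewed."""
    open_tcp = {p: svc for p, proto, state, svc in rows if proto == "tcp" and state == "open"}
    return {
        "unexpected_open": sorted(p for p in open_tcp if p not in baseline),
        "missing": sorted(p for p in baseline if p not in open_tcp),
        "service_mismatch": sorted(p for p in open_tcp
                                   if p in baseline and open_tcp[p] != baseline[p]),
        "filtered": sorted(p for p, _, state, _ in rows if "filtered" in state),
    }


if __name__ == "__main__":
    authorised = {22: "ssh", 80: "http"}          # constructed baseline for the host
    print(compare_to_baseline(parse_nmap_ports(SAMPLE_OUTPUT), authorised))
```

Run against the sample, the check reports ports 21 and 25 as open but unauthorised, which is the kind of finding the penetration-test report described at the start of the lecture would list.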
Nmap Scan Options


When we use the command line of the Nmap tool instead of the GUI, we need some options, listed with the command, to define the type of scan method.

-sP

- This option, also known as the “ping scanning” option, is for ascertaining which machines are up in a network.
- Under this option, nmap sends out ICMP echo request packets to every IP address in a network. Hosts that respond are up.
- To get around this (hosts that do not answer ICMP), nmap can also send a TCP ACK packet to (by default) port 80. If the remote machine responds with a RST, then that machine is up.
- Another possibility is to send the remote machine a SYN packet and wait for a RST or a SYN/ACK.
Nmap Scan Options

-sV

- This is also referred to as “Version Detection”.
- After nmap figures out which TCP and/or UDP ports are open, it next tries to figure out what service is actually running at each of those ports.
- A file called nmap-service-probes is used to determine the best probes for detecting various services.
- In addition to determining the service protocol (http, ftp, ssh, telnet, etc.), nmap also tries to determine the application name (such as Apache httpd, ISC BIND, Solaris telnetd, etc.), version number, etc.
Nmap Scan Options

- -sT : the “T” option carries out a TCP connect() scan.
- -sU : this option sends a dataless UDP header to every port. As mentioned earlier in this section, the state of the port is inferred from the ICMP response packet (if there is such a response at all).
- -sS : the “-sS” option carries out a SYN scan. To carry out a port scan of your own machine, you could try (called as root):

    nmap -sS localhost
Nmap Scan Options

You can limit the range of ports to scan with the “-p” option, as in the following call, which will cause only the first 1024 ports to be scanned:

    nmap -p 1-1024 -sT moonshine.ecn.purdue.edu

Behavior of nmap

To change this behavior, the following sort of call to nmap may produce richer results (at the cost of slowing down the scan):

    nmap -sS -A -P0 moonshine.ecn.purdue.edu

The ’-P0’ option (the second letter is ’zero’) tells nmap not to use ping in order to decide whether a machine is up.

Lab session

In this lab you will:
- use Nmap to identify the computers that are on the network,
- enumerate the ports on the computers that were located,
- and then look at the network traffic generated by these actions.

You will then use Nmap to scan the ports stealthily and compare the method to the previous scan.
To observe service banners, Telnet will be used to obtain the banners from IP/port combinations obtained from Nmap scans.
Lab steps

Step 1: Start the Windows 2008 Server and Windows 7 machines. Only log on to the Windows 7 machine.
Step 2: Start Wireshark.
Step 3: Use Nmap to scan the network.
Step 4: Analyze the output from Wireshark.
Step 5: Use Nmap to scan open TCP ports.
Step 6: Use Wireshark to analyze the scan.
Step 7: Use Nmap to do a stealth scan on the computer.
Step 8: Use Wireshark to analyze the scan.
Step 9: Use Nmap to enumerate the operating system of the target computer.
Step 10: Use Telnet to connect to the web server, FTP server, and SMTP server and observe their banners.
Step 11: Log off from the Windows 7 PC.
References

- https://engineering.purdue.edu/kak/compsec/NewLectures/
- http://www.dcs.bbk.ac.uk/~sven/infsec/coursework1.pdf
- http://discovery.csc.ncsu.edu/Courses/csc474S05/lab/Lab-nmap.html
- http://www.ccs.neu.edu/home/noubir/Courses/CSG254/S09/lab/port_scanning.html
- http://www.securesenses.net/2012/04/nmap-portstates-explanation-tcp-syn-ss.html