PORT SCANNING CT1406 lab#5


Page 1: PORT SCANNING CT1406 lab#5. Penetration testing  Penetration testing is a method of testing a network’s security by using various tools and techniques

PORT SCANNING CT1406 lab#5


Penetration testing

Penetration testing is a method of testing a network’s security by using various tools and techniques common to attackers.

The methodology used is similar to that of an attacker: enumerate the network, assess vulnerabilities, research vulnerabilities for known exploits, and then use tools available to penetrate the network.

A good penetration test should result in a report that explains the weaknesses found, lists them from most critical to least critical, and provides suggestions for improving the network’s security.


Network scan

Enumerating a network to discover what machines are attached and operating is a useful task for both an intruder and a system administrator.

The information gained from a network scan assists in the determination of the actual current layout.

Several tools and techniques exist for both the Windows and Linux platforms to perform these tests.

Once the devices and their open ports have been identified, a vulnerability scanner can be used.


The goal of Network scan

One of the first tasks a hacker will carry out is to perform a scan of the network for hosts that are running.

Once the user knows what hosts are accessible, he or she will then find a means to gather as much information about the hosts as possible.

Once an attacker has identified the hosts, ports, and services that are available, he or she will want to identify the operating system that is running on the host.

In addition to identifying the operating system, the attacker will want to gain more information about the services that are running on the target computer, such as the type of server and version (for example, Internet Information Services [IIS] version 6 or version 7).

This information is contained in the service’s banner. The banner is usually sent after an initial connection is made. This information greatly improves the ability of the attacker to discover vulnerabilities and exploits.


Utilities for network scan

Nmap is a popular scanning utility that is available for download from the Internet at no cost.

It is a powerful tool that includes many functions.

The Nmap utility can quickly and easily gather information about a network’s hosts, including their availability, their IP addresses, and their names.

This is useful information not only for a network administrator, but for a hacker as well, prior to an attack.

Popular port scanning programs include Nmap, NetScanTools, SuperScan and Angry IP Scanner.


NMAP

nmap stands for “network map”.

This open-source scanner was developed by Fyodor (see http://insecure.org/ ).

Nmap is available for Windows and Linux as a GUI and as a command-line program. It can do many types of scans and OS identification.

nmap is actually more than just a port scanner.

In addition to listing the open ports on a network, it also tries to construct an inventory of all the services running in a network.

It also tries to detect which operating system is running on each machine.



Why nmap

An excellent tool

Long history of development and support

Continuous development and improvements

“Industry Standard” port scanner


nmap features

Host Discovery: Which hosts are alive? Identifying computers on a network, for example listing the computers that respond to pings (ping sweeps).

Port Scanning: What services are available? Enumerating the open ports on one or more target computers.

Service and Version Detection: Which version is running? Determining the application name and version number.

OS Detection: What platforms are served? Remotely determining the OS and some hardware characteristics of network devices.


Host Discovery

Querying multiple hosts using this method is referred to as a ping sweep.

It is the most basic step in mapping out a network.

Several sweep techniques exist: ICMP sweeps, broadcast ICMP, non-echo ICMP, TCP sweeps and UDP sweeps.


Host Discovery : ICMP Sweeps

Technique: send an ICMP ECHO request (ICMP type 8). If an ICMP ECHO reply (ICMP type 0) is received, the target is alive; if there is no response, the target is down.

Pros and cons: easy to implement; fairly slow and easy to block.

[Diagram: the scanner sends an ICMP ECHO request to the target. If an ICMP ECHO reply comes back, the host is alive. If there is no response, the host is down or filtered.]


Host Discovery : ICMP Sweeps (ping sweeps)

Also called an ICMP sweep.

Used by attackers to determine the location of a host.

The attacker sends a series of ICMP echo request packets to a range of IP addresses.

A ping sweep alone does not cause harm.

ARP probes. Why ARP scan? When you use an ICMP ping scan, the OS needs to send out an ARP request to figure out the MAC address of each target. You are sending millions of ARP requests.


Host Discovery : Broadcast ICMP

Sending ICMP ECHO requests to the network and/or broadcast addresses. Windows ignores these requests, and most routers block them.


Host Discovery : TCP Sweeps

Sending TCP ACK or TCP SYN packets. The port number can be selected to avoid blocking by a firewall; usually a good pick would be 21, 22, 23, 25 or 80.

But firewalls can spoof a RESET packet for an IP address, so TCP sweeps may not be reliable.


Host Discovery : UDP Sweeps

Relies on the ICMP PORT UNREACHABLE message: assume the port is open if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram.

Cons: routers can drop UDP packets as they cross the Internet; many UDP services do not respond when correctly probed; firewalls are usually configured to drop UDP packets (except for DNS).

A UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message.


nmap Host Discovery summary

-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
-sU: UDP Scan


Introduction to port scanning

Ports on a computer are like the windows or doors of a house.

Port scanning attacks are much like a burglar searching all the windows and doors of a house, looking for unlocked entry ways.

If a window is left unlocked (like a port being “open” or not in use), it may be easy for the intruder to enter the house.


Port states

The main goal of port scanning is to find out which ports are open, which are closed, and which are filtered.

Port scanning is about testing the states of ports on a (remote) machine.

Open is the most interesting state: it means that there is an application listening on that port, waiting for connections.

Port Scanning is one of the most popular among the reconnaissance techniques attackers use.


Example of port assignments


OPEN state

A given port on your machine is open if you are running a server program on the machine and the port is assigned to that server.

An application is actively accepting connections on this port.

These are the ports that attackers are looking for, as every open port is a potential entry point into the system.

Administrators should try to keep the number of open ports to a minimum in order to decrease the risk of a successful attack.

Obviously some ports will be open to provide certain services, but these ports should be protected in some way (e.g. a firewall, TCP wrappers, white lists of hosts that may connect).


Filtered State

This state means that Nmap is not able to determine whether the port is open or not.

What we mean is that the packets sent to that port are subject to the filtering rules of a firewall or router.

Sometimes the response is an error message; sometimes there is no reply at all.


Closed state

A closed port is accessible, i.e. it receives and responds to probe packets, but there is no application listening on it.

While not directly exploitable for an attack, they may still provide other useful information (e.g. that a host is online, about the operating system a host is running).

If a port on a remote host is closed and your computer sends it a SYN packet, the remote host will respond with a RST packet.


Review of TCP flags

SYN - Initiates a connection

ACK - Acknowledges received data

FIN - Closes a connection

RST - Aborts a connection in response to an error

URG - Informs the receiving station that certain data within a segment is urgent and should be prioritized

PSH - Forces data delivery without waiting for buffers to fill


Types of Port Scans - Normal TCP Handshake

Client -> Server: SYN

Server -> Client: SYN/ACK

Client -> Server: ACK

After this, you are ready to send data.


Port Scanning

To determine what services are running or are in a LISTENING state.

Some well-known types: TCP connect scan, TCP SYN scan, stealth scan, FTP bounce scan.


Port Scanning : TCP Connect Scan

Uses the basic TCP connection establishment mechanism: completes the three-way handshake.

Easy to detect by inspecting the system log.

[Diagram: open port: the scanner sends SYN, the target answers SYN/ACK, the scanner sends ACK. Closed port: the scanner sends SYN, the target answers RST/ACK.]


Port Scanning : TCP Connect Scan (connect scan)

Completes the three-way handshake.

Not stealthy: appears in log files.

Three states: closed, open, filtered.


Port Scanning : TCP SYN scan

Does not establish a complete connection (half-open scanning): send a SYN packet and wait for a response.

If a SYN/ACK is received, the port is LISTENING; the scanner immediately tears down the connection by sending a RESET. If an RST/ACK is received, the port is non-LISTENING.

[Diagram: open port: the scanner sends SYN, the target answers SYN/ACK, the scanner sends RST. Closed port: the scanner sends SYN, the target answers RST/ACK.]


Port Scanning : TCP SYN scan

Client -> Server: SYN

Server -> Client: SYN/ACK

Client -> Server: RST

The server is ready, but the client decided not to complete the handshake.


Port Scanning : TCP SYN scan

SYN scan: a stealthy scan, because session handshakes are never completed. That keeps it out of some log files.

Three states: closed, open, filtered.


Port Scanning : Stealth Scan

Goal: gather information about target sites while avoiding detection; hide among normal network traffic; avoid being logged by the logging mechanism (stealth).

Techniques:

Flag probe packets (also called “inverse mapping”): a response is sent back only by a closed port. By determining which services do not exist, an intruder can infer which services do exist.

Slow scan rate: difficult to detect, so detection needs a long history log. CERT reported this technique in CERT® Incident Note IN-98.04 (http://www.cert.org/incident_notes/IN-98.04.html).


Port Scanning : Stealth Mapping

RFC 793 defines how wrong-state packets are handled:

closed ports: reply with a RESET packet to wrong-state packets

open ports: ignore the packet in question

Techniques: a RST scan; a FIN probe with the FIN TCP flag set; an XMAS probe with the FIN, URG, ACK, SYN, RST and PUSH flags set; a NULL probe with no TCP flags set.

[Diagram: open port: the scanner sends the probe packet and gets no response. Closed port: the scanner sends the probe packet and the target answers RST/ACK.]
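The probe and response rules from the TCP connect, SYN and stealth-mapping slides, modelled from both ends as an added example (not part of the lab material or of nmap): target_reply plays an RFC 793 host (or, with windows=True, a Windows host that answers FIN/NULL/XMAS probes with RST, the caveat from the later slides), and infer_state is the scanner's conclusion. The function names and the nmap term "unfiltered" for an ACK-scan result are assumptions not found on the slides.

```python
"""Both ends of the probe exchanges in the port-scanning slides: how a target
answers each probe and how the scanner reads the answer. Added example, not
part of the lab material or of nmap."""
from typing import Dict, Optional

# TCP flag bits, RFC 793 order
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags of the first packet each scan type sends
PROBES = {
    "connect": SYN,
    "syn": SYN,
    "fin": FIN,
    "null": 0,
    "xmas": FIN | PSH | URG,
    "ack": ACK,
}
NO_REPLY = None  # the probe (or its answer) was dropped


def target_reply(true_state: str, probe: int, windows: bool = False) -> Optional[int]:
    """Flags the target sends back for a probe, or None if it stays silent.
    true_state is the port's real state: 'open', 'closed' or 'filtered'."""
    if true_state == "filtered":
        return NO_REPLY                    # a firewall drops the probe
    if true_state == "closed":
        return RST | ACK                   # closed port resets anything it gets
    if probe == SYN:
        return SYN | ACK                   # listening port: handshake step 2
    if probe & ACK:
        return RST                         # ACK for a connection that does not exist
    # FIN / NULL / XMAS against a listening port: RFC 793 says ignore it;
    # Windows answers RST anyway, which is why those scans fail against it
    return RST | ACK if windows else NO_REPLY


def infer_state(scan: str, reply: Optional[int]) -> str:
    """The scanner's verdict for one port from one reply, per scan type."""
    got_rst = reply is not None and bool(reply & RST)
    if scan in ("connect", "syn"):
        if reply is not None and reply & SYN and reply & ACK:
            return "open"
        return "closed" if got_rst else "filtered"
    if scan in ("fin", "null", "xmas"):
        # Silence is ambiguous: a listening port and a firewall look the same
        return "closed" if got_rst else "open|filtered"
    if scan == "ack":
        # An ACK scan only tells you whether a firewall is in the way
        return "unfiltered" if got_rst else "filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def scanner_followup(scan: str, reply: Optional[int]) -> Optional[int]:
    """What the scanner sends after a SYN/ACK: the connect scan completes the
    handshake (and gets logged by the service), the SYN scan resets it."""
    if reply is None or not (reply & SYN and reply & ACK):
        return None
    return ACK if scan == "connect" else RST


def probe(scan: str, true_state: str, windows: bool = False) -> str:
    """Run one scan type against a port and return what the scanner reports."""
    return infer_state(scan, target_reply(true_state, PROBES[scan], windows))


def result_matrix(windows: bool = False) -> Dict[str, Dict[str, str]]:
    """Scanner verdict for every scan type against every true port state."""
    return {scan: {st: probe(scan, st, windows) for st in ("open", "closed", "filtered")}
            for scan in PROBES}


if __name__ == "__main__":
    for label, win in (("RFC 793 target", False), ("Windows target", True)):
        print(label)
        for scan, row in result_matrix(win).items():
            print(f"  {scan:8s} " + "  ".join(f"{st}->{v}" for st, v in row.items()))
```

Running it prints the full verdict matrix twice; the Windows matrix shows every FIN/NULL/XMAS probe against an open port reported as closed.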


Port Scanning : FTP Bounce scanning

Connects to an FTP server and establishes a control connection, then asks the FTP server to initiate an active-mode data transfer to the target.

Rather slow.

Some FTP servers disable the “proxy” feature, but there are still many that do not.

[Diagram: the scanner sends PORT 10,0,0,5,0,22 to the FTP server (10.0.0.4); the FTP server sends a TCP SYN to the target (10.0.0.5) on port 22; the target answers RST; the FTP server reports “425 Cannot build data connection” to the scanner.]
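The server-side check that removes the bounce described above, as an added example that is not part of the lab material or of any FTP server's code: a daemon that refuses a PORT command naming any host other than the control connection's peer (or a privileged port) cannot be made to probe 10.0.0.5 on the scanner's behalf. The function names and reply texts are assumptions (the 501 and 500 reply codes follow RFC 959 usage); the addresses and PORT argument are the slide's.

```python
"""Validate an FTP PORT command so the server cannot be used as a bounce
scanner. Added example, not part of the lab material or of any FTP daemon."""
from typing import Tuple


def parse_port_arg(arg: str) -> Tuple[str, int]:
    """Decode the RFC 959 form 'h1,h2,h3,h4,p1,p2' into (dotted host, port).
    Raises ValueError on anything malformed."""
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(f) for f in fields]          # int() raises on non-digits
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each PORT field must be 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]           # p1 is the high byte
    return host, port


def validate_port_command(peer_ip: str, arg: str) -> Tuple[bool, str]:
    """Decide whether to honour a PORT command from a client connected from
    peer_ip. Returns (accepted, reply line). Reply wording is assumed; real
    daemons differ in the text but use these codes."""
    try:
        host, port = parse_port_arg(arg)
    except ValueError:
        return False, "501 Syntax error in parameters or arguments"
    if host != peer_ip:
        # Third-party data connection: exactly the bounce used to reach
        # 10.0.0.5 through the FTP host in the slide
        return False, "500 Illegal PORT command"
    if port < 1024:
        # A data connection to a privileged port on the client is never
        # something a real client asks for
        return False, "500 Illegal PORT command"
    return True, "200 PORT command successful"


if __name__ == "__main__":
    # The slide's exchange: a scanner connected from 10.0.0.4 asks the server
    # to open a data connection to 10.0.0.5 port 22 (constructed addresses)
    print(validate_port_command("10.0.0.4", "10,0,0,5,0,22"))
    # A legitimate client asking for a data connection back to itself
    print(validate_port_command("10.0.0.4", "10,0,0,4,4,1"))
```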


How does NMAP work ?

Nmap can scan TCP and UDP ports; we are going to restrict ourselves to TCP ports in this lab session.

Popular services, such as http, are registered to a well-known port number, and Nmap has a file describing the most common protocols used on the Internet.

It identifies the operating system that is running on the host by using a technique called stack fingerprinting.

Different operating systems implement TCP/IP in slightly different ways.

Though subtle, the differentiation of these responses makes it possible to determine the operating system.


How does NMAP work?

The network traffic that is generated by Nmap can have distinct qualities.

These qualities, such as the number of packets sent or the timing between packets, do not resemble the qualities of “normal” traffic. These qualities make up its signature.

Nmap can be configured to hide its activity over time, attempting to mask its signature from being easily discovered.


Source: Guide to Network Defense and Countermeasures, Second Edition


Different types of port scanning: simple port scanning, strobe port scanning, stealth port scanning, SYN scanning, FIN scanning, null scanning.


Simple port scanning

An attacker searches all ports, looking for and noting all open ports.

Pros: the attacker will see ALL available ports.

Cons: takes a long time to scan all 65,000+ ports; can be detected fairly easily, due to the large number of ports being scanned; specific ports that are found to be open may not be useful to attack.


Strobe port scanning

An attacker selects a certain range of ports to check for open ports.

Pros: quicker than a full scan; the attacker already knows that all searched ports can lead to vulnerable access points.

Cons: does not give the entire vulnerability profile of the target; is somewhat easy for the target to detect.


Stealth port scanning

An attacker searches only a few random ports at a time over a long period (usually a day or more), often jumping between different computers on a network.

Pros: hard to detect, because the individual port scans, from the network’s point of view, appear to be accidental communication attempts.

Cons: takes a long time (usually a day or more).


FIN scanning

Attackers send erroneous packets to ports and listen for a response. If a port is closed, the attacker will receive an error message. However, TCP requires that an open port ignore the erroneous packet. Based on the response, the attacker can determine the state of the port.

Pros: it is difficult for the target computer to recognize this as an attack, since the packets being sent look like random data.

Cons: if the target sends an error message in response, it could get dropped or blocked by a firewall. This will lead the attacker to believe that a closed port is really open, since no response was received.


Null scanning

NULL scan: all the packet flags are turned off. Two results:

Closed ports reply with RST.

Open or filtered ports give no response.


Types of Port Scans – (XMAS, FIN)

XMAS scan: the FIN, PSH and URG flags are set. Works like a NULL scan: a closed port responds with an RST packet.

NULL, XMAS and FIN scans don't work on Windows machines.


Nmap Scan Types

Scan type: description

TCP SYN: Send a SYN packet to each port and wait for an ACK.

TCP connect: Open a connection to each port.

FIN: Send a FIN packet and wait for a RST, which means the port is closed.

XMAS: Send a packet with the FIN, URG, and PUSH flags set and wait for a RST, which means the port is closed.

NULL: Send a packet with the FIN, URG, and PUSH flags set to zero and wait for a RST, which means the port is closed.

UDP: Send a 0-byte UDP packet to each port and wait for an ICMP port unreachable message.

IP Protocol: Send a raw IP packet without any additional protocol header and wait for an ICMP protocol unavailable message.

Idle scan: Uses a side channel to send a TCP port scan (i.e. a broadcast node).

ACK Scan: Send an ACK packet to the port and wait for an RST packet.

RPC scan: Floods all open TCP and UDP ports with null RPC packets to determine if it is an RPC port.


Laws regarding port scanning

Port scanning is NOT illegal.

Port scanning is analogous to ringing someone’s doorbell to see if they’re home.

Port scanning is considered illegal only if a crime is committed.

Rarely, a company may be able to press charges if they’re being scanned so frequently that it is affecting their network’s performance.


NMAP- Root privileges

Root privileges are needed to start services on a Unix/Linux system on a port between 1 and 1023 (these are reserved ports).

This is to give users the assurance that the service was started up by a system administrator and not any (malicious) user of the system.

Nevertheless, this does not protect against a vicious system administrator.


Nmap Usage

The simplest way to call Nmap is to provide just an IP address as a parameter:

nmap 193.61.29.168

Nmap will do a quick scan of the most popular ports and return a list of the ports it found and their state.

Keep in mind that the results returned by Nmap are not always 100% accurate, as the contacted machines may try to confuse or mislead port scanners.

The larger the number of router/gateway boundaries that need to be crossed, the less reliable the results returned by nmap.

Usage:

nmap [scan types] [options] <host or net …>


Nmap Scan Options

When we use the Nmap command line instead of the GUI, we need to pass options with the command to define the type of scan.

-sP: this option, also known as the “ping scanning” option, is for ascertaining which machines are up in a network.

Under this option, nmap sends out ICMP echo request packets to every IP address in a network. Hosts that respond are up.

ICMP echo requests are often blocked. To get around this, nmap can also send a TCP ACK packet to (by default) port 80. If the remote machine responds with an RST, then that machine is up.

Another possibility is to send the remote machine a SYN packet and wait for an RST or a SYN/ACK.

Page 49: PORT SCANNING CT1406 lab#5. Penetration testing  Penetration testing is a method of testing a network’s security by using various tools and techniques

Nmap Scan Options

-sV: this is also referred to as “Version Detection”.

After nmap figures out which TCP and/or UDP ports are open, it next tries to figure out what service is actually running at each of those ports.

A file called nmap-service-probes is used to determine the best probes for detecting various services.

In addition to determining the service protocol (http, ftp, ssh, telnet, etc.), nmap also tries to determine the application name (such as Apache httpd, ISC BIND, Solaris telnetd, etc.), the version number, etc.

Page 50: PORT SCANNING CT1406 lab#5. Penetration testing  Penetration testing is a method of testing a network’s security by using various tools and techniques

Nmap Scan Options

-sT: the “T” option carries out a TCP connect() scan.

-sU: this option sends a dataless UDP header to every port. As mentioned earlier in this section, the state of the port is inferred from the ICMP response packet (if there is such a response at all).

-sS: the “-sS” option carries out a SYN scan. To carry out a port scan of your own machine, you could try (called as root):

nmap -sS localhost

Page 51: PORT SCANNING CT1406 lab#5. Penetration testing  Penetration testing is a method of testing a network’s security by using various tools and techniques

Nmap Scan Options

You can limit the range of ports to scan with the “-p” option, as in the following call which will cause only the first 1024 ports to be scanned:

nmap -p 1-1024 -sT moonshine.ecn.purdue.edu

Page 52: PORT SCANNING CT1406 lab#5. Penetration testing  Penetration testing is a method of testing a network’s security by using various tools and techniques

Behavior of nmap

To change this behavior, the following sort of a call to nmap may produce richer results (at the cost of slowing down a scan):

nmap -sS -A -P0 moonshine.ecn.purdue.edu

The ’-P0’ option (the second character is a zero) tells nmap not to use ping in order to decide whether a machine is up.

Page 53: PORT SCANNING CT1406 lab#5. Penetration testing  Penetration testing is a method of testing a network’s security by using various tools and techniques

Lab session

In this lab you will: use Nmap to identify the computers that are on the network,

enumerate the ports on the computers that were located,

and then look at the network traffic generated by these actions.

You will then use Nmap to scan the ports stealthily and compare the method to the previous scan.

To observe service banners, Telnet will be used to obtain the banners from IP/port combinations obtained from Nmap scans.

Page 54: PORT SCANNING CT1406 lab#5. Penetration testing  Penetration testing is a method of testing a network’s security by using various tools and techniques

Lab steps

Step 1: Start the Windows 2008 Server and Windows 7 machines. Only log on to the Windows 7 machine.

Step 2: Start Wireshark.

Step 3: Use Nmap to scan the network.

Step 4: Analyze the output from Wireshark.

Step 5: Use Nmap to scan open TCP ports.

Step 6: Use Wireshark to analyze the scan.

Step 7: Use Nmap to do a stealth scan on the computer.

Step 8: Use Wireshark to analyze the scan.

Step 9: Use Nmap to enumerate the operating system of the target computer.

Step 10: Use Telnet to connect to the web server, FTP server, and SMTP server and read their banners.

Step 11: Log off from the Windows XP Professional PC.
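Steps 4, 6 and 8 analyse the scans in Wireshark; the following added example (not part of the lab material) does the same kind of analysis in code over a packet summary: it tells a completed handshake (a connect scan, or a normal client) from a half-open SYN scan by what the source sends after its SYN, flags the NULL/FIN/XMAS probes from the scan-type table, and counts distinct ports per source inside a time window. The capture, addresses and thresholds are constructed.

```python
"""Spot nmap-style port scans in a packet summary, as you would after
exporting the lab's Wireshark capture. Added example, not lab material;
the capture below is constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# TCP flag bits, RFC 793 order
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class Pkt(NamedTuple):
    ts: float    # seconds since the capture started
    src: str
    dst: str
    dport: int
    flags: int   # TCP flags set by src


# Flag combinations a real client never sends first: the stealth probes
STEALTH_PROBES = {0: "null", FIN: "fin", FIN | PSH | URG: "xmas"}


def max_ports_in_window(first_contacts: List[float], window: float) -> int:
    """Most distinct (dst, port) pairs first touched inside any `window` seconds."""
    times = sorted(first_contacts)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyse(packets: Iterable[Pkt], min_ports: int = 10,
            window: float = 60.0) -> Dict[str, dict]:
    """Per source address: distinct ports touched within `window` seconds, the
    probe kinds used, and whether that adds up to a port scan."""
    by_src: Dict[str, List[Pkt]] = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
    report = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts)
        kinds = set()
        first_seen: Dict[Tuple[str, int], float] = {}
        after_syn: Dict[Tuple[str, int], Optional[str]] = {}
        for p in pkts:
            key = (p.dst, p.dport)
            first_seen.setdefault(key, p.ts)
            if p.flags in STEALTH_PROBES:
                kinds.add(STEALTH_PROBES[p.flags])
            if p.flags == SYN:
                after_syn.setdefault(key, None)        # watch what src does next
            elif after_syn.get(key, "") is None:
                if p.flags & RST:
                    after_syn[key] = "half-open"       # SYN scan tears it down
                elif p.flags & ACK:
                    after_syn[key] = "full-handshake"  # connect scan or real client
        kinds.update(v for v in after_syn.values() if v)
        ports = max_ports_in_window(list(first_seen.values()), window)
        report[src] = {
            "ports": ports,
            "kinds": sorted(kinds),
            # many ports in a short time, or any stealth probe at all, is a scan
            "scan": ports >= min_ports or bool(kinds & set(STEALTH_PROBES.values())),
        }
    return report


SCANNER, TARGET, CLIENT = "10.0.0.4", "10.0.0.5", "10.0.0.7"   # constructed


def constructed_capture() -> List[Pkt]:
    """A SYN scan of 12 ports, one NULL and one XMAS probe, and one legitimate
    web connection, all constructed for the example."""
    pkts, t = [], 0.0
    for port in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389):
        pkts.append(Pkt(t, SCANNER, TARGET, port, SYN))
        pkts.append(Pkt(t + 0.001, TARGET, SCANNER, 40000, SYN | ACK))
        pkts.append(Pkt(t + 0.002, SCANNER, TARGET, port, RST))   # half-open
        t += 0.01
    pkts.append(Pkt(t, SCANNER, TARGET, 80, 0))                       # NULL probe
    pkts.append(Pkt(t + 0.01, SCANNER, TARGET, 80, FIN | PSH | URG))  # XMAS probe
    pkts += [Pkt(5.0, CLIENT, TARGET, 80, SYN),
             Pkt(5.001, TARGET, CLIENT, 51000, SYN | ACK),
             Pkt(5.002, CLIENT, TARGET, 80, ACK),
             Pkt(5.003, CLIENT, TARGET, 80, PSH | ACK)]
    return pkts


if __name__ == "__main__":
    for src, r in analyse(constructed_capture()).items():
        print(src, r)
```

The same logic applies to a real capture exported from Wireshark as one row per TCP packet with time, source, destination, destination port and flags.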