Presentation is loading. Please wait.

Presentation is loading. Please wait.

IP Network Scanning.

Published byKolton Holroyd Modified over 9 years ago

Similar presentations

Presentation on theme: "IP Network Scanning."— Presentation transcript:

1 IP Network Scanning

2 What is IP network scanning? Example Tool Scanning types
Outline What is IP network scanning? Concepts, motivation Example Tool nmap Scanning types Host discovery port scanning Version detection OS detection

3 What is Scanning? Method to gather information regarding the devices running on the network Typically to discover services or servers on a network Which hosts are up? Which services are offering? Do not confuse with “host vulnerability scanner” which further explore a computer by testing for common vulnerabilities (nessus, SAINT)

4 Why Scanning? Network Security assessment
Evaluation and Auditing the security Firewall Penetration Test (Policy auditing) IDS proof/evaluation Identifying unexpected new servers Identifying open ports for proactively protect the network (Network and security admin) attacking it (Hackers)

5 nmap [scan types] [options] <host or net …>
A well known and free security scanner written by Fyodor ( First released Sept 1, 1997 in Phrack 51 “The Art of Port Scanning” ( Many updates since then: OS Detection ( Version scanning ARP Scanning Version 5.00 as of this doc Usage: nmap [scan types] [options] <host or net …>

6 Why nmap An excellent tool Long history of development and support
Continuous development and improvements “Industry Standard” port scanner

7 nmap features Host Discovery: Which host is alive?
Identifying computers on a network, for example listing the computers which respond to pings (Ping Sweeps) Port Scanning : What services are available? Enumerating the open ports on one or more target computers Service and Version Detection : Which version is running? Determine the application name and version number OS Detection: What platforms are served? Remotely determining the OS and some hardware characteristics of network devices

8 Host Discovery Querying multiple hosts using this method is referred to as ping sweeps The most basic step in mapping out a network. Several Sweeps technique ICMP Sweeps Broadcast ICMP NON Echo ICMP TCP sweep UDP sweep

9 Host Discovery : ICMP Sweeps
Technique sending an ICMP ECHO request (ICMP type 8) If an ICMP ECHO reply (ICMP type 0) is received : target is alive; No response: target is down Pros & Cons easy to implement fairly slow, easy to be blocked Scanner ICMP ECHO request ICMO ECHO reply Target a host is alive Scanner ICMP ECHO request No response a host is down/filtered Target

10 Host Discovery : Broadcast ICMP
Sending ICMP ECHO request to the network and/or broadcast addresses Windows ignored this Most routers blocked this

11 Host Discovery : Non-ECHO ICMP
ICMP type 13 messages (TIMESTAMP), Query Current Time ICMP type 17 messages (ADDRESS MASK REQUEST) diskless systems to obtain its subnet mask at bootstrap time (RFC 792)

12 Host Discovery : TCP Sweeps
Sending TCP ACK or TCK SYN packets The port number can be selected to avoid blocking by firewall Usually a good pick would be 21 / 22 / 23 / 25 / 80 But.. firewalls can spoof a RESET packet for an IP address, so TCP Sweeps may not be reliable.

13 Host Discovery : UDP Sweeps
Relies on the ICMP PORT UNREACHABLE Assume the port is opened if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram Cons: Routers can drop UDP packets as they cross the Internet Many UDP services do not respond when correctly probed Firewalls are usually configured to drop UDP packets (except for DNS) UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message

14 nmap Host Discovery summary
sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -PN: Treat all hosts as online -- skip host discovery -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -PO [protocol list]: IP Protocol Ping -n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver -sU: UDP Scan

15 Port Scanning To determine what services are running or in a LISTENING
Some well known types TCP Connect Scan TCP SYN scan Stealth scan FTP bounce scan

16 Port Scanning : TCP Connect Scan
Use basic TCP connection establishment mechanism; complete 3-ways handshake Easily to detect by inspecting the system log Scanner SYN SYN/ACK ACK Target a port is opened Scanner SYN RST/ACK Target a port is closed

17 Port Scanning : TCP SYN scan
Do not establish a complete connection (Half Open scanning) send a SYN packet and wait for a response If an SYN/ACK is received=> the port is LISTENING immediately tear down the connection by sending a RESET If an RST/ACK is received =>a non-LISTENING port. Scanner SYN SYN/ACK RST Target a port is opened Scanner SYN RST/ACK Target a port is closed

18 Port Scanning : Stealth Scan
To gather information about target sites while avoiding detection Try to hide themselves among normal network traffic Not to be logged by logging mechanism (stealth) Techniques Flag Probe packets (Also called “Inverse mapping”) Response is sent back only by closed port By determining what services do not exist, an intruder can infer what service do exist Slow scans rate difficult to detect =>need long history log CERT reported this technique in CERT® Incident Note IN-98.04

19 Port Scanning : Stealth Mapping
RFC793: to handle wrong state packets closed ports : reply with a RESET packet to wrong state packets opened ports : ignore any packet in question Technique A RST scan A FIN probe with the FIN TCP flag set An XMAS probe with : set FIN, URG, ACK, SYN, RST, PUSH flags set A NULL probe with no TCP flags set Scanner Probe packet No response a port is opened Target Scanner Probe packet RST/ACK a port is closed Target

20 Port Scanning : FTP Bounce scanning
Connects to an FTP server, and establishes a control communication connection, ask the FTP server to initiate an active server data transfer process Rather slow Some FTP servers disable the “Proxy” feature, but there are still many who do not PORT 10,0,0,5,0,22 ( ) ( ) TCP SYN RST 425 Cannot build data connection Scanner FTP Target

21 Port Scanning with nmap
SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sN/sF/sX: TCP Null, FIN, and Xmas scans -b <FTP relay host>: FTP bounce scan PORT SPECIFICATION AND SCAN ORDER: -p <port ranges>: Only scan specified ports Ex: -p22; -p ; -p U:53,111,137,T:21-25,80,139,8080 -F: Fast mode - Scan fewer ports than the default scan -r: Scan ports consecutively - don't randomize --top-ports <number>: Scan <number> most common ports --port-ratio <ratio>: Scan ports more common than <ratio>

22 Services and Versions Detection
The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses

23 Operating System Detection
Banner, DNS HINFO and … TCP/IP fingerprinting (IP stack implementation will response differently) FIN probe, Bogus Flag probe TCP initial sequence number sampling, TCP initial window, ACK value ICMP error quenching, message quoting, ICMP echo integrity IP: DF, TOS, Fragmentation

24 OS Detection : Examples
ACK : sending FIN|PSH|URG to a closed port most OS : ACK with the same sequence number Windows: ACK with sequence number+1 Type of Service: Probing with an ICMP_PORT_UNREACHABLE message most OS : TOS = 0 Linux : TOS= 0xC0

25 Version and OS Detection with nmap
SERVICE/VERSION DETECTION: -sV: Probe open ports to determine service/version info --version-intensity <level>: Set from 0 (light) to 9 (try all probes) --version-light: Limit to most likely probes (intensity 2) --version-all: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (for debugging) OS DETECTION:   -O: Enable OS detection   --osscan-limit: Limit OS detection to promising targets   --osscan-guess: Guess OS more aggressively

26 Port Scanning Detection
For Administrators to detect scanning Logs suspicious packets Identifies connections not properly terminated Records ports usage

27 Port Scanning Detection
For hacker to dodge from detection Randomize the sequence of ports to prevent detection Slow scan: exceed the site detection threshold in IDS, 2 packets/day/site! Decoy: spoofed address in attack Coordinated Scans: multiple scanners probe the same host or network

Download ppt "IP Network Scanning."

Similar presentations

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
Port Scanning CT1406 lab#5.

Port Scanning CT1406 lab#5.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Scanning slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz.

Scanning slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Description “Nmap stands for Network Mapper. Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing.

Description “Nmap stands for "Network Mapper". Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing.
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.

Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.

Similar presentations

Ads by Google