Presentation is loading. Please wait.

Presentation is loading. Please wait.

Port Scanning CT1406 lab#5.

Similar presentations

Presentation on theme: "Port Scanning CT1406 lab#5."— Presentation transcript:

1 Port Scanning CT1406 lab#5

2 Penetration testing Penetration testing is a method of testing a network’s security by using various tools and techniques common to attackers. The methodology used is similar to that of an attacker: enumerate the network, assess vulnerabilities, research vulnerabilities for known exploits, and then use tools available to penetrate the network. A good penetration test should result in a report that explains the weaknesses found, lists them from most critical to least critical, and provides suggestions for improving the network’s security.

3 Network scan Enumerating a network to discover what machines are attached and operating is a useful task for both an intruder and a system administrator. The information gained from a network scan assists in the determination of the actual current layout. Several tools and techniques exist for both the Windows and Linux platforms to perform these tests. Once the devices and their open ports have been identified, a vulnerability scanner can be used.

4 The goal of Network scan
One of the first tasks a hacker will carry out is to perform a scan of the network for hosts that are running. Once the user knows what hosts are accessible, he or she will then find a means to gather as much information about the hosts as possible. Once an attacker has identified the hosts, ports, and services that are available, he or she will want t identify the operating system that is running on the host. In addition to identifying the operating system, the attacker will want to gain more information about the services that are running on the target computer, such as the type of server and version (for example, Internet Information Services [IIS] version 6 or version 7). This information is contained in the service’s banner. The banner is usually sent after an initial connection is made. This information greatly improves the ability of the attacker to discover vulnerabilities and exploits.

5 Utilities for network scan
Nmap is a popular scanning utility that is available for download from the Internet at no cost. It is a powerful tool that includes many functions. The Nmap utility can quickly and easily gather information about a network’s hosts, including their availability, their IP addresses, and their names. This is useful information not only for a network administrator, but for a hacker as well, prior to an attack. Popular port scanning programs include: Nmap, Netscan Tools, Superscan and Angry IP Scanner.

6 NMAP nmap stands for “network map”.
This open-source scanner was developed by Fyodor (see ). Nmap is available for Windows and Linux as a GUI and command-line program.It can do many types of scans and OS identification. nmap is actually more than just a port scanner. In addition to listing the open ports on a network, it also tries to construct an inventory of all the services running in a network. It also tries to detect as to which operating system is running on each machine, etc.

7 Why nmap An excellent tool Long history of development and support
Continuous development and improvements “Industry Standard” port scanner

8 nmap features Host Discovery: Which host is alive?
Identifying computers on a network, for example listing the computers which respond to pings (Ping Sweeps) Port Scanning : What services are available? Enumerating the open ports on one or more target computers Service and Version Detection : Which version is running? Determine the application name and version number OS Detection: What platforms are served? Remotely determining the OS and some hardware characteristics of network devices

9 Host Discovery Querying multiple hosts using this method is referred to as ping sweeps The most basic step in mapping out a network. Several Sweeps technique ICMP Sweeps Broadcast ICMP NON Echo ICMP TCP sweep UDP sweep

10 Host Discovery : ICMP Sweeps
Technique sending an ICMP ECHO request (ICMP type 8) If an ICMP ECHO reply (ICMP type 0) is received : target is alive; No response: target is down Pros & Cons easy to implement fairly slow, easy to be blocked Scanner ICMP ECHO request ICMO ECHO reply Target a host is alive Scanner ICMP ECHO request No response a host is down/filtered Target

11 Host Discovery : ICMP Sweeps
Ping sweeps Also called an ICMP sweep Used by attackers to determine the location of a host Attacker sends a series of ICMP echo request packets in a range of IP addresses Ping sweep alone does not cause harm ARP Probes Why ARP scan? When you use ICMP ping scan, the OS needs to send out ARP request to figure out the MAC address You are sending millions of ARP request.

12 Host Discovery : Broadcast ICMP
Sending ICMP ECHO request to the network and/or broadcast addresses Windows ignored this Most routers blocked this

13 Host Discovery : Non-ECHO ICMP
ICMP type 13 messages (TIMESTAMP), Query Current Time ICMP type 17 messages (ADDRESS MASK REQUEST) diskless systems to obtain its subnet mask at bootstrap time (RFC 792)

14 Host Discovery : TCP Sweeps
Sending TCP ACK or TCK SYN packets The port number can be selected to avoid blocking by firewall Usually a good pick would be 21 / 22 / 23 / 25 / 80 But.. firewalls can spoof a RESET packet for an IP address, so TCP Sweeps may not be reliable.

15 Host Discovery : UDP Sweeps
Relies on the ICMP PORT UNREACHABLE Assume the port is opened if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram Cons: Routers can drop UDP packets as they cross the Internet Many UDP services do not respond when correctly probed Firewalls are usually configured to drop UDP packets (except for DNS) UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message

16 nmap Host Discovery summary
sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -PN: Treat all hosts as online -- skip host discovery -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -PO [protocol list]: IP Protocol Ping -n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver -sU: UDP Scan

17 Introduction to port scanning
Ports to a computer are like windows or doors to a house Port scanning attacks are much like a burglar searching all the windows and doors of a house to look for unlocked entry ways If a window is left unlocked (like a port being “open” or not in use), it may be easy for the intruder to enter the house

18 Port states The main goal of port scanning is to find out which ports are open, which are closed, and which are filtered. Port scanning is about testing the states of ports on a (remote) machine. Open is the most interesting states, which means that there is an application listening on that port waiting for connections Port Scanning is one of the most popular among the reconnaissance techniques attackers use.

19 Example of port assignments

20 OPEN state a given port on your machine is open if you are running a server program on the machine and the port is assigned to the server. An application is actively accepting connections on this port. These are ports that attackers are looking for, as every open port is a potential entry point into the system. Administrators should try to keep the number of open ports to a minimum in order to decrease the risk of a successful attack. Obviously some ports will be open to provide certain services, but these ports should be protected in some way (e.g. a firewall, TCP wrappers, white lists of hosts thatmay connect).

21 Filtered State This state means that NMAP is not able to determine whether a port is open or not. what we mean is that the packets passing through that port are subject to the filtering rules of a firewall or router rules. Sometimes the response is an error message or no reply at all.

22 Closed state A closed port is accessible, i.e. it receives and responds to probe packets, but there is no application listening on it. While not directly exploitable for an attack, they may still provide other useful information (e.g. that a host is online, about the operating system a host is running). If a port on a remote host is closed and your computer sends it a SYN packet, the remote host will respond back with a RST packet .

23 Review of TCP flags SYN - Initiates a connection
ACK - Acknowledges received data FIN - Closes a connection RST - Aborts a connection in response to an error URG-is used to inform a receiving station that certain data within a segment is urgent and should be prioritized PSH- Used to force data delivery without waiting for buffers to fill.

24 Types of Port Scans -Normal TCP Handshake
Client SYN  Server Client  SYN/ACK Server Client ACK  Server After this, you are ready to send data

25 Port Scanning To determine what services are running or in a LISTENING
Some well known types TCP Connect Scan TCP SYN scan Stealth scan FTP bounce scan

26 Port Scanning : TCP Connect Scan
Use basic TCP connection establishment mechanism; complete 3-ways handshake Easily to detect by inspecting the system log Scanner SYN SYN/ACK ACK Target a port is opened Scanner SYN RST/ACK Target a port is closed

27 Port Scanning : TCP Connect Scan
Completes the three-way handshake Not stealthy--appears in log files Three states Closed Open Filtered

28 Port Scanning : TCP SYN scan
Do not establish a complete connection (Half Open scanning) send a SYN packet and wait for a response If an SYN/ACK is received=> the port is LISTENING immediately tear down the connection by sending a RESET If an RST/ACK is received =>a non-LISTENING port. Scanner SYN SYN/ACK RST Target a port is opened Scanner SYN RST/ACK Target a port is closed

29 Port Scanning : TCP SYN scan
Client SYN  Server Client  SYN/ACK Server Client RST  Server The server is ready, but the client decided not to complete the handshake

30 Port Scanning : TCP SYN scan
Stealthy scan, because session handshakes are never completed That keeps it out of some log files Three states Closed Open Filtered

31 Port Scanning : Stealth Scan
To gather information about target sites while avoiding detection Try to hide themselves among normal network traffic Not to be logged by logging mechanism (stealth) Techniques Flag Probe packets (Also called “Inverse mapping”) Response is sent back only by closed port By determining what services do not exist, an intruder can infer what service do exist Slow scans rate difficult to detect =>need long history log CERT reported this technique in CERT® Incident Note IN-98.04

32 Port Scanning : Stealth Mapping
RFC793: to handle wrong state packets closed ports : reply with a RESET packet to wrong state packets opened ports : ignore any packet in question Technique A RST scan A FIN probe with the FIN TCP flag set An XMAS probe with : set FIN, URG, ACK, SYN, RST, PUSH flags set A NULL probe with no TCP flags set Scanner Probe packet No response a port is opened Target Scanner Probe packet RST/ACK a port is closed Target

33 Port Scanning : FTP Bounce scanning
Connects to an FTP server, and establishes a control communication connection, ask the FTP server to initiate an active server data transfer process Rather slow Some FTP servers disable the “Proxy” feature, but there are still many who do not PORT 10,0,0,5,0,22 ( ) ( ) TCP SYN RST 425 Cannot build data connection Scanner FTP Target

34 How does NMAP work ? NMAP can scan TCP and UDP ports.
we are going to restrict ourselves to TCP ports in this lab session. Popular services, such as http, are registered to a well-known port-number and NMAP has a file describing the most common protocols used on the internet. It identify the operating system that is running on the host. by using a technique called stack fingerprinting. Different operating systems implement TCP/IP in slightly different ways. Though subtle, the differentiation of these responses makes it possible to determine the operating system.

35 How does NMAP work ? The network traffic that is generated by Nmap can have distinct qualities. These qualities, such as the number of packets sent or the timing between packets, do not resemble the qualities of “normal” traffic. These qualities make up its signature. Nmap can be configured to hide its activity over time, attempting to mask its signature from being easily discovered.

36 Guide to Network Defense and Countermeasures, Second Edition

37 Different types of port scanning
Simple port scanning Strobe port scanning Stealth port scanning SYN scanning FIN scanning Null scanning

38 Simple port scanning An attacker searches all ports looking for, and noting, all open ports Pros Attacker will see ALL available ports Cons Takes a long time to scan all 65,000+ ports Can be detected fairly easily, due to large number of ports being scanned Specific ports that are found to be open may not be useful to attack

39 Strobe port scanning An attacker selects a certain range of ports to check for open ports Pros Quicker than a full scan Already knows that all searched ports can lead to vulnerable access points Cons Does not give entire vulnerability profile of target Is somewhat easy for target to detect

40 Stealth port scanning An attacker searches only a few random ports at once over a long period of time (usually a day or more). Often jumping between different computers on a network. Pros Hard to detect because individual port scans, from the network’s point of view, appear to be accidental communication attempts Cons Takes a long time (usually a day or more)

41 FIN scanning Attackers send erroneous packets to ports and listen for a response. If a port is closed, the attacker will receive an error message. However TCP requires that an open port ignores the erroneous packet. Based on the response, the attacker can determine the state of the port. Pros It is difficult for the target’s computer to recognize this as an attack since the packets being send are random data Cons If the target sends an error message response, it could get dropped or blocked by a firewall. This will lead the attacker to believe that a closed port is really open since it did not receive a response.

42 Null scanning NULL scan All the packet flags are turned off
Two results: Closed ports reply with RST Open or filtered ports give no response

43 Types of Port Scans – (XMAS, FIN)
XMAS scan FIN, PSH and URG flags are set Works like a NULL scan – a closed port responds with an RST packet NULL, XMAS and FIN scans don't work on Windows machines

44 Nmap Scan Types Scan Type Description TCP SYN
Send a SYN packet to each port and wait for an ACK TCP connect Open a connection to each port. FIN Send a FIN packet and wait for a RST, which means the port is closed. XMAS Send a packet with the FIN, URG, and PUSH flags set and wait for a RST, which means the port is closed NULL Send a packet with the FIN, URG, and PUSH flags set to zero and wait for a RST, which means the port is closed. UDP Send a 0 byte UDP packet to each port and wait for an ICMP port unreachable message. IP Protocol Send a raw IP protocol header packet without any protocol headers and wait for an ICMP protocol unavailable message. Idle scan Uses a side channel to send a TCP port scan. (I.E. Broadcast node) ACK Scan Send an ACK packet to the port and wait for and RST packet. RPC scan Floods all open TCP and UDP ports with null RPC packets to determine if it is an RPC port.

45 Laws regarding port scanning
Port scanning is NOT illegal Port scanning is analogous to ringing someone’s doorbell to see if they’re home Port scanning is considered illegal only if a crime is committed Rarely a company may be able to press charges if they’re being scanned so frequently that it is affecting their network’s performance

46 NMAP- Root privileges Root privileges are needed to start services on a Unix/Linux system on a port between 1 and (these are reserved ports). This is to give users the assurance that the service was started up by a system administrator and not any (malicious) user of the system. Nevertheless, this does not protect against a vicious system administrator.

47 Nmap Usage nmap [scan types] [options] <host or net …> Usage:
The simplest way to call NMAP is to provide just an IP address as a parameter: Nmap NMAP will do a quick scan of the most popular ports and return with a list of ports it found and their state. Keep in mind that the results by NMAP are not always 100% accurate, as the contacted machines may try to confuse or mislead port scanners The larger the number of router/gateway boundaries that need to be crossed, the less reliable the results returned by nmap. Usage: nmap [scan types] [options] <host or net …>

48 Nmap Scan Options

49 Nmap Scan Options When we use the command line in the Nmap tool instead of GUI, we need some option which listed with the command to define the type of scan methods. -sP This option, also known as the “ping scanning” option, is for ascertaining as to which machines are up in a network. Under this option, nmap sends out ICMP echo request packets to every IP address in a network. Hosts that respond are up To get around this, nmap can also send a TCP ACK packet to (by default) port 80. If the remote machine responds with a RST back, then that machine is up. Another possibility is to send the remote machine a SYN packet and waiting for a RST or a SYN/ACK.

50 Nmap Scan Options -sV This is also referred to as “Version Detection”.
After nmap figures out which TCP and/or UDP ports are open, it next tries to figure out what service is actually running at each of those ports. A file called nmap-services-probes is used to determine the best probes for detecting various services. In addition to determine the service protocol (http, ftp, ssh, telnet, etc.), nmap also tries to determine the application name (such as Apache httpd, ISC bind, Solaris telnetd, etc.), version number, etc

51 Nmap Scan Options -sT : “T” option carries out a TCP connect() scan
-sU : This option sends a dataless UDP header to every port. As mentioned earlier in this section, the state of the port is inferred from the ICMP response packet (if there is such a response at all). -sS : To carry out a port scan of your own machine, you could try (called as root) nmap -sS localhost The “-sS” option carries out a SYN scan

52 nmap -p 1-1024 -sT
Nmap Scan Options You can limit the range of ports to scan with the “- p” option, as in the following call which will cause only the first 1024 ports to be scanned: nmap -p sT

53 Behavior of nmap To change this behavior, the following sort of a call to nmap may produce richer results (at the cost of slowing down a scan): nmap -sS -A -P0 The ’-P0’ option (the second letter is ’zero’) tells nmap to not use ping in order to decide whether a machine is up.

54 Lab session In this lab you will:
use Nmap to identify the computers that are on the network, enumerate the ports on the computers that were located, and then look at the network traffic generated by these actions. You will then use Nmap to scan the ports stealthily and compare the method to the previous scan. To observe service banners, Telnet will be used to obtain the banners from IP/port combinations obtained from Nmap scans.

55 Lap steps Step 1: Start the Windows 2008 Server and Windows 7 machines. Only log on to the Windows 7 machine. Step 2: Start Wireshark. Step 3: Use Nmap to scan the network. Step 4: Analyze the output from Wireshark. Step 5: Use Nmap to scan open TCP ports. Step 6: Use Wireshark to analyze the scan. Step 7: Use Nmap to do a stealth scan on the computer. Step 8: Use Wireshark to analyze the scan. Step 9: Use Nmap to enumerate the operating system of the target computer. Step 10: Use Telnet to connect to the web server, FTP server, and SMTP banner. Step 11: Log off from the Windows XP Professional PC.

56 References
nmap.html lab/port_scanning.html explanation-tcp-syn-ss.html

Download ppt "Port Scanning CT1406 lab#5."

Similar presentations

Ads by Google