Presentation on theme: "PORT SCANNING CT1406 lab#5. Penetration testing Penetration testing is a method of testing a network’s security by using various tools and techniques."— Presentation transcript:
PORT SCANNING CT1406 lab#5
Penetration testing Penetration testing is a method of testing a network’s security by using various tools and techniques common to attackers. The methodology used is similar to that of an attacker: enumerate the network, assess vulnerabilities, research vulnerabilities for known exploits, and then use tools available to penetrate the network. A good penetration test should result in a report that explains the weaknesses found, lists them from most critical to least critical, and provides suggestions for improving the network’s security.
Network scan Enumerating a network to discover what machines are attached and operating is a useful task for both an intruder and a system administrator. The information gained from a network scan assists in the determination of the actual current layout. Several tools and techniques exist for both the Windows and Linux platforms to perform these tests. Once the devices and their open ports have been identified, a vulnerability scanner can be used.
The goal of Network scan One of the first tasks a hacker will carry out is to perform a scan of the network for hosts that are running. Once the user knows what hosts are accessible, he or she will then find a means to gather as much information about the hosts as possible. Once an attacker has identified the hosts, ports, and services that are available, he or she will want t identify the operating system that is running on the host. In addition to identifying the operating system, the attacker will want to gain more information about the services that are running on the target computer, such as the type of server and version (for example, Internet Information Services [IIS] version 6 or version 7). This information is contained in the service’s banner. The banner is usually sent after an initial connection is made. This information greatly improves the ability of the attacker to discover vulnerabilities and exploits.
Utilities for network scan Nmap is a popular scanning utility that is available for download from the Internet at no cost. It is a powerful tool that includes many functions. The Nmap utility can quickly and easily gather information about a network’s hosts, including their availability, their IP addresses, and their names. This is useful information not only for a network administrator, but for a hacker as well, prior to an attack. Popular port scanning programs include: Nmap, Netscan Tools, Superscan and Angry IP Scanner.
NMAP nmap stands for “network map”. This open-source scanner was developed by Fyodor (see ).http://insecure.org/ Nmap is available for Windows and Linux as a GUI and command-line program.It can do many types of scans and OS identification. nmap is actually more than just a port scanner. In addition to listing the open ports on a network, it also tries to construct an inventory of all the services running in a network. It also tries to detect as to which operating system is running on each machine, etc.
Why nmap An excellent tool Long history of development and support Continuous development and improvements “Industry Standard” port scanner
nmap features Host Discovery: Which host is alive? Identifying computers on a network, for example listing the computers which respond to pings (Ping Sweeps) Port Scanning : What services are available? Enumerating the open ports on one or more target computers Service and Version Detection : Which version is running? Determine the application name and version number OS Detection: What platforms are served? Remotely determining the OS and some hardware characteristics of network devices
Host Discovery Querying multiple hosts using this method is referred to as ping sweeps The most basic step in mapping out a network. Several Sweeps technique ICMP Sweeps Broadcast ICMP NON Echo ICMP TCP sweep UDP sweep
Host Discovery : ICMP Sweeps Technique sending an ICMP ECHO request (ICMP type 8) If an ICMP ECHO reply (ICMP type 0) is received : target is alive; No response: target is down Pros & Cons easy to implement fairly slow, easy to be blocked Scanner Target ICMP ECHO request ICMO ECHO reply Scanner Target a host is alive a host is down/filtered ICMP ECHO request No response
11 Host Discovery : ICMP Sweeps Ping sweeps Also called an ICMP sweep Used by attackers to determine the location of a host Attacker sends a series of ICMP echo request packets in a range of IP addresses Ping sweep alone does not cause harm ARP Probes Why ARP scan? When you use ICMP ping scan, the OS needs to send out ARP request to figure out the MAC address You are sending millions of ARP request.
Host Discovery : Broadcast ICMP Sending ICMP ECHO request to the network and/or broadcast addresses Windows ignored this Most routers blocked this
Host Discovery : Non-ECHO ICMP ICMP type 13 messages (TIMESTAMP), Query Current Time ICMP type 17 messages (ADDRESS MASK REQUEST) diskless systems to obtain its subnet mask at bootstrap time (RFC 792)
Host Discovery : TCP Sweeps Sending TCP ACK or TCK SYN packets The port number can be selected to avoid blocking by firewall Usually a good pick would be 21 / 22 / 23 / 25 / 80 But.. firewalls can spoof a RESET packet for an IP address, so TCP Sweeps may not be reliable.
Host Discovery : UDP Sweeps Relies on the ICMP PORT UNREACHABLE Assume the port is opened if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram Cons: Routers can drop UDP packets as they cross the Internet Many UDP services do not respond when correctly probed Firewalls are usually configured to drop UDP packets (except for DNS) UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message
nmap Host Discovery summary sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -PN: Treat all hosts as online -- skip host discovery -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -PO [protocol list]: IP Protocol Ping -n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers : Specify custom DNS servers --system-dns: Use OS's DNS resolver -sU: UDP Scan
Introduction to port scanning Ports to a computer are like windows or doors to a house Port scanning attacks are much like a burglar searching all the windows and doors of a house to look for unlocked entry ways If a window is left unlocked (like a port being “open” or not in use), it may be easy for the intruder to enter the house
Port states The main goal of port scanning is to ﬁnd out which ports are open, which are closed, and which are ﬁltered. Port scanning is about testing the states of ports on a (remote) machine. Open is the most interesting states, which means that there is an application listening on that port waiting for connections Port Scanning is one of the most popular among the reconnaissance techniques attackers use.
Example of port assignments
OPEN state a given port on your machine is open if you are running a server program on the machine and the port is assigned to the server. An application is actively accepting connections on this port. These are ports that attackers are looking for, as every open port is a potential entry point into the system. Administrators should try to keep the number of open ports to a minimum in order to decrease the risk of a successful attack. Obviously some ports will be open to provide certain services, but these ports should be protected in some way (e.g. a ﬁrewall, TCP wrappers, white lists of hosts thatmay connect).
Filtered State This state means that NMAP is not able to determine whether a port is open or not. what we mean is that the packets passing through that port are subject to the ﬁltering rules of a firewall or router rules. Sometimes the response is an error message or no reply at all.
Closed state A closed port is accessible, i.e. it receives and responds to probe packets, but there is no application listening on it. While not directly exploitable for an attack, they may still provide other useful information (e.g. that a host is online, about the operating system a host is running). If a port on a remote host is closed and your computer sends it a SYN packet, the remote host will respond back with a RST packet.
Review of TCP flags SYN - Initiates a connection ACK - Acknowledges received data FIN - Closes a connection RST - Aborts a connection in response to an error URG-is used to inform a receiving station that certain data within a segment is urgent and should be prioritized PSH- Used to force data delivery without waiting for buffers to fill.
24 Types of Port Scans -Normal TCP Handshake Client SYN Server Client SYN/ACKServer Client ACK Server After this, you are ready to send data
Port Scanning To determine what services are running or in a LISTENING Some well known types TCP Connect Scan TCP SYN scan Stealth scan FTP bounce scan
Port Scanning : TCP Connect Scan Use basic TCP connection establishment mechanism; complete 3-ways handshake Easily to detect by inspecting the system log Scanner Target SYN SYN/ACK ACK Scanner Target SYN RST/ACK a port is opened a port is closed
27 Port Scanning : TCP Connect Scan Connect scan Completes the three-way handshake Not stealthy--appears in log files Three states Closed Open Filtered
Port Scanning : TCP SYN scan Do not establish a complete connection (Half Open scanning) send a SYN packet and wait for a response If an SYN/ACK is received=> the port is LISTENING immediately tear down the connection by sending a RESET immediately tear down the connection by sending a RESET If an RST/ACK is received =>a non-LISTENING port. Scanner Target SYN SYN/ACK Scanner Target SYN RST/ACK a port is closed a port is opened RST
29 Port Scanning : TCP SYN scan Client SYN Server Client SYN/ACKServer Client RST Server The server is ready, but the client decided not to complete the handshake
30 Port Scanning : TCP SYN scan SYN scan Stealthy scan, because session handshakes are never completed That keeps it out of some log files Three states Closed Open Filtered
Port Scanning : Stealth Scan To gather information about target sites while avoiding detection Try to hide themselves among normal network traffic Not to be logged by logging mechanism (stealth) Techniques Flag Probe packets (Also called “ Inverse mapping ” ) Response is sent back only by closed port Response is sent back only by closed port By determining what services do not exist, an intruder can infer what service do exist By determining what services do not exist, an intruder can infer what service do exist Slow scans rate difficult to detect =>need long history log difficult to detect =>need long history log CERT reported this technique in CERT® Incident Note IN
Port Scanning : Stealth Mapping RFC793: to handle wrong state packets closed ports : reply with a RESET packet to wrong state packets opened ports : ignore any packet in question Technique A RST scan A FIN probe with the FIN TCP flag set An XMAS probe with : set FIN, URG, ACK, SYN, RST, PUSH flags set A NULL probe with no TCP flags set Scanner Target Probe packet No response Scanner Target RST/ACK a port is closed a port is opened Probe packet
Port Scanning : FTP Bounce scanning Connects to an FTP server, and establishes a control communication connection, ask the FTP server to initiate an active server data transfer process Rather slow Some FTP servers disable the “ Proxy ” feature, but there are still many who do not PORT 10,0,0,5,0,22 ( ) ( ) TCP SYN RST 425 Cannot build data connection Scanner FTP Target
How does NMAP work ? NMAP can scan TCP and UDP ports. we are going to restrict ourselves to TCP ports in this lab session. Popular services, such as http, are registered to a well-known port-number and NMAP has a file describing the most common protocols used on the internet. It identify the operating system that is running on the host. by using a technique called stack fingerprinting. Different operating systems implement TCP/IP in slightly different ways. Though subtle, the differentiation of these responses makes it possible to determine the operating system.
How does NMAP work ? The network traffic that is generated by Nmap can have distinct qualities. These qualities, such as the number of packets sent or the timing between packets, do not resemble the qualities of “normal” traffic. These qualities make up its signature. Nmap can be configured to hide its activity over time, attempting to mask its signature from being easily discovered.
Guide to Network Defense and Countermeasures, Second Edition 36
Different types of port scanning Simple port scanning Strobe port scanning Stealth port scanning SYN scanning FIN scanning Null scanning
Simple port scanning An attacker searches all ports looking for, and noting, all open ports Pros Attacker will see ALL available ports Cons Takes a long time to scan all 65,000+ ports Can be detected fairly easily, due to large number of ports being scanned Specific ports that are found to be open may not be useful to attack
Strobe port scanning An attacker selects a certain range of ports to check for open ports Pros Quicker than a full scan Already knows that all searched ports can lead to vulnerable access points Cons Does not give entire vulnerability profile of target Is somewhat easy for target to detect
Stealth port scanning An attacker searches only a few random ports at once over a long period of time (usually a day or more). Often jumping between different computers on a network. Pros Hard to detect because individual port scans, from the network’s point of view, appear to be accidental communication attempts Cons Takes a long time (usually a day or more)
FIN scanning Attackers send erroneous packets to ports and listen for a response. If a port is closed, the attacker will receive an error message. However TCP requires that an open port ignores the erroneous packet. Based on the response, the attacker can determine the state of the port. Pros It is difficult for the target’s computer to recognize this as an attack since the packets being send are random data Cons If the target sends an error message response, it could get dropped or blocked by a firewall. This will lead the attacker to believe that a closed port is really open since it did not receive a response.
42 Null scanning NULL scan All the packet flags are turned off Two results: Closed ports reply with RST Open or filtered ports give no response
43 Types of Port Scans – (XMAS, FIN) XMAS scan FIN, PSH and URG flags are set Works like a NULL scan – a closed port responds with an RST packet NULL, XMAS and FIN scans don't work on Windows machines
Nmap Scan Types Scan TypeDescription TCP SYNSend a SYN packet to each port and wait for an ACK TCP connectOpen a connection to each port. FINSend a FIN packet and wait for a RST, which means the port is closed. XMASSend a packet with the FIN, URG, and PUSH flags set and wait for a RST, which means the port is closed NULLSend a packet with the FIN, URG, and PUSH flags set to zero and wait for a RST, which means the port is closed. UDPSend a 0 byte UDP packet to each port and wait for an ICMP port unreachable message. IP ProtocolSend a raw IP protocol header packet without any protocol headers and wait for an ICMP protocol unavailable message. Idle scanUses a side channel to send a TCP port scan. (I.E. Broadcast node) ACK ScanSend an ACK packet to the port and wait for and RST packet. RPC scanFloods all open TCP and UDP ports with null RPC packets to determine if it is an RPC port.
Laws regarding port scanning Port scanning is NOT illegal Port scanning is analogous to ringing someone’s doorbell to see if they’re home Port scanning is considered illegal only if a crime is committed Rarely a company may be able to press charges if they’re being scanned so frequently that it is affecting their network’s performance
NMAP- Root privileges Root privileges are needed to start services on a Unix/Linux system on a port between 1 and 1023 (these are reserved ports). This is to give users the assurance that the service was started up by a system administrator and not any (malicious) user of the system. Nevertheless, this does not protect against a vicious system administrator.
Nmap Usage The simplest way to call NMAP is to provide just an IP address as a parameter: Nmap NMAP will do a quick scan of the most popular ports and return with a list of ports it found and their state. Keep in mind that the results by NMAP are not always 100% accurate, as the contacted machines may try to confuse or mislead port scanners The larger the number of router/gateway boundaries that need to be crossed, the less reliable the results returned by nmap. Usage: nmap [scan types] [options] nmap [scan types] [options]
Nmap Scan Options
When we use the command line in the Nmap tool instead of GUI, we need some option which listed with the command to define the type of scan methods. -sP This option, also known as the “ping scanning” option, is for ascertaining as to which machines are up in a network. Under this option, nmap sends out ICMP echo request packets to every IP address in a network. Hosts that respond are up To get around this, nmap can also send a TCP ACK packet to (by default) port 80. If the remote machine responds with a RST back, then that machine is up. Another possibility is to send the remote machine a SYN packet and waiting for a RST or a SYN/ACK.
Nmap Scan Options -sV This is also referred to as “Version Detection”. After nmap ﬁgures out which TCP and/or UDP ports are open, it next tries to ﬁgure out what service is actually running at each of those ports. A ﬁle called nmap-services-probes is used to determine the best probes for detecting various services. In addition to determine the service protocol (http, ftp, ssh, telnet, etc.), nmap also tries to determine the application name (such as Apache httpd, ISC bind, Solaris telnetd, etc.), version number, etc
Nmap Scan Options -sT : “T” option carries out a TCP connect() scan -sU : This option sends a dataless UDP header to every port. As mentioned earlier in this section, the state of the port is inferred from the ICMP response packet (if there is such a response at all). -sS : To carry out a port scan of your own machine, you could try (called as root) nmap -sS localhost The “-sS” option carries out a SYN scan
Nmap Scan Options You can limit the range of ports to scan with the “- p” option, as in the following call which will cause only the ﬁrst 1024 ports to be scanned: nmap -p sT moonshine.ecn.purdue.edu
Behavior of nmap To change this behavior, the following sort of a call to nmap may produce richer results (at the cost of slowing down a scan): nmap -sS -A -P0 moonshine.ecn.purdue.edu The ’-P0’ option (the second letter is ’zero’) tells nmap to not use ping in order to decide whether a machine is up.
Lab session In this lab you will: use Nmap to identify the computers that are on the network, enumerate the ports on the computers that were located, and then look at the network traffic generated by these actions. You will then use Nmap to scan the ports stealthily and compare the method to the previous scan. To observe service banners, Telnet will be used to obtain the banners from IP/port combinations obtained from Nmap scans.
Lap steps Step 1: Start the Windows 2008 Server and Windows 7 machines. Only log on to the Windows 7 machine. Step 2: Start Wireshark. Step 3: Use Nmap to scan the network. Step 4: Analyze the output from Wireshark. Step 5: Use Nmap to scan open TCP ports. Step 6: Use Wireshark to analyze the scan. Step 7: Use Nmap to do a stealth scan on the computer. Step 8: Use Wireshark to analyze the scan. Step 9: Use Nmap to enumerate the operating system of the target computer. Step 10: Use Telnet to connect to the web server, FTP server, and SMTP banner. Step 11: Log off from the Windows XP Professional PC.