Scanning CS391
Overview The TCP protocol: quick overview Scanning Fingerprinting OS Detection.
The TCP Protocol Transmission Control Protocol (the transport layer of the Internet). Connection oriented. Reliable. Point-to-point Flow control
TCP Overview application transport network data link physical application transport network data link physical network data link physical network data link physical network data link physical network data link physical network data link physical logical end-end transport
TCP Header
Flags FlagDescription URG The value of the urgent pointer field is valid. ACK The value of the acknowledgment field is valid. PSH Push the data. RST The connection must be reset. SYN Synchronize sequence numbers during connection. FIN Terminate the connection.
Connection Establsihment
Some Well Known Ports PortProtocolDescription 7Echo Echoes a received datagram back to the sender 9Discard Discards any datagram that is received 11Users Active users 13Daytime Returns the date and the time 17Quote Returns a quote of the day 19Chargen Returns a string of characters 20 FTP, Data File Transfer Protocol (data connection) 21 FTP, Control File Transfer Protocol (control connection) 23TELNET Terminal Network 25SMTP Simple Mail Transfer Protocol 53DNS Domain Name Server 67BOOTP Bootstrap Protocol 79FingerFinger 80HTTP Hypertext Transfer Protocol 111RPC Remote Procedure Call
Scanning Objectives: Determining if the system is alive. Determining if the system is alive. Determining which services are running or listening. Determining which services are running or listening. Detecting the operating system. Detecting the operating system.
System Alive? The major technique is to use ping sweeps or similar techniques. Tools such as fping or supersacn may be used.
What processes are running or listening? Identify both TCP and UDP services running on the target system. Identify applications or versions of services running.
Scan types TCP connection. TCP SYN scan. TCP FIN scan. TCP NULL scan. TCP ACK scans.
tools Netcat. Strobe. Nmap. Superscan
Detecting OS The major technique is known as stack fingerprinting. The general idea is to send packets to the target and analyze the reply. Operating systems differ in their implementation of TCP/IP protocol stack.
Examples FIN probe: OS’s differ in their response to a FIN packet. TCP initial window size: unique for some implementations.
Tools NMAP
inetnum: netname: NESMA descr: National Engineering Services descr: and Marketing Company Ltd. (NESMA) country: SA admin-c: NAR12-RIPENAR12-RIPE tech-c: NTR2-RIPENTR2-RIPE status: ASSIGNED PA mnt-by: NESMA-MNTNESMA-MNT source: RIPE # Filtered person: NESMA ADMIN RIPE address: National Engineering Services and Marketing Company Ltd. address: NESMA - Internet Services address: P.O. Box , Riyadh KSA phone: fax-no: nic-hdl: NAR12-RIPE source: RIPE # Filtered person: NESMA Tech RIPE address: National Engineering Services and Marketing Company Ltd. address: NESMA - Internet Services address: P.O. Box , Riyadh KSA phone: fax-no: nic-hdl: NTR2-RIPE source: RIPE # Filtered % Information related to ' /19AS24731' route: /19 descr: National Engineering Services and Marketing Company Ltd. origin: AS24731AS24731 mnt-by: NESMA-MNTNESMA-MNT source: RIPE # Filtered
Banner Grabbing $ nc HEAD / HTTP/1.0 HTTP/ OK Date: Mon, 16 Jun :53:29 GMT Server: Apache/1.3.3 (Unix) (Red Hat/Linux) Last-Modified: Wed, 07 Oct :18:14 GMT ETag: " b-361b4df6" Accept-Ranges: bytes Content-Length: 1179 Connection: close Content-Type: text/html $
Banner Grabbing HTTP/ OK Server: Microsoft-IIS/5.0 Expires: Tue, 17 Jun :41:33 GMT Date: Mon, 16 Jun :41:33 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Wed, 28 May :32:21 GMT ETag: "b0aac0542e25c31:89d" Content-Length: 7369