Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia
Objectives Discuss scanning and how it is accomplished Identify resources that can be used in scanning Demonstrate how to use scanning tools on Linux to scan remote targets. 2
What is Scanning? 3 Step after footprinting Referred to as port scanning, service scanning, or network scanning Process of scanning a range of IP addresses in order to determine what services/programs are running on networked computers Typically performed using scanning tools like Command line utilities like Fping, Hping, nmap, tcpdump, etc GUI scanners 1. Footprinting 2. Scanning 3. Enumeration 4. Attack Searching vulnerabilities
Types of Port scanning 4 SYN scan—In normal TCP session, first the client sends the server a TCP packet with the SYN flag set. The server responds to this with a packet having both SYN and ACK flags set, acknowledging the SYN. The client then replies with an ACK of its own, completing the connection. With SYN scan the 3-way handshaking is not completed; which means the target never log the “transaction”. After all you don’t want the log to show your IP address. FIN scan—In this scan, a TCP packet with the FIN flag set is sent to the target computer to “see” how it react. Normally, a TCP packet with the FIN flag set is sent to a client when the server is ready to terminate the connection. The client responds with an ACK which acknowledges the disconnect. NULLscan—In a NULL scan, all the packet flags are turned off, that means none of the RST (reset), FIN, SYN, or ACK flags is set. If the ports of the target are closed, the target responds with a TCP RST packet. If the ports are open, the target sends no reply, effectively noting that port number as an open port to the user. ACK scan—A TCP packet with the ACK flag set. Scans of the TCP ACK type are used to identify Web sites that are active, which are normally set not to respond to ICMP pings. Active Web sites respond to the TCP ACK with a TCP RST, giving the user confirmation of the status of a site. TCP Connect scan—The “three-way handshake” process described under TCP SYN above. When one system sends a packet with the SYN flag set, the target device responds with SYN and ACK flags set, and the initiator completes the connection with a packet containing a set ACK flag. Unlike in a SYN scan, the “transaction” is logged. SYN SYN/AC K ACK
Types of Port scanning 5 XMAS scan—In this kind of scan, the FIN, PSH, and URG flags are set. Closed ports respond with a RST packet. Can be used to determine which ports are open. Not getting the RST packet doesn’t mean that the port is open because firewalls or other packet filtering devices may be configured to drop the UDP scan packet. UDP scan—In this scan, a UDP packet is sent to the target computer. If the computer sends back an ICMP “Port unreachable” message, the port is. Not getting this message doesn’t mean that the port is open because firewalls or other packet filtering devices may be configured to drop the UDP scan packet.
Preparing for Lab 5 6 Instructor will demonstrate the following to help students prepare for Lab 5 Conecting the Linux machine to the Internet Using the Fping utility Installing the Hping utility Using Nmap