Port Scanning

Introduction
– Port scanning: techniques that attackers use to discover services they can break into.
– Idea: send a message to each port, one at a time.
  – Based on the type of response, an attacker knows whether the port is in use.
  – Ports found in use can be probed further for weaknesses.

Port
– All computers connected to a LAN run various services that listen at some ports.
– The assignment of port numbers is not unique; however, some port numbers have become standard for certain services.
– Port numbers are 16-bit unsigned numbers.
– In general, port numbers are divided into two ranges.

Standard ports (0 – 1023)
– Assigned to services by IANA (Internet Assigned Numbers Authority).
– Only the super-user is allowed to open these ports.
– Examples:
  ftp-data 20/udp
  ftp 21/tcp
  ssh 22/tcp
  telnet 23/tcp
  Time 37/tcp
  Time 37/udp
  Whois 43/tcp
  Imap 143/tcp

Non-standard ports (> 1023)
– A user program can open any unallocated port higher than 1023.
– A non-standard port refers to a port whose number is higher than 1023.
– However, several services in this range are also standard.
– Examples:
  Wins 1512/tcp  (Microsoft Windows Internet Name Service)
  X /tcp  (X Window System)

– The non-standard ports can also be divided into:
  – Registered ports (1024 – 49151)
  – Dynamic/private ports (49152 – 65535)
– The service names and ports used on a computer system can be found in the file:
  – /etc/services (UNIX, Linux)
  – %windir%\system32\drivers\etc\services (Windows 2000)
  – %windir%\services (Windows 98)
– List of ports used by Trojans –

Port Scanning Techniques
TCP connect() scanning
– The most basic form of TCP scanning.
– The connect() system call provided by the OS is used to open a connection to every interesting port on the machine.
– If the port is listening, connect() will succeed.
– Otherwise, the port isn't reachable.

– Doesn't need any special privileges: any user can use it.
– Speed
  – Making a separate connect() call for every targeted port in a linear fashion could be slow.
  – The scan can be hastened by using many sockets in parallel.
  – Using non-blocking I/O allows you to set a low time-out period and watch all the sockets at once.
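The parallel, non-blocking connect() scan the slide describes, written as an added example (not code from the lecture): every handshake is started at once and select() watches all the sockets under one deadline. The listener and the released port are constructed on 127.0.0.1 so the scan runs offline.

```python
import errno
import select
import socket
import time

def start_listener(host="127.0.0.1"):
    """Constructed target: a TCP listener on an ephemeral port, so the scan can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

def closed_port(host="127.0.0.1"):
    """Constructed: grab an ephemeral port and release it, so nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port

def connect_scan(host, ports, timeout=1.0):
    """Non-blocking connect() scan: start every handshake at once, then watch all
    the sockets with select() instead of connecting to each port in turn."""
    pending = {}                       # socket -> port, handshake still in flight
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        err = s.connect_ex((host, port))
        if err == 0:                   # completed immediately (possible on loopback)
            results[port] = "open"
            s.close()
        elif err in (errno.EINPROGRESS, errno.EWOULDBLOCK):
            pending[s] = port
        else:                          # e.g. ECONNREFUSED straight away
            results[port] = "closed"
            s.close()
    deadline = time.monotonic() + timeout
    while pending and time.monotonic() < deadline:
        # a finished non-blocking connect() shows up as writability; SO_ERROR says how it ended
        _, writable, _ = select.select([], list(pending), [], 0.1)
        for s in writable:
            port = pending.pop(s)
            err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
            results[port] = "open" if err == 0 else "closed"
            s.close()
    for s, port in pending.items():    # no answer before the deadline: filtered or dropped
        results[port] = "filtered"
        s.close()
    return results
```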

TCP SYN scanning
– Often referred to as half-open scanning: a full TCP connection is not opened.
– Send a SYN packet, as if a real connection were being opened.
– Then wait for a response. A SYN/ACK indicates the port is listening.
– If a SYN/ACK is received, send an RST to tear down the connection immediately (the kernel will do this for you).

– The primary advantage of this scanning technique is that fewer sites will log it.
– But you need root privileges to build these custom SYN packets.
TCP FIN scanning
– Sometimes SYN scanning isn't clandestine enough.
– Some firewalls and packet filters watch for SYNs to restricted ports.

– FIN packets may be able to pass through.
– Closed ports tend to reply to a FIN packet with a proper RST.
– Open ports tend to ignore the packet in question.
– This is required TCP behavior.
– However, some systems are broken in this regard: they send RSTs regardless of the port state, so they aren't vulnerable to this type of scan.

TCP reverse ident scanning
– The ident protocol (RFC 1413) allows for the disclosure of the username of the owner of any process connected via TCP (provided on port 113), even if that process didn't initiate the connection.
– You can, for example, connect to the http port and then use identd to find out whether the server is running as root.
– This can only be done with a full TCP connection to the target port.

OS Fingerprinting
– Guess the remote OS.
– Send different types of probes to the host, which narrow down the target operating system:
  – FIN probing to see what kind of response the target gives,
  – BOGUS flag probing to see the remote host's reaction to undefined flags sent with a SYN packet,
  – TCP Initial Sequence Number (ISN) sampling to find patterns in ISN numbers,
  – other methods of determining the remote operating system.
– See

– Example
  root]# nmap -sT -p 80 -I -O
  Starting nmap V. 2.54BETA31 ( )
  Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
  Interesting ports on spring.itsc.cuhk.edu.hk ( ):
  Port     State   Service   Owner
  80/tcp   open    http
  Remote operating system guess: Solaris
  Uptime days (since Mon Sep 16 12:25: )
  Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

  root]# nmap -sT -I -O
  Starting nmap V. 2.54BETA31 ( )
  Interesting ports on fortress.cse.cuhk.edu.hk ( ):
  (The 1542 ports scanned but not shown below are in state: closed)
  Port       State   Service          Owner
  23/tcp     open    telnet           root
  70/tcp     open    gopher           root
  80/tcp     open    http             nobody
  111/tcp    open    sunrpc           root
  113/tcp    open    auth             nobody
  139/tcp    open    netbios-ssn      root
  443/tcp    open    https            nobody
  513/tcp    open    login            root
  514/tcp    open    shell            root
  4045/tcp   open    lockd            root
  32771/tcp  open    sometimes-rpc5   root
  32776/tcp  open    sometimes-rpc15  root
  Remote operating system guess: Sun Solaris 8 early acces beta through actual release
  Uptime days (since Wed Oct 2 13:31: )
  Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds

Fragmentation scanning
– Not a new scanning method in and of itself; a modification of other techniques.
– Instead of just sending the probe packet, you break it into a couple of small IP fragments.
– By splitting up the TCP header over several packets, it is harder for packet filters to detect what you are doing.

FTP bounce scan
– Takes advantage of a vulnerability in the FTP protocol.
– Requires support for proxy FTP connections.
– For example, evil.com can establish a control connection to the FTP server-PI (protocol interpreter) of target.com.
– It can then request the server-PI to initiate an active server-DTP (data transfer process) to send a file ANYWHERE on the Internet.

– A port scanner can exploit this to scan TCP ports from a proxy FTP server.
– Connect to an FTP server behind a firewall, and then scan ports that are more likely to be blocked.
– If the FTP server allows reading from and writing to a directory (such as /incoming), you can send arbitrary data to ports that you do find open.

– Technique
  – Use the PORT command (of FTP) to declare that our passive user-DTP is listening on the target box at a certain port number.
  – LIST the current directory; the result is sent over the server-DTP channel.
  – If our target host is listening on the port, the transfer will be successful. Otherwise, the connection will be refused.
  – Then issue another PORT command to try the next port on the target.

– Advantages
  – Harder to trace
  – Potential to bypass firewalls
– Disadvantages
  – Slow
  – Some FTP servers have finally disabled the proxy feature.

UDP ICMP port unreachable scanning
– Uses the UDP protocol instead of TCP.
– The protocol is simpler, but the scanning is more difficult:
  – Open ports don't have to send an acknowledgement.
  – Closed ports aren't even required to send an error packet.
– Most hosts do send an ICMP_PORT_UNREACH error when you send a packet to a closed UDP port, so you can find out if a port is NOT open.

– Neither UDP packets nor the ICMP errors are guaranteed to arrive.
  – Retransmission is required for packets that appear to be lost; otherwise, we will have many false positives.
– Disadvantages
  – Slow: the ICMP error message rate is limited.
  – Need to be root for access to a raw ICMP socket.
UDP recvfrom() and write() scanning
– Non-root users can't read port unreachable errors directly.

– But users can learn it indirectly.
– For example, a second write() call to a closed port will usually fail.
– recvfrom() on a non-blocking UDP socket usually returns EAGAIN (try again) if the ICMP error hasn't been received.
– It will return ECONNREFUSED (connection refused) if the ICMP error has been received.
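The unprivileged recvfrom()-based UDP probe from the two slides above, as an added example that is not part of the lecture: it relies on the kernel turning a received ICMP port-unreachable into ECONNREFUSED on a connected UDP socket, and reads EAGAIN as "no verdict yet". The answering UDP service and the released port are constructed on 127.0.0.1; the 200-millisecond service timeout and the probe deadline are arbitrary choices.

```python
import socket
import threading
import time

def start_udp_service(host="127.0.0.1"):
    """Constructed target: a UDP service that answers every datagram (stands in for a real daemon)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(0.2)
    stop = threading.Event()
    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(512)
                srv.sendto(data, peer)
            except socket.timeout:
                continue
    threading.Thread(target=serve, daemon=True).start()
    return stop, srv.getsockname()[1]

def closed_udp_port(host="127.0.0.1"):
    """Constructed: bind and release an ephemeral UDP port, so nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port

def udp_probe(host, port, wait=0.5):
    """Unprivileged UDP probe. A *connected* UDP socket lets the kernel match an
    ICMP port-unreachable to this socket and report it on the next recvfrom()
    as ECONNREFUSED; until then a non-blocking recvfrom() gives EAGAIN."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setblocking(False)
    s.connect((host, port))
    s.send(b"probe")
    deadline = time.monotonic() + wait
    try:
        while time.monotonic() < deadline:
            try:
                s.recvfrom(512)
                return "open"              # a reply: something is listening
            except BlockingIOError:        # EAGAIN: no reply and no ICMP error (yet)
                time.sleep(0.05)
            except ConnectionRefusedError: # ECONNREFUSED: the ICMP error was delivered
                return "closed"
        return "open|filtered"             # silence: mute service, or the error never arrived
    finally:
        s.close()
```

Silence is reported as "open|filtered" rather than "open" because, as the slide says, closed ports are not required to send an error and the ICMP message may be rate-limited or lost.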

Stealth Scan
– Simple port scanning can be easily logged by the services listening at the ports.
  – E.g. they see an incoming connection with no data, so they log an error.
– Stealth scan refers to scanning techniques that avoid being logged.
– These techniques include fragmented packets, SYN scanning, FIN scanning, etc.

Other stealth scan techniques
– Scan slowly
  – Usually a port scanner scans a host rapidly by firing off packets at different ports.
  – Some detectors try to recognize this pattern (signature).
  – Thus, scanning very slowly (it may take several days) is a stealth scanning technique.
– Firing packets with fake IPs
  – Send a large number of spoofed "port scans" and only one scan from the real source address (or an address on the same LAN as the source), so that it is difficult to trace the source of the scanner.

Detection of Port Scanning
Idea of a non-stealth scan detector
– Open a socket in SOCK_RAW mode.
– Set the protocol type to IPPROTO_IP.
– Then call recvfrom() to capture the packets.
– Then analyze the packets.
– Signatures for a port scan:
  – Several packets to different destination ports from the same source address within a short period of time.

  – SYN to a non-listening port.
  – Of course, there are many other possible signatures.
– Discovering stealth scans may require kernel-level work.
– A detector can inform us that we have been port-scanned, but the source address may not be reliable.
  – The attacker may also perform IP address spoofing.

Sometimes, a stupid scanner may leak extra information
– If the packets we received have an IP TTL of 255, we can conclude that they were sent from our local network, regardless of what the source address field says.
– If the TTL is 250, we can only tell that the attacker was no more than 5 hops away.
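The analysis step of the detector sketched on the previous slides, as an added example (not scanlogd and not the lecture's code): the two signatures named there (many distinct destination ports from one source in a short window, and a SYN to a non-listening port) plus the TTL distance hint from this slide, run over a constructed packet capture. The capture, the listening-port set, the 5-port/1-second thresholds and the "TTL of at least 200 started at 255" cut-off are all assumptions made here.

```python
from collections import defaultdict, deque

# Constructed capture, not from the slides: (seconds, src_ip, dst_port, tcp_flags, ip_ttl).
PACKETS = [
    (0.00, "10.0.0.5", 22, "S", 255), (0.01, "10.0.0.5", 23, "S", 255),
    (0.02, "10.0.0.5", 25, "S", 255), (0.03, "10.0.0.5", 80, "S", 255),
    (0.04, "10.0.0.5", 443, "S", 255), (0.05, "10.0.0.5", 8080, "S", 255),
    (1.00, "192.0.2.9", 80, "S", 250), (1.20, "192.0.2.9", 80, "A", 250),
    (1.50, "192.0.2.9", 443, "S", 250),
    (30.0, "198.51.100.7", 22, "S", 64), (90.0, "198.51.100.7", 23, "S", 64),  # slow scan
]
LISTENING = {22, 80, 443}   # constructed: the ports this host actually serves

def ttl_hint(ttl):
    """Distance hint from the TTL, as on the slide: 255 means the packet came from our own
    network whatever the source field says; 250 means at most 5 hops. Assumes (our choice)
    that only values from 200 up are read as 'started at 255'; lower TTLs give no inference."""
    return 255 - ttl if 200 <= ttl <= 255 else None

def detect_scans(packets, min_ports=5, window=1.0):
    """Signature 1: SYNs to >= min_ports distinct ports from one source within `window` seconds.
    Returns {src: {"ports": [...], "max_hops": n or None}}. A scan slower than the window
    is missed, which is exactly the 'scan slowly' evasion the slides describe."""
    recent = defaultdict(deque)          # src -> (time, port) pairs inside the window
    alerts = {}
    for t, src, port, flags, ttl in packets:
        if "S" not in flags or "A" in flags:   # only SYNs, not SYN/ACK
            continue
        q = recent[src]
        q.append((t, port))
        while q and t - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            alerts[src] = {"ports": sorted(ports), "max_hops": ttl_hint(ttl)}
    return alerts

def syn_to_closed(packets, listening):
    """Signature 2: a SYN to a port nothing listens on. The source address is still
    untrusted (it may be spoofed), so treat it as a lead, not an attribution."""
    return [(src, port) for _, src, port, flags, _ in packets
            if "S" in flags and "A" not in flags and port not in listening]
```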

Demonstration
– In the class, we will study the log of packets generated by nmap and the responses from the target.
– We will study the options:
  – -sT (TCP scan)
  – -sS (SYN scan)
  – -sU (UDP scan)
  – -sF (FIN scan)
  – -sT -I -O (ident & fingerprinting)
– You are encouraged to try some other options in the security lab.
– We will also study the source code of 'scanlogd' and show how it can detect port scanning.

References
– Fyodor, "The Art of Port Scanning".
– Solar Designer, "Designing and Attacking Port Scan Tools", Phrack Magazine, Vol 8, Issue 53, article 13 of 15.
  – The program "scanlogd" we have discussed in class is extracted from this paper.