Port Scanning (based on nmap tool)


1 Port Scanning (based on nmap tool)
Lecture – 5 NETW4006-Lecture05 Part 2

2 Content
Definition
Port Numbers
TCP 3-Way Handshake
Different Port Scanning Types
Detecting Scans

3 Port Scanning
Attackers' reconnaissance technique to discover available services / open ports.
Send a packet to different ports; the response indicates the state of each port: open, closed, filtered.
The type of response also leaks information about the system, e.g. the OS (fingerprinting).
Reconnaissance = investigation of the target before attacking it.
Netstat: displays network connections, listening sockets, the routing table, etc. on the local host.

4 Port Numbers
Part of the addressing information used to identify the senders and receivers of messages.
TCP and UDP headers carry a source and a destination port number, each a 16-bit unsigned integer.
0 to 1023: well-known ports (ftp = 21, telnet = 23)
1024 to 49151: registered ports
49152 to 65535: others, dynamic / private ports. Most often used for ephemeral (short-lived) connections, usually as the TCP source port.
A port is identified for each address and protocol by a 16-bit number, commonly known as the port number. The port number, added to a computer's IP address, completes the destination address for a communications session.

5 Well-Known Ports
Listed by the Internet Assigned Numbers Authority (IANA), historically operated at the Information Sciences Institute (ISI). IANA is responsible for global coordination of the DNS root, IP addressing and other Internet protocol resources.
Binding a service to a well-known port requires root privilege on UNIX systems.
List:
Example entries:
ftp 21/tcp File Transfer [Control]
ftp 21/udp File Transfer [Control] # Jon Postel
ssh 22/tcp SSH Remote Login Protocol
ssh 22/udp SSH Remote Login Protocol # Tatu Ylonen
telnet 23/tcp Telnet

6 Registered Ports
Listed by IANA as a convenience, to reduce port number conflicts.
Used by ordinary user processes or programs executed by ordinary users (no special privilege is needed to bind them).
Example: shockwave2 1257/tcp Shockwave2

7 Other Ports (Dynamic/Private 49152 - 65535)
Private and/or dynamic ports, used by ordinary programs. Commonly used as ephemeral (short-lived) ports, most often as the source port of outgoing connections.

8 TCP 3-Way Handshake
TCP's handshaking technique to open a connection: SYN, SYN/ACK, ACK.
Two systems attempting to initiate a connection can each negotiate one connection at a time, independently of each other.
Description:
Host A sends a TCP SYNchronize packet → Host B
Host B receives A's SYN
Host B sends SYN/ACK → Host A (its own SYN, acknowledging A's)
Host A receives B's SYN/ACK
Host A sends ACKnowledge → Host B
Host B receives the ACK → the TCP connection is established.
TCP tracks the state of a connection using the SYN and ACK flags (together with the sequence numbers).
Once connected, TCP hands off to the application for data transfer and communication.
(Reference: )

9 TCP connect() Scan
Uses the connect() call that the operating system provides to open a normal TCP connection to a remote device (full 3-way handshake).
No special privileged access is needed: any user can run it.
A TCP connect() scan is often logged by the target host's service, because the connection is fully established and handed to the application before it is closed.

10 TCP connect() Scan (figures taken from [4]: http://www.networkuptime.com/nmap/index.shtml)
Closed Port: like the TCP SYN scan, the target answers the SYN with RST/ACK and the connect() call fails.
Open Port: completes the TCP 3-way handshake (3WHS), then sends RST.
RST = Reset. The TCP connect() scan completed the 3-way handshake and then immediately sent a reset (RST) packet to close the connection.
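Added example, not part of the slides: a TCP connect() scan written with nothing but the normal sockets API, which is why it needs no root. To run offline it starts its own listener on a loopback port (the one open port) and picks a second loopback port that nothing listens on (the closed port); the target address 127.0.0.1 and both port choices are assumptions of this example. The errno that connect() returns is exactly the distinction the slide draws: success means the handshake completed, ECONNREFUSED means the SYN was answered with RST/ACK, and a timeout means something dropped the SYN (filtered).

```python
import errno
import socket
import threading

HOST = "127.0.0.1"  # assumption: we scan our own loopback, so the listener below is the only target


def start_listener(host=HOST):
    """Start a TCP service on an ephemeral loopback port: the scan's one open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()   # the OS completed the 3WHS before we see it
            except OSError:
                break                    # listener closed, stop serving
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host=HOST):
    """Pick a port nobody listens on: the kernel answers its SYN with RST/ACK."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def classify(err):
    """Map connect()'s errno to the port states nmap reports."""
    if err == 0:
        return "open"          # SYN -> SYN/ACK -> ACK: handshake completed
    if err == errno.ECONNREFUSED:
        return "closed"        # SYN -> RST/ACK
    return "filtered"          # timeout or ICMP error: the SYN was dropped somewhere


def connect_scan(host, ports, timeout=2.0):
    """TCP connect() scan: one full handshake per port, no raw sockets, no root."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            err = s.connect_ex((host, port))   # returns the errno instead of raising
        except socket.timeout:
            err = errno.ETIMEDOUT
        finally:
            s.close()   # the service saw a connection carrying no data, which is what gets logged
        results[port] = classify(err)
    return results


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    print(connect_scan(HOST, [open_port, closed_port]))   # {open_port: 'open', closed_port: 'closed'}
    srv.close()
```

Because connect() completes the handshake, the listener's accept() returns for the open port: that accept is the moment a real service writes its log line, which is the difference between this scan and the half-open SYN scan on the next slide.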

11 TCP SYN Scan / Half-Open Scan
Send a SYN packet and wait for a response.
A SYN/ACK indicates the port is listening; a RST/ACK indicates it is closed.
If a SYN/ACK is received, send a RST to tear down the connection immediately (the final ACK is never sent).
Requires root (administrator) privileges to craft raw SYN packets.
Often not logged: the 3WHS is never completed, so the connection is never handed to the service (a firewall or IDS watching the wire can still see it).

12 TCP SYN Scan / Half-Open Scan
Closed Port: no difference from the TCP connect() scan (the SYN is answered by RST/ACK).
Open Port: the SYN is answered by SYN/ACK, which means the port is open; the scanner replies with RST instead of ACK.
The most common scan for finding open ports on a remote device: it only half-opens the TCP connections.

13 TCP ACK Scan
A TCP ACK (no SYN) with random sequence/acknowledgement numbers is sent to the destination port.
If the port is reachable (unfiltered), a RST is returned, whether the port is open or closed.
If the port is filtered, there is no response to the ACK (or an ICMP unreachable error).
Useful to see if a firewall is stateful (it drops the unsolicited ACK) or a simple packet filter (it lets the ACK through).
Requires privileged access to craft raw ACK packets; unprivileged users are limited to the TCP connect() scan.
Port 80 is used by default for nmap's ACK ping (host discovery): no response means the port is filtered.

14 ICMP Ping Scan
Send an ICMP echo (ping) request to the destination IP address.
If an ICMP echo reply (pong) is received, the station is active.
If there is no response, the station is not active or the connection is filtered (ICMP echo is commonly blocked at firewalls).
ICMP does not have a notion of port numbers; it has types and codes.

15 ICMP Echo & TCP ACK
Combined host discovery: ICMP echo request + TCP ACK to port 80.
A response to either probe shows the system is alive; the ACK probe still works when ICMP is blocked, as long as port 80 is not filtered.

16 TCP FIN Scan
Send a FIN (finish) packet without SYN, i.e. one that belongs to no established connection.
Used when trying to hide from SYN loggers.
Requires root privileges to create raw TCP packets.
A FIN dropped by a firewall gives no reply, exactly like an open port: the scanner cannot differentiate filtered from open (nmap reports open|filtered).
Caveat: stacks that do not follow RFC 793 (Microsoft Windows among them) answer a stray FIN with RST on every port, so this scan shows all ports closed on such hosts.

17 TCP FIN Scan
Closed Port: reply with RST.
Open Port: no reply to the FIN (per RFC 793 an open port silently discards it).
Identifies TCP ports only; there is no UDP equivalent.

18 FTP Bounce Scan
Connect to an FTP server behind a firewall, and then use it to scan ports that are more likely to be blocked from the outside.
Uses an FTP feature as a vulnerability: the server acts as a proxy.
Either anonymous or an ordinary user logs in and sends a PORT command to the FTP server that redirects the data connection toward a different host/port! The user can then send arbitrary data to open ports.
Advantages: no privileges required; harder to trace (the probes come from the FTP server); potential to bypass firewalls.
Disadvantages: requires a third host as proxy (the FTP server, using the active-mode PORT command); must be logged in; slow; many FTP servers have disabled the proxy feature (PORT to a third-party address is refused).
Defence: don't accept data connections from your FTP server to third parties; many FTP servers disable proxying by default.
This technique can be generalized to e.g. SMTP (spam relaying).

19 FTP Bounce Scan
Send PORT <target host, target port> followed by LIST (which makes the server launch the data connection), or STOR/PUT to send arbitrary data.
Closed Port: the FTP server can't build the data connection and reports an error (425).
Open Port: the FTP server connects and the transfer is completed (150, then 226).
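Added example, not part of the slides: the bounce exchange (USER/PASS, PORT, LIST) driven against a constructed in-memory stand-in for the FTP server, so it runs offline. The reply codes (200, 425, 150) and the h1,h2,h3,h4,p1,p2 encoding of PORT are the RFC 959 ones; the fake server, its open-port list, the client address 192.0.2.10 and the allow_bounce switch are assumptions made for this example. The switch shows the defence on the previous slide: a server that refuses third-party PORT commands answers 500 and the scan learns nothing.

```python
# Example code written for these slides; it talks to a constructed fake server, not a real one.


def port_argument(target_ip, target_port):
    """Encode host/port as RFC 959's h1,h2,h3,h4,p1,p2 where port = p1*256 + p2."""
    octets = target_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % target_ip)
    if not 0 <= target_port <= 65535:
        raise ValueError("port out of range: %r" % target_port)
    p1, p2 = divmod(target_port, 256)
    return "%s,%d,%d" % (",".join(octets), p1, p2)


class FakeBounceServer:
    """Constructed stand-in for an FTP server. open_ports lists the (ip, port) pairs
    it can reach behind the firewall; allow_bounce=False models a hardened server."""

    def __init__(self, open_ports, client_ip="192.0.2.10", allow_bounce=True):
        self.open_ports = set(open_ports)
        self.client_ip = client_ip        # address the control connection comes from
        self.allow_bounce = allow_bounce  # False: refuse PORT to any other address
        self.data_target = None

    def command(self, line):
        """Return the numeric reply code for one control-channel command."""
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            return 331
        if verb == "PASS":
            return 230
        if verb == "PORT":
            h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
            target = ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)
            if not self.allow_bounce and target[0] != self.client_ip:
                return 500                # "Illegal PORT command": proxy feature disabled
            self.data_target = target
            return 200
        if verb == "LIST":
            # the server now tries to open the data connection to data_target
            return 150 if self.data_target in self.open_ports else 425
        if verb == "QUIT":
            return 221
        return 502


def bounce_scan(server, target_ip, ports, user="anonymous", password="guest@"):
    """Log in, then for each port: PORT + LIST, and read the server's verdict."""
    if server.command("USER " + user) != 331 or server.command("PASS " + password) != 230:
        raise RuntimeError("login failed")
    results = {}
    for port in ports:
        if server.command("PORT " + port_argument(target_ip, port)) != 200:
            results[port] = "port-refused"     # server will not bounce: scan impossible
            continue
        code = server.command("LIST")
        results[port] = "open" if code == 150 else "closed" if code == 425 else "unknown"
    server.command("QUIT")
    return results


if __name__ == "__main__":
    print(port_argument("10.0.0.5", 8080))                                   # 10,0,0,5,31,144
    leaky = FakeBounceServer(open_ports={("10.0.0.5", 22)})
    print(bounce_scan(leaky, "10.0.0.5", [22, 23]))                          # {22: 'open', 23: 'closed'}
    hardened = FakeBounceServer(open_ports={("10.0.0.5", 22)}, allow_bounce=False)
    print(bounce_scan(hardened, "10.0.0.5", [22, 23]))                       # both 'port-refused'
```

Note what the scanner sees in each case: only the control-channel reply code. The target never receives a packet from the scanner's own address, which is the "harder to trace" point on the previous slide.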

20 UDP Scan
Scanning is more difficult: there is no handshake, so no ACK comes back from open ports.
Most hosts send an ICMP Port Unreachable error when you send a packet to a closed UDP port.
Reading the ICMP packets requires root privileges.
Can find out if the system is alive.
If ICMP is filtered, there is no response to the UDP ping.

21 UDP Ping Scan
UDP ping: send a UDP datagram to the target.
Closed Port: if ICMP Port Unreachable comes back, the system is alive (and that port is closed).
Open Port: if there is no response, the port is assumed open or the remote system is unavailable. This could be incorrect because UDP applications don't necessarily send a response to empty requests.
UDP Scan: used to determine which UDP ports are open on the target host. A 0-byte UDP packet is sent to each of the specified ports on the target machine; if an ICMP Port Unreachable comes back the port is assumed closed, otherwise it is considered open (nmap reports it as open|filtered). The demerit is that ICMP replies are often rate-limited or blocked (by firewalls or ISPs), which gives incorrect results: ports reported as open that are in fact not, so treat these results with caution.
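Added example, not part of the slides: the UDP probe logic above, including the ambiguity the slide warns about. It runs offline against three loopback ports that the script sets up itself (assumptions of this example): a UDP service that never answers, one that answers "pong", and a port nobody is bound to. A connected UDP socket is used because that is how the kernel delivers the ICMP Port Unreachable for this flow back to an unprivileged process (as ECONNREFUSED on the next recv), so no raw socket is needed here; in a real scan across a network that ICMP message is what gets filtered or rate-limited, and the silent service and the blocked ICMP then look identical.

```python
import socket
import threading

HOST = "127.0.0.1"  # assumption: probes go to our own loopback listeners


def start_udp_silent(host=HOST):
    """A UDP service that never answers an empty datagram (like most real ones)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    return srv, srv.getsockname()[1]


def start_udp_echo(host=HOST):
    """A UDP service that does answer, the only case a scanner can call 'open' for sure."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))

    def serve():
        while True:
            try:
                _, peer = srv.recvfrom(1024)
            except OSError:
                break                    # listener closed
            srv.sendto(b"pong", peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_udp_port(host=HOST):
    """A UDP port nobody is bound to: the kernel answers with ICMP Port Unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def udp_probe(host, port, timeout=1.0):
    """Send a 0-byte datagram and classify the port the way nmap -sU does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))    # connected UDP: ICMP errors for this flow are reported to us
        s.send(b"")
        try:
            s.recv(1024)
            return "open"            # the application answered
        except ConnectionRefusedError:
            return "closed"          # ICMP type 3 code 3 (port unreachable) came back
        except socket.timeout:
            return "open|filtered"   # silence: quiet service, or the ICMP was dropped
    finally:
        s.close()


if __name__ == "__main__":
    silent, silent_port = start_udp_silent()
    echo, echo_port = start_udp_echo()
    closed_port = free_udp_port()
    for name, port in [("echo", echo_port), ("silent", silent_port), ("closed", closed_port)]:
        print(name, port, udp_probe(HOST, port))
    silent.close()
    echo.close()
```

The silent listener comes back as open|filtered although it is open, which is precisely why a UDP scan is only trustworthy for the ports that either answered or produced an ICMP error; everything else needs a protocol-specific payload (as nmap's version detection sends) before it can be called open.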

22 Other Scan Techniques
Stealth scan: refers to scanning techniques that try to avoid being logged: fragmented packets, SYN scanning, FIN scanning, scanning slowly, etc.
identd protocol: gives the username of the owner of the process at the other end of a TCP connection. Connect to the HTTP port (80), then query identd on the target to learn which user the web server runs as.
Use of the ident (aka auth) protocol is uncommon today.

23 Detect Scan
Rapid scan detected: several packets sent rapidly to different ports from the same source.
A SYN to a closed port (a legitimate client has no reason to send one).
Port scans logged by the services/applications (connect() scans).
Firewall log scanning.
A detector can inform us that we have been port scanned, but the source address may have been spoofed.
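Added example, not part of the slides: the "rapid scan" rule above as a sliding-window detector run over firewall log lines. The lines are constructed for this example (modelled on the iptables/ufw LOG format, with an epoch timestamp in front); the 10-port / 5-second threshold, the hosts 10.0.0.5 and 10.0.0.9 and the target 10.0.0.20 are assumptions. Only SYN-without-ACK entries count, because those are connection attempts, and the alert carries nothing but the source address, which, as the slide says, may be spoofed.

```python
import re
from collections import defaultdict, deque

# Assumed log format (constructed for this example, modelled on iptables/ufw LOG lines):
# "<epoch seconds> <host> kernel: IN=... OUT= SRC=a.b.c.d DST=a.b.c.d PROTO=TCP SPT=n DPT=n ... [SYN]"
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def parse(line):
    """Pull the fields the detector needs out of one log line; None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    flags = m.group("rest").split()
    return {
        "ts": float(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
        "syn": "SYN" in flags and "ACK" not in flags,   # a fresh connection attempt
    }


def detect_scans(lines, window=5.0, threshold=10):
    """Flag a source that sends SYNs to >= threshold distinct (dst, port) pairs
    within `window` seconds. Returns [(src, distinct_targets, alert_ts), ...]."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst, dpt), oldest first
    alerts, alerted = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["proto"] != "TCP" or not ev["syn"]:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dpt"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()               # slide the window: the scan has to be rapid
        distinct = {(dst, dpt) for _, dst, dpt in q}
        if len(distinct) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])    # one alert per source, not one per packet
            alerts.append((ev["src"], len(distinct), ev["ts"]))
    return alerts


def sample_log():
    """Constructed sample: one host sweeping 12 ports in ~1 s, one host browsing normally."""
    base = 1700000000.0
    fmt = ("{ts:.2f} fw kernel: IN=eth0 OUT= SRC={src} DST=10.0.0.20 "
           "PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024 {flags}")
    lines = []
    for i, dpt in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443]):
        lines.append(fmt.format(ts=base + 0.1 * i, src="10.0.0.5", spt=40000 + i, dpt=dpt, flags="SYN"))
    lines.append(fmt.format(ts=base + 0.05, src="10.0.0.9", spt=51000, dpt=80, flags="SYN"))
    lines.append(fmt.format(ts=base + 0.06, src="10.0.0.9", spt=51000, dpt=80, flags="ACK"))
    lines.append(fmt.format(ts=base + 1.25, src="10.0.0.9", spt=51001, dpt=443, flags="SYN"))
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    for src, count, ts in detect_scans(sample_log()):
        print("possible port scan from %s: %d targets within the window at %.2f" % (src, count, ts))
```

Lowering the window to a fraction of a second makes the same sweep invisible, which is the flip side of the "scan slowly" stealth technique on the previous slide: a slow scan stays under any rate-based rule, and only the per-service logs or a long-term count of SYNs to closed ports will show it.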

