1. Xmas Tree Scan Detection with Snort Presented by: Aqila Dissanayake University of Windsor dissanaa@uwindsor.ca Olalekan Kadri University of Windsor kadrio@uwindsor.ca

2. Presentation Outline Definition of Port Scan History of Port Scanning Well known Port Scanning Technique Why Study Port Scanning Technique? Ports TCP And TCP flags Xmas Tree Scan Packet Design for Xmas Tree Scan The Experiment References

3. Port Scanning “A port scan is a method used by intruders to discover the services running on a target machine” [1]. By simply checking whether a given port is opened or closed an attacker can determine whether to attack that machine on that specific port or not. “For example, if the intruder finds that port 143 (the IMAP port) is open; she may proceed to find out what version of IMAP is running on the target machine. If the version is vulnerable, she may be able to gain super user access to the machine using an exploit” [1].

4. History of Port Scanning In the early days of computing port scanning was not widely used. Even after powerful port scanners such as the Network Mapper (Nmap) came into use port scanning did not receive wide usage. The reason for this was that even with Nmap people needed root privileges to construct and receive raw network packets that were used to do port scanning on Unix/Linux systems. (Open source software like Nmap first came into use in Linux based systems.) In those days people did not have their own Unix/Linux box; most people had a shared shell account [2]. These days not only is Nmap available for Windows systems, computers are much cheaper than they used to be. So people can use Nmap in their Windows box or use it in their own Linux box.

5. Also, these days various scanning tools are widely available over the internet and the internet itself has become much faster because of increasing bandwidth. This has led to a tremendous increase in network activities including port scanning. Search engines like Google only add fuel to the scenario by providing a simple and easy way to look for tools to conduct network reconnaissance and locate advanced knowledge about network protocols and the internet which makes port scans much more successful and stealthy. Nowadays port scans have become much easier to perform because of various software tools available over the internet. One can simply download such a tool from the internet and run it to scan whole networks in a matter of minutes.

6. The most well known port scanning techniques TCP connect scan TCP SYN scan TCP FIN scan TCP null scan TCP window scan TCP ACK scan TCP Maimon scan Xmas tree scan UDP scan IP protocol scan FTP bounce scan Idle scan

7. Since port scanning techniques are used to conduct reconnaissance in networks, these can be considered as the early steps an intruder takes before the actual attack. So, if we can catch network reconnaissance attacks, it will be much easier to prevent the actual attack from taking place. Why study port scanning techniques?

8. Port “A software port is a virtual data connection that can be used by programs to exchange data directly, instead of going through a file or other temporary storage location” [3]. Examples are TCP and UDP ports which are used to exchange data between computers on a network. Port numbers are unique within a computer system [4]. A Port number is a 16-bit unsigned integer. Therefore the number of available ports will be 2^16 which is 65536 ports or from port 0 to 65535.

9. Normally, ports can be divided into three distinct categories. They are –Well Known Ports – Port 0 – 1023 [4] –Registered Ports – Port 1024 – 49151 [4] –Dynamic and/or Private Ports – Port 49152 -65535 [4]

10. Well Known Ports “The Well Known Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users” [5]. An attempt by an underprivileged user to open a port in the range of 0 to 1023 will fail [4]. A list of commonly used well known ports are [7]. Port 20 – FTP, data Port 21 – FTP, control Port 22 – SSH Port 23 – Telnet Port 25 – SMTP Port 53 – DNS Port 80 - HTTP

11. TCP & TCP Flags “The Transmission Control Protocol (TCP) is one of the core protocols of the internet protocol suite” [8]. “TCP is a connection-oriented, end-to-end reliable protocol designed to fit into a layered hierarchy of protocols which support multi-network applications” [9]. In TCP 8 bits are allocated for flags. Most of the scanning techniques listed earlier in this document make use of these flags to carry out port scanning. Mostly, each TCP based scan set these flags to different values or combination of values in order to do the scanning.

13. Xmas Tree Scan The Xmas tree scan exploits a subtle loophole in the TCP RFC to differentiate between open and closed ports [2]. “If the [destination] port state is CLOSED, an incoming segment not containing a RST causes a RST to be sent in response” [2]. When scanning systems compliant with the TCP RFC text, any packet not containing SYN, RST, or ACK bits will result –in a returned RST if the port is closed –and no response at all if the port is open [2]. “As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK” [2]. Nmap exploits this with the Xmas tree scan.

14. Closed Port In a Xmas tree scan, if a RST packet is received, the port is considered closed. This is illustrated by the diagram below. Adapted from http://www.networkuptime.com/nmap/page3- 5.shtml

15. Open/Filtered Port A no response means it is open or filtered. The port is marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received. This scenario of not receiving a response is displayed below. Adapted from http://www.networkuptime.com/nmap/page3-5.shtml

16. “The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers” [2]. Furthermore the Xmas tree scan is stealthier than a regular SYN scan [2]. Luckily though, intrusion detection products can be configured to detect these types of reconnaissance scans. Snort intrusion detection system will alert on a Xmas tree scan which we tested.

17. Since there are systems that do not follow RFC 793, some systems send RST responses to the probes regardless of whether the port is open or not [2]. This will result in all ports being labeled as closed. This behavior is shown by Microsoft Windows and many Cisco devices [2]. However, this scan will work against most UNIX based system [2]. Also, these scans can't distinguish open ports from certain filtered ones, leaving one with the response open or filtered [2].

18. Packet Design for the Xmas Tree Scan In the project we used Nmap to do the actual scan. But, the packets required for the Xmas tree scan be easily constructed using a packet making tool such as CommView. A TCP packet contains certain flags which should be activated to do a Xmas tree scan. A Xmas tree scan sends a TCP packet to a remote device with the URG, PUSH, and FIN flags set [10]. “This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree” [10].

19. So in CommView we need to set the flags of a TCP packet to match 00101001. CommView provides the packet information in hexa-Decimal, so we needed to calculate the hexa-decimal value of the binary value 00101001 which came to be 29.

21. Conducting the actual Xmas Tree Scan

23. 200 packets/s, 10000 total

24. 400 packets/s, 10000 total

25. 600 packets/s, 10000 total

26. 800 packets/s, 10000 total

27. 1000 packets/s, 10000 total

28. References Network Probes Explained: Understanding Port Scans and Ping Sweeps, Linux Journal, December 1st 2000, “http://www.linuxjournal.com/article/4234” Port scanning techniques, Insecure.org, “http://insecure.org/nmap/man/man-port- scanning-techniques.html” Computer port, Wikipedia.com, “http://en.wikipedia.org/wiki/Computer_port_%28software%29“ Port scanning, www.cs.wright.edu, “http://www.cs.wright.edu/~pmateti/Courses/499/Probing/“ Port numbers, Iana.org, “http://www.iana.org/assignments/port-numbers” Registered Port, Wikipedia.com, “http://en.wikipedia.org/wiki/Registered_port” Well known IP ports, 0 through 999, www.networksorcery.com, “http://www.networksorcery.com/enp/protocol/ip/ports00000.htm” Transmission Control Protocol, Wikipedia.com, “http://en.wikipedia.org/wiki/Transmission_Control_Protocol” RFC 793, Faqs.org, “http://www.faqs.org/rfcs/rfc793.html” Xmas tree scan, www.networkuptime.com, “http://www.networkuptime.com/nmap/page3-5.shtml”