INTERNET SECURITY SCANNING

Deff Arnaldy [email protected] 0818 0296 4763

1

2

OVERVIEW

Art of Port Scanning
Various Scanning Techniques
OS Fingerprinting
Nmap - Introduction
Nmap with Linux and Windows
Basic Commands and Operations
Useful Scanning Techniques

3

ART OF PORT SCANNING

Scanning is the first phase of active hacking and is used to locate target systems or networks for later attack

Enumeration is the follow-on step once scanning is complete and is used to identify computer names, usernames, and shares

Scanning and enumeration are discussed together in this chapter because many hacking tools perform both steps simultaneously

4

Scanning is the process of locating systems that are alive and responding on the network.

Ethical hackers use scanning to identify target systems’ IP addresses.

Scanning is also used to determine whether a system is on the network and available.

Scanning tools are used to gather information about a system such as IP addresses, the operating system, and services running on the target computer.

5

Table 3.1 lists the three types of scanning.

6

Port Scanning

Port scanning is the process of identifying open and available TCP/IP ports on a system.

Port-scanning tools enable a hacker to learn about the services available on a given system. Each service or application on a machine is associated with a well-known port number.

7

Network Scanning

Network scanning is a procedure for identifying active hosts on a network, either to attack them or as a network security assessment.

Hosts are identified by their individual IP addresses. Network-scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses.

8

Vulnerability Scanning

Vulnerability scanning is the process of proactively identifying the vulnerabilities of computer systems on a network.

Generally, a vulnerability scanner first identifies the operating system and version number, including service packs that may be installed. Then, the scanner identifies weaknesses or vulnerabilities in the operating system.

During the later attack phase, a hacker can exploit those weaknesses in order to gain access to the system.

9

PORT SCANNING

Attackers wish to discover services they can break into.

Security audit: Why are certain ports open?

A port scan works by sending a packet to each port, one at a time. Based on the type of response, an attacker knows whether the port is in use. The used ports can then be probed further for weaknesses.

10

PORT NUMBERS

An abstraction of the OS + network standards; part of UDP and TCP packets.

UDP and TCP port numbers are disjoint. It is typical to use the same port number for both the UDP and TCP service, e.g., 80/TCP and 80/UDP for www.

16-bit unsigned integer:
Well Known Ports (0 .. 1023)
Registered Ports (1024 .. 49151)
Dynamic and/or Private Ports (49152 .. 65535)
http://www.iana.org/assignments/port-numbers

11

SOCKETS

12

Socket calls for connection-oriented communication

Server: socket() -> bind() -> listen() -> accept() -> read() -> write() -> close()

Client: socket() -> connect() -> write() -> read() -> close()

accept() blocks until the server receives a connect request from the client. connect() and accept() perform the connection negotiation; after that, data flows from the client's write() to the server's read(), and back from the server's write() to the client's read().

13

Socket calls for connectionless communication

Server: socket() -> bind() -> recvfrom() -> sendto() -> close()

Client: socket() -> bind() -> sendto() -> recvfrom() -> close()

recvfrom() blocks until the server receives data from the client. Data flows from the client's sendto() to the server's recvfrom(), and back from the server's sendto() to the client's recvfrom().
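The two call sequences in the socket diagrams above, run against the loopback interface so they execute offline. This is an added example, not code from the slides: the server side runs in a thread, the OS picks the port numbers, and the TCP server additionally counts connections that closed without sending any data, which is how a service notices a connect()-style probe (the "incoming connection with no data" on the STEALTH SCAN slide).

```python
"""Connection-oriented (TCP) and connectionless (UDP) socket call sequences on
127.0.0.1. Added example; the server thread plays the left-hand column of the
diagram, the main thread the client column."""
import socket
import threading


def tcp_exchange(payload: bytes, host: str = "127.0.0.1"):
    """Echo `payload` through a TCP server and return (echoed_bytes, probe_count),
    where probe_count is how many clients connected but sent nothing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # socket()
    srv.bind((host, 0))                                        # bind(); port 0 = any free port
    srv.listen(2)                                              # listen()
    port = srv.getsockname()[1]
    empty_connections = []

    def serve(n: int) -> None:
        for _ in range(n):
            conn, peer = srv.accept()                          # accept() blocks until a client connects
            conn.settimeout(2.0)
            try:
                data = conn.recv(1024)                         # read()
            except socket.timeout:
                data = b""
            if data:
                conn.sendall(data)                             # write(): echo it back
            else:
                empty_connections.append(peer)                 # connection with no data: what a probe looks like
            conn.close()                                       # close()

    t = threading.Thread(target=serve, args=(2,), daemon=True)
    t.start()

    # client 1: a normal exchange
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    # socket()
    cli.connect((host, port))                                  # connect(): three-way handshake
    cli.sendall(payload)                                       # write()
    echoed = cli.recv(1024)                                    # read()
    cli.close()                                                # close()

    # client 2: connect and immediately close, as a connect() scan probe does
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.connect((host, port))
    probe.close()

    t.join(5.0)
    srv.close()
    return echoed, len(empty_connections)


def udp_exchange(payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Send one datagram to a UDP server that replies with the upper-cased payload."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)     # socket()
    srv.bind((host, 0))                                        # bind()
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def serve() -> None:
        data, peer = srv.recvfrom(1024)                        # recvfrom() blocks until a datagram arrives
        srv.sendto(data.upper(), peer)                         # sendto()
        srv.close()                                            # close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)     # socket()
    cli.bind((host, 0))                                        # bind(): the diagram binds the client too
    cli.settimeout(5.0)
    cli.sendto(payload, (host, port))                          # sendto()
    reply, _ = cli.recvfrom(1024)                              # recvfrom()
    cli.close()                                                # close()
    t.join(5.0)
    return reply


if __name__ == "__main__":
    print(tcp_exchange(b"hello"))   # (b'hello', 1)
    print(udp_exchange(b"ping"))    # b'PING'
```

Note that no privilege is needed for any of these calls: that is the point of the TCP CONNECT() slide later on, and it is also why the empty-connection counter is the service's only clue that it was probed.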

14

WELL KNOWN: 0 - 1023

Only root-privileged programs are allowed to open these ports.

Examples:
ftp-data 20/udp
ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
time 37/tcp
time 37/udp
whois 43/tcp
imap 143/tcp

15

REGISTERED: 1024 .. 49151

Ordinary programs/users can use these.

Examples:
shockwave2 1257/tcp Shockwave 2
shockwave2 1257/udp Shockwave 2
x11 6000-6063/tcp X Window System
x11 6000-6063/udp X Window System

16

DYNAMIC/PRIVATE: 49152 .. 65535

Ordinary programs can use these

17

STATE OF A PORT

Open: A service process is listening at the port. The OS receives packets arriving at this port and gives the messages to the service process. If the OS receives a SYN at an open port, this is the first packet of the three-way handshake.

Closed: No process is listening at the port. If the OS receives a SYN at a closed port, an RST is sent.

Filtered: A packet filter is listening at the port.

18

TCP CONNECT() SCANNING

Try connect()-ing to every port. If the port is listening, connect() will succeed. Otherwise, the port isn't reachable.

No special privileges are needed; any user can use it.

Speed: slow. The scanner can be identified.

19

TCP SYN SCANNING

Often referred to as half-open scanning. Send a SYN packet and wait for a response.

A SYN/ACK indicates the port is listening. If a SYN/ACK is received, send an RST to tear down the connection immediately. Most sites do not log these.

Need root privileges to build SYN packets.

20

TCP FIN SCANNING

Send a FIN packet (without a preceding SYN etc.).

FIN packets may pass through firewalls. Closed ports reply with RST. Open ports ignore the FIN packet.

Some hosts violate the RFC and reply with RSTs regardless of the port state; thus they are not vulnerable to this scan.

21

TCP REVERSE IDENTD SCANNING

identd protocol (RFC 1413): Discloses the username of the owner of any process connected via TCP, even if that process didn't initiate the connection.

Example: connect to the http port (80), and then use identd to find out whether the server is running as root.

Must have full TCP connection to the port.

22

FRAGMENTATION SCANNING

Not a new scanning method in and of itself. A modification of other techniques.

Split the probe packet into IP fragments.

By splitting up the TCP header over several packets, it is harder for packet filters to detect a probe.

23

FTP BOUNCE SCAN

A port scanner can exploit this to scan TCP ports from a proxy FTP server.

Connect to an FTP server behind a firewall, and then scan ports that are more likely to be blocked.

If the ftp server allows reading from and writing to a directory (such as /incoming), you can send arbitrary data to ports that you do find open.

24

FTP BOUNCE SCAN

Takes advantage of a vulnerability in the FTP protocol.

Requires support for proxy FTP connections. For example, evil.com can establish a control communication connection to the FTP server-PI (protocol interpreter) of target.com.

Then it is able to request the server-PI to initiate an active server-DTP (data transfer process) to send a file anywhere on the Internet.

25

FTP BOUNCE SCAN

Use the PORT command (of FTP) to declare that our passive user-DTP is listening on the target box at a certain port number.

LIST the current directory, and the result is sent over the server-DTP channel.

If our target host is listening on the port, the transfer will be successful. Otherwise, the connection will be refused. Then issue another PORT command to try the next port on the target.

26

FTP BOUNCE SCAN

Advantages: Harder to trace. Potential to bypass firewalls.

Disadvantages: Slow. Many FTP servers have (finally) disabled the proxy feature.
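The server-side fix the last bullet refers to, written out: an FTP server that only honours a PORT command pointing back at the client on the control connection, and only at an unprivileged port, cannot be used as a bounce proxy. This is an added example, not code from the slides or from any FTP server; it is IPv4-only, and the reply strings are constructed rather than copied from a particular implementation.

```python
"""Validate an FTP PORT command against the control connection's peer address.
Added example; closes the proxy-FTP (bounce) hole described on the slides."""
import ipaddress
import re
from typing import Tuple

# PORT h1,h2,h3,h4,p1,p2  ->  host h1.h2.h3.h4, port p1*256 + p2
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
    re.IGNORECASE,
)


def parse_port_command(line: str) -> Tuple[ipaddress.IPv4Address, int]:
    """Decode the six decimal octets of a PORT command. Raises ValueError when malformed."""
    m = _PORT_RE.match(line.strip())
    if m is None:
        raise ValueError("malformed PORT argument")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("PORT octet out of range")
    h1, h2, h3, h4, p1, p2 = octets
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def check_port_command(line: str, control_peer: str) -> Tuple[bool, str]:
    """Decide whether the server-DTP may open the requested active data connection.

    control_peer is the address the control connection actually came from.
    Refusing any other address is what stops a client from using this server
    to probe a third host; refusing ports below 1024 stops it from driving
    data at another machine's well-known services."""
    try:
        host, port = parse_port_command(line)
    except ValueError as exc:
        return False, f"500 {exc}"
    if host != ipaddress.IPv4Address(control_peer):
        return False, f"500 PORT to {host} refused: data connection must return to {control_peer}"
    if port < 1024:
        return False, f"500 PORT to privileged port {port} refused"
    return True, f"200 PORT command accepted ({host}:{port})"


if __name__ == "__main__":
    # constructed sample: control connection from 198.51.100.7 (RFC 5737 documentation range)
    peer = "198.51.100.7"
    for cmd in ("PORT 198,51,100,7,4,1",      # back to the client, port 1025: accepted
                "PORT 203,0,113,10,0,80",     # third host, port 80: the bounce case, refused
                "PORT 198,51,100,7,0,22",     # client but privileged port: refused
                "PORT 1,2,3"):                # malformed: refused
        print(cmd, "->", check_port_command(cmd, peer))
```

The address comparison is the check that matters for the scan on the previous slides: with it in place, every PORT command naming target.com from a session opened by evil.com is refused before the server-DTP ever connects anywhere.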

27

UDP SCANS

UDP is simpler, but scanning it is more difficult.

Open ports do not have to send an ACK. Closed ports are not required to send an error packet.

Most hosts send an ICMP_PORT_UNREACH error when you send a packet to a closed UDP port. So you can find out whether a port is NOT open.

28

UDP SCANS

Neither UDP packets, nor the ICMP errors are guaranteed to arrive.

Slow: the ICMP error message rate is limited.

Need to be root for access to raw ICMP socket.

Non-root users cannot read port unreachable errors directly.

29

UDP SCANS

But users can learn it indirectly. For example, a second write() call to a closed port will usually fail.

recvfrom() on a non-blocking UDP socket usually returns EAGAIN (try again) if the ICMP error hasn't been received, and ECONNREFUSED (connection refused) if the ICMP error has been received.
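The verdicts the slides attach to each kind of reply (from STATE OF A PORT through the connect(), SYN, FIN and UDP slides), collected into one classifier so the differences between the techniques are visible side by side. This is an added example, not code from the slides: the Reply record is constructed, the ICMP destination-unreachable codes treated as "filtered" follow the common scanner convention, and the errno values are POSIX ones.

```python
"""Interpret the reply (or silence) a single probe receives as one of the port
states defined on the STATE OF A PORT slide. Added example; the Reply record
and the errno conventions (POSIX connect()/recvfrom()) are assumptions."""
import errno
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class PortState(Enum):
    OPEN = "open"
    CLOSED = "closed"
    FILTERED = "filtered"                 # a packet filter answered or swallowed the probe
    OPEN_OR_FILTERED = "open|filtered"    # this probe type gets no reply from open ports, so silence is ambiguous


# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

ICMP_DEST_UNREACH = 3        # ICMP type
ICMP_PORT_UNREACH_CODE = 3   # the code the UDP SCANS slide calls ICMP_PORT_UNREACH
# host/protocol unreachable (1, 2) and the administratively-prohibited codes (9, 10, 13)
# say "something filtered this", not "nothing listens"
_ICMP_FILTER_CODES = {1, 2, 9, 10, 13}


@dataclass(frozen=True)
class Reply:
    """What came back for one probe. Pass None to a classifier when nothing arrived before the timeout."""
    proto: str              # "tcp", "udp" or "icmp"
    tcp_flags: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def connect_scan_state(connect_errno: int) -> PortState:
    """TCP connect() scan: 0 means the handshake completed, ECONNREFUSED means an RST came back."""
    if connect_errno == 0:
        return PortState.OPEN
    if connect_errno == errno.ECONNREFUSED:
        return PortState.CLOSED
    return PortState.FILTERED           # ETIMEDOUT, EHOSTUNREACH, ...: something dropped or rejected it


def syn_scan_state(reply: Optional[Reply]) -> PortState:
    """Half-open scan: SYN/ACK means a listener, RST means closed, anything else means filtered."""
    if reply is not None and reply.proto == "tcp":
        if reply.tcp_flags & RST:
            return PortState.CLOSED
        if reply.tcp_flags & SYN and reply.tcp_flags & ACK:
            return PortState.OPEN
    return PortState.FILTERED


def fin_scan_state(reply: Optional[Reply]) -> PortState:
    """FIN scan: closed ports answer RST; open ports (per the RFC) stay silent, and so do filters."""
    if reply is None:
        return PortState.OPEN_OR_FILTERED
    if reply.proto == "tcp" and reply.tcp_flags & RST:
        return PortState.CLOSED
    return PortState.FILTERED           # an ICMP error or an unexpected TCP reply points at a filter


def fin_scan_conclusive(states: Iterable[PortState]) -> bool:
    """Stacks that violate the RFC answer every FIN with RST, so a host whose
    probed ports all came back CLOSED has revealed nothing at all."""
    return any(s is PortState.OPEN_OR_FILTERED for s in states)


def udp_scan_state(reply: Optional[Reply]) -> PortState:
    """UDP scan: only ICMP port-unreachable proves a port closed; a UDP reply proves it open."""
    if reply is None:
        return PortState.OPEN_OR_FILTERED
    if reply.proto == "udp":
        return PortState.OPEN
    if reply.proto == "icmp" and reply.icmp_type == ICMP_DEST_UNREACH:
        if reply.icmp_code == ICMP_PORT_UNREACH_CODE:
            return PortState.CLOSED
        if reply.icmp_code in _ICMP_FILTER_CODES:
            return PortState.FILTERED
    return PortState.OPEN_OR_FILTERED


def udp_recv_errno_state(recv_errno: int) -> PortState:
    """The unprivileged trick on the UDP SCANS slide: after sending to the port, a
    non-blocking recvfrom() fails with ECONNREFUSED once the kernel has seen the
    ICMP error, and with EAGAIN while nothing has arrived yet."""
    if recv_errno == 0:
        return PortState.OPEN             # a datagram actually came back
    if recv_errno == errno.ECONNREFUSED:
        return PortState.CLOSED
    return PortState.OPEN_OR_FILTERED     # EAGAIN / EWOULDBLOCK: no verdict yet
```

Two things the table makes obvious that the slides only imply: a FIN or UDP probe never yields a definite "open" from silence alone (hence the open|filtered state), and a host that answers every FIN with RST produces a result set that fin_scan_conclusive() rightly discards.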

30

STEALTH SCAN

Simple port scanning can be easily logged by the services listening at the ports. E.g., they see an incoming connection with no data, thus they log an error.

Stealth scan refers to scanning techniques that can avoid being logged.

These techniques include fragmented packets, SYN scanning, FIN scanning, etc.

31

STEALTH SCAN

Scan slowly: A port scanner typically scans a host too rapidly, and some detectors recognize these "signatures". So scanning very slowly (e.g., over several days) is a stealth technique.

Firing packets with fake IPs: Flood with spoofed scans and embed one scan from the real source (network) address.

32

SIGNATURES OF A PORT SCAN

Several packets to different destination ports from the same source within a “short period” of time.

SYN to a non-listening port

33

DETECTION OF PORT SCANNING

Open a socket in SOCK_RAW mode with protocol type IPPROTO_IP, and use recvfrom() to capture the packets.

Discovering stealth scans requires kernel-level work.

A detector can inform us that we have been port-scanned, but the source address may have been spoofed.

34

SCANNER LEAKS

If the packets we received have an IP TTL of 255, we can conclude that they were sent from our local network, regardless of what the source address field says.

If the TTL is 250, we can only tell that the attacker was no more than 5 hops away.
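The reasoning on this slide, carried through in code: every router decrements the TTL, so initial TTL minus observed TTL is the hop count, and a TTL that no plausible starting value can explain for the claimed source is a sign the source field was forged. This is an added example, not from the slides, and it goes a step beyond them: besides the slide's initial value of 255 it also considers 64 and 128, which are the defaults of widespread operating systems; treating those three as the only starting values is the assumption the analysis rests on.

```python
"""Reason about a packet's IP TTL as the SCANNER LEAKS slide does.
Added example; assumes senders start at one of the common initial TTLs."""
from typing import Dict, List, Optional, Tuple

COMMON_INITIAL_TTLS: Tuple[int, ...] = (64, 128, 255)   # assumption: the only starting values in use


def hop_candidates(observed_ttl: int) -> List[Tuple[int, int]]:
    """(initial TTL, hops travelled) for each initial value that could have produced the observation."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL is an 8-bit field")
    return [(init, init - observed_ttl) for init in COMMON_INITIAL_TTLS if init >= observed_ttl]


def max_hops(observed_ttl: int) -> int:
    """The slide's bound: whatever the stack, the sender was at most 255 - TTL routers away."""
    return 255 - observed_ttl


def analyze_ttl(observed_ttl: int, claimed_hops: Optional[int] = None) -> Dict[str, object]:
    """Summarize what the TTL says about where the packet came from.

    claimed_hops is how far the *claimed* source address really is from us
    (for instance from a traceroute baseline). If no common initial TTL minus
    that distance yields the observed value, the source field does not fit the
    path the packet actually took: either it was spoofed or the sender uses an
    unusual initial TTL."""
    candidates = hop_candidates(observed_ttl)
    verdict: Dict[str, object] = {
        "observed_ttl": observed_ttl,
        "max_hops": max_hops(observed_ttl),
        "candidates": candidates,
        # no decrement at all: it originated on our own network, whatever the source field says
        "local_origin": observed_ttl in COMMON_INITIAL_TTLS,
    }
    if claimed_hops is not None:
        verdict["source_consistent"] = any(hops == claimed_hops for _, hops in candidates)
    return verdict


if __name__ == "__main__":
    print(analyze_ttl(255))                   # the slide's first case: local, 0 hops
    print(analyze_ttl(250))                   # the slide's second case: at most 5 hops
    print(analyze_ttl(250, claimed_hops=12))  # claimed source is 12 hops out: TTL does not fit
```

The "source_consistent" flag is the useful defender's output: a detector that keeps a hop-distance baseline for the networks it talks to can mark scan alerts whose TTL contradicts the source address, which is exactly the spoofed-flood trick on the STEALTH SCAN slide.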

35

Although scanning can quickly identify which hosts are listening and active on a network, it is also a quick way to be identified by an intrusion detection system (IDS)

Scanning tools probe TCP/IP ports looking for open ports and IP addresses, and these probes can be recognized by most security intrusion detection tools

36

Depending on the type of scanning application and the speed of the scan, an IDS will detect the scanning and flag it as an IDS event.

Some of the tools for scanning have different modes to attempt to defeat an IDS and are more likely to be able to scan undetected

37

Scanning Methodology

38

SCANNING TECHNIQUES

Ping Sweep Techniques

ICMP scanning, or a ping sweep, is the process of sending an ICMP request or ping to all hosts on the network to determine which ones are up and responding to pings.

ICMP began as a protocol used to send test and error messages between hosts on the Internet.

39

The benefit of ICMP scanning: it can be run in parallel, meaning all systems are scanned at the same time; thus it can run quickly on an entire network.

Most hacking tools include a ping sweep option, which essentially means performing an ICMP request to every host on the network.

Systems that respond with a ping response are alive and listening on the network.

40

Sample Exercise

41

Detecting Ping Sweeps

Almost any IDS or intrusion prevention system (IPS) will detect and alert the security administrator to a ping sweep occurring on the network.

Most firewalls and proxy servers block ping responses, so a hacker can't accurately determine whether systems are available using a ping sweep alone.

More intense port scanning must be used if systems don't respond to a ping sweep. Just because a ping sweep doesn't return any active hosts on the network doesn't mean they aren't available; you need to try an alternate method of identification.

Remember, hacking takes time, patience, and persistence.
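The two signatures from the SIGNATURES OF A PORT SCAN slide and the ping sweep detection described on this slide, as detection logic run over a constructed packet log: a vertical scan (one source, many ports on one host), a horizontal sweep (one source, echo requests to many hosts), and SYNs aimed at ports where nothing listens. This is an added example, not from the slides or any IDS; the Packet record, the thresholds (10 distinct targets inside a 5-second window) and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Flag port-scan and ping-sweep signatures in a packet log.
Added example; the log at the bottom is constructed, not captured traffic."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    t: float            # seconds since the start of the capture
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    dport: int = 0      # TCP destination port (0 for ICMP)
    syn: bool = False   # TCP SYN without ACK: a connection attempt
    echo: bool = False  # ICMP echo request


def _distinct_in_window(events: Iterable[Packet], item: Callable[[Packet], object],
                        threshold: int, window: float) -> Optional[float]:
    """Time at which `threshold` distinct item(e) values were seen inside some
    `window`-second span, or None. Sliding window over time-sorted events."""
    counts: Counter = Counter()
    q: deque = deque()
    for e in sorted(events, key=lambda p: p.t):
        q.append(e)
        counts[item(e)] += 1
        while e.t - q[0].t > window:             # expire events that fell out of the window
            old = q.popleft()
            counts[item(old)] -= 1
            if counts[item(old)] == 0:
                del counts[item(old)]
        if len(counts) >= threshold:
            return e.t
    return None


def detect_port_scans(packets: Iterable[Packet], threshold: int = 10,
                      window: float = 5.0) -> Dict[Tuple[str, str], float]:
    """Vertical scan: one source sends SYNs to many ports of one host. Returns {(src, dst): alert_time}."""
    by_pair: Dict[Tuple[str, str], List[Packet]] = defaultdict(list)
    for p in packets:
        if p.proto == "tcp" and p.syn:
            by_pair[(p.src, p.dst)].append(p)
    alerts = {}
    for pair, evs in by_pair.items():
        hit = _distinct_in_window(evs, lambda e: e.dport, threshold, window)
        if hit is not None:
            alerts[pair] = hit
    return alerts


def detect_ping_sweeps(packets: Iterable[Packet], threshold: int = 10,
                       window: float = 5.0) -> Dict[str, float]:
    """Horizontal sweep: one source sends echo requests to many hosts. Returns {src: alert_time}."""
    by_src: Dict[str, List[Packet]] = defaultdict(list)
    for p in packets:
        if p.proto == "icmp" and p.echo:
            by_src[p.src].append(p)
    alerts = {}
    for src, evs in by_src.items():
        hit = _distinct_in_window(evs, lambda e: e.dst, threshold, window)
        if hit is not None:
            alerts[src] = hit
    return alerts


def syns_to_closed_ports(packets: Iterable[Packet], listening: Dict[str, Set[int]]) -> Counter:
    """Second signature on the slide: SYNs per source to ports nothing listens on.
    `listening` maps host -> set of ports with a service behind them."""
    c: Counter = Counter()
    for p in packets:
        if p.proto == "tcp" and p.syn and p.dport not in listening.get(p.dst, set()):
            c[p.src] += 1
    return c


# Constructed sample log (RFC 5737 documentation addresses).
SCANNER, VICTIM, CLIENT = "198.51.100.7", "203.0.113.10", "203.0.113.45"
LISTENING = {VICTIM: {22, 80, 443}}
SAMPLE_LOG: List[Packet] = (
    # scanner walks 20 ports on the victim in under three seconds
    [Packet(0.15 * i, SCANNER, VICTIM, "tcp", dport=20 + i, syn=True) for i in range(20)]
    # scanner then pings 15 hosts in two seconds
    + [Packet(10 + 0.13 * i, SCANNER, f"203.0.113.{i + 1}", "icmp", echo=True) for i in range(15)]
    # an ordinary client: two services over a minute, plus a single ping
    + [Packet(1.0, CLIENT, VICTIM, "tcp", dport=80, syn=True),
       Packet(40.0, CLIENT, VICTIM, "tcp", dport=443, syn=True),
       Packet(41.0, CLIENT, VICTIM, "icmp", echo=True)]
)


def run_detectors(packets: Iterable[Packet] = SAMPLE_LOG) -> Dict[str, object]:
    packets = list(packets)
    return {
        "port_scans": detect_port_scans(packets),
        "ping_sweeps": detect_ping_sweeps(packets),
        "syns_to_closed": dict(syns_to_closed_ports(packets, LISTENING)),
    }


if __name__ == "__main__":
    for name, result in run_detectors().items():
        print(name, result)
```

The window-based counters are what the "scan slowly" bullet on the STEALTH SCAN slide is designed to defeat: a source that spreads its probes over days never reaches the threshold inside any single window, while the SYN-to-closed-port counter keeps accumulating regardless of pace, which is why both signatures are worth tracking.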

42

Scanning Ports and Identifying Services

Port scanning is the method used to check for open ports. The process of port scanning involves probing each port on a host to determine which ports are open.

Port scanning generally yields more valuable information than a ping sweep about the host and vulnerabilities on the system.

43

Service identification is the third step in the CEH scanning methodology; it’s usually performed using the same tools as port scanning.

By identifying open ports, a hacker can usually also identify the services associated with that port number.

44

Port-Scan Countermeasures

Countermeasures are processes or toolsets used by security administrators to detect and possibly thwart port scanning of hosts on their network.

The following list of countermeasures should be implemented to prevent a hacker from acquiring information during a port scan:

Proper security architecture, such as implementation of IDS and firewalls, should be followed.

45

Ethical hackers use their toolset to test the scanning countermeasures that have been implemented. Once a firewall is in place, a port-scanning tool should be run against hosts on the network to determine whether the firewall correctly detects and stops the port-scanning activity.

The firewall should be able to detect the probes sent by port-scanning tools. The firewall should carry out stateful inspection, which means it examines the data of the packet and not just the TCP header to determine whether the traffic is allowed to pass through the firewall.

46

A network IDS should be used to identify the OS-detection method used by some common hacker tools.

Only needed ports should be kept open. The rest should be filtered or blocked.

The staff of the organization using the systems should be given appropriate training on security awareness. They should also know the various security policies they’re required to follow.

47

nmap Command Switches

Nmap is a free, open source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection.

Nmap has the benefit of scanning a large number of machines in a single session. It’s supported by many operating systems, including Unix, Windows, and Linux.

48

49

50

Scan Types

51

52

REFERENCES

Prabhaker Mateti.
McClure, S., and Joel S. Hacking Exposed, 5th ed.
Graves, Kimberly. Certified Ethical Hacker Study Guide. Wiley Publishing, Inc.

53

THE END ....