Hands-On Ethical Hacking and Network Defense

Chapter 5Port Scanning

Hands-On Ethical Hacking and Network Defense 2

Objectives

• Describe port scanning

• Describe different types of port scans

• Describe various port-scanning tools

• Explain what ping sweeps are used for

• Explain how shell scripting is used to automate security tasks

Hands-On Ethical Hacking and Network Defense 3

Introduction to Port Scanning

• Port Scanning• Finds out which services are offered by a host• Identifies vulnerabilities

• Open services can be used on attacks• Identify a vulnerable port• Launch an exploit

• Scan all ports when testing• Not just well-known ports

Hands-On Ethical Hacking and Network Defense 4

Hands-On Ethical Hacking and Network Defense 5

Introduction to Port Scanning (continued)

• Port scanning programs report• Open ports• Closed ports• Filtered ports• Best-guess assessment of which OS is

running

Hands-On Ethical Hacking and Network Defense 6

Types of Port Scans

• SYN scan• Stealthy scan

• Connect scan• Completes the three-way handshake

• NULL scan• Packet flags are turned off

• XMAS scan• FIN, PSH and URG flags are set

Hands-On Ethical Hacking and Network Defense 7

Types of Port Scans (continued)

• ACK scan• Used to past a firewall

• FIN scan• Closed port responds with an RST packet

• UDP scan• Closed port responds with ICMP “Port

Unreachable” message

Hands-On Ethical Hacking and Network Defense 8

Using Port-Scanning Tools

• Nmap

• Unicornscan

• NetScanTools Pro 2004

• Nessus

Hands-On Ethical Hacking and Network Defense 9

Nmap

• Originally written for Phrack magazine

• One of the most popular tools

• GUI version• Xnmap

• Open source tool

• Standard tool for security professionals

Hands-On Ethical Hacking and Network Defense 10

Hands-On Ethical Hacking and Network Defense 11

Unicornscan

• Developed in 2004• Ideal for large networks• Scans 65,535 ports in three to seven seconds• Handles port scanning using • TCP• ICMP• IP

• Optimizes UDP scanning

Hands-On Ethical Hacking and Network Defense 12

NetScanTools Pro 2004

• Robust easy-to-use commercial tool• Supported OSs• *NIX• Windows

• Types of tests• Database vulnerabilities• E-mail account vulnerabilities• DHCP server discovery• IP packets and name servers• OS fingerprinting

Hands-On Ethical Hacking and Network Defense 13

Hands-On Ethical Hacking and Network Defense 14

Hands-On Ethical Hacking and Network Defense 15

Nessus

• First released in 1998

• Open source tool

• Uses a client/server technology

• Conducts testing from different locations

• Can use different OSs for client and network

Hands-On Ethical Hacking and Network Defense 16

Nessus (continued)

• Server• Any *NIX platform

• Client• Can be UNIX or Windows

• Functions much like a database server

• Ability to update security checks plug-ins• Scripts

• Some plug-ins are considered dangerous

Hands-On Ethical Hacking and Network Defense 17

Hands-On Ethical Hacking and Network Defense 18

Nessus (continued)

• Finds services running on ports• Finds vulnerabilities associated with

identified services

Hands-On Ethical Hacking and Network Defense 19

Hands-On Ethical Hacking and Network Defense 20

Conducting Ping Sweeps

• Ping sweeps• Identify which IP addresses belong to active

hosts• Ping a range of IP addresses

• Problems• Computers that are shut down cannot

respond• Networks may be configured to block ICMP

Echo Requests• Firewalls may filter out ICMP traffic

Hands-On Ethical Hacking and Network Defense 21

FPing• Ping multiple IP addresses simultaneously• www.fping.com/download• Command-line tool• Input: multiple IP addresses• Entered at a shell• -g option

• Input file with addresses• -f option

Hands-On Ethical Hacking and Network Defense 22

Hands-On Ethical Hacking and Network Defense 23

Hands-On Ethical Hacking and Network Defense 24

Hping• Used to bypass filtering devices• Allows users to fragment and manipulate IP packets

• www.hping.org/download

• Powerful tool• All security testers must be familiar with tool

• Supports many parameters (command options)

Hands-On Ethical Hacking and Network Defense 25

Hands-On Ethical Hacking and Network Defense 26

Hands-On Ethical Hacking and Network Defense 27

Hands-On Ethical Hacking and Network Defense 28

Crafting IP Packets

• Packet components• Source IP address• Destination IP address• Flags

• Crafting packets helps you obtain more information about a service

• Tools• Fping• Hping

Hands-On Ethical Hacking and Network Defense 29

Understanding Shell Scripting

• Modify tools to better suit your needs

• Script• Computer program that automates tasks• Time-saving solution

Hands-On Ethical Hacking and Network Defense 30

Scripting Basics

• Similar to DOS batch programming

• Script or batch file• Text file• Contains multiple commands

• Repetitive commands are good candidate for scripting

• Practice is the key

Hands-On Ethical Hacking and Network Defense 31

Hands-On Ethical Hacking and Network Defense 32

Hands-On Ethical Hacking and Network Defense 33

Summary

• Port scanning• Also referred as service scanning• Process of scanning a range of IP address• Determines what services are running

• Port scan types• SYN• ACK• FIN• UDP• Others: Connect, NULL, XMAS

Hands-On Ethical Hacking and Network Defense 34

Summary (continued)

• Port scanning tools• Nmap• Nessus• Unicornscan

• Ping sweeps• Determine which computers are “alive”

• Shell scripting• Helps with automating tasks