Port Scanning

ASSIGNMENT-1 NETWORK SECURITY ON PORT SCANNING SUBMITTED BY: KAVEESH NAYAK ROLL. NO. 11401049 M.TECH (COMPUTER ENGG.) UNIVERSITY COLLEGE OF ENGINEERING PUNJABI UNIVERSITY, PATIALA PUNJAB



1. INTRODUCTION

Port scanning is the art of scanning the target system to obtain a list of open ports that are listening for connections. In other words, port scanning is carried out to determine the list of open ports on the remote host that have certain services or daemons running. In port scanning, the attacker connects to various UDP and TCP ports and tries to determine which ports are in listening mode. This technique of information gathering is crucial for an attacker because it helps determine the list of open ports on the target system, the services running on them, and any vulnerability that might exist. In certain cases, port scanning can also be used to determine the operating system running on the target system.

Fig. 1 Port scanning process

Port scanning is among the most common information gathering techniques used by attackers. Indeed, the first step in an attacker's quest to break into a remote system will almost always be to conduct a port scan on the target system and obtain a list of open ports and the services running on them.

Port Scanner: A port scanner is a software application designed to probe a server or host for open ports. It is often used by administrators to verify the security policies of their networks, and by attackers to identify running services on a host with a view to compromising it.

Portsweep: A portsweep is a scan of multiple hosts for a specific listening port.

2. WHAT ARE PORTS?

There are two types of ports. The first are hardware ports, such as COM1, COM2 and the parallel port: the slots behind the CPU cabinet of the system that are used to plug in or connect hardware. Here we are concerned with the other type of port, software ports. These are the virtual ports that the system uses to pipe information in and out.

Every open software port has a service or daemon running on it. "Service" or "daemon" is the term used for the software running on these ports that provides a certain service to the users who connect to it. For example, port 25 is always open on a server handling mail, as it is the port where the sendmail service runs by default.

Fig. 2 Some common ports

3. TCP/IP BASIC KNOWLEDGE

The design and operation of the Internet is based on the Internet Protocol Suite, commonly also called TCP/IP. In this system, hosts and host services are referenced using two components: an address and a port number. There are 65536 distinct and usable port numbers. Most services use a limited range of numbers.

Some port scanners scan only the most common port numbers, or the ports most commonly associated with vulnerable services, on a given host.

The result of a scan on a port is usually generalized into one of three categories:

1. Open or Accepted: The host sent a reply indicating that a service is listening on the port.
2. Closed or Denied or Not Listening: The host sent a reply indicating that connections to the port will be denied.
3. Filtered, Dropped or Blocked: There was no reply from the host.

Open ports present two vulnerabilities of which administrators must be wary:

1. Security and stability concerns associated with the program responsible for delivering the service (open ports).
2. Security and stability concerns associated with the operating system that is running on the host (open or closed ports).

Filtered ports do not tend to present vulnerabilities.

4. CHECK LISTENING PORTS ON WINDOWS

Listening ports can be checked on Windows by entering the following command in cmd:

netstat -an | find /i "listening"
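The netstat output above is only useful once it is compared against what the host is supposed to expose. The following is an added example, not part of the original assignment: it parses constructed `netstat -an` output in the Windows layout, picks out the TCP sockets in LISTENING state, and reports the ports bound to every interface that are not on an administrator's approved baseline (the sample lines and the baseline are made up for the example).

```python
from typing import Set, Tuple

# Constructed sample of `netstat -an` output in the Windows layout; not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49700     203.0.113.5:443        ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

WILDCARDS = {"0.0.0.0", "[::]"}   # bind addresses that expose the port on every interface

def listening_sockets(netstat_text: str) -> Set[Tuple[str, int]]:
    """Return (bind_address, port) for every TCP socket in LISTENING state."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        # UDP lines have no State column, so they have only three fields and are skipped.
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, port = parts[1].rsplit(":", 1)   # rsplit keeps IPv6 "[::]" intact
            found.add((addr, int(port)))
    return found

def unexpected_exposed(netstat_text: str, approved: Set[int]) -> Set[int]:
    """Ports listening on all interfaces that are not on the approved baseline."""
    return {port for addr, port in listening_sockets(netstat_text)
            if addr in WILDCARDS and port not in approved}
```

Sockets bound to 127.0.0.1 are ignored by the exposure check because they are not reachable from the network, which is exactly the distinction a remote port scan would reveal.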

5. TCP PORT SCANNING

The traditional example of a port scan technique is the manual port scan. In this technique, the attacker uses the telnet application to manually connect to all TCP ports on the target system and jots down all information returned. Manual port scans require a full three-way handshake to take place between the attacker and the target system. All TCP/IP connections are initiated with a three-way handshake. A typical TCP/IP handshake has the following steps:

1. The client sends a SYN packet to the server.
2. The server replies with a SYN packet and acknowledges the client's SYN packet by sending an ACK packet.
3. The client acknowledges the SYN sent by the server.

This three-way handshake must take place each time a TCP/IP connection is established on the Internet. Not surprisingly, manual port scanning using telnet is not the easiest way to get a list of open ports on a remote system. For one thing, no one wants to telnet to thousands of remote ports. Besides, thanks to the full three-way TCP handshake that occurs, manual port scans are easily detected and logged by the remote system. For this reason, a number of other port scanning techniques have been developed:

1. TCP connect scan
2. TCP stealth scan
3. XMAS scan
4. FIN scan
5. NULL scan
6. TCP ACK scan
7. TCP window scan
8. UDP scan

5.1 TCP connect scan: TCP connect is a three-way handshake between the client and the server. If the three-way handshake takes place, then communication has been established.

A client trying to connect to a server on port 80 initiates the connection by sending a TCP packet with the SYN flag set and the port to which it wants to connect (in this case port 80). If the port is open on the server and is accepting connections, it responds with a TCP packet with the SYN and ACK flags set. The connection is established by the client sending an acknowledgement, with the ACK and RST flags set, as the final step of the handshake. If this three-way handshake is completed, then the port on the server is open.

The client sends the first handshake packet, a TCP packet with the SYN flag set and the port to connect to, to the server. If the server responds with a RST instead of a SYN-ACK, then that particular port is closed on the server.

5.2 TCP stealth scan:

This technique is similar to the TCP connect scan. The client sends a TCP packet with the SYN flag set and the port number to connect to. If the port is open, the server responds with the SYN and ACK flags set inside a TCP packet. But this time the client sends a RST flag in a TCP packet and not RST+ACK, which was the case in the TCP connect scan. This technique is used to avoid port scan detection by firewalls.

The closed port check is the same as that of the TCP connect scan: the server responds with the RST flag set inside a TCP packet to indicate that the port is closed on the server.

5.3 XMAS scan:

In the XMAS scan, a TCP packet with the PSH, FIN, and URG flags set, along with the port to connect to, is sent to the server. If the port is open, then there will be no response from the server.

If the server responds with the RST flag set inside a TCP packet, the port is closed on the server.

If the server responds with an ICMP packet with an ICMP unreachable error type 3 and ICMP code 1, 2, 3, 9, 10, or 13, then the port is filtered and it cannot be inferred from the response whether the port is open or closed.

5.4 FIN scan:

The FIN scan utilizes the FIN flag inside the TCP packet, along with the port number to connect to on the server. If there is no response from the server, then the port is open.

If the server responds with an RST flag set in the TCP packet for the FIN scan request packet, then the port is closed on the server.

An ICMP packet with ICMP type 3 and code 1, 2, 3, 9, 10, or 13 in response to the FIN scan packet from the client means that the port is filtered and the port state cannot be found.

5.5 NULL scan:

In a NULL scan, no flag is set inside the TCP packet. The TCP packet is sent along with the port number only to the server. If the server sends no response to the NULL scan packet, then that particular port is open.

If the server responds with the RST flag set in a TCP packet, then the port is closed on the server.

An ICMP error of type 3 and code 1, 2, 3, 9, 10, or 13 means the port is filtered on the server.

5.6 TCP ACK scan: The TCP ACK scan is not used to find the open or closed state of a port; rather, it is used to find whether a stateful firewall is present in front of the server or not. It only tells whether the port is filtered or not. This scan type cannot find the open/closed state of the port.

A TCP packet with the ACK flag set and the port number to connect to is sent to the server. If the server responds with the RST flag set inside a TCP packet, then the port is unfiltered and a stateful firewall is absent.

If the server doesn't respond to our TCP ACK scan packet, or if it responds with an ICMP packet of type 3 and code 1, 2, 3, 9, 10, or 13, then the port is filtered and a stateful firewall is present.

5.7 TCP window scan: A TCP window scan uses the same technique as the TCP ACK scan. It also sends a TCP packet with the ACK flag set and the port number to connect to. But this scan type can be used to find the state of the port on the server. In a TCP ACK scan, an RST indicates an unfiltered state. But in a TCP window scan, when an RST is received from the server, the scanner then checks the value of the window size. If the window size is positive, then the port is open on the server.

If the window size of the TCP packet with the RST flag set is zero, then the port is closed on the server.

5.8 UDP scan: TCP is a connection-oriented protocol and UDP is a connection-less protocol.

A connection-oriented protocol is a protocol in which a communication channel must be available between the client and the server, and only then is any further packet transfer made. If there is no communication channel between the client and the server, then no further communication takes place.

A connection-less protocol is a protocol in which a packet transfer takes place without checking whether a communication channel is available between the client and the server. The data is just sent on to the destination, assuming that the destination is available.

The client sends a UDP packet with the port number to connect to. If the server responds to the client with a UDP packet, then that particular port is open on the server.

The client sends a UDP packet with the port number it wants to connect to, but the server responds with an ICMP port unreachable error of type 3 and code 3, meaning that the port is closed on the server.

If the server responds to the client with an ICMP error of type 3 and code 1, 2, 9, 10, or 13, then that port on the server is filtered.

If the server sends no response to the client's UDP request packet for that port, it can only be concluded that the port on the server is either open or filtered. No final state of the port can be decided.
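Sections 5.1 to 5.8 each describe how one scan type turns a reply into a port state. The following is an added example, not part of the original assignment, that writes those decision rules as one table-driven function: a `Reply` value (constructed for the example) describes what came back from the probed host, and `classify` returns the state the text assigns to it. It also records where the page's reading is optimistic: silence after an XMAS, FIN or NULL probe cannot be told apart from a dropped probe.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# ICMP type 3 (destination unreachable) codes the page lists as meaning "filtered".
FILTERED_CODES = {1, 2, 3, 9, 10, 13}

@dataclass
class Reply:
    """One reply (or the absence of one) to a single probe. Constructed for this example."""
    proto: Optional[str] = None            # "tcp", "udp", "icmp", or None for no reply
    flags: FrozenSet[str] = frozenset()    # TCP flags in the reply, e.g. {"SYN", "ACK"}
    icmp_type: int = -1
    icmp_code: int = -1
    window: int = 0                        # TCP window size carried in the reply

def icmp_unreachable(r: Reply, codes=FILTERED_CODES) -> bool:
    """True if the reply is an ICMP type 3 message with one of the given codes."""
    return r.proto == "icmp" and r.icmp_type == 3 and r.icmp_code in codes

def classify(scan: str, r: Reply) -> str:
    """Map a probe reply to a port state using the rules of sections 5.1 to 5.8."""
    rst = r.proto == "tcp" and "RST" in r.flags
    if scan in ("connect", "syn"):
        if r.proto == "tcp" and {"SYN", "ACK"} <= r.flags:
            return "open"
        return "closed" if rst else "filtered"   # no reply: generic rule of section 3
    if scan in ("xmas", "fin", "null"):
        if rst:
            return "closed"
        if icmp_unreachable(r):
            return "filtered"
        # The page reads silence as open; a dropped probe looks identical, which is
        # why nmap reports this state as open|filtered.
        return "open"
    if scan == "ack":
        return "unfiltered" if rst else "filtered"  # no reply or ICMP 3/x: stateful firewall
    if scan == "window":
        if rst:
            return "open" if r.window > 0 else "closed"
        return "filtered"
    if scan == "udp":
        if r.proto == "udp":
            return "open"
        if icmp_unreachable(r, {3}):
            return "closed"
        if icmp_unreachable(r, FILTERED_CODES - {3}):
            return "filtered"
        return "open|filtered"                   # no reply: cannot be decided
    raise ValueError(f"unknown scan type: {scan}")
```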

6. PORT SCANNER TOOLS

Some common port scanner tools are:

1. nmap: Runs on Linux as well as Windows (link: www.nmap.org)
2. strobe: Runs on UNIX platforms (link: http://packetstormsecurity.org/UNIX/utilities/strobe-1.04.tgz)
3. Netcat: UNIX-based scanner
4. SuperScan: One of the best port scanners available for Windows OS.
5. ipEye: Runs on Windows OS.

7. TOOLS TO COUNTER PORT SCANNING

Some common tools for detecting and blocking port scans are:

1. Scanlogd
2. BlackIce
3. Abacus PortSentry
4. NukeNabber
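Tools such as Scanlogd work by noticing that one source touches many ports on a host in a short time, and a portsweep (section 1) is the mirror image: one port on many hosts. The following is an added example, not code from any of the tools listed above: it runs that counting logic over constructed connection-attempt records (timestamp, source, destination, destination port) and labels each source that crosses a threshold inside a sliding time window. The record layout and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simple "timestamp src dst dport" layout; not output of a real tool.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 192.168.1.10 22
2024-05-01T10:00:00 10.0.0.5 192.168.1.10 23
2024-05-01T10:00:01 10.0.0.5 192.168.1.10 25
2024-05-01T10:00:01 10.0.0.5 192.168.1.10 80
2024-05-01T10:00:02 10.0.0.5 192.168.1.10 443
2024-05-01T10:00:10 10.0.0.9 192.168.1.11 22
2024-05-01T10:00:10 10.0.0.9 192.168.1.12 22
2024-05-01T10:00:11 10.0.0.9 192.168.1.13 22
2024-05-01T10:00:11 10.0.0.9 192.168.1.14 22
2024-05-01T10:00:12 10.0.0.9 192.168.1.15 22
2024-05-01T10:00:20 10.0.0.7 192.168.1.10 443
2024-05-01T10:09:00 10.0.0.7 192.168.1.10 80
"""

def parse(text):
    """Turn the sample lines into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events

def detect(events, window=timedelta(seconds=60), scan_ports=5, sweep_hosts=5):
    """Label a source 'portscan' (>= scan_ports distinct ports on one host) or 'portsweep'
    (one port on >= sweep_hosts distinct hosts) within any sliding window of the given length."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))
    alerts = defaultdict(set)
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            ports_per_host = defaultdict(set)   # dst -> ports probed in this window
            hosts_per_port = defaultdict(set)   # dport -> hosts probed in this window
            for ts, dst, dport in evs[i:]:
                if ts - start > window:
                    break
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            if any(len(p) >= scan_ports for p in ports_per_host.values()):
                alerts[src].add("portscan")
            if any(len(h) >= sweep_hosts for h in hosts_per_port.values()):
                alerts[src].add("portsweep")
    return dict(alerts)
```

The source 10.0.0.7 makes two ordinary connections nine minutes apart and is never flagged, which is the behaviour the window and thresholds are there to protect.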