Port Scanning for Active Reconnaissance

Port Scanning for Active Reconnaissance

Table of Contents

Port Scanning .................................................................................................................................. 2

TCP Communication Flags -1 .......................................................................................................... 4

TCP Communication Flags -2 .......................................................................................................... 5

TCP Three-way Handshake ............................................................................................................. 6

Nmap ............................................................................................................................................... 9

Nmap Basic Scans.......................................................................................................................... 10

Nmap FIN, NULL, and Xmas Scans ................................................................................................ 13

Nmap ACK Scan – Firewall Rule sets ............................................................................................. 14

Nmap Idle Scan ............................................................................................................................. 16

Nmap Window, RPC, and List Scans ............................................................................................. 18

Nmap UDP, IP, and FTP Bounce Scans .......................................................................................... 19

Nmap Decoy, OS Fingerprinting, and Version .............................................................................. 20

OS Fingerprinting with Nmap Example ......................................................................................... 22

Other Nmap Options ..................................................................................................................... 25

hping ............................................................................................................................................. 26

hping Example ............................................................................................................................... 27

SuperScan ...................................................................................................................................... 28

Notices .......................................................................................................................................... 30

of 30

Port Scanning

52Digital Forensics Preparation 52

The process of identifying open and available TCP or UDP ports on a system

Port Scanning tools enable a pen tester to learn about what services are running on a host.

Each service on a system is typically associated with a well known port number.

• Telnet (23)• HTTP (80)• POP3 (110)

Common Tools

• NMAP• HPING

Port Scanning

Why is it valuable to know what services are

running?

**052 So, port scanning. It's a process of identifying open available TCP or UDP ports on a system. It enables a pen tester to learn what services are running on a host. And port scanning is an interesting thing because a lot of times you'll find ports that are open. And without knowing anything else, just by knowing the number of the port that are open, you'll be able to tell what service is running behind that port. ICANN, I think, puts out a list of common port names and what services are associated with those

of 30

ports. It's not a prescriptive-- it's no prescriptive, meaning that you could really run any service on any port that you wanted to. But it is a general guideline. And in my experience, it's pretty accurate that every time you see, as an example, port 23 open, you're probably going to find a Telnet server running behind that port. You could, if you wanted to, put a web server on port 23. But not too many people do that. And yeah, it's kind of going against the standard if you want to think about it that way. Web servers, for the most part, on two main ports, port 80 for unencrypted stuff, and 443 for encrypted stuff. Mail servers, if they're running POP3, it's on 110. But basically, the intent here, as we do port scanning, is try to figure out what ports are open. And then once we figure out those ports are open, we're going to try and query the services behind them to see if we can figure out service versions. Maybe we can get banners from those services that are running to figure out if we can match an exploit to those services that are running. So, that's the intent here.

of 30

TCP Communication Flags -1


TCP Flags are a critical part of scanning


TCP Packet Structure

**053 We have an eye chart for you guys. But basically, this is how TCP communication is laid out. And these are the flags that we're talking about here. There's different parts of the actual TCP packet that get sent, and bits get flipped on or off depending on which flags we want to turn on and off. And this is how port scanning works, by switching these bits and bytes around, changing these as it does requests to each different port to figure out if a port is there, to figure out if a service is open if it's listening and responding. Here are the different flags. I'm not going to go through all of them. As you can see, there's one, two, three, four, five, six by three. So, there's

of 30

eighteen different flags that could possibly be.



URG Urgent indicates data is sent out of band

ACK Acknowledgement set in response to a TCP packet with the SYN flag set

PSH Push forces delivery of data without care for buffering

RST Reset forces termination of session

SYN Synchronize set during initial session establishment

FIN Finish used to properly close a session


**054 The intent here is not to delve into the RFC about how TCP packets work, but just to provide reference material about the different types of flags that are out there. Here's another chart describing that one.

of 30

TCP Three-way Handshake


Transport Control Protocol (TCP)

Three-way handshake (TCP Flags)

TCP Three-way Handshake

Open Communication

Open Ack

Data

Data Ack

Close Communication

Close Ack

SYN

SYN-ACK

ACK

**055 It is important to understand, when we're talking about TCP ports, how transmission control protocol works. Anyone feel like taking a stab at describing it or know off the top of their head how it works generally speaking? Remember, TCP is a stateful and connection based protocol, meaning that instead of just sending random data to a port, like what happens with UDP, and hoping someone's listening, basically connection, with transmission control protocol, with TCP, you have to first establish a connection. And then you can send data across that channel. And then you can proceed. So, our port scanners have to basically follow this accepted protocol, have to follow TCP as

of 30

implemented on the devices listening. It works basically by sending a syn first as the bottom portion of the slide says, a syn first, or a synchronization packet. It will receive, hopefully, if the devices are RFC compliant, a syn ack, or synchronization or acknowledge packet back, and then finally the last acknowledge packet. So, syn, syn ack, ack is how the three-way handshake, is what it is called, with TCP works. Once that connection is made, then you can start to send data back and forth. That's how the three-way handshake works. If I were to just send a syn pack-- so, let's say I'm trying to port scan-- we'll use people here as an example. And I'm a port scanner, and Jason, you're a port. If I were to send a syn packet to you, and I don't hear anything back, what do you think I could conclude about him as a port? We just turned you into a port. Student: Offline. Instructor: Offline? Maybe. Student: Or blocked by a firewall. Instructor: Or blocked by a firewall, maybe. Sure, what else? Student: Or that there's no service there. Instructor: There might not be a service there. Yeah, so if-- so the IP might be there and responding to ICMP packets, but maybe there's no

of 30

service listening behind that port. Exactly right. It could be blocked by a firewall. Whatever's listening there might just, for whatever reason, not follow the RFC, which happens from time to time. They're not RFC compliant, which is a good way of fooling port scanners. If I send a syn to Jason, and I get a syn ack back, what can I conclude? Student: It's answering. Student: There is a service. Instructor: Yeah, there's some service there. There's something listening on that TCP port. And I probably want to investigate it a little bit further. So, that's generally how port scanners work and the philosophy that they take. If they send a syn packet, and they get a syn ack back, that port's open. There's something listening there. Let's investigate a little bit further.

of 30

Nmap


A very powerful free, open-source tool for network examination

Features

• Port scanning, OS detection, version detection, ping sweep, etc.• Ability to scan a large number of machines at once• Supported by numerous operating systems

Nmap

**056 So, Nmap is a great tool to do this. You can use Nmap for a lot of different things. For port scanning, to figure out what ports are open, you can determine-- you can use Nmap to determine what operating system a remote IP address is running a lot of times. You can determine what service versions are running on different ports a lot of times. So, a lot of times with Nmap, I could scan a remote host. I could tell just from a scan that it's a Windows 7 machine, that it's service pack 3, that it hasn't been rebooted in a couple days, and that there's open shares that I could connect to and see what's on the shared drive there. A lot of times, this is the type of information you'll get back just from

of 30

a simple port scan without any credentials. So, that's port scanning. That's Nmap.

Nmap Basic Scans


-sS SYN Stealth Scan Performs a scan using the initial TCP handshake but sends a RST instead of ACK

Since a full TCP connection is never made (due to the RST) hosts will not log the connection.

-sT TCP Scan Performs a scan using the full TCP handshake

Very reliable results but very loud and will most likely be logged by most hosts due to the full connection on each listening port.

• Combine with –i option to query for process owner

-sP Ping Scan Performs a routine ICMP ping of the host

Nmap Basic Scans

**057 Nmap is very, very complex tool. Actually, to go out and download it and install it, there's quite a bit of libraries that it's based off of now because it's gotten taken hold of by academia. And there's a lot research and heuristics that are built into Nmap, its discovery engine, to figure out exactly which services and which ports are behind-- excuse me, which services are behind which ports. So as such, because it's such a big tool, it's so well contributed to in the open source world, there's lots of documentation about it. There's books literally hundreds of pages of

of 30

long about Nmap, how it works, how to configure it, how to use scans on it. The intent here today is not to make you guys Nmap ninjas, but just show you a couple different flags you can use when you're using Nmap to kick of basic scans. So, the dash s capital S is a quick way to perform a syn scan. It'll perform a scan using initial TCP handshake. But instead of doing the syn, syn ack, ack, it does a syn, hopefully gets a syn ack back, and then will send a reset. So, since the TCP connection is a full three-way handshake is never made, sometimes hosts don't log that connection. It's a way to get around basically firewall or intrusion detection programs, intrusion detection services. So, it's a quick way to do it. But the scanner will still know that the port is open. So, essentially, you'll get a port scan back, but you won't be detected, which is awesome for attackers. sT is telling Nmap to do a full TCP handshake. You get really good results, but on the network, we use the term very loud. We like-- it basically means we create a lot of network traffic when we're doing a scan like this, especially if we're scanning all of the ports on a host if we don't know that they're open. Does anyone know how many possible ports a computer could have on it listening? Student: Sixty-five thousand.

of 30

Instructor: Yeah, sixty-five thousand five hundred and thirty-six. I'm going to do math in public here. Is that two to the sixteenth? Student: Yeah. Instructor: Sixteenth. Student: Sixteen bytes. Instructor: So, two to the sixteenth, so sixty-five thousand five hundred and thirty-six possible ports. With a port scanner, if we were to scan sixty-five thousand five hundred and thirty-six ports on one host, that's quite a bit of network traffic. If we had sixty-five thousand lines, that's a ton of data for a network defender to look through and a ton of traffic that someone's here scanning me. I can see the port scanning going across the network. Multiply that by how many hosts you're scanning, and you can quickly create a metric ton of-- a lot of network traffic with a simple Nmap scan, especially if you have a lot of hosts. SP will do a ping scan. It'll do ICMP echo requests instead of these TCP connections.

of 30

Nmap FIN, NULL, and Xmas Scans


Look for closed ports rather than open ports Do not work on Windows hosts

• Due to Microsoft not following the RFC 793 to the letter of the law– Requires closed ports to respond with a RST and open ports to not

respond to the following types of scans– Windows does not respond with the proper flags set so all ports will

come back as open.

Nmap FIN, NULL, and Xmas Scans

-sF -FIN Scan Sends packets with FIN flag set

-sN -NULL Scan Sends packets with NO flags set

-sX -Xmas Scan Sends packets with FIN, URG, & PSH. Gets its name from many flags “lit”, like a Christmas tree

**058 Nmap has also has built into it a couple different types of scans. I wouldn't say that they've patented these names, but they're just-- they have one scan called a Christmas scan. Basically, it will turn all those flags we talked about, if you use the sX flag when you start Nmap, it will basically turn all those flags on. Does anyone know why it's called a-- oh, it says it right there. It's called a Christmas tree scan because it will light up your intrusion detection system like a Christmas tree because all these flag, which aren't supposed to be turned on, are turned on. So, it's called a Christmas scan. And then all-- these two others, the sF and the sN, basically are ways of abusing the RFC. RFC stands for request for comments. RFC 793 is

of 30

basically the way that TCP is described on the Internet. It's how TCP should be implemented. Now, it's up to devices whether or not they follow that, whether they answer requests according to the RFC or not. Nmap, being a good scanner and doing what it should do for us, sometimes will follow it. But you can tell it not to follow the RFC if you want. And that's using these three. So, just basically messing with the flags that it sends with the fin scan, null scans, sometimes can give you information about whether or not ports are up or not.

Nmap ACK Scan – Firewall Rule sets


-sA - ACK Scan• Used to map firewall rules and can distinguish between stateful

and stateless firewalls• Sends ACK packets to a host to determine if the port is

filtered/unfiltered– If the host responds with a RSTo The host is not being filtered by a firewall.

– If nothing comes backo The port is "filtered“ or there is a firewall preventing the RST

from coming back.• Can help determine if a firewall is stateless (just blocks

incoming SYN packets) or stateful (tracks connections and also blocks unsolicited ACK packets)

Nmap ACK Scan – Firewall Rule sets

**059 Okay, the ack scans, this is a good way to determine whether there's a firewall in between the IP that you're scanning and yourself.

of 30

Basically, it turns on the ack flags and just the ack flags, and takes note of how our host responds. If it responds with a reset command-- so, you're not doing the syn, syn ack, ack. You're just sending the ack. If it responds with a reset, which is according to the RFC what's supposed to happen if you get an unsolicited ack packet, if you respond with a reset, you're following the RFC. And you can tell that the host is not being filtered by a firewall. If you get nothing back, but you know the host is alive, and you know the port's up, it's safe to say that that port is filtered. And there's probably a firewall in between you and that device you're trying to scan. It can just help you make determinations on what's going on the network, how they have stuff defended, and what's going on.

of 30

Nmap Idle Scan


-sI - Idle Scan• TCP scan that sends spoofed packets to a target and observes

the response to the Zombie (spoofed computer)

Nmap Idle Scan

**060 All right, idle scans, I can honestly say I have never done an idle scan in my life. But it's basically a way to spoof your source address as a scanner. You basically have to have a third host out there that's willing to accept packets. And you start your idle scan against a target. And you spoof your source address. So, let's use a quick example here. Say, I'll use-- just because you're in the front row, Jason. Jason, you're my target that I actually want to scan. But because I'm going to spoof my source address, I'm going to make the traffic look like it's coming from someone else. Kyle, you're going to be my spoofed host. And so, when I do an idle scan with Nmap, basically I'll send all these

of 30

packets, however they are, whether I'm doing a fin scan, whatever. I'll send them all to Jason. He'll respond to them. But because I have a spoofed source address, instead of sending the responses to me, he'll send them to Kyle instead. So, basically, we have hiding your true source IP address. And if you're working against a network defense team that might be out to block people that are on the network or remove them from the network or block an IP address, it's a good way to hide your IP. I can honestly say that I've never done one of these, too because unless you control both IP addresses, there's no point in doing one. So, either way you're going to get one of your targets caught by a network defense team, either the one that's sending it or the one it's going to. So, I don't find it too useful. I have seen people like anonymous use this in like distributed denial of service attacks because if you can spoof source IP addresses, say I wanted to-- in this same example, say I wanted to take down Kyle's computer. And he wasn't the guy that I controlled. I could spoof my source IP address to Jason. And as he responds to that Nmap scan, he's sending all the requests to Kyle instead. Now, say we did that on a network where I scanned a whole network and spoofed my source IP address. Then all of a sudden, every host on

of 30

the network was responding to Kyle with all the responses from that Nmap scan. A quick way to overwhelm him and basically do a distributed denial of service attack. Most hosts protect against this type of stuff now. But in concept, that's a basic way of how to perform something like that.

Nmap Window, RPC, and List Scans


Nmap Window, RPC, and List Scans

-sW Window Scan Same as an ACK scan (-sA) but can determine if the port is “open” by analyzing the TCP window size set in the packet by the OS

-sR RPC Scan Scans host’s port to determine if the service is an RPC service, and which program and/or version is installed

-sL List Scan Prints a list of IPs that will be scanned but does not actually send any packets

**061 Okay, a few more, Window scan, RPC scan, and a list scan, list scan actually doesn't do anything. It doesn't actually send any packets. It just gives you a list. So, you can give it like a CIDR notation, a range of IP addresses. And it'll print you out a list of every host that it would scan. That's a good way if you want to make a list of all your included hosts.

of 30

Nmap UDP, IP, and FTP Bounce Scans


Nmap UDP, IP, and FTP Bounce Scans

-sU UDP Scan Scans for open UDP ports. Default is to scan for the internet’s top 1000 UDP ports

• You can customize the scan with the –p to limit or modify the default scan or use.

-sO IP Protocol Scan

Determines which IP protocols are supported by the target host by sending raw IP packets minus additional protocol headers

-b FTP Bounce Scan

Exploits of the FTP protocol where the attacker utilizes the PORT command to request access to ports indirectly through use of a “proxy” ftp system

• Used to mask the true source of the attacker

**062 This is just some options to go with Nmap. Okay, lots more scans here. I can honestly say as well, I haven't used many of these. They're not too commonly used just because they're a little bit obscure. And most of these types of scans have been defended against, whether at the protocol level, or the network level. They're kind of remnants of what used to work in early 2000s or late '90s.

of 30

Nmap Decoy, OS Fingerprinting, and Version


-D <decoy1,decoy2,[ME], …> Used when attempting to hide from an IDS

Produces scan traffic from “decoy” IPs allowing your IP and scan to hide in the noise

-O - OS Fingerprinting Attempts to determine the target host’s OS and version/patch level• OS detection is more effective if the target

host has at least one open and one closed TCP port.

• Use the --osscan-limit option to prevent Nmap from scanning hosts that do not even meet this criteria.

-sV - Version Scan Attempts to determine the service and Version of the service using the port

Nmap Decoy, OS Fingerprinting, and Version

**063 Okay, you can do decoy scans. The dash O flag with Nmap, I find does still work a lot. It allows you to do OS fingerprinting. It'll basically let Nmap try to determine whether it's a Linux system on the other end, a Cisco device, a Windows device. If it can figure out what operating system it is, what version of that operating system. This has actually gotten much more reliable as the years go on, which is interesting. But it'll give you a quick way to determine, I don't know, what to do next. If you know a host is a Windows host, you can probably

of 30

target your exploits more specifically for them. And then one of my favorite ones, this actually uses-- there's a scripting engine built into NSE-- built into Nmap, called the NSE, the Nmap scripting engine. And it will basically try to figure out service versions. And when you're matching your exploits, you have to know which service version you're going against. So, Nmap can provide a lot of information. so, if I know that I'm running-- if I scan someone with an SV scan, and I see they're running an FTP server called war FTP, and it's an old version, and there's a vulnerability for it, then I can go about selecting that exploit, putting it in my exploitation program, whatever it is, and going further. But this is very noisy on the network, the SV scan, but it will give you back the most information if it works correctly. Got a question? Okay, awesome.

of 30

OS Fingerprinting with Nmap Example


OS Fingerprinting with Nmap Example

-sVVersion Scan

Notice the Discovered OS Version reference.

**064 We scanned a machine that we knew to be running Windows, just Nmap-SV and then the IP address. You can see what comes back. A lot of stuff comes back. This is an older version of Windows. Most Windows machines now don't have so many ports, usually three ports is the most I'll see on more common Windows 10, Windows 7, Windows 8. But Windows XP, this was Windows XP Plus. So, someone installed some bad stuff on there. So, lots of different ports were open. You can see as we scanned our host,

of 30

we got, I don't know what is this, fifteen or twenty different ports that were open. The ports are listed on the left side. It tells whether it's TCP or UDP. It tells whether the port was open or closed. It doesn't tell us closed ports, otherwise we'd be reading through a list of a thousand that just said closed. It's nice and just tells us the open ones. It tells us what service, if it knows. This is the service based upon the port number. So, for example, here SMTP, it's well known that SMTP is usually transmitted over port 25 on the Internet. So, if it sees port 25 open, it's going to say there's an SMTP-- there's probably SMTP running behind there. Then, because we ran the service version detection with our scan, we actually get the version numbers of some of the services that are over here. This is fantastic for us, as an attacker. We can see that it's running Windows XP, a Telnet daemon of some kind. We see it's running an older version of a web server, Microsoft IS 5.1, and some other stuff that's pretty bad here. Yeah. VNC is a quick way to connect and actually see the screen of a remote system. And see it's running on port 5900. We can even see what resolution it's in. so, if we can connect to that, we could probably just view the desktop of that system. You can see that the operating system version also got discovered as

of 30

well at the bottom. We can see that it listed it as Windows XP. And it's pretty reliable when it does its scans, especially in this output. It's pretty reliable. Windows XP is end of life for a reason, just for exactly this-- well, not exactly this, but this is one of the reasons that Windows XP is out of service because it's old, it answered to a lot of stuff, and generally was exploitable as soon as it got installed on a system. As an attacker, you could just exploit a Windows XP machine straight out of the box. The new versions of Windows, not so much. So, Nmap, cool tool.

of 30

Other Nmap Options


No Ping

-PN – Disable ping during scan

Name Resolution

-n – Disables name resolution of target hosts-R – Resolves names to IP addresses

Verbose

-v – Verbose mode-vv – Very Verbose mode

Other Nmap Options

Consideration:Why might you do

this?

**065 There's a couple more options. You can disable pinging during a scan. You can tell it to do name resolution meaning DNS or not. With the dash n will not do name resolution. With a dash R will actually resolve those names to IP addresses if you want. And verbose, and very verbose modes.

of 30

hping


Like nmap, a port scanning tool, but allows much more packet customization

For example-M --setseq set TCP sequence number-L --setack set TCP ack-F --fin set FIN flag-S --syn set SYN flag-R --rst set RST flag-P --push set PUSH flag-A --ack set ACK flag-U --urg set URG flag-X --xmas set X unused flag (0x40)-Y --ymas set Y unused flag (0x80)

hping

**066 There's another tool out there called hping. This is a very customizable tool that has less scripting built into it. It's much more of a manual tool. But if you want to create less traffic on a network, or if you're afraid there might be network defenders or firewalls or something in place that might catch you when you're on an offensive operation, consider using hping. You have granular control over what flags are set.

of 30

hping Example


The –S sends a SYN packet and the –p +80 starts at TCP port 80 and increments the TCP port number with each packet.

hping Example

**067 And here's just an example of doing hping against one port. We're pinging against port 80. No, we're incrementing the-- what are we doing here? We're incrementing the source port number every time. So, we're just basically scanning to see if port 80 is open on a remote host.

of 30

SuperScan


A GUI port scanner, pinger, and hostname resolver

SuperScan

**068 So, there's an hping example. Then if you're not into the command line, you like doing this pictures and pointing and clicking, Super Scan is one that you can use. It's a graphical user interface driven port scanner, pinger, and hostname resolver. It gives you basically the same information. It just does it in a different way. Student: Just a note about Nmap, it's very case sensitive when it's flags. Instructor: Yes, it absolutely is. So, the dash s capital S--

of 30

Student: You can get a totally different scan than what you were expecting just by having an uppercase or a lowercase. Instructor: Very, very true, very true. Thank you. Student: You mentioned Nmap has an Nmap scripting engine? Instructor: Yes. Student: Are there cases you've had to use that yourself? Are these just precompiled scripts that you use from the-- from Nmap source? Instructor: Sure, so yes to both. You can do down with custom Nmap scripting engine scripts and run them yourself. It also comes with a pretty complete list. So, if you just wanted to, example, use Nmap to scan for-- let me think of a vulnerability that exists, or scan for open shares, for example, open Windows shares and the names of those shares, you can tell it to just do that specific scan. If you want to use Nmap to scan for and do enumeration of what mail users are answering to on a mail server, there's an Nmap script for that as well. And you just have to give it that option, the Nmap scripting engine. You have to tell it which script you want to use. Student: Super useful on the defensive side because it's basically a DSL, a domain specific language, for describing how you want to ensure that your machines are responding?

of 30

Instructor: Sure, yeah. You can use it for defense as well, absolutely.

Notices

of 30

Port Scanning for Active Reconnaissance

Documents

Transcript of Port Scanning for Active Reconnaissance