Study of Network Port Scanning Attacks


Transcript of Study of Network Port Scanning Attacks

Page 1: Study of Network Port Scanning Attacks

Study of Network Port Scanning Attacks

Brady Clarke <[email protected]>

Oregon State University
Network Security - ECE 478

Page 2: Study of Network Port Scanning Attacks

Port definition

Port: There are two types of ports relating to computers:

1) Connections to peripherals such as USB devices, serial cables, mice, etc.

2) Virtual ports found in TCP/IP communications

Page 3: Study of Network Port Scanning Attacks

Expanded definition

For information relating to network security we are more concerned with virtual ports.

Ports are like channels that carry information into, out of, and internal to a computer.

There are 65,536 standard ports on a computer.

Each port is assigned to a certain type of communication “traffic”.

Page 4: Study of Network Port Scanning Attacks

Example of port assignments

Port #21: FTP
Port #35: Private printer server
Port #80: HTTP traffic
Port #110: POP3 e-mail
Port #515: Printer spooler
Port #5002: Radio free Ethernet

Page 5: Study of Network Port Scanning Attacks

What is port scanning?

Ports to a computer are like windows or doors to a house.

Port scanning attacks are much like a burglar searching all the windows and doors of a house to look for unlocked entry ways.

If a window is left unlocked (like a port being “open” or not in use), it may be easy for the intruder to enter the house.

Page 6: Study of Network Port Scanning Attacks

Shortcomings of port scanning

Adversaries can only attack the type of communication which is carried on the specific port that they are accessing.

Adversaries cannot gain direct access to your computer’s file system through port scanning.

Page 7: Study of Network Port Scanning Attacks

Different types of port scanning

Simple port scanning
Strobe port scanning
Stealth port scanning
SYN scanning
FIN scanning

Page 8: Study of Network Port Scanning Attacks

Simple port scanning

An attacker searches all ports looking for, and noting, all open ports.

Pros:
Attacker will see ALL available ports

Cons:
Takes a long time to scan all 65,000+ ports
Can be detected fairly easily, due to the large number of ports being scanned
Specific ports that are found to be open may not be useful to attack

Page 9: Study of Network Port Scanning Attacks

Strobe port scanning

An attacker selects a certain range of ports to check for open ports.

Pros:
Quicker than a full scan
Already knows that all searched ports can lead to vulnerable access points

Cons:
Does not give the entire vulnerability profile of the target
Is somewhat easy for the target to detect

Page 10: Study of Network Port Scanning Attacks

Stealth port scanning

An attacker searches only a few random ports at once over a long period of time (usually a day or more), often jumping between different computers on a network.

Pros:
Hard to detect because individual port scans, from the network’s point of view, appear to be accidental communication attempts

Cons:
Takes a long time (usually a day or more)

Page 11: Study of Network Port Scanning Attacks

SYN scanning

Also known as: half-open scanning

The attacker does not complete all the formal steps necessary to make a TCP connection, but the state of the port can still be identified.

Pros:
The attack is not detected, because the computer doesn’t think that a communication has been made

Page 12: Study of Network Port Scanning Attacks

FIN scanning

Attackers send erroneous packets to ports and listen for a response. If a port is closed, the attacker will receive an error message. However, TCP requires that an open port ignore the erroneous packet. Based on the response, the attacker can determine the state of the port.

Pros:
It is difficult for the target’s computer to recognize this as an attack since the packets being sent are random data

Cons:
If the target sends an error message response, it could get dropped or blocked by a firewall. This will lead the attacker to believe that a closed port is really open since it did not receive a response.
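Both the SYN and the FIN technique on the two slides above work because the target never sees a completed connection, which is exactly why the application behind the port logs nothing. What a network sensor can still see is the handshake state of each client/port pair. The following Python example is added here and is not part of the slides: it replays a small packet capture and reports a SYN/ACK that the client answered with a reset or never acknowledged at all (a half-open probe), and a FIN that arrives on a port where no session was ever established. The packet records, the tcpdump-style flag letters, the monitored address 192.0.2.10 and the client addresses are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed example (not from the slides): one record per captured packet.
# Flag letters follow tcpdump's convention: S = SYN, SA = SYN/ACK,
# A = ACK, F = FIN, R = RST.
@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


@dataclass
class Session:
    saw_syn: bool = False       # client sent SYN to us
    saw_synack: bool = False    # we answered SYN/ACK (the port is listening)
    established: bool = False   # client completed the handshake with ACK


def analyze(packets, our_host):
    """Return [(reason, client_ip, our_port)] for handshake anomalies against our_host.

    'half-open-syn': we sent SYN/ACK but the client reset or never acknowledged it.
    'fin-without-session': a FIN arrived on a port with no established session.
    """
    sessions = defaultdict(Session)  # keyed by (client ip, client port, our port)
    findings = []
    for p in packets:
        if p.dst == our_host:
            s = sessions[(p.src, p.sport, p.dport)]
            if p.flags == "S":
                s.saw_syn = True
            elif p.flags == "A" and s.saw_synack:
                s.established = True
            elif p.flags == "F" and not s.established:
                findings.append(("fin-without-session", p.src, p.dport))
            elif p.flags == "R" and s.saw_synack and not s.established:
                # classic half-open scan: the client tears down with RST instead of ACK
                findings.append(("half-open-syn", p.src, p.dport))
        elif p.src == our_host:
            s = sessions[(p.dst, p.dport, p.sport)]
            if p.flags == "SA" and s.saw_syn:
                s.saw_synack = True
    # SYN/ACKs that were simply left unanswered are half-open as well
    for (client, _cport, our_port), s in sessions.items():
        if s.saw_synack and not s.established:
            entry = ("half-open-syn", client, our_port)
            if entry not in findings:
                findings.append(entry)
    return findings


HOST = "192.0.2.10"  # the monitored machine (constructed address)


def sample_capture():
    """Constructed packets: one legitimate web session plus four probes."""
    return [
        # legitimate client: full handshake now, normal close at the end
        Packet(1.0, "10.0.0.5", 40000, HOST, 80, "S"),
        Packet(1.1, HOST, 80, "10.0.0.5", 40000, "SA"),
        Packet(1.2, "10.0.0.5", 40000, HOST, 80, "A"),
        # SYN probe of an open port: SYN, SYN/ACK, then RST instead of ACK
        Packet(2.0, "203.0.113.9", 50000, HOST, 22, "S"),
        Packet(2.1, HOST, 22, "203.0.113.9", 50000, "SA"),
        Packet(2.2, "203.0.113.9", 50000, HOST, 22, "R"),
        # FIN probe of a port with no session at all
        Packet(3.0, "203.0.113.9", 50001, HOST, 25, "F"),
        # SYN to a closed port: we answer RST, nothing to flag at handshake level
        Packet(4.0, "203.0.113.9", 50002, HOST, 445, "S"),
        Packet(4.1, HOST, 445, "203.0.113.9", 50002, "R"),
        # SYN probe where the client simply never answers our SYN/ACK
        Packet(5.0, "203.0.113.9", 50003, HOST, 443, "S"),
        Packet(5.1, HOST, 443, "203.0.113.9", 50003, "SA"),
        # the legitimate client closes its session normally
        Packet(9.0, "10.0.0.5", 40000, HOST, 80, "F"),
    ]


def demo():
    return analyze(sample_capture(), HOST)


if __name__ == "__main__":
    for reason, client, port in demo():
        print(f"{reason}: {client} -> port {port}")
```

Two caveats from practice: a capture that starts in the middle of existing sessions will see FINs for handshakes it never observed, so the session table should be seeded from the firewall's connection table (or FIN findings ignored until it has warmed up); and a SYN answered by our own RST is deliberately not flagged, because a single connection to a closed port is normal. Counting how many different ports one source touches is a separate, rate-based check.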

Page 13: Study of Network Port Scanning Attacks

Example of a port scanning attack

E-mail attack example

The adversary first accesses your IMAP port (#143) when it is open (not in use by you).

The adversary will then attempt to discover the e-mail program being used and exploit its weaknesses.

A virus can be planted in the e-mail program.

The adversary may be able to give themselves “administrator privileges” and then be able to access the account through various other means to plant malicious files.

Page 14: Study of Network Port Scanning Attacks

Laws regarding port scanning

Port scanning is NOT illegal.

Port scanning is analogous to ringing someone’s doorbell to see if they’re home.

Port scanning is considered illegal only if a crime is committed.

Rarely, a company may be able to press charges if they’re being scanned so frequently that it is affecting their network’s performance.

Page 15: Study of Network Port Scanning Attacks

Port scanning software

Port scanning software is easily available. Free versions are readily available for download on the internet, or more complex versions can be purchased.

Nmap – the most widely used software
SuperScan – similar to Nmap but with fewer features

Page 16: Study of Network Port Scanning Attacks

Nmap software details

Nmap gives adversaries a number of important pieces of information:

Provides a list of all available open ports
Gives the target’s operating system
Most importantly: can search for all open ports on a range of IP addresses, meaning multiple computers on a network can be searched at once

Page 17: Study of Network Port Scanning Attacks

Protecting against port scanning

Users can configure their system to use non-standard unregistered ports to communicate on.

Port scanning sniffing software can be implemented on a network.

Page 18: Study of Network Port Scanning Attacks

Using non-standard ports

Technique used to “hide” communications.

This allows users to transmit sensitive data on ports that are normally unassigned. For example: instead of using the standard port #21 for FTP, the user can transmit FTP files over the normally unregistered port #49152.

Therefore an attacker will not generally look for vulnerabilities on this normally unused port #49152, but rather will look on port #21.

Page 19: Study of Network Port Scanning Attacks

Port scanning sniffing

Programs such as iNetTools can be used to watch for port scanning attacks.

These programs do not prevent the scanning, but log the attacker’s attempts for later investigation.

Depending on the security needed, the number of attempted scans that trigger an alert can be adjusted.

For larger networks, more “accidental” scans would likely be allowed without a security concern.
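The adjustable alert threshold on the slide above is easy to make concrete. The following Python example is added here and is not from the slides or from iNetTools: it reads a constructed firewall log and reports any source that touches at least `threshold` distinct destination ports inside a sliding window of `window_seconds`. The log line format, the addresses and the three policy settings are assumptions made for the example. The sample deliberately includes a slow scan (one port every forty minutes, the stealth pattern from the earlier slide) to show that the window length matters as much as the count.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format, assumed for this example (not any real product's):
#   "<ISO timestamp> <ACCEPT|DROP> <src ip> -> <dst ip>:<dst port>"
LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) (\S+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return (timestamp, action, src, dst, dport) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m.group(1)), m.group(2),
            m.group(3), m.group(4), int(m.group(5)))


def detect_scans(lines, threshold, window_seconds):
    """Report sources that touch at least `threshold` distinct destination ports
    within any `window_seconds`-long span. Returns {src: (ports, first_ts, last_ts)}.
    """
    attempts = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip comments, blank lines, unparsable records
        ts, _action, src, _dst, dport = rec
        attempts[src].append((ts, dport))

    alerts = {}
    for src, evs in attempts.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {dport for _, dport in evs[start:end + 1]}
            if len(ports) >= threshold and (src not in alerts or len(ports) > alerts[src][0]):
                alerts[src] = (len(ports), evs[start][0], evs[end][0])
    return alerts


# Constructed sample: a fast scan of eight ports, a normal web user, and a
# slow scan that touches one port every forty minutes.
SAMPLE_LOG = """
# firewall log excerpt (constructed)
2024-05-01T10:00:00 DROP 203.0.113.9 -> 192.0.2.10:21
2024-05-01T10:00:01 ACCEPT 203.0.113.9 -> 192.0.2.10:22
2024-05-01T10:00:02 DROP 203.0.113.9 -> 192.0.2.10:23
2024-05-01T10:00:03 DROP 203.0.113.9 -> 192.0.2.10:25
2024-05-01T10:00:04 ACCEPT 203.0.113.9 -> 192.0.2.10:80
2024-05-01T10:00:05 DROP 203.0.113.9 -> 192.0.2.10:110
2024-05-01T10:00:06 DROP 203.0.113.9 -> 192.0.2.10:143
2024-05-01T10:00:07 ACCEPT 203.0.113.9 -> 192.0.2.10:443
2024-05-01T10:01:00 ACCEPT 198.51.100.7 -> 192.0.2.10:80
2024-05-01T10:01:05 ACCEPT 198.51.100.7 -> 192.0.2.10:443
2024-05-01T10:01:09 ACCEPT 198.51.100.7 -> 192.0.2.10:80
2024-05-01T10:05:00 DROP 192.0.2.77 -> 192.0.2.10:21
2024-05-01T10:45:00 ACCEPT 192.0.2.77 -> 192.0.2.10:22
2024-05-01T11:25:00 DROP 192.0.2.77 -> 192.0.2.10:23
""".strip().splitlines()


def small_network_policy(lines=SAMPLE_LOG):
    """Tight setting for a small network: 5 ports in a minute is already suspicious."""
    return detect_scans(lines, threshold=5, window_seconds=60)


def large_network_policy(lines=SAMPLE_LOG):
    """Looser setting for a large network: tolerate more stray connection attempts."""
    return detect_scans(lines, threshold=20, window_seconds=60)


def slow_scan_policy(lines=SAMPLE_LOG):
    """Long window, low count: the only way a slow scan adds up to an alert."""
    return detect_scans(lines, threshold=3, window_seconds=2 * 60 * 60)


if __name__ == "__main__":
    for name, policy in [("small", small_network_policy),
                         ("large", large_network_policy),
                         ("slow", slow_scan_policy)]:
        for src, (n, first, last) in policy().items():
            print(f"[{name}] {src}: {n} ports between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

With these settings the tight policy catches the fast scan, the loose policy catches nothing, and only the two-hour window turns the slow scan into an alert. That is the trade-off the deck is pointing at: raising the threshold for a large network removes noise but also hides smaller scans, and widening the window to catch slow scans costs memory for the per-source history. A per-source count also misses a scan spread across many source addresses, so production detectors usually key on the destination as well.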

Page 20: Study of Network Port Scanning Attacks

Summary – attacks

Port scanning shows an attacker which ports are vulnerable and may allow access.

The attacker can use the type of communication that is meant for that channel to exploit a program (i.e. plant a virus via FTP).

There are multiple types of port scanning attacks for different types of targets, so the attacker can try to go undetected.

Page 21: Study of Network Port Scanning Attacks

Summary – prevention

Using non-standard port assignments for data transfer: this port is still unprotected and vulnerable, however it is more difficult for the adversary to locate.

Networks can implement port scanning sniffing programs. Choosing the amount of acceptable “accidental” scans is crucial.

Balancing the amount of security required and the amount of resources necessary to implement the security is usually the main concern with this type of protection.
