Hands-On Ethical Hands-On Ethical Hacking and Network Hacking and Network

DefenseDefense

Chapter 5Chapter 5Port ScanningPort Scanning

Last updated 9-18-08Last updated 9-18-08

22

ObjectivesObjectives

Describe port scanningDescribe port scanning Describe different types of port scansDescribe different types of port scans Describe various port-scanning toolsDescribe various port-scanning tools Explain what ping sweeps are used forExplain what ping sweeps are used for Explain how shell scripting is used to Explain how shell scripting is used to

automate security tasksautomate security tasks

33

Introduction to Port ScanningIntroduction to Port Scanning

Port ScanningPort Scanning Finds out which services are offered by a hostFinds out which services are offered by a host Identifies vulnerabilitiesIdentifies vulnerabilities

Open services can be used on attacksOpen services can be used on attacks Identify a vulnerable portIdentify a vulnerable port Launch an exploitLaunch an exploit

Scan all ports when testingScan all ports when testing Not just well-known portsNot just well-known ports

44

AW Security Port ScannerAW Security Port Scanner

A commercial tool to identify vulnerabilitiesA commercial tool to identify vulnerabilities

55

Introduction to Port Scanning Introduction to Port Scanning (continued)(continued)

Port scanning programs reportPort scanning programs report Open portsOpen ports Closed portsClosed ports Filtered portsFiltered ports Best-guess assessment of which OS is Best-guess assessment of which OS is

running running

66

Is Port Scanning Legal?Is Port Scanning Legal?

The legal status of port scanning is The legal status of port scanning is unclearunclear If you have permission, it's legalIf you have permission, it's legal If you cause damage of $5,000 or more, it If you cause damage of $5,000 or more, it

may be illegalmay be illegal For more, see links Ch For more, see links Ch 5a

77

Normal TCP HandshakeNormal TCP Handshake

ClientClient SYN SYN ServerServer

ClientClient SYN/ACK SYN/ACK ServerServer

ClientClient ACKACK ServerServer

After this, you are ready to send dataAfter this, you are ready to send data

88

SYN Port ScanSYN Port ScanClientClient SYN SYN ServerServer

ClientClient SYN/ACK SYN/ACK ServerServer

ClientClient RSTRST ServerServer

The server is ready, but the client decided The server is ready, but the client decided not to complete the handshakenot to complete the handshake

99

Types of Port ScansTypes of Port Scans

SYN scanSYN scan Stealthy scan, because session handshakes are Stealthy scan, because session handshakes are

never completednever completed That keeps it out of some log filesThat keeps it out of some log files Three statesThree states

ClosedClosed

OpenOpen

FilteredFiltered

1010

Types of Port ScansTypes of Port Scans

Connect scanConnect scan Completes the three-way handshakeCompletes the three-way handshake Not stealthy--appears in log filesNot stealthy--appears in log files Three statesThree states

ClosedClosed

OpenOpen

FilteredFiltered

1111

Types of Port ScansTypes of Port Scans

NULL scanNULL scan All the packet flags are turned offAll the packet flags are turned off Two results:Two results:

Closed ports reply with Closed ports reply with RSTRST

Open or filtered ports give Open or filtered ports give no responseno response

1212

Types of Port ScansTypes of Port Scans

XMAS scanXMAS scan FIN, PSH and URG flags are setFIN, PSH and URG flags are set Works like a NULL scan – a closed port Works like a NULL scan – a closed port

responds with an RST packetresponds with an RST packet

FIN scanFIN scan Only FIN flag is setOnly FIN flag is set Closed port responds with an RST packetClosed port responds with an RST packet

1313

Windows MachinesWindows Machines

NULL, XMAS and FIN scans don't work on NULL, XMAS and FIN scans don't work on Windows machinesWindows machines Win 2000 Pro and Win Server 2003 shows all Win 2000 Pro and Win Server 2003 shows all

ports closedports closed Win XP Pro all ports open/filteredWin XP Pro all ports open/filtered

See the NMAP tutorial (link Ch See the NMAP tutorial (link Ch 5c))

1414

Types of Port ScansTypes of Port Scans

Ping scanPing scan Simplest method sends ICMP ECHO Simplest method sends ICMP ECHO

REQUEST to the destination(s)REQUEST to the destination(s) TCP Ping sends SYN or ACK to any port TCP Ping sends SYN or ACK to any port

(default is port 80 for Nmap) (default is port 80 for Nmap) Any response shows the target is upAny response shows the target is up

1515

Types of Port Scans Types of Port Scans (continued)(continued)

ACK scanACK scan Used to get information about a firewallUsed to get information about a firewall Stateful firewalls track connection and block Stateful firewalls track connection and block

unsolicited ACK packetsunsolicited ACK packets Stateless firewalls just block incoming SYN Stateless firewalls just block incoming SYN

packets, so you get a RST responsepackets, so you get a RST response UDP scanUDP scan

Closed port responds with ICMP “Port Closed port responds with ICMP “Port Unreachable” messageUnreachable” message

Rarely usedRarely used

1616

Using Port-Scanning ToolsUsing Port-Scanning Tools

NmapNmap UnicornscanUnicornscan NetScanTools Pro 2004NetScanTools Pro 2004 Nessus / OpenVASNessus / OpenVAS

1717

NmapNmap

Originally written for Phrack magazineOriginally written for Phrack magazine One of the most popular toolsOne of the most popular tools GUI versionsGUI versions

Xnmap and Ubuntu's NmapFEXnmap and Ubuntu's NmapFE

Open source toolOpen source tool Standard tool for security professionalsStandard tool for security professionals

1818

The Matrix ReloadedThe Matrix Reloaded

Trinity uses NmapTrinity uses Nmap Video at link Ch 4eVideo at link Ch 4e

1919

UnicornscanUnicornscan

Developed in 2004 for Linux & UNIX onlyDeveloped in 2004 for Linux & UNIX only Ideal for large networksIdeal for large networks Scans 65,535 ports in three to seven Scans 65,535 ports in three to seven

secondsseconds Optimizes UDP scanningOptimizes UDP scanning Alco can use TCP, ICMP, or IPAlco can use TCP, ICMP, or IP

Free from http://unicornscan.org/ (link Ch 5f)Free from http://unicornscan.org/ (link Ch 5f)

2020

NetScanTools ProNetScanTools Pro

Robust easy-to-use commercial toolRobust easy-to-use commercial tool Runs on WindowsRuns on Windows Types of testsTypes of tests

Database vulnerabilitiesDatabase vulnerabilities DHCP server discoveryDHCP server discovery IP packets viewerIP packets viewer Name server lookupName server lookup OS fingerprintingOS fingerprinting Many more (see link Ch 5g)Many more (see link Ch 5g)

2121

2222

NessusNessus

First released in 1998First released in 1998 Free, open source toolFree, open source tool Uses a client/server technologyUses a client/server technology Can conduct tests from different locationsCan conduct tests from different locations Can use different OSs for client and Can use different OSs for client and

networknetwork

2323

Nessus (continued)Nessus (continued)

ServerServer Any *NIX platformAny *NIX platform

ClientClient Can be *NIX or WindowsCan be *NIX or Windows

Functions much like a database serverFunctions much like a database server Ability to update security checks plug-insAbility to update security checks plug-ins Some plug-ins are considered dangerousSome plug-ins are considered dangerous

2424

2525

Nessus (continued)Nessus (continued)

Finds services running on portsFinds services running on ports Finds vulnerabilities associated with Finds vulnerabilities associated with

identified servicesidentified services

2626

2727

Conducting Ping SweepsConducting Ping Sweeps

Ping sweepsPing sweeps Identify which IP addresses belong to active Identify which IP addresses belong to active

hostshosts Ping a range of IP addressesPing a range of IP addresses

ProblemsProblems Computers that are shut down cannot Computers that are shut down cannot

respondrespond Networks may be configured to block ICMP Networks may be configured to block ICMP

Echo RequestsEcho Requests Firewalls may filter out ICMP trafficFirewalls may filter out ICMP traffic

2828

FPingFPing

Ping multiple IP addresses simultaneouslyPing multiple IP addresses simultaneously www.fping.com/downloadwww.fping.com/download Command-line toolCommand-line tool Input: multiple IP addressesInput: multiple IP addresses

To enter a range of addressesTo enter a range of addresses -g-g option option

Input file with addressesInput file with addresses -f-f option option

See links Ch 5k, 5lSee links Ch 5k, 5l

2929

3030

Fping on Ubuntu 8.04Fping on Ubuntu 8.04

sudo apt-get install fpingsudo apt-get install fping

3131

Hping2Hping2

Used to bypass filtering devicesUsed to bypass filtering devices Allows users to fragment and manipulate IP Allows users to fragment and manipulate IP

packetspackets www.hping.org/downloadwww.hping.org/download Powerful toolPowerful tool

All security testers must be familiar with toolAll security testers must be familiar with tool Supports many parameters (command Supports many parameters (command

options)options) See links Ch 5m, Ch 5nSee links Ch 5m, Ch 5n

3232

hping2 on Ubuntu 8.04hping2 on Ubuntu 8.04

sudo apt-get install hping2sudo apt-get install hping2 The command below sends three SYN The command below sends three SYN

packets to port 80 on the 147.144.1.2 packets to port 80 on the 147.144.1.2 serverserver

Response is SYN/ACK, as expectedResponse is SYN/ACK, as expected

3333

3434

3535

3636

Broadcast AddressesBroadcast Addresses

If you PING a broadcast address, that can If you PING a broadcast address, that can create a lot of trafficcreate a lot of traffic

Normally the broadcast address ends in Normally the broadcast address ends in 255255

But if your LAN is subnetted with a subnet But if your LAN is subnetted with a subnet mask like 255.255.255.192mask like 255.255.255.192 There are other broadcast addresses ending There are other broadcast addresses ending

in 63, 127, and 191in 63, 127, and 191

3737

Smurf AttackSmurf Attack

Pinging a broadcast address on an old network Pinging a broadcast address on an old network resulted in a lot of ping responsesresulted in a lot of ping responses

So just put the victim's IP address in the "From" So just put the victim's IP address in the "From" fieldfield The victim is attacked by a flood of pings, none of The victim is attacked by a flood of pings, none of

them directly from youthem directly from you Modern routers don't forward broadcast packets, Modern routers don't forward broadcast packets,

which prevents them from amplifying smurf which prevents them from amplifying smurf attacksattacks

Windows XP and Ubuntu don't respond to Windows XP and Ubuntu don't respond to broadcast PINGsbroadcast PINGs

See links Ch 5o, 5pSee links Ch 5o, 5p

3838

Crafting IP PacketsCrafting IP Packets

Packet componentsPacket components Source IP addressSource IP address Destination IP addressDestination IP address FlagsFlags

Crafting packets helps you obtain more Crafting packets helps you obtain more information about a serviceinformation about a service

ToolsTools FpingFping HpingHping

3939

Understanding Shell ScriptingUnderstanding Shell Scripting

Modify tools to better suit your needsModify tools to better suit your needs ScriptScript

Computer program that automates tasksComputer program that automates tasks Time-saving solutionTime-saving solution

4040

Scripting BasicsScripting Basics

Similar to DOS batch programmingSimilar to DOS batch programming Script or batch fileScript or batch file

Text fileText file Contains multiple commandsContains multiple commands

Repetitive commands are good candidate Repetitive commands are good candidate for scriptingfor scripting

Practice is the keyPractice is the key

4141