Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.
-
Upload
jeanette-hyett -
Category
Documents
-
view
215 -
download
2
Transcript of Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.
Hands-On Ethical Hands-On Ethical Hacking and Network Hacking and Network
DefenseDefense
Chapter 5Chapter 5Port ScanningPort Scanning
Last updated 9-18-08Last updated 9-18-08
22
ObjectivesObjectives
Describe port scanningDescribe port scanning Describe different types of port scansDescribe different types of port scans Describe various port-scanning toolsDescribe various port-scanning tools Explain what ping sweeps are used forExplain what ping sweeps are used for Explain how shell scripting is used to Explain how shell scripting is used to
automate security tasksautomate security tasks
33
Introduction to Port ScanningIntroduction to Port Scanning
Port ScanningPort Scanning Finds out which services are offered by a hostFinds out which services are offered by a host Identifies vulnerabilitiesIdentifies vulnerabilities
Open services can be used on attacksOpen services can be used on attacks Identify a vulnerable portIdentify a vulnerable port Launch an exploitLaunch an exploit
Scan all ports when testingScan all ports when testing Not just well-known portsNot just well-known ports
44
AW Security Port ScannerAW Security Port Scanner
A commercial tool to identify vulnerabilitiesA commercial tool to identify vulnerabilities
55
Introduction to Port Scanning Introduction to Port Scanning (continued)(continued)
Port scanning programs reportPort scanning programs report Open portsOpen ports Closed portsClosed ports Filtered portsFiltered ports Best-guess assessment of which OS is Best-guess assessment of which OS is
running running
66
Is Port Scanning Legal?Is Port Scanning Legal?
The legal status of port scanning is The legal status of port scanning is unclearunclear If you have permission, it's legalIf you have permission, it's legal If you cause damage of $5,000 or more, it If you cause damage of $5,000 or more, it
may be illegalmay be illegal For more, see links Ch For more, see links Ch 5a
77
Normal TCP HandshakeNormal TCP Handshake
ClientClient SYN SYN ServerServer
ClientClient SYN/ACK SYN/ACK ServerServer
ClientClient ACKACK ServerServer
After this, you are ready to send dataAfter this, you are ready to send data
88
SYN Port ScanSYN Port ScanClientClient SYN SYN ServerServer
ClientClient SYN/ACK SYN/ACK ServerServer
ClientClient RSTRST ServerServer
The server is ready, but the client decided The server is ready, but the client decided not to complete the handshakenot to complete the handshake
99
Types of Port ScansTypes of Port Scans
SYN scanSYN scan Stealthy scan, because session handshakes are Stealthy scan, because session handshakes are
never completednever completed That keeps it out of some log filesThat keeps it out of some log files Three statesThree states
ClosedClosed
OpenOpen
FilteredFiltered
1010
Types of Port ScansTypes of Port Scans
Connect scanConnect scan Completes the three-way handshakeCompletes the three-way handshake Not stealthy--appears in log filesNot stealthy--appears in log files Three statesThree states
ClosedClosed
OpenOpen
FilteredFiltered
1111
Types of Port ScansTypes of Port Scans
NULL scanNULL scan All the packet flags are turned offAll the packet flags are turned off Two results:Two results:
Closed ports reply with Closed ports reply with RSTRST
Open or filtered ports give Open or filtered ports give no responseno response
1212
Types of Port ScansTypes of Port Scans
XMAS scanXMAS scan FIN, PSH and URG flags are setFIN, PSH and URG flags are set Works like a NULL scan – a closed port Works like a NULL scan – a closed port
responds with an RST packetresponds with an RST packet
FIN scanFIN scan Only FIN flag is setOnly FIN flag is set Closed port responds with an RST packetClosed port responds with an RST packet
1313
Windows MachinesWindows Machines
NULL, XMAS and FIN scans don't work on NULL, XMAS and FIN scans don't work on Windows machinesWindows machines Win 2000 Pro and Win Server 2003 shows all Win 2000 Pro and Win Server 2003 shows all
ports closedports closed Win XP Pro all ports open/filteredWin XP Pro all ports open/filtered
See the NMAP tutorial (link Ch See the NMAP tutorial (link Ch 5c))
1414
Types of Port ScansTypes of Port Scans
Ping scanPing scan Simplest method sends ICMP ECHO Simplest method sends ICMP ECHO
REQUEST to the destination(s)REQUEST to the destination(s) TCP Ping sends SYN or ACK to any port TCP Ping sends SYN or ACK to any port
(default is port 80 for Nmap) (default is port 80 for Nmap) Any response shows the target is upAny response shows the target is up
1515
Types of Port Scans Types of Port Scans (continued)(continued)
ACK scanACK scan Used to get information about a firewallUsed to get information about a firewall Stateful firewalls track connection and block Stateful firewalls track connection and block
unsolicited ACK packetsunsolicited ACK packets Stateless firewalls just block incoming SYN Stateless firewalls just block incoming SYN
packets, so you get a RST responsepackets, so you get a RST response UDP scanUDP scan
Closed port responds with ICMP “Port Closed port responds with ICMP “Port Unreachable” messageUnreachable” message
Rarely usedRarely used
1616
Using Port-Scanning ToolsUsing Port-Scanning Tools
NmapNmap UnicornscanUnicornscan NetScanTools Pro 2004NetScanTools Pro 2004 Nessus / OpenVASNessus / OpenVAS
1717
NmapNmap
Originally written for Phrack magazineOriginally written for Phrack magazine One of the most popular toolsOne of the most popular tools GUI versionsGUI versions
Xnmap and Ubuntu's NmapFEXnmap and Ubuntu's NmapFE
Open source toolOpen source tool Standard tool for security professionalsStandard tool for security professionals
1818
The Matrix ReloadedThe Matrix Reloaded
Trinity uses NmapTrinity uses Nmap Video at link Ch 4eVideo at link Ch 4e
1919
UnicornscanUnicornscan
Developed in 2004 for Linux & UNIX onlyDeveloped in 2004 for Linux & UNIX only Ideal for large networksIdeal for large networks Scans 65,535 ports in three to seven Scans 65,535 ports in three to seven
secondsseconds Optimizes UDP scanningOptimizes UDP scanning Alco can use TCP, ICMP, or IPAlco can use TCP, ICMP, or IP
Free from http://unicornscan.org/ (link Ch 5f)Free from http://unicornscan.org/ (link Ch 5f)
2020
NetScanTools ProNetScanTools Pro
Robust easy-to-use commercial toolRobust easy-to-use commercial tool Runs on WindowsRuns on Windows Types of testsTypes of tests
Database vulnerabilitiesDatabase vulnerabilities DHCP server discoveryDHCP server discovery IP packets viewerIP packets viewer Name server lookupName server lookup OS fingerprintingOS fingerprinting Many more (see link Ch 5g)Many more (see link Ch 5g)
2121
2222
NessusNessus
First released in 1998First released in 1998 Free, open source toolFree, open source tool Uses a client/server technologyUses a client/server technology Can conduct tests from different locationsCan conduct tests from different locations Can use different OSs for client and Can use different OSs for client and
networknetwork
2323
Nessus (continued)Nessus (continued)
ServerServer Any *NIX platformAny *NIX platform
ClientClient Can be *NIX or WindowsCan be *NIX or Windows
Functions much like a database serverFunctions much like a database server Ability to update security checks plug-insAbility to update security checks plug-ins Some plug-ins are considered dangerousSome plug-ins are considered dangerous
2424
2525
Nessus (continued)Nessus (continued)
Finds services running on portsFinds services running on ports Finds vulnerabilities associated with Finds vulnerabilities associated with
identified servicesidentified services
2626
2727
Conducting Ping SweepsConducting Ping Sweeps
Ping sweepsPing sweeps Identify which IP addresses belong to active Identify which IP addresses belong to active
hostshosts Ping a range of IP addressesPing a range of IP addresses
ProblemsProblems Computers that are shut down cannot Computers that are shut down cannot
respondrespond Networks may be configured to block ICMP Networks may be configured to block ICMP
Echo RequestsEcho Requests Firewalls may filter out ICMP trafficFirewalls may filter out ICMP traffic
2828
FPingFPing
Ping multiple IP addresses simultaneouslyPing multiple IP addresses simultaneously www.fping.com/downloadwww.fping.com/download Command-line toolCommand-line tool Input: multiple IP addressesInput: multiple IP addresses
To enter a range of addressesTo enter a range of addresses -g-g option option
Input file with addressesInput file with addresses -f-f option option
See links Ch 5k, 5lSee links Ch 5k, 5l
2929
3030
Fping on Ubuntu 8.04Fping on Ubuntu 8.04
sudo apt-get install fpingsudo apt-get install fping
3131
Hping2Hping2
Used to bypass filtering devicesUsed to bypass filtering devices Allows users to fragment and manipulate IP Allows users to fragment and manipulate IP
packetspackets www.hping.org/downloadwww.hping.org/download Powerful toolPowerful tool
All security testers must be familiar with toolAll security testers must be familiar with tool Supports many parameters (command Supports many parameters (command
options)options) See links Ch 5m, Ch 5nSee links Ch 5m, Ch 5n
3232
hping2 on Ubuntu 8.04hping2 on Ubuntu 8.04
sudo apt-get install hping2sudo apt-get install hping2 The command below sends three SYN The command below sends three SYN
packets to port 80 on the 147.144.1.2 packets to port 80 on the 147.144.1.2 serverserver
Response is SYN/ACK, as expectedResponse is SYN/ACK, as expected
3333
3434
3535
3636
Broadcast AddressesBroadcast Addresses
If you PING a broadcast address, that can If you PING a broadcast address, that can create a lot of trafficcreate a lot of traffic
Normally the broadcast address ends in Normally the broadcast address ends in 255255
But if your LAN is subnetted with a subnet But if your LAN is subnetted with a subnet mask like 255.255.255.192mask like 255.255.255.192 There are other broadcast addresses ending There are other broadcast addresses ending
in 63, 127, and 191in 63, 127, and 191
3737
Smurf AttackSmurf Attack
Pinging a broadcast address on an old network Pinging a broadcast address on an old network resulted in a lot of ping responsesresulted in a lot of ping responses
So just put the victim's IP address in the "From" So just put the victim's IP address in the "From" fieldfield The victim is attacked by a flood of pings, none of The victim is attacked by a flood of pings, none of
them directly from youthem directly from you Modern routers don't forward broadcast packets, Modern routers don't forward broadcast packets,
which prevents them from amplifying smurf which prevents them from amplifying smurf attacksattacks
Windows XP and Ubuntu don't respond to Windows XP and Ubuntu don't respond to broadcast PINGsbroadcast PINGs
See links Ch 5o, 5pSee links Ch 5o, 5p
3838
Crafting IP PacketsCrafting IP Packets
Packet componentsPacket components Source IP addressSource IP address Destination IP addressDestination IP address FlagsFlags
Crafting packets helps you obtain more Crafting packets helps you obtain more information about a serviceinformation about a service
ToolsTools FpingFping HpingHping
3939
Understanding Shell ScriptingUnderstanding Shell Scripting
Modify tools to better suit your needsModify tools to better suit your needs ScriptScript
Computer program that automates tasksComputer program that automates tasks Time-saving solutionTime-saving solution
4040
Scripting BasicsScripting Basics
Similar to DOS batch programmingSimilar to DOS batch programming Script or batch fileScript or batch file
Text fileText file Contains multiple commandsContains multiple commands
Repetitive commands are good candidate Repetitive commands are good candidate for scriptingfor scripting
Practice is the keyPractice is the key
4141