nps9B36
8
8/4/2019 nps9B36 http://slidepdf.com/reader/full/nps9b36 1/8
-
Upload
okcy-ocky-susilo -
Category
Documents
-
view
224 -
download
0
Transcript of nps9B36
8/4/2019 nps9B36
http://slidepdf.com/reader/full/nps9b36 1/8
8/4/2019 nps9B36
http://slidepdf.com/reader/full/nps9b36 2/8
© S A N S I n
s t i t u
t e 2 0
0 2 , A u t h o
r r e t a i
n s f u l l r
i g h t
s .
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rig
Port Scanning Techniques and the Defense Against Them
Roger ChristopherOctober 5, 2001
Introduction
Port Scanning is one of the most popular techniquesattackers use to discover services that they can exploit tobreak into systems. All systems that are connected to aLAN or the Internet via a modem run services that listen towell-known and not so well-known ports. By port scanning,the attacker can find the following information about thetargeted systems: what services are running, what users ownthose services, whether anonymous logins are supported, andwhether certain network services require authentication.Port scanning is accomplished by sending a message to eachport, one at a time. The kind of response receivedindicates whether the port is used and can be probed forfurther weaknesses. Port scanners are important to networksecurity technicians because they can reveal possiblesecurity vulnerabilities on the targeted system.
Just as port scans can be ran against your systems, portscans can be detected and the amount of information aboutopen services can be limited utilizing the proper tools.Every publicly available system has ports that are open andavailable for use. The object is to limit the exposure of
open ports to authorized users and to deny access to theclosed ports.
Port Scan Techniques
To defend against port scans, you have to understand howport scans are performed. There are various port scanningtechniques available. Port scans have been made automatedby popular port scanning tools such as Nmap and Nessus.
The following scans are available for standard for Nmap andNessus.
1. Address Resolution Protocol (ARP) scans discoveractive devices on the local network segment by sendinga series of ARP broadcasts and incrementing the valuefor the target IP address field in each broadcastpacket. This type of scan will have every IP device
8/4/2019 nps9B36
http://slidepdf.com/reader/full/nps9b36 3/8
© S A N S I n
s t i t u
t e 2 0
0 2 , A u t h o
r r e t a i
n s f u l l r
i g h t
s .
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rig
on the network respond with its own IP address inresponse. This scan will effectively map out anentire network.
2. The Vanilla TCP connect scan is the most basic
scanning technique. The scan uses the connect systemcall of an operating system on a target system to opena connection to every port that is open. The scan isextremely noisy and easily detectable. The targetedsystem logs will show connection requests and errormessages for the services that accepted theconnections.
3. The TCP SYN (Half Open) scans are called half openbecause the attacking system doesn’t close the openconnections. The attacking scanner will send a SYNpacket to the target and wait for a response. If theport is open, the target will send a SYN|ACK. If theport is closed, the target will send an RST. Thistype of scan is difficult to detect. The targetsystem is in charge of closing the open connectionsand the target, most likely, will not have the properlogging set up to detect this type of scan.
4. The TCP FIN scan has the ability to pass undetectedthrough most firewalls, packet filters, and scandetection programs. The attacking system sends FINpackets to the targeted system. The closed ports will
respond with an RST. The open ports will ignore thepackets. The attacking system will take note of whichports it received an RST on and report on the portsthat did not respond with an RST.
5. The TCP Reverse Ident scan discovers the usernameof the owner of any TCP connected process on thetargeted system. This type of scan allows theattacking system to connect to open ports and use theident protocol to discover who owns the process.
6. The TCP XMAS scan is used to identify listeningports on the targeted system. The scan manipulatesthe URG, PSH and FIN flags of the TCP header. If theport is closed on the targeted system, the target willsend an RST. If the port is open, the port willignore the packets.
8/4/2019 nps9B36
http://slidepdf.com/reader/full/nps9b36 4/8
© S A N S I n
s t i t u
t e 2 0
0 2 , A u t h o
r r e t a i
n s f u l l r
i g h t
s .
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rig
7. The TCP NULL scan uses a series of uniquelyconfigured TCP packets that contain a sequence numberbut no flags. It the target’s TCP port is closed, theport will send an RST. If the port is open, the portwill ignore the packet.
8. The TCP ACK scan is used to identify active websites that may not respond to standard ICMP pings.The scan utilizes TCP packets with the ACK flag set toa probable port number. If the port is open, thetarget will send an RST in reply. If the port isclosed, the target will ignore the packet.
9. The FTP Bounce Attack uses the ftp protocol supportfor proxy ftp connections. The beauty of this scan isthat the attacker can hide behind an ftp server andscan another target without being detected. Thedownside is that most ftp servers have this servicedisabled.
10. The UDP ICMP port scan uses the UDP protocol.This port scan is successful in finding high numberports, especially in Solaris systems. The scan isslow and unreliable.
11. The ICMP ping-sweeping scan utilizes the pingcommand to do a sweep to see what systems are active.
The downside is that most networks have the ICMPprotocol either filtered or disabled.
(Fyodor)
Defending Against Port Scans
If you have a publicly accessible server, the system willbe vulnerable to port scans. There is no certain way todefeat port scans. The court systems have determined that
performing port scans is not illegal. Port scans areillegal only if the attacker uses information from a portscan to exploit a vulnerability or open port on the system.So the question is: How do we limit the information oursystems will give out?
8/4/2019 nps9B36
http://slidepdf.com/reader/full/nps9b36 5/8
© S A N S I n
s t i t u
t e 2 0
0 2 , A u t h o
r r e t a i
n s f u l l r
i g h t
s .
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rig
One way to limit the information gained from port scans isto close unnecessary services on the targeted systems, i.e.if you are running a web server, http should be the onlyservice offered. On UNIX systems, the easiest way to limit
the information given to port scanners is to edit the/etc/inetd.conf and remark out any unnecessary services.You will also want to edit the /etc/init.d and the runlevelfile that your system is utilizing. Remove any unneededservices. Also, ensure that your system is not running inthe X11 mode. If you are running in the X11 mode, yoursystem will broadcast the 6000 service whether you arelogged in or not.
Another way to limit the information given to port scannersis to employ TCP Wrappers, where applicable. TCP Wrappersgive the administrator the flexibility to permit or denyaccess to the services based upon IP addresses or domainnames. TCP Wrappers work in conjunction with the/etc/inetd.conf file. TCP Wrappers works by invoking thetcpd daemon prior to providing the specified service. Whenan incoming request is detected coming in from anauthorized port, TCP Wrappers will first check the/etc/hosts.allow file to see if the IP address or domainname has permissions to access the service. If no entry isfound, TCP Wrappers will check the /etc/hosts.deny file.If no entry is found there, or if the statement ALL : ALLis found, TCP Wrappers will ignore the request and not
permit the requested service to be utilized. When thesystem is port scanned, TCP Wrappers will still allow theservice to be advertised, however, the scanner will notreceive any additional information from the port unless thescan is coming from a host or domain specified in the/etc/hosts.allow file. When scanned, the system will listthe service as being open. When the attacker tries toexploit the open port, TCP Wrappers will reject theincoming connection if it is not originated from anapproved host or domain. The drawback of TCP Wrappers isthat not all services are covered. Services such as http
and smtp are not covered, and if improperly configured,will be susceptible to exploit. TCP Wrappers is notsusceptible to IP spoofing. When an incoming request isdetected, TCP Wrappers will perform a reverse DNS lookup onthe requesting IP address. If the reverse lookup matchesthe requesting IP, TCP Wrappers will permit the connection.If the reverse lookup fails, TCP Wrappers will assume that
8/4/2019 nps9B36
http://slidepdf.com/reader/full/nps9b36 6/8
8/4/2019 nps9B36
http://slidepdf.com/reader/full/nps9b36 7/8
© S A N S I n
s t i t u
t e 2 0
0 2 , A u t h o
r r e t a i
n s f u l l r
i g h t
s .
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rig
References
1. Anonymous. Maximum Security, Second Edition.Indianapolis: SAMS, 1998. 177 – 180.
2. McClure, Stuart; Scambray, Joel; Kurtz, George. HackingExposed, Network Security Secrets & Solutions. Berekley:Osborne/McGraw Hill, 1999. 38 – 51.
3. Fyodor. “The Art of Port Scanning.” September 01, 1997.URL: http://www.insecure.org/nmap/nmap_doc.html. (September25, 2001).
4. Psionic Software, Inc. URL:http://www.psionic.com/abacus/portsentry. (September 25,2001).
5. Venema, Wietse. “TCP Wrappers 7.6 BLURB.” March 21,1997. URL:ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.BLURB. (September 25, 2001).
8/4/2019 nps9B36
http://slidepdf.com/reader/full/nps9b36 8/8
Last Updated: September 29th, 2011
Upcoming SANS TrainingClick Here for a full list of all Upcoming SANS Events by Location
SANS Baltimore 2011 Baltimore, MD Oct 09, 2011 - Oct 15, 2011 Live Event
SOS: SANS October Singapore 2011 Singapore, Singapore Oct 10, 2011 - Oct 18, 2011 Live Event
National Cybersecurity Innovation Conference Washington, DC Oct 11, 2011 - Oct 14, 2011 Live Event
Grid SecCon 2011 New Orleans, LA Oct 18, 2011 - Oct 18, 2011 Live Event
SANS Chicago 2011 Chicago, IL Oct 23, 2011 - Oct 28, 2011 Live Event
SANS Seattle 2011 Seattle, WA Nov 02, 2011 - Nov 07, 2011 Live Event
SANS Korea 2011 Seoul, Korea, RepublicOf
Nov 07, 2011 - Nov 12, 2011 Live Event
SANS Sydney 2011 Sydney, Australia Nov 11, 2011 - Nov 19, 2011 Live Event
SANS Tokyo Autumn 2011 Tokyo, Japan Nov 14, 2011 - Nov 19, 2011 Live Event
SANS San Francisco 2011 San Francisco, CA Nov 14, 2011 - Nov 19, 2011 Live Event
European SCADA and Process Control System Security Summit2011
Rome, Italy Nov 26, 2011 - Dec 04, 2011 Live Event
SANS San Antonio 2011 San Antonio, TX Nov 28, 2011 - Dec 05, 2011 Live Event
SANS London 2011 London, UnitedKingdom
Dec 03, 2011 - Dec 12, 2011 Live Event
SANS CDI 2011 Washington, DC Dec 09, 2011 - Dec 16, 2011 Live Event
SANS Perth 2011 Perth, Australia Dec 12, 2011 - Dec 17, 2011 Live Event
SANS Gulf Region 2011 OnlineUnited ArabEmirates
Oct 08, 2011 - Oct 22, 2011 Live Event
SANS OnDemand Books & MP3s Only Anytime Self Paced
