Port Scanning (based on nmap tool)

Port Scanning (based on nmap tool)
Lecture 5 (NETW4006-Lecture05 Part 2)

Content
- Definition
- Port Numbers
- TCP 3-Way Handshake
- Different Port Scanning Types
- Detecting Scans

Port Scanning
- Attackers use it as a reconnaissance technique to discover available services/open ports.
- Send a packet to different ports; the response indicates the state of each port: open, closed, filtered.
- The type of response also reveals information about the system (OS fingerprinting).
- Reconnaissance = investigation.
- Netstat displays network connections, the routing table, etc.

Port Numbers
- Part of the addressing information used to identify the senders and receivers of messages (0-65535).
- TCP/UDP: source and destination port numbers, 16-bit unsigned integers.
- 0 to 1023: well known (ftp=21, telnet=23)
- 1024 to 49151: registered
- 49152 to 65535: others, dynamic/private ports. Most often used for ephemeral (short-lived) connections, usually as TCP source ports.
- A port is identified for each address and protocol by a 16-bit number, commonly known as the port number. The port number, added to a computer's IP address, completes the destination address for a communications session.

Well Known Ports
- Listed by the Internet Assigned Numbers Authority (IANA) at the Information Sciences Institute (ISI), which is responsible for global coordination of the DNS root, IP addressing and Internet protocol resources.
- Binding to them requires root privilege on UNIX systems.
- List: http://www.iana.org/assignments/port-numbers
- Example:
  ftp 21/tcp File Transfer [Control]
  ftp 21/udp File Transfer [Control] # Jon Postel postel@isi.edu
  ssh 22/tcp SSH Remote Login Protocol
  ssh 22/udp SSH Remote Login Protocol # Tatu Ylonen ylo@cs.hut.fi
  telnet 23/tcp Telnet

Registered Ports (1024 - 49151)
- Listed by IANA as a convenience, to reduce port number conflicts.
- Used by ordinary user processes or programs executed by ordinary users.
- Example: shockwave2 1257/tcp Shockwave2

Other Ports (Dynamic/Private, 49152 - 65535)
- Private and/or dynamic ports, used by ordinary programs.
- Commonly used for ephemeral (short-lived) ports, most commonly as source ports on outgoing connections.

TCP 3-Way Handshake
- TCP handshaking technique to open connections: SYN, SYN-ACK, ACK.
- Two systems attempting to initiate a connection for communication can negotiate one connection at a time independently of each other.
Description:
1. Host A sends a TCP SYNchronize packet to Host B.
2. Host B receives A's SYN.
3. Host B sends SYN-ACK to Host A.
4. Host A receives B's SYN-ACK.
5. Host A sends ACKnowledge to Host B.
6. Host B receives the ACK; the TCP connection is established.
- TCP knows the state of a connection by using the SYN and ACK flags.
- Once connected, TCP hands off to the application for data transfer and communication.
(Reference: http://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml)

TCP connect() Scan
- Uses the connect() call that the operating system uses to initiate a normal TCP connection to a remote device (full 3-way handshake).
- No special privileged access needed: any user can use it.
- A TCP connect scan is often logged by the target host's service.

TCP connect() Scan
- Closed Port: like the TCP SYN scan.
- Open Port: completes the TCP 3-way handshake (3WHS), then sends RST.
- RST = Reset. The TCP connect() scan completed the 3-way handshake and then immediately sent a reset (RST) packet to close the connection.
Figures taken from [4]: http://www.networkuptime.com/nmap/index.shtml

TCP SYN Scan / Half-Open Scan
- Send a SYN packet and wait for a response. A SYN/ACK indicates the port is listening.
- If a SYN/ACK is received, send an RST to tear down the connection immediately.
- Requires root privileges to create raw SYN packets.
- Often not logged: the 3WHS is not completed.
- Root = admin privilege.

TCP SYN Scan / Half-Open Scan
- Closed Port: no difference from the TCP connect scan.
- Open Port: SYN/ACK means the port is open; the scanner answers the SYN/ACK with RST.
- Common scan for finding open ports on a remote device. It only half-opens the TCP connections.
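As an added example (not from the lecture slides), the following server-side flow tracker shows why the half-open SYN scan described above never reaches the application log while a connect() scan does: only flows whose handshake completes are handed to the application. The packet records and the tcpdump-style flag letters are constructed for the example.

```python
"""Server-side TCP flow tracker: labels each client flow by what the
handshake did. Trace is constructed, not captured."""
from collections import defaultdict

# Each record: (client_ip, client_port, server_port, direction, flags)
# direction "in" = client -> server, "out" = server -> client.
# Flag letters as tcpdump prints them: S=SYN, .=ACK, R=RST, F=FIN, P=PSH.
CONSTRUCTED_TRACE = [
    # legitimate session: full handshake, data, graceful close
    ("10.0.0.5", 40001, 80, "in", "S"), ("10.0.0.5", 40001, 80, "out", "S."),
    ("10.0.0.5", 40001, 80, "in", "."), ("10.0.0.5", 40001, 80, "in", "P."),
    ("10.0.0.5", 40001, 80, "out", "F."),
    # connect() scan probe: handshake completes, then immediate RST, no data
    ("10.0.0.9", 51000, 22, "in", "S"), ("10.0.0.9", 51000, 22, "out", "S."),
    ("10.0.0.9", 51000, 22, "in", "."), ("10.0.0.9", 51000, 22, "in", "R."),
    # SYN (half-open) scan probe: our SYN/ACK is answered by RST, never ACK
    ("10.0.0.9", 51001, 443, "in", "S"), ("10.0.0.9", 51001, 443, "out", "S."),
    ("10.0.0.9", 51001, 443, "in", "R"),
    # SYN to a closed port: the server itself answers with RST
    ("10.0.0.9", 51002, 8080, "in", "S"), ("10.0.0.9", 51002, 8080, "out", "R."),
]

def classify_flows(trace):
    """Group packets per (client_ip, client_port, server_port) and label each flow."""
    flows = defaultdict(list)
    for cip, cport, sport, direction, flags in trace:
        flows[(cip, cport, sport)].append((direction, flags))
    result = {}
    for key, pkts in flows.items():
        in_flags = [f for d, f in pkts if d == "in"]
        out_flags = [f for d, f in pkts if d == "out"]
        handshake_done = "S" in in_flags and "S." in out_flags and "." in in_flags
        if "R." in out_flags and not handshake_done:
            label = "closed-port probe"          # SYN answered by our RST
        elif not handshake_done:
            # SYN/ACK answered with RST instead of ACK is the half-open signature
            label = "half-open (SYN scan)" if any("R" in f for f in in_flags) else "incomplete"
        elif any("P" in f for f in in_flags):
            label = "established with data"      # what a normal client does
        elif any("R" in f for f in in_flags):
            label = "connect scan"               # 3WHS completed, then RST, no payload
        else:
            label = "established"
        result[key] = label
    return result

def seen_by_application(labels):
    """Flows the kernel hands to the listening service (so the service can log them)."""
    return {k for k, v in labels.items()
            if v in ("established", "established with data", "connect scan")}
```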

TCP ACK Scan
- A random TCP ACK is sent to the destination.
- If the port is active, an RST is returned.
- If not active or the port is filtered, there is no response to the ACK.
- Useful to see whether a firewall is stateful or a simple packet filter.
- Requires privileged access (otherwise send a TCP connect()).
- Port 80 is used by default. Filtered connection: no response means the port is filtered.

ICMP Ping Scan
- ICMP echo (ping) request to the destination IP address.
- If an ICMP echo reply (pong) is received, the station is active.
- If no response: the station is not active or the connection is filtered.
- ICMP does not have a notion of port numbers; it has types and codes.

ICMP Echo & TCP ACK
- ICMP echo request + TCP ACK.
- Response if the system is alive and port 80 is not filtered.

TCP FIN Scan
- Send a FIN (finish) packet without SYN.
- Used when trying to hide from SYN loggers.
- Requires root privileges to create raw TCP packets.
- The FIN may be dropped by a firewall or may pass through: no differentiation from an open port.

TCP FIN Scan
- Closed Port: replies with RST.
- Open Port: no reply to the FIN.
- Identifies TCP ports.

FTP Bounce Scan
- Connect to an FTP server behind a firewall, and then scan ports that are more likely to be blocked.
- Uses an FTP vulnerability: the server acts as a proxy.
- Requires a third host as proxy for FTP (passive). Must be logged in, either as Anonymous or as a User.
- The user sends a PORT command to the FTP server that redirects the data connection towards a different host/port! The user can send arbitrary data to open ports.
- Advantages: no privileges required, harder to trace, potential to bypass firewalls.
- Disadvantages: slow; many FTP servers have disabled the proxy features.
- Don't accept connections from your FTP server. Many FTP servers disable proxying.
- This technique can be generalized to e.g. SMTP (spam).

FTP Bounce Scan
- Send PORT (IP address + port) + LIST (launches the data connection), or PUT to send arbitrary data.
- Closed Port: the FTP server can't build the data connection.
- Open Port: the FTP transfer is completed.
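The slides' mitigation ("don't accept connections from your FTP server", i.e. disable proxying) comes down to one check on the PORT command. The following hypothetical server-side helper is an added example, not from the lecture or any real FTP server: it parses the RFC 959 PORT argument and refuses a data connection to any address other than the control connection's own peer, or to a privileged port; the reply strings are constructed.

```python
"""Server-side validation of the FTP PORT command that prevents bounce scans.
Hypothetical helper for a toy FTP server, not a real implementation."""
import ipaddress

def parse_port_command(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' (RFC 959 PORT syntax) into (ip, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated decimal values")
    try:
        octets = [int(p) for p in parts]
    except ValueError:
        raise ValueError("PORT values must be decimal integers")
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("PORT value out of range 0-255")
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]          # p1 is the high byte
    return ip, port

def validate_port_command(arg, control_peer_ip):
    """Return (accepted, reply) for a PORT command received from control_peer_ip.

    Accepting PORT for a third-party address turns the server into the proxy
    that an FTP bounce scan relies on, so only the client's own address is allowed.
    """
    try:
        ip, port = parse_port_command(arg)
    except ValueError:
        return False, "501 Syntax error in parameters or arguments."
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        # data connection aimed at another host: this is the bounce attempt
        return False, "500 Illegal PORT command (address differs from control connection)."
    if port < 1024:
        # refusing well-known ports keeps the server from being pointed at other services
        return False, "500 Illegal PORT command (privileged port refused)."
    return True, "200 PORT command successful."
```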

UDP Scan
- Scanning is more difficult: no ACK from open ports.
- Most hosts send an ICMP Port Unreachable error when you send a packet to a closed UDP port.
- Reading ICMP packets requires root privileges.
- Can find out if the system is alive.
- If ICMP is filtered, there is no response to the UDP ping.

UDP Ping Scan
- Closed Port: UDP ping; if ICMP Port Unreachable comes back, the system is alive.
- Open Port: if no response, the remote system is unavailable. This could be incorrect, because UDP applications don't necessarily send a response to empty requests.
UDP Scan: this type of scanning is used to determine which UDP ports are open on the target host. A 0-byte UDP packet is sent to all the specified ports on the target machine; if we get ICMP unreachable the port is assumed to be closed, otherwise it is considered open. Its demerit is that ISPs often block these ports, so it sometimes gives incorrect results (the ports appear open but in fact are not), so you need to be a bit careful about these results.

Other Scan Techniques
- Stealth scan: scanning techniques that can avoid being logged: fragmented packets, SYN scanning, FIN scanning, scanning slowly, etc.
- identd protocol: gives the username of the owner of the process connected via TCP. Connect to the http port (80) and use identd.
- Ident (aka auth) protocol use is uncommon.

Detect Scan
- Rapid scan detected: several packets rapidly sent to different ports from the same source.
- SYN to a closed port.
- Port scan logged by the services/application.
- Firewall log scanning.
- A detector can inform us that we have been port scanned, but the source address may have been spoofed.
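As an added example (not from the lecture), the following detector applies the two indicators above to firewall logs: a source touching many distinct destination ports within a short window, and SYNs to closed ports (the REJECT verdict, where our host answered with RST or ICMP unreachable). The log line format, the addresses and the timestamps are constructed for the example.

```python
"""Rate-based port scan detector over constructed firewall-style log lines.
Source addresses may be spoofed, so an alert names a source, not an attacker."""
import re
from collections import defaultdict

# epoch.fraction src:port -> dst:port proto flags verdict  (constructed format)
LOG_RE = re.compile(r"^(?P<t>\d+\.\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP) "
                    r"(?P<flags>\S+) (?P<verdict>\w+)$")

CONSTRUCTED_LOG = """\
1700000000.10 198.51.100.7:51000 -> 192.0.2.10:22 TCP S ACCEPT
1700000000.12 198.51.100.7:51001 -> 192.0.2.10:23 TCP S DROP
1700000000.13 198.51.100.7:51002 -> 192.0.2.10:80 TCP S ACCEPT
1700000000.15 198.51.100.7:51003 -> 192.0.2.10:443 TCP S ACCEPT
1700000000.16 198.51.100.7:51004 -> 192.0.2.10:8080 TCP S REJECT
1700000000.18 198.51.100.7:51005 -> 192.0.2.10:3306 TCP S REJECT
1700000001.00 203.0.113.4:40000 -> 192.0.2.10:443 TCP S ACCEPT
1700000030.00 203.0.113.4:40001 -> 192.0.2.10:80 TCP S ACCEPT
this line is garbage and must be skipped
""".splitlines()

def detect_scanners(lines, window=5.0, port_threshold=5):
    """Return {src: {"ports": n, "closed_hits": m}} for every source that hit at
    least port_threshold distinct destination ports inside any `window` seconds.
    closed_hits counts REJECT verdicts (SYN to a closed port) in that window."""
    events = defaultdict(list)                  # src -> [(time, dport, verdict)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                            # unparseable line: skip, don't crash
        events[m["src"]].append((float(m["t"]), int(m["dport"]), m["verdict"]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()                              # time-ordered for the sliding window
        best, lo = None, 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1                         # drop events older than the window
            win = evs[lo:hi + 1]
            ports = {dport for _, dport, _ in win}
            if len(ports) >= port_threshold and (best is None or len(ports) > best["ports"]):
                best = {"ports": len(ports),
                        "closed_hits": sum(1 for _, _, v in win if v == "REJECT")}
        if best:
            alerts[src] = best
    return alerts
```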