Port Scanning Prabhaker Mateti

2 Port scanning
- Attackers wish to discover services they can break into.
- Security audit: why are certain ports open?
- Send a packet to each port, one at a time.
- Based on the type of response, an attacker knows if the port is used.
- The used ports can be probed further for weakness.

3 Port Numbers
- An abstraction of the OS + network standards
- Part of UDP and TCP packets
- UDP and TCP port numbers are disjoint
- Typical to use the same port number for both the UDP and the TCP service, e.g., 80/TCP and 80/UDP for www
- 16-bit unsigned integer
- Well Known Ports ( )
- Registered Ports ( )
- Dynamic and/or Private Ports ( )

4 Sockets

5 Socket calls for connection-oriented communication

6 Socket calls for connectionless communication
- Client: socket(), bind(), sendto(), recvfrom(), close()
- Server: socket(), bind(), recvfrom() (blocks until the server receives data from the client), sendto(), close()

7 Well Known
- Only root-privileged programs are allowed to open these ports.
- Examples: ftp-data 20/udp, ftp 21/tcp, ssh 22/tcp, telnet 23/tcp, time 37/tcp, time 37/udp, whois 43/tcp, imap 143/tcp

8 Registered
- Ordinary programs/users can use these
- Examples: shockwave2 1257/tcp and 1257/udp (Shockwave 2); x /tcp and x /udp (X Window System)

9 Dynamic/Private
- Ordinary programs can use these

10 State of a Port
- Open: a service process is listening at the port. The OS receives packets arriving at this port and gives the messages to the service process. If the OS receives a SYN at an open port, this is the first packet of the three-way handshake.
- Closed: no process is listening at the port. If the OS receives a SYN at a closed port, an RST is sent.
- Filtered: a packet filter is listening at the port.

11 TCP connect() scanning
- Try connect()-ing to every port.
- If the port is listening, connect() will succeed.
- Otherwise, the port isn't reachable.
- No need for any special privileges; any user can use it.
- Speed: slow.
- Scanner can be identified.
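The connect() check of slide 11, written out as an added example (this is not code from Mateti's slides). It talks only to 127.0.0.1 and opens its own listener so the "open" case is reproducible offline; the names probe_tcp_port() and demo_open_and_closed() are chosen here, and the mapping of "no answer at all" to "filtered" follows slide 10's definitions.

```python
"""Added example (not from Mateti's slides): classify a TCP port with a plain
connect() call, as slide 11 describes, against 127.0.0.1 only. A listening
socket is opened inside the script so the 'open' case is reproducible; the
'closed' case reuses the same port once the listener has gone away."""
import errno
import socket
from contextlib import closing


def probe_tcp_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed' or 'filtered' from the connect() outcome.

    - connect() succeeds           -> a process is listening (slide 10: open)
    - ECONNREFUSED (an RST came back) -> nothing listens there (closed)
    - timeout / unreachable        -> no answer at all, typically a packet
                                      filter dropping the SYN (filtered)
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))  # returns an errno instead of raising
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"  # EAGAIN / ETIMEDOUT / EHOSTUNREACH and friends


def demo_open_and_closed() -> dict:
    """Listen on an ephemeral loopback port, probe it, close the listener and
    probe the same port again (now guaranteed free)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    with_listener = probe_tcp_port("127.0.0.1", port)
    listener.close()
    without_listener = probe_tcp_port("127.0.0.1", port)
    return {"port": port,
            "with_listener": with_listener,
            "without_listener": without_listener}


if __name__ == "__main__":
    print(demo_open_and_closed())
```

Note that the listener never calls accept(): the kernel completes the handshake from the backlog, so connect() succeeds anyway. That completed-then-abandoned connection with no data is exactly what slide 23 says a service sees and logs, which is why this method is the easiest to identify.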

12 TCP SYN scanning
- Often referred to as half-open scanning.
- Send a SYN packet and wait for a response.
- A SYN/ACK indicates the port is listening.
- If a SYN/ACK is received, send an RST to tear down the connection immediately.
- Most sites do not log these.
- Need root privileges to build SYN packets.

13 TCP FIN Scanning
- Send a FIN packet (without a preceding SYN etc.).
- FIN packets may pass through firewalls.
- Closed ports reply with RST.
- Open ports ignore the FIN packet.
- Some hosts violate the RFC and reply with RSTs regardless of the port state; such hosts are thus not vulnerable to this scan.

14 TCP reverse identd scanning
- identd protocol (RFC 1413): discloses the username of the owner of any process connected via TCP, even if that process didn't initiate the connection.
- Example: connect to the http port (80), and then use identd to find out whether the server is running as root.
- Must have a full TCP connection to the port.

15 Fragmentation scanning
- Not a new scanning method in and of itself; a modification of other techniques.
- Split the probe packet into IP fragments.
- By splitting up the TCP header over several packets, it is harder for packet filters to detect a probe.

16 FTP Bounce Scan
- A port scanner can exploit this to scan TCP ports from a proxy ftp server.
- Connect to an FTP server behind a firewall, and then scan ports that are more likely to be blocked.
- If the ftp server allows reading from and writing to a directory (such as /incoming), you can send arbitrary data to ports that you do find open.

17 FTP Bounce Scan
- Takes advantage of a vulnerability of the FTP protocol.
- Requires support for proxy ftp connections.
- For example, evil.com can establish a control connection to the FTP server-PI (protocol interpreter) of target.com.
- Then it is able to request the server-PI to initiate an active server-DTP (data transfer process) to send a file anywhere on the Internet.

18 FTP Bounce Scan
- Use the PORT command (of FTP) to declare that our passive user-DTP is listening on the target box at a certain port number.
- LIST the current directory; the result is sent over the server-DTP channel.
- If our target host is listening on the port, the transfer will be successful.
- Otherwise, the connection will be refused.
- Then issue another PORT command to try the next port on the target.

19 FTP Bounce Scan
- Advantages: harder to trace; potential to bypass firewalls.
- Disadvantages: slow; many FTP servers have (finally) disabled the proxy feature.

20 UDP Scans
- UDP is simpler, but the scanning is more difficult.
- Open ports do not have to send an ACK.
- Closed ports are not required to send an error packet.
- Most hosts send an ICMP_PORT_UNREACH error when you send a packet to a closed UDP port.
- Can find out if a port is NOT open.

21 UDP Scans
- Neither UDP packets nor the ICMP errors are guaranteed to arrive.
- Slow: the ICMP error message rate is limited.
- Need to be root for access to a raw ICMP socket.
- Non-root users cannot read port unreachable errors directly.

22 UDP Scans
- But users can learn it indirectly.
- For example, a second write() call to a closed port will usually fail.
- recvfrom() on a non-blocking UDP socket usually returns EAGAIN (try again) if the ICMP error hasn't been received.
- It will return ECONNREFUSED (connection refused) if the ICMP error has been received.
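The connectionless call sequence of slide 6 and the indirect UDP port-state signal of slides 20-22, as one added example (not code from Mateti's slides). It uses only 127.0.0.1; udp_echo_exchange(), classify_udp_port() and demo_listening_vs_unbound() are names chosen here, and the 0.5 s wait is an assumed value. Because neither a reply nor the ICMP error is guaranteed (slide 21), the classifier reports "open|filtered" when nothing comes back rather than guessing.

```python
"""Added example (not from Mateti's slides): the connectionless socket calls of
slide 6 on loopback, then the UDP port-state behaviour of slides 20-22
(ICMP port unreachable surfacing as ECONNREFUSED, 'nothing yet' as EAGAIN)."""
import socket
import time


def udp_echo_exchange(payload: bytes = b"constructed probe") -> bytes:
    """Slide 6 call sequence. Server: socket(), bind(), recvfrom(), sendto(),
    close(). Client: socket(), bind(), sendto(), recvfrom(), close()."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))              # port 0: the OS picks a free port
    server_addr = server.getsockname()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))
    client.settimeout(2.0)
    client.sendto(payload, server_addr)

    data, client_addr = server.recvfrom(2048)  # blocks until the datagram arrives
    server.sendto(data.upper(), client_addr)   # answer so the client gets a reply
    reply, _ = client.recvfrom(2048)
    server.close()
    client.close()
    return reply


def classify_udp_port(host: str, port: int, wait: float = 0.5) -> str:
    """Slides 20-22: 'open' if a reply arrives, 'closed' if the ICMP port
    unreachable error is surfaced as ECONNREFUSED, else 'open|filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.connect((host, port))   # a connected UDP socket is how the kernel hands
    s.setblocking(False)      # the ICMP error back without root or a raw socket
    try:
        s.send(b"constructed probe")
        deadline = time.monotonic() + wait
        while time.monotonic() < deadline:
            try:
                s.recv(2048)
                return "open"
            except BlockingIOError:         # EAGAIN: no reply, no ICMP error yet
                time.sleep(0.02)
            except ConnectionRefusedError:  # ECONNREFUSED: the ICMP error arrived
                return "closed"
        return "open|filtered"              # slide 21: nothing is guaranteed to arrive
    finally:
        s.close()


def demo_listening_vs_unbound() -> dict:
    """A bound-but-silent UDP port looks the same as a filtered one; only the
    unbound port can be shown to be NOT open (slide 20)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    bound = classify_udp_port("127.0.0.1", port)    # expect 'open|filtered'
    listener.close()
    unbound = classify_udp_port("127.0.0.1", port)  # 'closed' once the ICMP error is delivered
    return {"port": port, "bound": bound, "unbound": unbound}


if __name__ == "__main__":
    print(udp_echo_exchange())
    print(demo_listening_vs_unbound())
```

The silent listener case is the practical lesson: a UDP service that does not answer unsolicited datagrams is indistinguishable from a firewall dropping them, so a UDP probe can only ever prove a port closed, never open.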

23 Stealth Scan
- Simple port scanning can be easily logged by the services listening at the ports.
- E.g., they see an incoming connection with no data, thus they log an error.
- Stealth scan refers to scanning techniques that can avoid being logged.
- These techniques include fragmented packets, SYN scanning, FIN scanning, etc.

24 Stealth Scan
- Scan slowly: a port scanner typically scans a host too rapidly, and some detectors recognize these "signatures". So, scanning very slowly (e.g., over several days) is a stealth technique.
- Firing packets with fake IPs: flood with spoofed scans and embed one scan from the real source (network) address.

25 Signatures of a port scan
- Several packets to different destination ports from the same source within a "short period" of time.
- SYN to a non-listening port.

26 Detection of Port Scanning
- Open a socket in SOCK_RAW mode with protocol type IPPROTO_IP.
- recvfrom() to capture the packets.
- Discovering stealth scans requires kernel-level work.
- A detector can inform us that we have been port-scanned, but the source address may have been spoofed.

27 Scanner Leaks
- If the packets we received have an IP TTL of 255, we can conclude that they were sent from our local network, regardless of what the source address field says.
- If the TTL is 250, we can only tell that the attacker was no more than 5 hops away.
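The two signatures of slide 25 and the TTL reasoning of slide 27 applied to a constructed log, as an added example (not code from Mateti's slides and not any real tool's log format). The line layout "epoch src_ip dst_port tcp_flags ttl", the LISTENING set, the 10-second WINDOW and the THRESHOLD of 5 ports are all assumptions made here; the packet capture itself (slide 26's raw socket) is out of scope and the lines stand in for what it would deliver.

```python
"""Added example (not from Mateti's slides): the port-scan signatures of
slides 25-27 over constructed log lines. Format, thresholds and the
LISTENING set are assumptions of this example."""
from collections import defaultdict, deque

# Constructed sample: a rapid multi-port sweep, a local host hitting one port
# twice, and a distant host making two slow connection attempts.
LOG = """\
1000.0 10.0.0.7 22 S 64
1000.2 10.0.0.7 80 S 64
1000.4 10.0.0.7 443 S 64
1000.5 10.0.0.7 8080 S 64
1000.6 10.0.0.7 3306 S 64
1001.0 10.0.0.7 5432 S 64
1002.0 192.168.1.5 80 S 255
1003.0 192.168.1.5 80 S 255
1010.0 203.0.113.9 25 S 250
1080.0 203.0.113.9 110 S 250
"""

LISTENING = {22, 80, 443}   # ports this host actually serves (assumed)
WINDOW = 10.0               # seconds: slide 25's "short period" (assumed)
THRESHOLD = 5               # distinct destination ports within WINDOW (assumed)


def parse(line):
    t, src, port, flags, ttl = line.split()
    return float(t), src, int(port), flags, int(ttl)


def detect_sweeps(log_text):
    """Slide 25, first signature: many different destination ports from one
    source in a short period. Returns {src: (window_start, sorted_ports)}."""
    recent = defaultdict(deque)   # src -> (t, port) pairs inside the window
    alerts = {}
    for line in log_text.splitlines():
        t, src, port, flags, _ = parse(line)
        if "S" not in flags:      # only connection attempts (SYN) count
            continue
        q = recent[src]
        q.append((t, port))
        while t - q[0][0] > WINDOW:   # drop entries older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= THRESHOLD and src not in alerts:
            alerts[src] = (q[0][0], sorted(distinct))
    return alerts


def syns_to_closed_ports(log_text):
    """Slide 25, second signature: SYNs to ports nothing listens on, per source."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, src, port, flags, _ = parse(line)
        if "S" in flags and port not in LISTENING:
            counts[src] += 1
    return dict(counts)


def max_hops_from_ttl(ttl, initial_ttl=255):
    """Slide 27: each router decrements TTL by one, so a packet arriving with
    TTL 255 crossed no router and one arriving with 250 crossed at most 5.
    This is an upper bound that assumes the sender started at 255."""
    return initial_ttl - ttl


def ttl_report(log_text):
    """Per source, the tightest hop-distance bound seen; unlike the source
    address field, the TTL cannot be chosen to point somewhere else."""
    bound = {}
    for line in log_text.splitlines():
        _, src, _, _, ttl = parse(line)
        hops = max_hops_from_ttl(ttl)
        bound[src] = min(hops, bound.get(src, hops))
    return bound


if __name__ == "__main__":
    print(detect_sweeps(LOG))
    print(syns_to_closed_ports(LOG))
    print(ttl_report(LOG))
```

Two caveats follow from the slides themselves: a source that spreads its probes over days (slide 24) never accumulates THRESHOLD ports inside WINDOW, so the sweep detector stays silent for it, and the TTL bound is only useful when the initial TTL really was 255; the sweep from 10.0.0.7 arrives with TTL 64, which gives a bound of 191 hops, i.e. no information at all.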

28 References
1. Ron Gula, How to Handle and Identify Network Probes, April 1999, www.securitywizards.com (local copy). Required Reading.
2. Hobbit, The FTP Bounce Attack, hobbit.ftpbounce.txt. The original paper on the subject. Reference.
3. Fyodor, Remote OS detection via TCP/IP Stack Finger Printing. Written: October 18, 1998. Last Modified: April 10. article.html. Required Reading.
4. Solar Designer, Designing and Attacking Port Scan Detection Tools, Phrack Magazine, Volume 8, Issue 53, July 8, 1998, article 13 of 15. Recommended Reading.
ZoneAlarm (free for personal use) can detect port scans. Try this on your own home network of Windows PCs.