SCSC 555 Frank Li

Outline:
- Port scanning
- Port-scanning tools
- Ping sweeps


- Port scanning
  - Finds out which services a host computer offers
  - Identifies vulnerabilities
  - Scan all ports when testing, not just well-known ports
- Open services can be used in attacks
  - Identify a vulnerable port via scanning
  - Then launch an exploit
  - E.g.?

- Port-scanning programs report:
  - Open ports
  - Closed ports
  - Filtered ports
  - Best-guess assessment of which OS is running
- Discussion: closed port vs. filtered port

- SYN scan
  - a.k.a. stealth scan
- Connect scan
  - Completes the three-way handshake
- NULL scan
  - All packet flags are turned off
- XMAS scan
  - FIN, PSH and URG flags are set

- ACK scan
  - Used to get past a firewall
- FIN scan
  - Closed port responds with an RST packet
- UDP scan
  - Closed port responds with an ICMP "Port Unreachable" message
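As an added example (not part of the slides), the flag combinations above read from the receiving side: a small detector that labels a bare TCP probe by its flag set (SYN, NULL, XMAS, FIN, ACK) and reports any source that uses the same probe type against many distinct ports. The packet records, addresses and the threshold of five ports are constructed for the example.

```python
from collections import defaultdict

# Flag sets exactly as the scan types above send them. A lone SYN is also how every
# legitimate connection starts, so that signature is only meaningful across many ports.
PROBE_SIGNATURES = {
    frozenset({"SYN"}): "SYN scan",
    frozenset(): "NULL scan",
    frozenset({"FIN", "PSH", "URG"}): "XMAS scan",
    frozenset({"FIN"}): "FIN scan",
    frozenset({"ACK"}): "ACK scan",
}

def classify_probe(flags):
    """Return the scan type a probe with this exact flag set matches, or None."""
    return PROBE_SIGNATURES.get(frozenset(flags))

def detect_scans(packets, min_ports=5):
    """Group probes by (source, scan type) and report every pair that touched at
    least min_ports distinct destination ports. Each packet is (src_ip, dst_port, flags)
    as seen at the scanned host; min_ports is an assumed threshold, not a standard."""
    ports_seen = defaultdict(set)
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            ports_seen[(src, kind)].add(dport)
    return {key: len(ports) for key, ports in ports_seen.items() if len(ports) >= min_ports}

# Constructed sample: an XMAS sweep of ports 20-29 plus one NULL probe from 10.0.0.9,
# and ordinary connection traffic (SYN to three ports, then ACK/PSH-ACK) from 10.0.0.5.
SAMPLE = (
    [("10.0.0.9", p, {"FIN", "PSH", "URG"}) for p in range(20, 30)]
    + [("10.0.0.9", 445, set())]
    + [("10.0.0.5", p, {"SYN"}) for p in (80, 443, 22)]
    + [("10.0.0.5", 80, {"ACK"}), ("10.0.0.5", 80, {"PSH", "ACK"})]
)

if __name__ == "__main__":
    for (src, kind), n in detect_scans(SAMPLE).items():
        print(f"{src}: {kind} across {n} ports")   # only the XMAS sweep crosses the threshold
```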

- Port scanning
- Port-scanning tools
- Ping sweeps

- Nmap
- Genlist
- Zenmap
- Unicornscan
- Nessus

- Nmap ("Network Mapper")
  - An open source tool for network exploration and security auditing.
  - Commonly used for security audits; many systems and network administrators also find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

- Nmap can rapidly scan large networks to determine:
  - what hosts are available on the network,
  - what services (application name and version) those hosts are offering,
  - what operating systems (and OS versions) they are running,
  - what type of packet filters/firewalls are in use,
  - and dozens of other characteristics ...

nmap -sS -P0 -O -T Sneaky -p 445 -D

- Stealth scan (-sS), which does not complete the TCP connection. This is fairly fast and unobtrusive.
- The -P0 flag tells nmap NOT to ping the IP, which adds to stealth.
- The -O flag requests OS detection.
- The -T timing flag can be set from Sneaky to Insane and determines the speed of packet generation.
- The -p flag specifies the port or a port range.
- The -D flag allows you to specify a number of decoys.
  - googlebot's IP address is used as a decoy so that nmap generates packets from both your IP address and googlebot's IP address. This has the effect of confusing the target.

- Genlist is a program that returns a list of hosts that respond to ping probes.
  - This list can be used to perform a scan of these machines using Nmap.
- Example:
  1. Generate a list of live hosts and save it to a file called "list": genlist -s \* > list
  2. Use Nmap to scan that list: nmap -v -iL list

- Zenmap is the official Nmap Security Scanner GUI.
  - A multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application
  - Makes Nmap easy for beginners to use
  - Also provides advanced features for experienced Nmap users.

- Frequently used scans can be saved as profiles to make them easy to run repeatedly.
- A command creator allows interactive creation of Nmap command lines.
- Scan results can be saved in a searchable database and viewed later.


- Results viewing
  - Arrange the display to show all ports on a host or all hosts running a particular service.
  - The results of several scans may be combined and viewed at once.
- Comparison
  - Graphically show the differences between two scans.
  - Scans run on different days, scans of two different hosts, scans of the same hosts with different options, or any other combination.
- Convenience
  - Keeps track of scan results until you choose to throw them away.
- Repeatability
  - Command profiles make it easy to run the exact same scan more than once.

- Unicornscan is a scalable port scanner
  - Developed in 2004
  - Uses CPU-specific instructions to track the packets per second (PPS) you specify as closely as possible.
    - E.g., from a single Pentium system it is typical to be able to generate 25,000 PPS or more
  - Ideal for conducting tests on large networks

- UDP scan is optimized for fast scanning
  - UDP scanning is an unreliable method of discovering live systems on a network.
  - Scans 65,535 ports in three to seven seconds
- Unicornscan can also handle port scanning using TCP, ICMP, and IP

- Common flag schemes:
  - a SYN scan: -mT
  - an ACK scan: -mTsA
  - a FIN scan: -mTsF
  - a Null scan: -mTs
  - an nmap-style Xmas scan: -mTsFPU
  - a scan with all options on: -mTFSRPAUEC

# unicornscan -r200 -mU -I /24:53

Option descriptions:
- -r: packets per second
- -mU: scan mode UDP
- -I: immediately display results to the screen as received
- :53: port 53

# unicornscan -r500 -mT

Option descriptions:
- -r: packets per second
- -mT: scan mode TCP (TCP is the default mode if not otherwise specified)
- 29:80,443: ports and

- Nessus is capable of:
  - high-speed discovery,
  - configuration auditing,
  - asset profiling,
  - sensitive data discovery and vulnerability analysis
- Nessus uses a client/server architecture
  - Server runs on any *NIX platform
  - Client can be UNIX or Windows
  - Conducts testing from different locations

- A Nessus security plug-in is a security test program (script) that can be selected from the client interface.
  - Nessus can update its security-check plug-ins
  - Plug-ins can find vulnerabilities associated with identified services


- Port scanning
- Port-scanning tools
- Ping sweeps

- Ping sweeps identify which IP addresses belong to active hosts
- Problems of ping sweeps:
  - Computers that are shut down cannot respond
  - Networks may be configured to block ICMP Echo Requests
  - Firewalls may filter out ICMP traffic

- Ping uses the Internet Control Message Protocol (ICMP)
  - Sends out ICMP requests (ICMP ECHO_REQUEST) and then waits for a valid reply (an ICMP ECHO_RESPONSE)
  - Tells you that the destination is reachable, and the route between your computer and another one (by using the -R option).

- FPing (Fast Ping)
  - Similar to the ping program: sends out ICMP Echo Request packets and reports on host reachability, packet loss, and round-trip delay.
  - Unlike the ping program:
    - fping has the ability to send ICMP packets to multiple IP addresses simultaneously
    - fping is meant to be used in scripts and its output is easy to parse.

- Manually enter multiple IP addresses at a shell:
  # fping -g
  # fping -g /24
- Input file with addresses:
  # fping -f AddressFile


- Interval between sending ping packets: -i 30
- The count of pings to send to each target: -c 2
- Number of retries: -r 3
- Amount of ping data to send: -b 100
- Etc.

- Hping is a command-line oriented TCP/IP packet assembler/analyzer
  - Allows users to fragment and manipulate IP packets
  - Is used to bypass filtering devices
  - Supports TCP, UDP, ICMP and RAW-IP protocols

- Crafting packets helps you obtain more information about a service
  - Source IP address
  - Destination IP address
  - Flags: SYN, ACK, FIN ...

- Crafting TCP packets is the default behavior of hping.
  - By specifying the TCP flags, a destination port and a target IP address, one can easily construct TCP packets.
- SYN scan or stealth scan
  - An open port is indicated by an SA return packet, closed ports by an RA
  - E.g. 1: # hping -I eth0 -S -p 80

- A nice feature is the ++, which increases the destination port in the packets by one.
  - E.g. 2: # hping -I eth0 -S -p ++79 | grep SA
- All known nmap scanning techniques can be easily reproduced

- Idle scanning is a technique to port scan a remote system fully anonymously.
- Three hosts in idle scanning:
  - The Attacker runs two sessions of hping
  - The Server is the machine to be scanned
  - The Silent host is a machine that is not busy generating packets
    - Has a predictable increase in the IP header IDENTIFICATION field.

- A suitable silent host can be found by running the following hping probe.
  # hping -I eth0 -SA
  HPING (eth ): SA set, 40 headers + 0 data bytes
  len=46 ip= flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms
  len=46 ip= flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms
  len=46 ip= flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms
  ...


- The attacker runs a continuous probe against the silent host, and the attacker scans the server, spoofed with the IP address of the silent host.
- Step 2, a spoofed scan of the server by the attacker:
  # hping -I eth0 -a -S -p ++20
  HPING (eth ): S set, 40 headers + 0 data bytes

- Step 1, 4: a continuous probe from the attacker to the silent host to monitor the IP IDENTIFICATION field:
  # hping -I eth0 -r -S -p 2000
  HPING (eth ): S set, 40 headers + 0 data bytes
  ..
  len=46 ip= flags=RA seq=86 ttl=255 id=+1 win=0 rtt=1.6 ms
  len=46 ip= flags=RA seq=87 ttl=255 id=+2 win=0 rtt=1.6 ms (port 21)
  len=46 ip= flags=RA seq=88 ttl=255 id=+1 win=0 rtt=1.8 ms
  len=46 ip= flags=RA seq=89 ttl=255 id=+1 win=0 rtt=1.7 ms
  len=46 ip= flags=RA seq=90 ttl=255 id=+1 win=0 rtt=1.8 ms
  len=46 ip= flags=RA seq=91 ttl=255 id=+2 win=0 rtt=1.4 ms (port 25)

- Scenario 1:
  - If the attacker scans an open port at the server with a SYN packet, the server will respond with a SYN/ACK packet to the silent host.
  - The silent host will react by sending a RESET packet to the server, and will increase the IP_ID by one.
  - The next probe the attacker sends will get the next IP_ID in return: 2 units higher than the previous probe.

- Scenario 2:
  - If the attacker sends a SYN packet to a closed port of the server,
  - the server sends a RST to the silent host, which does not cause the silent host to send any packet.
    - IP_ID is not increased, since this RST will be discarded by the silent host.
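The two scenarios above as an added, packet-free model (not code from the slides): it tracks only the silent host's IP ID counter and shows why the observer sees id=+2 for an open server port and id=+1 for a closed one, and why the inference collapses when the silent host is busy sending its own traffic or randomizes its IP ID, which is the mitigation a defender applies. The start value 18106 and the background-traffic count are constructed.

```python
import random

class SilentHost:
    """Models only the IP ID counter of the silent host (the zombie)."""
    def __init__(self, predictable=True, background=0, seed=0):
        self.predictable = predictable   # False: host randomizes IP ID (the mitigation)
        self.background = background     # packets the host sends on its own between probes
        self.rng = random.Random(seed)
        self.ip_id = 18106               # constructed start value, like the hping output above

    def send_packet(self):
        """Every packet the host emits consumes one IP ID value."""
        if self.predictable:
            self.ip_id = (self.ip_id + 1) & 0xFFFF
        else:
            self.ip_id = self.rng.randrange(0x10000)
        return self.ip_id

    def receive(self, tcp_flags):
        """An unsolicited SYN/ACK is answered with a RST (one packet); a RST is dropped."""
        if tcp_flags == "SA":
            self.send_packet()

def server_reply(port_open):
    """The server's answer to the spoofed SYN: SYN/ACK if open, RST/ACK if closed."""
    return "SA" if port_open else "RA"

def probe_delta(silent, port_open):
    """One round: probe the silent host, let the server's reply reach it, probe again."""
    before = silent.send_packet()              # RST/ACK to the first probe
    silent.receive(server_reply(port_open))
    for _ in range(silent.background):         # unrelated traffic from a busy host
        silent.send_packet()
    after = silent.send_packet()               # RST/ACK to the second probe
    return (after - before) & 0xFFFF

def infer_port_state(delta):
    """Scenario 1: +2 means open. Scenario 2: +1 means closed. Anything else is unusable."""
    return {2: "open", 1: "closed"}.get(delta, "unknown")

if __name__ == "__main__":
    quiet = SilentHost()
    for port_open in (True, False):
        d = probe_delta(quiet, port_open)
        print(f"port open={port_open}: id=+{d} -> {infer_port_state(d)}")
    busy = SilentHost(background=3)
    print("busy host:", infer_port_state(probe_delta(busy, True)))
    print("random IP ID:", infer_port_state(probe_delta(SilentHost(predictable=False), True)))
```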

- Example: against an IIS 5.0 W2K SP4 Professional machine.
  - To avoid sending a TCP reset packet from the attacking machine, use a spoofed IP address with the -a switch.
  - To increase the pps rate, use the -i switch with the u prefix to give the interval in microseconds
    - E.g., -i u1000 means every 1000 microseconds.
  # hping -I eth0 -a -S -p 80 -i u

-i --interval
  Wait the specified number of seconds or microseconds between sending each packet. --interval X sets the wait to X seconds, --interval uX sets the wait to X microseconds. The default is to wait one second between each packet. When using hping2 to transfer files, tuning this option is really important in order to increase the transfer rate.
--fast
  Alias for -i u. Hping will send 10 packets per second.
--faster
  Alias for -i u1. Faster than --fast ;) (but not as fast as your computer can send packets, due to the signal-driven design).
--flood
  Send packets as fast as possible, without taking care to show incoming replies. This is way faster than specifying the -i u0 option.