Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network and Port Scanning Chien-Chung Shen

Published byDoris McCormick Modified over 8 years ago

Similar presentations

Presentation on theme: "Network and Port Scanning Chien-Chung Shen"— Presentation transcript:

1 Network and Port Scanning Chien-Chung Shen cshen@udel.edu

2 Host Discovery One of very first steps in network reconnaissance mission to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts –administrator uses an ICMP ping to locate hosts on internal network –external penetration uses a diverse set of “probes” in an attempt to evade firewall restrictions Aka “ping” scan, but goes beyond ICMP echo request packets

3 IP Address $ nslookup stimpy.cis.udel.edu 128.4.31.17 is a class B address strauss.udel.edu 128.175.13.74 $ nmap -sL 128.4.0.0/16 > a Locate 128.4.21.33

4 Port Scanning In TCP/IP, every (network) service on a machine is assigned a port (number) On Unix machine, ports assigned to standard services are listed in /etc/services –There is a (Unix) process listens on the port for incoming connection requests –What is the port # of ssh? Goal of port scanning: find out which ports are open, closed, or filtered –e.g., find out if a remote host is providing a service that is vulnerable to buffer overflow attack –port scanning may involve all 65,535 ports or only the ports that are well-known to provide services vulnerable to security-related exploits

5 TCP Segment source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number receive window Urg data pointer checksum F SR PAU head len not used options (variable length) ACK RST, SYN

6 TCP 3-Way Handshake SYN bit=1, Seq=x SYN bit=1, Seq=y ACK bit=1; ACKnum=x+1 ACK bit=1, ACKnum=y+1 ClientServer

7 Port Scanning A port is open on a machine if there is a running (server) process on the machine and the port is assigned to this process –if a port on a remote host is open for incoming connection requests and you send it a SYN packet, the remote host will respond back with a SYN+ACK packet A port is filtered if packets passing through that port are subject to filtering rules of a firewall –if a port is filtered with something like an iptables based packet filter and you send it a SYN packet or an ICMP ping packet, you may not get back anything at all If a port on a remote host is closed and you send it a SYN packet, the remote host will respond back with a RST packet

8 connect (TCP) Scan Check out man page of connect() #include int connect(int socketfd, // file descriptor from socket() const struct sockaddr *address, // server IP address socklen_t address_len); A call to connect() if successful completes a three- way handshake for a TCP connection with a server In a typical use of connect() for port scanning, if the connection succeeds, the port scanner immediately closes (via close() ) the connection (having ascertained that the port is open) to avoid DoS attack

9 Socket “door” between application process and TCP transport protocol Internet controlled by OS controlled by app developer transport application physical link network process transport application physical link network process socket

10 Port Scanner in Python Using built-in socket module $ python port-scanner.py Nmap module/library in Python –python-nmap: nmap from pythonpython-nmap: nmap from python –python-libnmap 0.7.0python-libnmap 0.7.0

11 Port Scanning with (TCP) SYN (1) Most popular form of port scanning Open TCP connection via three-way handshake –SYN -> SYN+ACK -> ACK In port scanning with SYN packets, scanner sends out SYN packets to different ports of a remote machine. When scanner receives SYN+ACK packet in return for a given port, scanner can be sure that the port on remote machine is open –it is the “duty” of a good port-scanner to immediately send back RST packet in response to received SYN+ACK packet so that the half-open TCP connection at remote machine is closed immediately

12 Port Scanning with TCP SYN (2) When a target machine receives a SYN packet for a closed port, it sends back an RST packet back to the sender When a target machine is protected by a packet-level firewall, it is the firewall rules that decide what the machine’s response will be to a received SYN packet

13 connect() vs. SYN SYN –port scanner generates raw IP packets itself, and monitors for responses –aka "half-open scanning", because it never actually opens a full TCP connection –SYN scan has advantage that individual services never actually receive a connection (less intrusive?) connect() –use operating system's network functions –full TCP connection established

14 UDP Scan (1) SYN packet is a TCP concept In a UDP scan, if a UDP packet is sent to a port that is not open, the remote machine will respond with an ICMP port-unreachable message. So the absence of a returned message can be inferred as a sign of an open UDP port A packet filtering firewall at a remote machine may prevent the machine from responding with an ICMP error message even when a port is closed

15 UDP Scan (2) Send application-specific UDP packets, hoping to generate application layer response –e.g., sending DNS query to port 53 will result in a response, if DNS server is present limited to scanning ports for which an application specific probe packet is available

16 nmap Network Mapper Open-source nmap stands for “network mapper” ( http://nmap.org ) http://nmap.org nmap is more than just a port scanner –listing open ports on a network –trying to construct an inventory of all services running in a network –trying to detect as to which operating system is running on each machine nmap can carry out TCP SYN scan, TCP connect() scans, UDP scans, ICMP scans, etc.

17 nmap As listed in manpage, nmap comes with a large number of options for carrying out different security scans of a network -sT : carries out a TCP connect() scan -sU : sends a dataless UDP header to every port (state of the port is inferred from the ICMP response packet [if there is such a response at all])

18 nmap -sP : “ping scanning” to determine which machines are up in a network –nmap sends out ICMP echo request packets to every IP address in a network. Hosts that respond are up –But this does not always work since many sites now block echo request packets. To get around this, nmap can also send a TCP ACK packet to (by default) port 80. If the remote machine responds with an RST back, then that machine is up –Another possibility is to send the remote machine a SYN packet and waiting for an RST or a SYN/ACK. For root users, nmap uses both ICMP and ACK techniques in parallel. For non-root users, only the TCP connect() is used -sV : “version detection” –After nmap figures out which TCP and/or UDP ports are open, it next tries to figure out what service is actually running those ports –In addition to determine the service protocol (http, ftp, ssh, telnet, etc.), nmap also tries to determine the application name (such as Apache httpd, ISC bind, Solaris telnetd, etc.), version number, etc.

19 Port Scan Examples (sudo) nmap -sS localhost –SYN scan nmap –sS stimpy.cis.udel.edu nmap –sS –A stimpy.cis.udel.edu –aggressive or advanced If the target machine has the DenyHosts shield running and you repeatedly scan that machine with ’ -A ’ turned on, your IP address may become quarantined on the target machine (assuming that port 22 is included in the range of the ports scanned). When that happens, you will not be able to SSH into the target machine

20 nmap By default, nmap first pings a remote host in a network before scanning the host. The idea is that if the machine is down, why waste time by scanning all its ports Since many sites now block/filter ping echo request packets, this strategy may bypass machines that may otherwise be up in a network To change this behavior, the following nmap may produce richer results –nmap -sS -A –P0 –-P0 : skip pinging

21 nmap nmap can make good guess of the OS running on the target machine by using TCP/IP stack fingerprinting It sends out a series of TCP and UDP packets to the target machine and examines content of returned packets for values in various header fields, including sequence number, initial window size, etc. Based on these values, nmap then constructs an OS “signature” of the target machine and sends it to a database of such signatures to make a guess about the OS running on the target machine

22 Firewall/IDS Evasion/Spoofing Network obstructions such as firewalls can make mapping a network exceedingly difficult All of the major IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks Many of these products have recently morphed into intrusion prevention systems (IPS) that actively block traffic deemed malicious https://nmap.org/book/man-bypass-firewalls-ids.html

Download ppt "Network and Port Scanning Chien-Chung Shen"

Similar presentations

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CISCO NETWORKING ACADEMY Chabot College ELEC 99.05 Transport Layer (4)

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.

CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
IP Network Scanning.

IP Network Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.

CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number rcvr window size ptr.

TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number rcvr window size ptr.
Transport Layer peterl. Transport level application transport network data link physical logical end-end transport application transport network data.

Transport Layer peterl. Transport level application transport network data link physical logical end-end transport application transport network data.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
EEC-484/584 Computer Networks Lecture 15 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 15 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

Similar presentations

Ads by Google