1
Anti-Hacker Tool Kit
Port Scanners
Chapter 6
2
Introduction
• Port scanning is the first step in the process of attacking a host. It discovers:
  – The services that are listening
  – The version label of each service
  – The operating system
• Only a few packets need to be sent to the host
3
Pre-Study
• The TCP packet header (RFC 793): ports, sequence/acknowledgement numbers, flags, window, checksum
4
TCP conversation

Connect (three-way handshake)            Disconnect
Client              Server               Client              Server
   --- SYN ------->                         --- FIN ------->
   <-- SYN/ACK ----                         <-- ACK/FIN ----
   --- ACK ------->                         --- ACK ------->
Connection established                   Connection closed
5
TCP Flag Definitions
Flag  Meaning
SYN   The beginning of a connection (synchronize sequence numbers)
ACK   Acknowledge receipt of a previous packet or transmission
FIN   Close a TCP connection (no more data from the sender)
RST   Abort a TCP connection
PSH   Push the buffered data to the application without waiting
URG   The urgent pointer field is significant
6
Scanning for Hosts
• Is the host alive?
• Methods
  – ICMP ping: nmap -sP 192.168.0.1 (in current Nmap the option is -sn)
  – TCP ping: send a TCP probe to a port that is likely to be reachable and treat any SYN/ACK or RST as proof of life. Older Nmap: nmap -sP -PT80 192.168.0.1; current Nmap: nmap -sn -PS80 192.168.0.1
  – A TCP connect scan (nmap -sT 192.168.0.1) also shows whether the host is up, because any answer at all proves it
7
Scanning for TCP Ports
• TCP connect scan: the full three-way handshake is done by the OS, so no root is needed, but the service sees a real connection and can log it
  nmap -sT 192.168.0.1
• RPC service scan: sends SunRPC NULL calls to every open port to identify the RPC program behind it (current Nmap does this as part of -sV)
  nmap -sR 192.168.0.1
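The connect scan in code, as an added example (not code from the book or from Nmap): the OS performs the handshake, a refused connection is the RST case, and a timeout is the firewalled case. The two fixture functions build a listening and a bound-but-not-listening socket on 127.0.0.1 so the scanner can be run offline against a known "open" and a known "closed" port.

```python
"""TCP connect() scan with plain Python sockets (added example, not from the book).
The kernel completes the three-way handshake, so no raw sockets or root are needed,
and the probed service sees (and can log) a real connection."""
import socket
from typing import Dict, Iterable


def scan_tcp_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one port the way a connect() scan does.

    open     - connect() succeeded: SYN/ACK came back and we completed the handshake
    closed   - the host answered with RST (surfaces as ECONNREFUSED)
    filtered - no answer within the timeout, or an ICMP error (firewall or dead host)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan_tcp_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Scan several ports one after another; returns {port: state}."""
    return {port: scan_tcp_port(host, port, timeout) for port in ports}


def open_demo_listener() -> socket.socket:
    """Constructed fixture: a listening socket on 127.0.0.1 (port chosen by the OS).
    The kernel completes handshakes for the backlog even though nothing calls
    accept(), which is exactly what a connect() scan observes as 'open'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def hold_closed_port() -> socket.socket:
    """Constructed fixture: a socket that is bound but never listens.  A SYN to it
    is answered with RST, so the scanner must report 'closed'; holding the socket
    open keeps the OS from reusing the port for anything else meanwhile."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    return sock


if __name__ == "__main__":
    listener, closed = open_demo_listener(), hold_closed_port()
    ports = [listener.getsockname()[1], closed.getsockname()[1]]
    for port, state in scan_tcp_ports("127.0.0.1", ports).items():
        print(f"127.0.0.1:{port} {state}")
    listener.close()
    closed.close()
```

Run it as is to see one open and one closed port on the loopback interface; point `scan_tcp_ports` at a host and port list you are authorised to test to use it for real. Every "open" result here is a completed connection that the service can log, which is the trade-off the later detection slide describes.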
8
SYN Scan (half-open scan: Nmap answers the SYN/ACK with RST, so the handshake never completes; needs raw sockets, i.e. root)

Nmap sends to host port   Nmap receives from host port   Nmap assumes
SYN                       SYN/ACK                        Port is open; host is up
SYN                       RST                            Port is closed; host is up
SYN                       Nothing                        Port is blocked by a firewall, or host is down

nmap -sS <target host>
9
ACK Scan (maps firewall rules rather than port state)

Nmap sends to host port   Nmap receives from host port   Nmap assumes
ACK                       RST                            Port is not firewall-protected ("unfiltered"); it may be open or closed; host is up
ACK                       Nothing, or ICMP unreachable   Port is blocked by a firewall if the host is up ("filtered")

No firewall: RST comes back from every port. Protected by a firewall: the unsolicited ACK is dropped.

nmap -sA <target host>
10
FIN Scan

Nmap sends to host port   Nmap receives from host port   Nmap assumes
FIN                       RST                            Port is closed; host is up
FIN                       Nothing                        Port is open if the host is up and not firewall-protected (current Nmap reports open|filtered)

Relies on the RFC 793 rule that a closed port answers a stray FIN with RST while an open port stays silent. Systems that send RST for every port regardless of state (Windows among them) make every port look closed.

nmap -sF <target host>
11
Xmas Scan
• A non-standard TCP flag combination that never occurs in a real conversation
• Sets the FIN, URG and PSH flags ("lights up" the header like a Christmas tree)
• Interpreted exactly like the FIN scan: RST means closed, silence means open|filtered
• Selected with -sX
nmap -sX <target host>
12
Null Scan
• Turns off all flags
• Interpreted exactly like the FIN scan: RST means closed, silence means open|filtered
• Selected with -sN
nmap -sN <target host>
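To make the TCP header and flag slides concrete, and to show what the SYN, ACK, FIN, Xmas and Null probes above actually put on the wire, here is an added example (not code from the book or from Nmap) that builds a 20-byte RFC 793 header with the flag bits each scan sets, computes the checksum over the IPv4 pseudo-header, parses a header back, and classifies a reply the way the scan tables do. Addresses and ports are made up. Transmitting these headers needs a raw socket (root), which the example deliberately leaves out.

```python
"""Build, checksum, parse and classify TCP headers for Nmap-style raw probes.
Added example, not from the book or from Nmap.  Addresses/ports are made up."""
import socket
import struct
from typing import Dict, Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))

# Flag bits each scan type sets in its probe (-sS, -sA, -sF, -sX, -sN).
SCAN_FLAGS = {"syn": SYN, "ack": ACK, "fin": FIN, "xmas": FIN | PSH | URG, "null": 0}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_header(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int,
                     seq: int = 0, ack_num: int = 0, window: int = 1024) -> bytes:
    """20-byte header without options; the checksum field is filled in."""
    offset_byte = 5 << 4  # data offset = 5 x 32-bit words; low nibble is reserved
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack_num, offset_byte, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp_header(hdr: bytes) -> Dict[str, object]:
    """Decode the fixed 20-byte part of a TCP header."""
    sport, dport, seq, ack_num, offset_byte, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack_num,
            "header_len": (offset_byte >> 4) * 4, "flags": flags,
            "flag_names": [name for name, bit in FLAG_NAMES if flags & bit],
            "window": window, "checksum": csum, "urgent": urg}


def tcp_checksum_ok(src_ip: str, dst_ip: str, hdr: bytes) -> bool:
    """With a correct checksum, the ones'-complement sum of pseudo-header + segment is zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr) == 0


def classify(scan: str, reply_flags: Optional[int]) -> str:
    """Port state from (probe type, flags of the reply); None means no reply at all."""
    if reply_flags is None:
        # Silence: SYN and ACK probes say 'filtered'; FIN/Xmas/Null cannot tell open from filtered.
        return "filtered" if scan in ("syn", "ack") else "open|filtered"
    if reply_flags & RST:
        return "unfiltered" if scan == "ack" else "closed"
    if scan == "syn" and (reply_flags & (SYN | ACK)) == (SYN | ACK):
        return "open"
    return "unexpected"


if __name__ == "__main__":
    for scan, flags in SCAN_FLAGS.items():
        hdr = build_tcp_header("192.168.0.5", "192.168.0.1", 40000, 80, flags)
        print(f"{scan:5} {hdr.hex()}  flags={parse_tcp_header(hdr)['flag_names']}")
```

`classify` uses the state names current Nmap prints (open, closed, filtered, unfiltered, open|filtered); the book's tables describe the same outcomes in words.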
13
Scanning for UDP Ports

Nmap sends to host port   Nmap receives from host port   Nmap assumes
Empty UDP packet          Nothing                        Port assumed open if the host responds to ping (current Nmap reports open|filtered); the port may in fact be closed if a firewall is blocking the ICMP error
Empty UDP packet          ICMP port unreachable          Port is closed

UDP has no handshake, so silence is ambiguous, and many hosts rate-limit ICMP unreachable messages, which makes a full UDP scan slow.

nmap -sU <target host>
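The UDP table above in code, as an added example that is not from the book or from Nmap: an empty datagram is sent, a UDP reply means open, an ICMP port unreachable (delivered to a connected UDP socket as ECONNREFUSED) means closed, and a timeout is the ambiguous open|filtered case. The two listeners are constructed fixtures on 127.0.0.1, one that answers and one that stays silent.

```python
"""UDP port probe with plain Python sockets (added example, not from the book or Nmap).
Mirrors what nmap -sU does with an empty datagram and how it reads the host's reaction."""
import socket
import threading


def udp_scan_port(host: str, port: int, timeout: float = 1.0) -> str:
    """open          - a UDP datagram came back, so something is listening and answered
    closed        - ICMP port unreachable came back; on a *connected* UDP socket the
                    kernel reports that as ECONNREFUSED on the next recv/send
    open|filtered - nothing came back: a silent listener, or a firewall dropping the
                    probe or the ICMP error"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))  # connect() is what makes ICMP errors visible to us
        try:
            sock.send(b"")          # empty payload, like Nmap's default UDP probe
            sock.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def start_udp_responder() -> int:
    """Constructed fixture: a UDP service that answers the first datagram with 'pong'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve() -> None:
        with srv:
            _data, peer = srv.recvfrom(1024)
            srv.sendto(b"pong", peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_silent_udp_listener() -> socket.socket:
    """Constructed fixture: bound, but never replies to an empty datagram, which is
    how most real UDP services behave and why Nmap says open|filtered."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv


if __name__ == "__main__":
    silent = start_silent_udp_listener()
    print("responder :", udp_scan_port("127.0.0.1", start_udp_responder()))
    print("silent    :", udp_scan_port("127.0.0.1", silent.getsockname()[1]))
    silent.close()
    # A port nothing is bound to gives 'closed' on a stock Linux host, because the
    # kernel answers the datagram with ICMP port unreachable (loopback is exempt
    # from ICMP rate limiting, which is not true of remote hosts).
    print("unbound   :", udp_scan_port("127.0.0.1", 9))
```

Against a remote target the "closed" verdicts arrive only as fast as the target is willing to emit ICMP errors, which is the rate-limiting caveat from the slide; the "open|filtered" verdict is why a UDP scan is usually followed by protocol-specific probes (DNS, SNMP, NTP) to confirm a listener.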
14
Scanning for Protocols
• IP protocol scan: sends raw IP packets with each protocol number in the IP header; an ICMP "protocol unreachable" reply means the protocol is not supported, any other reply or silence means it may be
nmap -sO <target host>
15
Hiding Your Scan
• Fragmentation (-f): splits the TCP header across tiny IP fragments so simple packet filters cannot see the flags; works with the raw scans -sS, -sF, -sN and -sX
  nmap -sS -f <target host>
• Decoys (-D): interleaves the real probes with probes spoofed from the decoy hosts, so the target's logs show several sources
  nmap -D <spoof host> <target host>
• FTP bounce (-b): asks an FTP server to open data connections to the target's ports on your behalf, so the target sees the FTP server as the source
  nmap -b anonymous@<ftp server> -p <target port> <target host>
• Disable port randomization (-r): scan the ports in sequential order instead of the default random order
  nmap -r <target host>
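The FTP bounce technique is easiest to understand as a dialogue, so here is an added example (not code from the book or from Nmap) that spells out the client side of it: it encodes the target address into the RFC 959 `PORT h1,h2,h3,h4,p1,p2` argument and reads the server's replies the way the bounce scan does. All replies are constructed; no FTP server is contacted.

```python
"""FTP bounce scan dialogue (added example, not from the book or Nmap).

Client -> server: USER anonymous / PASS ...
Client -> server: PORT <target ip and port encoded as six decimal bytes>
Server -> client: 200 PORT command successful   (or 5xx if bouncing is refused)
Client -> server: LIST
Server -> client: 150/125 (data connection opened) then 226  -> target port open
Server -> client: 425 Can't build data connection             -> target port closed
"""
import re
from typing import Tuple


def ftp_port_argument(ip: str, port: int) -> str:
    """Encode the address the server should connect to: h1,h2,h3,h4,p1,p2."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 dotted quad")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def parse_ftp_port_argument(arg: str) -> Tuple[str, int]:
    """Inverse of ftp_port_argument; what an FTP server (or an IDS) decodes from PORT."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, parts[:4])), (parts[4] << 8) | parts[5]


def reply_code(line: str) -> int:
    """Three-digit code that starts every FTP reply line."""
    m = re.match(r"(\d{3})[ -]", line)
    if not m:
        raise ValueError(f"not an FTP reply: {line!r}")
    return int(m.group(1))


def interpret_bounce(port_reply: str, list_reply: str) -> str:
    """Port state implied by the server's replies to PORT and to LIST.

    A 5xx answer to PORT means the server refuses to connect to a third-party
    address (the RFC 2577 hardening that makes bounce scans rare today).
    A 425 answer to LIST can also mean the target port is filtered rather than
    closed; the server cannot tell the difference either."""
    code = reply_code(port_reply)
    if code >= 500:
        return "bounce-refused"
    if code != 200:
        return "unexpected-port-reply"
    code = reply_code(list_reply)
    if code in (125, 150, 226):
        return "open"
    if code == 425:
        return "closed"
    return "unexpected-list-reply"


if __name__ == "__main__":
    target, port = "192.168.0.1", 22
    print("PORT", ftp_port_argument(target, port))
    print(interpret_bounce("200 PORT command successful.",
                           "425 Can't build data connection: Connection refused."))
```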
16
Timing Your Scan
• A time-based algorithm selected with the -T option, by name or (in current Nmap) by number 0 to 5
nmap -T <name> <target host>

Name        Probe response timeout   Time spent on one host   Time between probes   Parallelized probes
Paranoid    5 min                    Unlimited                5 min                 No
Sneaky      15 sec                   Unlimited                12 sec                No
Polite      6 sec                    Unlimited                0.4 sec               No
Normal      6 sec                    Unlimited                None                  No
Aggressive  1 sec                    5 min                    None                  Yes
Insane      0.3 sec                  75 sec                   None                  Yes
17
TCP Reverse Ident Scanning
• Asks the target's identd (TCP port 113) which user owns the process behind each open port (-I); needs a full connect scan and only works when identd is running on the target (an option of older Nmap releases)
nmap -I <target host>
18
OS Fingerprinting
• Enabled with the -O flag
• Sends specially crafted TCP and UDP packets to the host
• Analyzes the responses and compares them with a database of known fingerprints
• Result: the operating system (and often the version) of the host
19
OS Detection on Linux
• nmap -O 192.168.0.1
20
Mapping Networks
• Scanning a Class C subnet (256 addresses, e.g. 192.168.0.0/24) for live hosts
21
Mapping Networks
• Port scans across the same IP range
22
Scanning Tools on Windows
• NetScanTools
• SuperScan
• IPEye
• WUPS
23
NetScanTools
• A suite of network tools
• Port scanner, finger, whois, traceroute, etc.
24
SuperScan
25
IPEye
• TCP stealth scanner for Windows
• SYN, FIN, Xmas tree and null scans
26
WUPS
• UDP port scanner for Windows
27
Banner Identification
• Many services announce themselves as soon as a client connects; the banner normally gives
  – Hostname
  – Program
  – Version
28
Using your "telnet" client
Try connecting to these services and reading what they send back:
• FTP service (port 21): the server greets you with a 220 banner
• Telnet service (port 23): the login prompt usually names the system
• World Wide Web service (port 80): the server says nothing until you send a request, e.g. HEAD / HTTP/1.0 followed by an empty line; the Server: header names the program and version
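The same banner grab scripted with sockets, as an added example that is not code from the book: services such as FTP, SMTP and SSH speak first, so the client only reads, while HTTP must be sent a request first. `identify` pulls program and version out of the common banner shapes; the regex and the two fake services (constructed fixtures on 127.0.0.1 that answer with made-up banners) are assumptions of this example.

```python
"""Banner grabbing and parsing (added example, not from the book)."""
import re
import socket
import threading
from typing import Dict, Optional

# Program/version pairs as they appear in e.g. "OpenSSH_8.9p1", "Apache/2.4.41", "vsFTPd 3.0.3".
VERSION_RE = re.compile(r"([A-Za-z][A-Za-z-]*)[_/ ]v?(\d+(?:\.\d+)*\w*)")


def grab_banner(host: str, port: int, probe: Optional[bytes] = None, timeout: float = 2.0) -> str:
    """Connect, optionally send a probe (needed for HTTP), and return the first reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))
        if probe:
            sock.sendall(probe)
        try:
            data = sock.recv(1024)
        except socket.timeout:
            return ""  # silent service: nothing to identify from a banner
    return data.decode("ascii", errors="replace").strip()


def identify(banner: str) -> Dict[str, str]:
    """Guess protocol, program and version from the banner text."""
    info = {"protocol": "unknown", "program": "", "version": ""}
    text = banner
    if banner.startswith("SSH-"):
        info["protocol"] = "ssh"
    elif banner.startswith("HTTP/"):
        info["protocol"] = "http"
        m = re.search(r"(?im)^Server:\s*(.+?)\s*$", banner)  # program/version live in Server:
        text = m.group(1) if m else ""
    elif banner.startswith("220"):
        low = banner.lower()
        info["protocol"] = "ftp" if "ftp" in low else "smtp" if "smtp" in low else "unknown"
    m = VERSION_RE.search(text)
    if m:
        info["program"], info["version"] = m.group(1), m.group(2)
    return info


def start_fake_service(response: bytes, speaks_first: bool = True) -> int:
    """Constructed fixture: one-shot TCP service on 127.0.0.1 returning a made-up banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if not speaks_first:
                conn.recv(1024)  # HTTP-style: wait for the client's request
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ssh = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n")
    print(identify(grab_banner("127.0.0.1", ssh)))
    web = start_fake_service(b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n", speaks_first=False)
    print(identify(grab_banner("127.0.0.1", web, probe=b"HEAD / HTTP/1.0\r\n\r\n")))
```

A banner is a claim, not proof: administrators can change or remove it, so treat the version it names as a hint to confirm with a protocol-level check before relying on it.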
29
Detecting a scan: the system log
• A TCP connect() scan with the normal timing option completes the handshake with every probed service, so each service records the connection and a message is generated in the system log
• A burst of connections from one address to many different services within a few seconds is the signature to look for
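What that signature looks like when you go looking for it, as an added example (not from the book): a small detector run over constructed syslog lines written in the style of sshd, vsftpd, xinetd and postfix. The rule is a heuristic of this example, one source address touching at least three distinct services within a sixty-second window; the thresholds are assumptions to tune.

```python
"""Connect()-scan detection over syslog lines (added example, not from the book)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional

# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+\S+\s+(?P<svc>[\w./-]+?)(?:\[\d+\])?:\s+(?P<msg>.*)$")
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample, in the style of the daemons named; 192.168.0.5 is the scanner.
SAMPLE_LOG = [
    "Jun 12 10:01:02 srv sshd[1201]: Did not receive identification string from 192.168.0.5 port 40102",
    'Jun 12 10:01:02 srv vsftpd[1202]: CONNECT: Client "192.168.0.5"',
    "Jun 12 10:01:03 srv xinetd[400]: START: telnet pid=1203 from=::ffff:192.168.0.5",
    "Jun 12 10:01:03 srv postfix/smtpd[1204]: connect from unknown[192.168.0.5]",
    "Jun 12 10:01:04 srv postfix/smtpd[1204]: lost connection after CONNECT from unknown[192.168.0.5]",
    "Jun 12 10:30:00 srv sshd[1300]: Accepted publickey for alice from 10.0.0.7 port 50123 ssh2",
]


class Event(NamedTuple):
    ts: datetime
    service: str
    src: str


def parse_syslog_line(line: str) -> Optional[Event]:
    """Timestamp, logging program and first IPv4 address in the message, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ip = IPV4_RE.search(m.group("msg"))
    if not ip:
        return None
    # syslog timestamps carry no year; the default year is fine for time deltas
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return Event(ts, m.group("svc"), ip.group(1))


def detect_scanners(lines: Iterable[str], min_services: int = 3,
                    window_seconds: int = 60) -> Dict[str, List[str]]:
    """Sources that touched >= min_services distinct services inside one window.
    Returns {source ip: sorted services}."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_syslog_line(line)
        if ev:
            by_src[ev.src].append(ev)
    flagged: Dict[str, List[str]] = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        for i, first in enumerate(events):  # sliding window starting at each event
            hit = {e.service for e in events[i:]
                   if (e.ts - first.ts).total_seconds() <= window_seconds}
            if len(hit) >= min_services:
                flagged[src] = sorted(hit)
                break
    return flagged


if __name__ == "__main__":
    for src, services in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {', '.join(services)}")
```

A SYN scan (-sS) never completes the handshake, so these service-level log lines do not appear and detection has to move to the packet level (firewall logs, an IDS); the slower timing templates exist precisely to spread such bursts out below thresholds like this one.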
30
Summary
• Protect your host: close unneeded services and firewall the rest, since a scanner only finds what is listening
• Deception: decoys, spoofed sources and bounce scans hide where a scan really comes from
• Footprints in the sand show where one has been: every scan leaves traces in the target's logs
31
References
• Nmap: www.insecure.org/nmap/
• Tcpdump: www.tcpdump.org/
• SuperScan: www.foundstone.com/resources/proddesc/superscan.htm
• NetScanTools: www.netscantools.com
• RFC 1700 (Assigned Numbers)
• RFC 793 (Transmission Control Protocol)
32
What is an RPC Service?
• Remote Procedure Call
• Procedure call: one part of a program calls another part to perform some task
  – With RPC the called part can run on another host; the caller sends the request over the network and gets the result back
33
UDP_SCAN
34
UDP_SCAN