SCSC 555 Frank Li


Outline
◦ Port scanning
◦ Port-scanning tools
◦ Ping sweeps

Port Scanning
◦ Finds out which services a host computer offers
◦ Identifies vulnerabilities
◦ Scan all ports when testing, not just well-known ports

Open services can be used in attacks
◦ Identify a vulnerable port via scanning
◦ Then launch an exploit
◦ E.g. ?

Port scanning programs report:
◦ Open ports
◦ Closed ports
◦ Filtered ports
◦ Best-guess assessment of which OS is running

Discussion: closed port vs. filtered port

SYN scan
◦ a.k.a. stealth scan

Connect scan
◦ Completes the three-way handshake

NULL scan
◦ All packet flags are turned off

XMAS scan
◦ FIN, PSH and URG flags are set

ACK scan
◦ Used to get past a firewall

FIN scan
◦ Closed port responds with an RST packet

UDP scan
◦ Closed port responds with an ICMP "Port Unreachable" message
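The scan types above differ only in which TCP flags the probe carries and in how an open versus a closed port answers. The following is an added example, not code from the lecture: it models the reply of an unfiltered TCP stack to each probe type and runs a small detector over constructed packet records, since NULL, FIN and XMAS flag combinations never occur in legitimate traffic and make a reliable IDS signature. Host addresses and the `threshold` value are invented for the sample.

```python
# Added example, not lecture code: model of how an unfiltered TCP port answers
# each probe type above, plus a detector for probes no legitimate client sends.

# Flags each scan type sets on its probe (a Connect scan starts with the same
# SYN as a SYN scan; it differs only in completing the handshake).
PROBES = {"syn": {"SYN"}, "null": set(), "fin": {"FIN"},
          "xmas": {"FIN", "PSH", "URG"}, "ack": {"ACK"}}


def respond(flags, port_open):
    """Reply of an unfiltered RFC 793 TCP stack to a probe carrying `flags`.

    Returns the reply's flags, or None for silence. A firewall dropping the
    probe is also silence, so for NULL/FIN/XMAS 'no answer' means open OR
    filtered; only a RST is conclusive (closed).
    """
    flags = set(flags)
    if "SYN" in flags and "ACK" not in flags:
        return "SYN/ACK" if port_open else "RST/ACK"
    if "ACK" in flags:          # ACK probe: RST whether open or closed
        return "RST"
    return None if port_open else "RST/ACK"   # NULL / FIN / XMAS probes


def classify_probe(flags):
    """Name the scan type whose probe carries exactly these flags, if any."""
    return next((n for n, p in PROBES.items() if set(flags) == p), None)


def detect_scans(packets, threshold=3):
    """Alert on sources sending NULL/FIN/XMAS probes (never legitimate) or
    SYNs to more than `threshold` distinct ports of one destination."""
    alerts, syn_ports = set(), {}
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind in ("null", "fin", "xmas"):
            alerts.add((src, kind + "-scan"))
        elif kind == "syn":
            syn_ports.setdefault((src, dst), set()).add(dport)
    alerts |= {(src, "syn-sweep") for (src, _), ports in syn_ports.items()
               if len(ports) > threshold}
    return sorted(alerts)


# Constructed sample traffic: (src, dst, dport, flags) tuples.
SAMPLE = [("10.0.0.5", "10.0.0.9", p, ["SYN"]) for p in (21, 22, 25, 80, 443)]
SAMPLE += [("10.0.0.7", "10.0.0.9", 80, ["FIN", "PSH", "URG"]),
           ("10.0.0.8", "10.0.0.9", 443, ["SYN"])]
```

Running `detect_scans(SAMPLE)` reports 10.0.0.5 for a SYN sweep across five ports and 10.0.0.7 for an XMAS probe, while the single SYN from 10.0.0.8 stays below the threshold.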

Port-scanning tools

Tools covered:
◦ Nmap
◦ Genlist
◦ Zenmap
◦ Unicornscan
◦ Nessus

Nmap ("Network Mapper")
◦ An open source tool for network exploration and security auditing.
◦ Commonly used for security audits
◦ Many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime

Nmap can rapidly scan large networks to determine:
◦ what hosts are available on the network,
◦ what services (application name and version) those hosts are offering,
◦ what operating systems (and OS versions) they are running,
◦ what type of packet filters/firewalls are in use,
◦ and dozens of other characteristics …

nmap -sS -P0 -O -T Sneaky -p 445 -D 64.233.169.99 <ip_to_scan>

◦ Stealth scan (-sS), which does not complete the TCP connection. This is fairly fast and unobtrusive.
◦ The -P0 flag tells nmap NOT to ping the IP, which adds to stealth.
◦ The -O flag enables OS detection.
◦ The -T flag is a timing flag that can be set from Sneaky to Insane and determines the speed of packet generation.
◦ The -p flag specifies the port or a port range.
◦ The -D flag allows you to specify a number of decoys. Here Googlebot's IP address is used as a decoy, so nmap generates packets from both your IP address and Googlebot's IP address. This has the effect of confusing the target.

Genlist is a program that returns a list of hosts that respond to ping probes.
◦ This list can be used to perform a scan of these machines using Nmap.

Example:
1. Generate a list of live hosts and save it to a file called "list":
   genlist -s 216.109.112.\* > list
2. Use Nmap to scan that list:
   nmap -v -iL list
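The list scan above is the routine inventory use of Nmap mentioned earlier, and the administrator's follow-up question is which open ports on the scanned hosts are not supposed to be there. The following is an added example, not code from the lecture or the Nmap project: it reads the XML report that `nmap ... -oX scan.xml` writes (the sample below is a constructed, trimmed report in that layout) and compares the open TCP ports against a hypothetical allowlist.

```python
# Added example (not from the slides or the Nmap project): turn the XML report
# of a list scan such as `nmap -v -iL list -oX scan.xml` into a host inventory
# and flag open ports missing from the administrator's allowlist.
import xml.etree.ElementTree as ET

# Constructed, trimmed sample in Nmap's real -oX layout (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -v -iL list -oX scan.xml">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.11" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical allowlist: TCP ports each host is expected to expose.
ALLOWED = {"192.168.1.10": {22}}


def parse_inventory(xml_text):
    """Return {ip: {port: service}} for open TCP ports of hosts that are up."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue        # down hosts carry no port data
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        inventory[ip] = {}
        for port in host.iter("port"):
            if port.get("protocol") != "tcp" or port.find("state").get("state") != "open":
                continue    # closed/filtered ports are not exposure
            svc = port.find("service")
            inventory[ip][int(port.get("portid"))] = svc.get("name") if svc is not None else "?"
    return inventory


def unexpected_ports(inventory, allowed):
    """(ip, port, service) for every open port not on the allowlist."""
    return [(ip, port, svc)
            for ip, ports in inventory.items()
            for port, svc in ports.items()
            if port not in allowed.get(ip, set())]
```

On the sample, port 445 (microsoft-ds) on 192.168.1.10 is reported as unexpected while the filtered port 80 and the down host are ignored.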

Zenmap is the official Nmap Security Scanner GUI.
◦ A multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application
◦ Makes Nmap easy for beginners to use
◦ Also provides advanced features for experienced Nmap users.

◦ Frequently used scans can be saved as profiles to make them easy to run repeatedly.
◦ A command creator allows interactive creation of Nmap command lines.
◦ Scan results can be saved in a searchable database and viewed later.


Results viewing
◦ Arrange its display to show all ports on a host or all hosts running a particular service.
◦ The results of several scans may be combined together and viewed at once.

Comparison
◦ Graphically show the differences between two scans: scans run on different days, scans of two different hosts, scans of the same hosts with different options, or any other combination.

Convenience
◦ Keeps track of scan results until you choose to throw them away.

Repeatability
◦ Command profiles make it easy to run the exact same scan more than once.

Unicornscan is a scalable port scanner
◦ Developed in 2004
◦ Uses CPU-specific instructions to track the packets per second (PPS) you specify as closely as possible. E.g., from a single Pentium system, it is typical to be able to generate 25,000 PPS or more
◦ Ideal for conducting tests on large networks

UDP scan is optimized for fast scanning
◦ UDP scanning is an unreliable method of discovering live systems on a network.
◦ Scans 65,535 ports in three to seven seconds

Unicornscan can also handle port scanning using TCP, ICMP, and IP

Common flag schemes:
◦ a SYN scan: -mT
◦ an ACK scan: -mTsA
◦ a FIN scan: -mTsF
◦ a NULL scan: -mTs
◦ an nmap-style Xmas scan: -mTsFPU
◦ a scan with all options on: -mTFSRPAUEC

# unicornscan -r200 -mU -I 192.168.0.0/24:53

Option / Description:
◦ -r200: 200 packets per second
◦ -mU: scan mode UDP
◦ -I: immediately display results to the screen as received
◦ :53: port 53

# unicornscan -r500 -mT www.yahoo.com/29:80,443

Option / Description:
◦ -r500: 500 packets per second
◦ -mT: scan mode TCP (TCP is the default mode if not otherwise specified)
◦ 29:80,443: ports 29 - 80 and 443

Nessus is capable of:
◦ high-speed discovery,
◦ configuration auditing,
◦ asset profiling,
◦ sensitive data discovery and vulnerability analysis

Nessus uses a client/server technology
◦ Server runs on any *NIX platform
◦ Client can be UNIX or Windows
◦ Conducts testing from different locations

A Nessus security plug-in is a security test program (script) that can be selected from the client interface.
◦ Nessus can update its security-check plug-ins
◦ Plug-ins can find vulnerabilities associated with identified services


Ping sweeps

Ping sweeps identify which IP addresses belong to active hosts

Problems of ping sweeps:
◦ Computers that are shut down cannot respond
◦ Networks may be configured to block ICMP Echo Requests
◦ Firewalls may filter out ICMP traffic

Ping uses the Internet Control Message Protocol (ICMP)
◦ Sends out ICMP requests (ICMP ECHO_REQUEST) and then waits for a valid reply (an ICMP ECHO_RESPONSE)
◦ Tells you that the destination is reachable, and the route between your computer and another one (by using the -R option).

FPing (Fast Ping)
◦ Similar to the ping program: sends out ICMP Echo Request packets and reports on host reachability, packet loss, and round-trip delay.
◦ Unlike the ping program, fping has the ability to send ICMP packets to multiple IP addresses simultaneously
◦ fping is meant to be used in scripts and its output is easy to parse.

Manually enter multiple IP addresses at a shell:
# fping -g 193.145.85.201 193.145.85.220
# fping -g 192.168.1.0/24

Input file with addresses:
# fping -f AddressFile


◦ Interval between sending ping packets: -i 30
◦ The count of pings to send to each target: -c 2
◦ Number of retries: -r 3
◦ Amount of ping data to send: -b 100
◦ Etc.
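The fping slides stress that its output is meant to be parsed by scripts. The following is an added example, not code from the lecture or the fping project: a parser for the two shapes fping prints, the per-host "is alive" / "is unreachable" lines (with the round-trip time that -e appends) and the per-target xmt/rcv/%loss summary that -c produces, turning them into a reachability table and the one-address-per-line list that `nmap -iL` reads. The sample output below is constructed, not captured.

```python
# Added example (not from the slides or the fping project): parse fping output,
# e.g. from `fping -e -c 2 -g 192.168.1.0/24 2>&1` (the -c summary goes to
# stderr, hence the redirect), into a reachability table and a live-host list.
import re

ALIVE_RE = re.compile(r"^(\S+) is (alive|unreachable)(?: \(([\d.]+) ms\))?$")
SUMMARY_RE = re.compile(
    r"^(\S+)\s*: xmt/rcv/%loss = (\d+)/(\d+)/(\d+)%"
    r"(?:, min/avg/max = ([\d.]+)/([\d.]+)/([\d.]+))?$")

# Constructed sample output, not a real capture.
SAMPLE_OUTPUT = """192.168.1.1 is alive (0.23 ms)
192.168.1.5 is alive
192.168.1.7 is unreachable
192.168.1.1 : xmt/rcv/%loss = 2/2/0%, min/avg/max = 0.21/0.23/0.25
192.168.1.7 : xmt/rcv/%loss = 2/0/100%
"""


def parse_fping(text):
    """Return {ip: {"alive": bool, "rtt_ms": float|None, "loss_pct": int|None}}."""
    hosts = {}
    blank = {"alive": False, "rtt_ms": None, "loss_pct": None}
    for line in text.splitlines():
        m = ALIVE_RE.match(line.strip())
        if m:
            ip, state, rtt = m.groups()
            entry = hosts.setdefault(ip, dict(blank))
            entry["alive"] = state == "alive"
            if rtt is not None:
                entry["rtt_ms"] = float(rtt)
            continue
        m = SUMMARY_RE.match(line.strip())
        if m:
            ip, _xmt, rcv, loss, _mn, avg, _mx = m.groups()
            entry = hosts.setdefault(ip, dict(blank))
            entry["loss_pct"] = int(loss)
            entry["alive"] = int(rcv) > 0      # any reply at all means up
            if avg is not None and entry["rtt_ms"] is None:
                entry["rtt_ms"] = float(avg)
    return hosts


def live_hosts(hosts):
    """Addresses that answered, one per line: the list format `nmap -iL` reads."""
    return "\n".join(ip for ip, h in sorted(hosts.items()) if h["alive"])
```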

Hping is a command-line oriented TCP/IP packet assembler/analyzer
◦ Allows users to fragment and manipulate IP packets
◦ Is used to bypass filtering devices
◦ Supports TCP, UDP, ICMP and RAW-IP protocols

Crafting packets helps you obtain more information about a service
◦ Source IP address
◦ Destination IP address
◦ Flags: SYN, ACK, FIN …

Crafting TCP packets is the default behavior of hping.
◦ By specifying the TCP flags, a destination port and a target IP address, one can easily construct TCP packets.

SYN scan or stealth scan
◦ An open port is indicated by an SA (SYN/ACK) return packet, closed ports by an RA (RST/ACK)
◦ E.g. 1:
# hping -I eth0 -S 192.168.10.1 -p 80

A nice feature is ++, which increases the destination port in successive packets by one.
◦ E.g. 2:
# hping -I eth0 -S 192.168.10.1 -p ++79 | grep SA

All known NMAP scanning techniques can be easily reproduced

Idle scanning is a technique to port scan a remote system fully anonymously.

Three hosts in idle scanning:
◦ The Attacker runs two sessions of hping
◦ The Server is the machine to be scanned
◦ The Silent host is a machine that is not busy generating packets and has a predictable increase in the IP header IDENTIFICATION field.

A suitable silent host can be found by running the following hping probe.

# hping -I eth0 -SA 192.168.10.1
HPING 192.168.10.1 (eth0 192.168.10.1): SA set, 40 headers + 0 data bytes
len=46 ip=192.168.10.1 flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms
...
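The property that makes a host usable as a silent host is the sequential IP ID counter visible in the replies above, and it is the property a defender checks for on their own systems (modern stacks randomize or per-destination-offset the ID to remove it). The following is an added example, not code from the lecture or the hping project: it parses hping reply lines in the layout shown, both the absolute `id=18106` form above and the `id=+1` deltas hping prints with -r, and classifies the host's IP ID behaviour. The reply lines are constructed samples.

```python
# Added example (not from the slides or hping): parse hping reply lines and
# report whether the answering host's IP ID counter is predictable, which is
# the condition a defender wants to detect and remove on their own hosts.
import re

ID_RE = re.compile(r"\bid=(\+?\d+)\b")

# Constructed samples in hping's output layout (not real captures).
SEQUENTIAL = """len=46 ip=192.168.10.1 flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms"""

RANDOMIZED = """len=46 ip=10.1.1.2 flags=R seq=0 ttl=64 id=40211 win=0 rtt=0.3 ms
len=46 ip=10.1.1.2 flags=R seq=1 ttl=64 id=7 win=0 rtt=0.3 ms
len=46 ip=10.1.1.2 flags=R seq=2 ttl=64 id=58830 win=0 rtt=0.3 ms"""


def ip_id_deltas(output):
    """IP ID increment between consecutive replies.

    Absolute ids are differenced modulo the 16-bit ID space (wrap-around);
    `id=+N` tokens, as printed by hping -r, are already deltas.
    """
    deltas, prev = [], None
    for tok in ID_RE.findall(output):
        if tok.startswith("+"):
            deltas.append(int(tok))
        else:
            if prev is not None:
                deltas.append((int(tok) - prev) % 65536)
            prev = int(tok)
    return deltas


def classify_ip_id(output):
    """'sequential': every increment is 1, the silent-host property.
    'incrementing': small uneven steps, i.e. a global counter on a host that
    is also talking to others (still predictable). 'randomized': otherwise."""
    deltas = ip_id_deltas(output)
    if len(deltas) < 2:
        return "insufficient"
    if all(d == 1 for d in deltas):
        return "sequential"
    if all(0 < d <= 16 for d in deltas):
        return "incrementing"
    return "randomized"
```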


The attacker runs a continuous probe against the silent host, and the attacker scans the server, spoofed with the IP address of the silent host.

Step 2, a spoofed scan of the server by the attacker:
# hping -I eth0 -a 192.168.10.1 -S 192.168.10.33 -p ++20
HPING 192.168.10.33 (eth0 192.168.10.33): S set, 40 headers + 0 data bytes

Steps 1 and 4: a continuous probe from the attacker to the silent host to monitor the IP IDENTIFICATION field:
# hping -I eth0 -r -S 192.168.10.1 -p 2000
HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data bytes
..
len=46 ip=192.168.10.1 flags=RA seq=86 ttl=255 id=+1 win=0 rtt=1.6 ms
len=46 ip=192.168.10.1 flags=RA seq=87 ttl=255 id=+2 win=0 rtt=1.6 ms  (port 21)
len=46 ip=192.168.10.1 flags=RA seq=88 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=RA seq=89 ttl=255 id=+1 win=0 rtt=1.7 ms
len=46 ip=192.168.10.1 flags=RA seq=90 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=RA seq=91 ttl=255 id=+2 win=0 rtt=1.4 ms  (port 25)

Scenario 1:
◦ If the attacker scans an open port at the server with a SYN packet, the server will respond with a SYN/ACK packet to the silent host.
◦ The silent host will react by sending a RESET packet to the server, and will increase its IP_ID by one.
◦ The next probe the attacker sends will get a reply whose IP_ID is 2 units higher than the previous probe's.

Scenario 2:
◦ If the attacker sends a SYN packet to a closed port of the server, the server sends a RST to the silent host, which does not cause the silent host to send any packet.
◦ IP_ID is not increased, since this RST will be discarded by the silent host.

Example: against an IIS 5.0 W2K SP4 Professional machine.
◦ To avoid sending a TCP reset packet from the attacking machine, use a spoofed IP address with the -a switch.
◦ To increase the pps rate, use the -i switch with a u prefix to give the interval in microseconds. E.g., -i u1000 means every 1000 microseconds.

# hping -I eth0 -a 192.168.10.99 -S 192.168.10.33 -p 80 -i u1000

-i --interval  Wait the specified number of seconds or microseconds between sending each packet. --interval X sets the wait to X seconds, --interval uX sets the wait to X microseconds. The default is to wait one second between each packet. When using hping2 to transfer files, tuning this option is really important in order to increase the transfer rate.

--fast  Alias for -i u10000. Hping will send 10 packets per second.

--faster  Alias for -i u1. Faster than --fast ;) (but not as fast as your computer can send packets, due to the signal-driven design).

--flood  Send packets as fast as possible, without taking care to show incoming replies. This is way faster than specifying the -i u0 option.