Network Vulnerability and Patching

Technology: INFORMATION SECURITY AND ETHICAL HACKING.

December 2012

Project Title: To Find Out Network Vulnerabilities and To Patch Them (Network Scanner).

Submitted By: Emmanuel Udeagha

Guided By: Mr. RAVIKANT SHRIVAS (Faculty)

Submitted To: Appin Technology Lab, Ikeja, Lagos, Nigeria.

ACKNOWLEDGEMENT

Apart from my own efforts, the success of any project depends largely on the encouragement and guidelines of many people who in one way or another contributed to the completion of the work. I take this opportunity to express my gratitude to the people who have been instrumental in the successful completion of this project work. I would like to show my unreserved gratitude to Mr. Ravikant Shrivas who, from the beginning of my class and all through the duration of this piece of work, has been wonderful in terms of support and guidance. My appreciation goes to all friends, colleagues and staff members of Appin Technology who in one way or another contributed to the success of this work.

Emmanuel Udeagha

DEDICATION

This piece of work is dedicated to everyone who rendered unreserved assistance all through my training period and up till the time of this research work.

About the Company

Appin Technology: Appin Technologies is a global Information Security company focused on training, consulting and outsourcing services. The company was formed as a merger of two entities, XIRS Ventures Inc based in Austin, Texas and XIRS Appin incubated inside IIT Delhi, India. Later the name XIRS was dropped from the company and the merged entity is known as Appin Technologies. From the USA and India, the company has now expanded its operations to Europe, Africa and South East Asia as well.

Appin Knowledge Solutions: Appin Knowledge Solutions, the education and training arm of Appin Technologies, runs over 75 training centres globally focused on imparting instructor-led training in Information Security, Ethical Hacking, Secured Programming, Embedded Systems and related IT domains. It also sells distance learning courses in over 71 countries across 6 continents. It has trained over 83000 candidates via training products and services. The company is among the top 5 training providers in India according to The Week magazine.

Visit the website: www.appinonline.com

TABLE OF CONTENTS

Introduction

Chapter One

Scanning

Types of Vulnerability Scanning

Network Scanning

IP Scanning

Web Application Scanning

Database Security Scanning

Port Scanning

Types of Port Scanning

TCP vs Port Scans

Vulnerability Assessment

Chapter Two

Vulnerability Identification and Patch Acquisition

Product vendor websites and mailing lists

Third-party security advisory websites

Security advisory websites run by CERTs

Security advisory websites / resources run by security vendors

Risk Assessment and Prioritisation

Threats

Vulnerability

Criticality

Patch Testing

Deployment and Verification

Patch Distribution and Application Tools

Cross-platform patch management systems

Platform specific patch management solutions

Patch Management Governance

Security Considerations

Criteria for Choosing a Patch Management Solution

Fewer Vulnerabilities

System Compatibility

Vendor Responsiveness to New Vulnerabilities

Ease of Deployment and Maintenance

Audit Trail

Summary

Nmap Commands

Reference

Introduction

As electronic commerce, online business-to-business operations, and global connectivity have become vital components of a successful business strategy, enterprises have adopted security processes and practices to protect information assets. Most companies work diligently to maintain an efficient, effective security policy, implementing the latest products and services to prevent fraud, vandalism, sabotage, and denial of service attacks. However, many enterprises overlook a key ingredient of a successful security policy: they do not test the network and security systems to ensure that they are working as expected and that there are no vulnerabilities an attacker could take advantage of to steal confidential information.

Network penetration testing, using tools and processes to scan the network environment for vulnerabilities, helps refine an enterprise's security policy, identify vulnerabilities, and ensure that the security implementation actually provides the protection that the enterprise requires and expects. Regularly performing penetration tests or vulnerability checks helps enterprises uncover network security weaknesses that can lead to data or equipment being compromised or destroyed by exploits (attacks on a network, usually by "exploiting" a vulnerability of the system), Trojans (viruses), denial of service attacks, and other intrusions. Testing also exposes vulnerabilities that may be introduced by patches and updates or by misconfigurations on servers, routers, and firewalls.

SecureTEST, a security scanning service of VeriSign Consulting, uses proven methodologies and tools to detect vulnerabilities in the enterprise's network, and then to recommend repairs or corrections if necessary. SecureTEST services can be tailored to an enterprise's specific needs and include three levels of assessment. As the industry leader in trust services, VeriSign has the expertise, experience, and technology to recognize and detect security vulnerabilities and to provide effective, enterprise-wide solutions for them.

GFI LanGuard is another security scanning software product that smaller enterprises use to check for vulnerabilities and possible loopholes that intruders might take advantage of to compromise a company's network, creating back doors in order to have permanent access. In this project work, GFI LanGuard will be solely used as a network scanning and vulnerability checking tool to ensure that all backdoors (undocumented access to the network) and loopholes are blocked and a proper patching method is applied to reduce the risk of the network being exploited by attackers.

Chapter One: Scanning

In order for a security administrator to discover vulnerabilities on a network before hackers exploit such loopholes to compromise the network and steal confidential information, there are key steps, or must-dos, to ensure that network vulnerabilities and backdoors are constantly kept in check. Those steps are discussed below:

Scanning is the process of examining carefully. In this context, it is a process where security administrators carefully examine a computer network with a focus on finding vulnerabilities, with the aid of tools and software such as Nmap, GFI LanGuard, firewalls and antivirus.

A network, on the other hand, is a collection of computers, software, and hardware that are all connected to help their users work together. A network connects computers by means of cabling systems, specialized software, and devices that manage data traffic. A network enables users to share files and resources, such as printers, as well as send messages electronically (e-mail) to each other.

Types of Vulnerability Scanning

Below are the types of vulnerability scanning; only a few of those listed will be discussed in this piece.

Network scanning

Port scanning

Web application security scanning

Database security scanning

ERP security scanning

Computer worm

We need to understand that network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment. Scanning procedures, such as ping sweeps and port scans, return information about which IP addresses map to live hosts that are active on the Internet and what services they offer. Another scanning method, inverse mapping, returns information about what IP addresses do not map to live hosts; this enables an attacker to make assumptions about viable addresses. Scanning is one of three components of intelligence gathering for an attacker. In the footprinting phase, the attacker creates a profile of the target organization, with information such as its domain name system (DNS) and e-mail servers, and its IP address range. Most of this information is available online. In the scanning phase, the attacker finds information about the specific IP addresses that can be accessed over the Internet, their operating systems, the system architecture, and the services running on each computer.

Network Scanning

In the enumeration phase, the attacker gathers information such as network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data. It is, however, imperative to understand that network exploitation is 90% information gathering and 10% attack. This means that an attacker spends most of his time gathering information about a target network and understanding its strengths and weaknesses.

IP Scanning

IP scanning is a type of scan on your local area network to determine the identity of all active machines and Internet devices on the LAN. During IP scanning with the aid of software, one can customize the results once a device is identified.

Figure: IP Scanning.

Web Application Scanning

A web application security scanner is a program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. Unlike source code scanners, web application scanners don't have access to the source code and therefore detect vulnerabilities by actually performing attacks.

Web Vulnerability Scanning

Web applications have been highly popular since 2000 because they allow users to have an interactive experience on the Internet. Rather than just view static web pages, users are able to create personal accounts, add content, query databases and complete transactions. In the process of providing an interactive experience, web applications frequently collect, store and use sensitive personal data to deliver their service. Customers benefit from the convenience of these applications, while tacitly taking on the risk that private information stored in web applications will be compromised through hacker attacks, insider leaks etc.

Database Security Scanning

Database scanning is the process of scanning a database, with the aid of software, for vulnerabilities, configuration issues, weak passwords, missing patches, access control concerns and other issues that can lead to user privilege escalation. Testing systems for the occurrence of these flaws and generating a report of the findings will help a security administrator protect an enterprise's database from being exploited by attackers.

Figure: Checking Risk Level.

Port Scanning

When live systems are discovered, an attacker will usually attempt to discover which services are available for exploitation. This is accomplished by a technique commonly known as port scanning. Every application has a specific port number associated with it that identifies that application. Through the use of port numbers, intruders can gain access to information on which applications and network services are available to be exploited. Nmap was the first general purpose port scanning tool available.

The intruder may follow these steps to gain unauthorized access to a web server.

a. DNS query to figure out which web servers are available

b. Ping sweep to see which servers are alive and accessible

c. Port scan to see which services are available for exploitation.

Considering the possible steps a hacker would follow to gain information about a target from a web server, a network engineer must ensure that the safety of his organization's network is periodically checked to ascertain whether it stands at risk of being compromised by intruders. Understanding the types of port scanning will also help the IT department know when a hacker is carrying out a scan (remote or local) on its network territory.

Types of Port Scans:

Vanilla: the scanner attempts to connect to all 65,535 ports

Strobe: a more focused scan looking only for known services to exploit

Fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall

UDP: the scanner looks for open UDP ports

Sweep: the scanner connects to the same port on more than one machine

FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan

Stealth scan: the scanner blocks the scanned computer from recording the port scan activities.

Port scanning is not a crime. There is no way to stop someone from port scanning your computer while you are on the Internet because accessing an Internet server opens a port, which opens a door to your computer. There are, however, software products that can stop a port scanner from doing any damage to your system.
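As an added example (not part of the original report), the following Python script shows how the vanilla/strobe, sweep and UDP scan types listed above look in a firewall connection log, and how the IT department can flag them. The log format, addresses and thresholds are constructed for illustration and do not follow any vendor's real syntax.

```python
"""Port-scan pattern detector over constructed firewall log lines.

Added example, not part of the original report. The log format below is a
constructed simplification ("<time> <ACCEPT|DENY> <proto> <src>:<sport> -> <dst>:<dport>"),
not any vendor's real syntax, and the thresholds are illustrative.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def _line(ts: str, action: str, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    return f"{ts} {action} {proto} {src}:{sport} -> {dst}:{dport}"


# Constructed sample traffic (all addresses are made up):
#   10.0.0.9  probes 15 consecutive ports on one host  -> "vanilla"/"strobe" style
#   10.0.0.12 tries port 445 on seven different hosts  -> "sweep"
#   10.0.0.7  sends a handful of UDP-only probes       -> "UDP" scan
#   10.0.0.20 is a workstation legitimately reaching the web server
SAMPLE_LINES: List[str] = (
    [_line("2012-12-01T10:00:01", "DENY", "tcp", "10.0.0.9", 40000 + p, "10.0.0.50", p)
     for p in range(20, 35)]
    + [_line("2012-12-01T10:01:00", "DENY", "tcp", "10.0.0.12", 51000, f"10.0.0.{h}", 445)
       for h in range(51, 58)]
    + [_line("2012-12-01T10:02:00", "DENY", "udp", "10.0.0.7", 53000, "10.0.0.50", p)
       for p in (53, 161, 67)]
    + [_line("2012-12-01T10:03:00", "ACCEPT", "tcp", "10.0.0.20", 52000, "10.0.0.50", 80)]
)
SAMPLE_LOG = "\n".join(SAMPLE_LINES) + "\n"


def parse_log(log: str) -> List[Tuple[str, str, str, int]]:
    """Return (src, dst, proto, dport) for every well-formed line; skip the rest."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # unexpected format: ignore rather than abort the whole run
        events.append((m["src"], m["dst"], m["proto"], int(m["dport"])))
    return events


def detect_scans(log: str, port_threshold: int = 10, host_threshold: int = 5) -> List[Tuple[str, str, str]]:
    """Flag sources whose traffic matches the scan shapes from the list above.

    Returns sorted (src, kind, detail) tuples, where kind is:
      vertical - >= port_threshold distinct ports on one host (vanilla/strobe)
      sweep    - the same port on >= host_threshold hosts
      udp      - a source that only ever sent UDP probes (UDP scan)
    """
    ports_per_target: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    hosts_per_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    protos_per_src: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, proto, dport in parse_log(log):
        ports_per_target[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
        protos_per_src[src].add(proto)

    findings = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            findings.append((src, "vertical", f"{len(ports)} distinct ports on {dst}"))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings.append((src, "sweep", f"port {dport} on {len(hosts)} hosts"))
    for src, protos in protos_per_src.items():
        if protos == {"udp"}:
            findings.append((src, "udp", "UDP-only probes"))
    return sorted(findings)


if __name__ == "__main__":
    for src, kind, detail in detect_scans(SAMPLE_LOG):
        print(f"{src:<12} {kind:<9} {detail}")
```

The thresholds are deliberately low so the constructed sample trips them; on a real log they would be tuned to the network's normal traffic.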

Figure: Port Scanning.

TCP vs. Port-Scanning

TCP                              | Port-Scanning
Receiver acks packets.           | Packets may not produce answers.
Timeouts are error conditions.   | Timeouts are not error conditions.
Sequence numbers are used.       | No sequence numbers.

Vulnerability Assessment

Proper methodology is essential to the success of the penetration test. It involves gathering information and then testing the target environment. The testing process begins with gathering as much information as possible about the network architecture, topology, hardware, and software in order to find all security vulnerabilities. Researching public information such as Whois records, SEC filings, business news articles, patents, and trademarks not only provides security administrators with background information, but also gives insight into what information hackers can use to find vulnerabilities. Tools such as ping, traceroute, and nslookup can be used to retrieve information from the target environment and help determine network topology, Internet provider, and architecture. Tools such as port scanners, NMAP, SNMPC, and NAT help determine hardware, operating systems, patch levels, and services running on each target device. Also, open-source or shareware assessment tools are available online and can be used to supplement commercial scanners.

The increasing rate of daily vulnerability assessments is alarming; over 50,000 vulnerability assessments are carried out across your network, including your virtual environments, which means that security administrators must be on guard.

GFI LanGuard checks your operating system, virtual environments and installed applications using vulnerability check databases such as OVAL and SANS Top 20. It allows you to analyze the state of your network security, what the risks are, how exposed your network is and how to take action before it is compromised. Vulnerability assessment using GFI LanGuard is represented below in Fig 1.2 and Fig 1.3 respectively.

Fig 1.3 Scanning complete, vulnerability discovered.

After scanning your network and discovering vulnerabilities, as represented in the figures above, one thing is left to ensure an effective and secure network: patching the discovered loopholes, which is a security administrator's last resort against disaster.

Chapter Two

Vulnerability Identification and Patch Acquisition

There are a number of information resources available to system administrators in order to monitor vulnerabilities and patches that may be applicable to their installed hardware and software systems. As each type of resource has its own specialised area, system administrators need to be able to refer to more than one source for accurate and timely information on new vulnerabilities and patch releases.

Some common resources are:

1. Product vendor websites and mailing lists

Product vendor websites are probably the most direct and reliable resources for system administrators on vulnerability and patch related information for specific products. Many large vendors also maintain support mailing lists that enable them to broadcast notifications of vulnerabilities, patches and updates to subscribers via email. However, it should be noted that vendors sometimes do not report new vulnerabilities straight away, as they may not wish to report a specific vulnerability until a patch is available. It is therefore necessary to track other IT security resources for timely vulnerability and patch information.

2. Third-party security advisory websites

A third-party security advisory website is one that is not affiliated with any one vendor, and may sometimes provide more detailed information about vulnerabilities that have been discovered. These websites may cover a large number of products and report new vulnerabilities ahead of the product vendors because, as mentioned, some vendors may choose to hold a vulnerability notification until a patch is available.

These third-party vulnerability advisory websites can be divided into two categories: websites run by Computer Emergency Response Teams (CERTs) and websites run by security vendors.

a) Security advisory websites run by CERTs

One of the most popular vulnerability advisory websites is the US CERT/CC site. It provides technical information about any newly uncovered vulnerability that can assist system administrators and security professionals in assessing the threat from the vulnerability. These advisories are updated as soon as new information is available from the product vendors.

b) Security advisory websites / resources run by security vendors

A number of third party mailing lists, such as NTBugTraq maintained by CyberTrust, and BugTraq maintained by SecurityFocus, are popular with IT professionals. However, system administrators should verify the information released on these websites with product vendors to confirm the accuracy of any newly discovered vulnerabilities. These websites may also offer newsgroups that system administrators can use to communicate with other users in the same field. System administrators should be careful not to release sensitive information through joining and using these mailing lists and newsgroups.

To assist in the task of keeping up to date with patch releases and vulnerability reports, a number of vulnerability alert services have been developed that allow system administrators to receive automated and customised notification of any vulnerabilities in and across the specific systems they are responsible for. Some services are free to use, while others require a subscription fee. The Talisker website maintains a list of currently available vulnerability alert services. An RSS feed is also available that system administrators can subscribe to in order to keep abreast of newly discovered vulnerabilities.

A patch is usually developed and distributed as a replacement for or an insertion in compiled code (that is, in a binary file or object module). In larger operating systems, a special program is provided to manage and keep track of the installation of patches.

Risk Assessment and Prioritisation

Timely response is critical to effective patch management. With limited resources, system administrators may need to prioritise the deployment of new patches, performing a risk assessment to determine which systems should be patched first. In general, this prioritisation should be based on the following criteria:

1. Threat – A threat is any potential direct danger to information systems. Examples of systems facing high threat levels are web servers, email servers and servers containing sensitive information.

2. Vulnerability – A vulnerability signifies the absence of, or a weakness in, a safeguard which could be exploited by an attacker. It could be a flawed software service running on a server, or unrestricted modem dial-in access, and so on.

3. Criticality – This is a measure of how important or valuable a system is to business operations. Systems that are frequently considered as mission critical include mail servers, database servers and network infrastructure.

In general, systems facing more threats, or that are more vulnerable, or are mission critical should be accorded a higher priority in the patch management process.

System administrators should identify the associated risks and actions that need to be taken once a security vulnerability has been confirmed (for example, scheduling system down time for a reboot after installing a patch), and assess any impact associated with installing a security patch once that patch becomes available. Before applying a patch, system administrators need to ensure that the new patch is not going to affect the overall functionality of the system and its applications (see next section).

Patch Testing

Patch testing is vital to ascertain whether or not a new patch will affect the normal operation of any existing software. It is important that this testing is performed on a mirror system that has an identical or very similar configuration to the target production system. This is to ensure that the patch installation does not lead to any unintended consequences on the production system.

In addition to identifying any unintended problems, patches themselves should be tested to ensure that they have fully patched the vulnerability in question or corrected the performance issue as intended. This can be accomplished by:

1. Checking that the files or configuration settings that the patch is intended to correct have been changed as outlined in the vendor's documentation.

2. Scanning the host system with a vulnerability scanner that is capable of detecting known vulnerabilities. This technique however may not always be effective because vulnerability scanners may not check for the actual presence of the vulnerability in question. Many vulnerability scanners only check software version numbers or patch levels to determine whether vulnerabilities exist or not.

If it is not feasible to install the patch because, for example, testing results show that the patch will crash or seriously disrupt the production system, alternate security controls should be implemented.
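The two verification steps above, as an added Python example that is not part of the original report: it checks the files a patch is documented to replace against the vendor's hashes (step 1) and contrasts that with a version-number-only check (the limitation noted in step 2), so a system whose version string was bumped without the fix is caught. The product name, file paths, version strings and manifest are all constructed for the demonstration.

```python
"""Patch verification: vendor-documented file changes vs version-only checks.

Added example, not part of the original report. The product, file names,
version strings and manifest are all constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical vendor manifest for "netsvc 1.0.2": the patch is documented
# to replace bin/netsvc and to bump the reported version.
PATCHED_BINARY = b"netsvc build 1.0.2 (input length check added)"
MANIFEST = {
    "version": "1.0.2",
    "files": {"bin/netsvc": sha256_hex(PATCHED_BINARY)},
}


def version_check(root: Path, manifest: dict) -> bool:
    """The check a version-number-only scanner performs: read the reported version."""
    return (root / "VERSION").read_text().strip() == manifest["version"]


def file_check(root: Path, manifest: dict) -> dict:
    """Step 1 from the text: confirm each file the patch should have replaced
    actually matches the vendor-documented content (compared by SHA-256)."""
    results = {}
    for rel_path, expected_hash in manifest["files"].items():
        target = root / rel_path
        results[rel_path] = target.is_file() and sha256_hex(target.read_bytes()) == expected_hash
    return results


def verify_patch(root: Path, manifest: dict) -> dict:
    """Combine both checks; only files_ok says the fix is really present."""
    files = file_check(root, manifest)
    return {
        "version_ok": version_check(root, manifest),
        "files_ok": all(files.values()),
        "files": files,
    }


def build_install(version: str, binary: bytes) -> Path:
    """Create a throwaway install tree (constructed test fixture)."""
    root = Path(tempfile.mkdtemp(prefix="patchdemo-"))
    (root / "bin").mkdir()
    (root / "bin" / "netsvc").write_bytes(binary)
    (root / "VERSION").write_text(version + "\n")
    return root


def demo() -> dict:
    """Three systems: unpatched, version bumped without the fix, properly patched."""
    old_binary = b"netsvc build 1.0.1"
    systems = {
        "unpatched": build_install("1.0.1", old_binary),
        "version_only": build_install("1.0.2", old_binary),  # passes a version check, still vulnerable
        "patched": build_install("1.0.2", PATCHED_BINARY),
    }
    return {name: verify_patch(root, MANIFEST) for name, root in systems.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<13} version_ok={result['version_ok']!s:<5} files_ok={result['files_ok']}")
```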

Patch Deployment and Verification

Patching vulnerabilities in a system may be as simple as modifying a configuration setting, or it may require the installation of a completely new version of the software. No single patch method can apply across all software applications and operating systems. Product or application vendors may provide specific instructions for applying security patches and updating their products, and it is recommended that system administrators read all the relevant documentation provided by vendors before proceeding with patch installation.

In addition, security patches should be deployed through an established change control process. Before applying a new patch, administrators may want to conduct a full backup of the system to be patched. This enables a quick and easy restoration of the system to a previous state if the patch has an unintended or unexpected impact on the system. After the patch is deployed, system administrators and users should verify that all systems and applications are functioning normally, and that they comply with laid down security policies and guidelines.

Patch Distribution and Application Tools

Organisations may want to consider using automated patch management tools to speed up the distribution and installation of patches. There are a number of patch management systems in the market that can help automate the entire patch management process. There is also a website run by patchmanagement.org that maintains a list of patch management vendors who offer solutions performing both patch assessment and remediation. They also maintain a page linking to patch management product comparisons previously published in industry magazines. Patch management systems can be broadly categorised into two areas:

1. Cross-platform patch management systems

This category of products can handle patches from more than one operating system, or products from different vendors.

2. Platform specific patch management solutions

This category of products will only support patches from a specific vendor or platform. A well-known example is the patch management tools provided by Microsoft. Microsoft Windows Server Update Services (WSUS) is a free tool from Microsoft designed to help system administrators deploy the latest Microsoft product updates and patches to computers running the Windows operating system.

Patch Management Governance

All organisations need to protect information systems from known vulnerabilities and security risks by applying the latest patches recommended by product vendors, or implement other compensatory security measures. Patch management should be based on an assessment that balances the security and down time risk of a security breach with the cost, disruption and availability risks associated with frequent and rapid deployment of software patches.

Before security patches are applied, proper risk evaluation and testing should be conducted to minimise any undesirable effects to the normal running of information systems. A clear operational process that enables rapid testing and deployment should be established.

Depending on the nature of the information systems in question, risk levels may be different. For example, an information system that is only used internally faces fewer threats than an information system that directly interfaces with the Internet, serving customers or the general public. Depending on the risk level, organisations should determine the appropriate patch management strategy for each of their systems, including patch checking and patching frequency. In short, high-risk information systems should be addressed first.

When evaluating whether to apply a security patch or not, the risks associated with installing the patch should be assessed. Compare the risk posed by the vulnerability with the risk of installing the patch. If an administrator decides not to apply a patch, or if no patch is available, there should be other compensating controls. These may include:

1. turning off services or capabilities related to the vulnerability

2. adapting or adding access controls

3. increasing monitoring of systems to detect and prevent actual attacks.

Security Considerations

When deploying a patch management solution, the following security issues should be considered:

1. The patch management system itself is a software application, and it might have its own set of security vulnerabilities. Patches to the patch management system and its components should be applied as soon as possible.

2. The servers that are running a patch management solution should be properly protected because this will be a central distribution point, sending updates to virtually all machines in the organisation. It could prove disastrous if the files in the patch management servers were to become infected with a virus. Any anti-virus software running on the server should have auto-protection enabled with the latest virus signatures and malicious code definitions installed in order to protect against any virus outbreak.

3. Access control to the patch management system should be secured, both physically, by limiting physical access to the central console to authorised personnel only, and logically, by restricting access to the central console to pre-registered IP addresses only.

4. Communication channels into the patch management system should be properly secured and protected. An attacker may be able to sniff network communications for sensitive information such as authentication credentials or patching statuses to determine which patches have been installed on particular systems, and hence locate vulnerable attack targets. Security measures such as data encryption should therefore be put in place to protect sensitive information passing through the management system from leakage.

5. Regular IT security risk assessments and audits should be conducted on the patch management system.

Criteria for Choosing a Patch Management Solution

Besides matching the specific user and business requirements, including product functionality and budget constraints, organisations should also take the following factors into consideration when considering a robust and secure patch management solution:

1. Fewer Vulnerabilities: Some patch management products have more vulnerabilities than others. Organisations should choose an appropriate solution that looks less likely to be vulnerable itself, which in turn will reduce the need to patch the software regularly. Research should be conducted first to independently verify the product concerned. A complex product may mean more code and services that in turn might introduce more vulnerabilities. It may be wise to select a less complicated and more mature product;

2. System Compatibility: Some patch management solutions are agent-based and some are agent-less. Organisations should evaluate any impact to their systems (such as performance, stability and compatibility) if agents are to be deployed across a large number of machines;

3. Vendor Responsiveness to New Vulnerabilities: Organisations should also take note of the speed with which the solution vendor responds to new vulnerabilities with patches and updates;

4. Ease of Deployment and Maintenance: The easier the patch management solution is to deploy and maintain, the lower the implementation and ongoing maintenance costs to the organisation;

5. Audit Trail: A good patch management solution should provide comprehensive logging facilities that help system administrators easily keep track of the status of software fixes and patches on individual systems.

Summary

In order to combat the constantly increasing number of threats, organizations must become proactive to identify risks in their network security. Regular vulnerability scanning is a critical component of all security architectures.

Vulnerability scanning uses a variety of techniques to examine your external network over the Internet. Your external network likely consists of perimeter devices, such as routers and firewalls, as well as Internet accessible servers, like your email and web servers.

When vulnerabilities are detected, the results are categorized in several ways, allowing customers to target the data they find most useful. Results and corrective recommendations are risk ranked based on priority and provided in executive summary and technically detailed formats, appropriate for business executives and technical administrators.

This constant and early identification of security flaws gives your company the ability to react quickly and appropriately to close security holes and help prevent attacks and data compromises.


Nmap commands

-sS (TCP SYN scan)

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls.

-sT (TCP connect scan)

TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.

-sU (UDP scans)

While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports.

UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

-sY (SCTP INIT scan)

SCTP is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming. It is mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well. SCTP INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear, reliable differentiation between the open, closed, and filtered states.

-sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)

These three scan types (even more are possible with the --scanflags option described in the next section) exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. Page 65 of RFC 793 says that "if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response." Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: "you are unlikely to get here, but if you do, drop the segment, and return."

When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK. Nmap exploits this with three scan types:

Null scan (-sN)

Does not set any bits (TCP flag header is 0).

FIN scan (-sF)

Sets just the TCP FIN bit.

Xmas scan (-sX)

Sets the FIN, PSH, and URG bits together.

-sA (TCP ACK scan)

This scan is different from the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.


-sW (TCP Window scan)

Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned. It does this by examining the TCP Window field of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window. So instead of always listing a port as unfiltered when it receives a RST back, Window scan lists the port as open or closed if the TCP Window value in that reset is positive or zero, respectively.

-sM (TCP Maimon scan)

The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open.
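The flag combinations listed for the NULL, FIN, Xmas, Maimon, ACK and SYN scans are exactly what a network monitor can key on, since a segment with none of SYN, RST or ACK set never occurs in a legitimate handshake. The following is an added example (not code from the project report or from Nmap) that names the scan type a probe's flag byte matches and reports sources that send such probes to many ports; the packet records, addresses and the `min_ports` threshold are constructed for illustration.

```python
# Added example (not from the original report): name the Nmap scan type a TCP
# probe's flag byte matches and report sources probing many ports. Data is constructed.
from collections import defaultdict

# Bit values of the six classic TCP flags in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = FIN | SYN | RST | PSH | ACK | URG

# Flag combinations the scan types above send to a port with no existing connection.
PROBE_SIGNATURES = {
    0: "NULL scan (-sN)",
    FIN: "FIN scan (-sF)",
    FIN | PSH | URG: "Xmas scan (-sX)",
    FIN | ACK: "Maimon scan (-sM)",
    ACK: "ACK or Window scan (-sA/-sW)",
    SYN: "SYN scan (-sS) or ordinary connection attempt",
}

def classify_probe(flags):
    """Name the scan type whose probe uses exactly these flags, or None if unknown."""
    return PROBE_SIGNATURES.get(flags & FLAG_MASK)

def is_handshake_less(flags):
    """True when none of SYN, RST or ACK is set: the RFC 793 'you are unlikely
    to get here' case that NULL, FIN and Xmas probes rely on."""
    return (flags & (SYN | RST | ACK)) == 0

def detect_scanners(packets, min_ports=5):
    """Return {src: {scan_type: distinct_port_count}} for sources whose
    handshake-less probes reached at least min_ports distinct destination ports."""
    probes = defaultdict(lambda: defaultdict(set))
    for pkt in packets:
        if is_handshake_less(pkt["flags"]):
            kind = classify_probe(pkt["flags"]) or "custom flags (--scanflags)"
            probes[pkt["src"]][kind].add(pkt["dport"])
    report = {}
    for src, kinds in probes.items():
        hits = {kind: len(ports) for kind, ports in kinds.items() if len(ports) >= min_ports}
        if hits:
            report[src] = hits
    return report

# Constructed traffic: an Xmas sweep of ports 20-29, a normal client handshake,
# and a lone FIN/ACK that looks like an ordinary connection teardown.
SAMPLE_PACKETS = (
    [{"src": "10.0.0.5", "dport": p, "flags": FIN | PSH | URG} for p in range(20, 30)]
    + [{"src": "10.0.0.9", "dport": 443, "flags": SYN},
       {"src": "10.0.0.9", "dport": 443, "flags": ACK}]
    + [{"src": "10.0.0.7", "dport": 22, "flags": FIN | ACK}]
)
```

Running `detect_scanners(SAMPLE_PACKETS)` reports only the Xmas sweep; the Maimon-style FIN/ACK probe is indistinguishable from a normal teardown by flags alone, so catching it needs connection-state tracking rather than this stateless check.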

--scanflags (Custom TCP scan)

Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scanflags option allows you to design your own scan by specifying arbitrary.

-sZ (SCTP COOKIE ECHO scan)

SCTP COOKIE ECHO scan is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed. The advantage of this scan type is that it is not as obvious a port scan as an INIT scan.

-sI <zombie host>[:<probeport>] (idle scan)

This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). Full details of this fascinating scan type are in the section called "TCP Idle Scan (-sI)".

-sO (IP protocol scan)

IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers.

-b <FTP relay host> (FTP bounce scan)

An interesting feature of the FTP protocol (RFC 959) is support for so-called proxy FTP connections. This allows a user to connect to one FTP server, then ask that files be sent to a third-party server.

