Scanning CS-480b Dick Steflik

What Can We Scan For

• Modems (and other telephone devices)

• Live Hosts

• TCP ports

• UDP ports

• Promiscuous NICs

Modems

• Repeatedly dial phone numbers looking for a modem to answer, or for other things

• War Dialers – used to find modems

  – ToneLoc – 1994, by Minor Threat & Mucho Maas

  – THC-Scan 2.0 – by VanHouser, released by The Hacker's Choice; thc.inferno.tusclum.edu; Win9x, NT, W2000; about 100 lines/hour

  – TBA – L0pht (www.l0pht.com) – war dialing on a Palm

• Demon Dialers – once a modem is found, repeatedly dial it and guess passwords

• Other things

  – Free phone calls – if the phone answers and gives a dial tone, you have dialed into a number that will let you dial another number; some companies do this so that roaming employees can dial into the company or into a company-owned 800 number

Live Hosts

• Try pinging (ICMP Echo Request) all hosts on a particular subnet to see who replies

• No reply does not prove the host is down: the host may be live while incoming ICMP messages are blocked

• It's a good idea to block incoming ICMP Echo Requests at the firewall (blocking all ICMP is a step too far, since "Fragmentation Needed" messages are required for path MTU discovery)

• If there is no reply, an attacker would try connecting to a commonly open port (TCP port 80) or sending a UDP packet to a commonly open port; any answer, even a TCP RST or an ICMP Port Unreachable, proves the host is live

• In Java (whose standard library cannot send ICMP), send a ping by executing the OS ping command as an external process (e.g. via Runtime.exec or JNI)

Mapping your network

• Once the live hosts are known, a map of your network can be arrived at by determining how the hosts are connected together

• traceroute (unix/linux) / tracert (w2000)

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\users>tracert mail.binghamton.edu

Tracing route to mail.binghamton.edu [128.226.1.18]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  128.226.121.1
  2   <10 ms   <10 ms   <10 ms  128.226.100.25
  3   <10 ms   <10 ms   <10 ms  bingnet2.cc.binghamton.edu [128.226.1.18]

Trace complete.

Mapping (more)

• By doing repeated traceroutes to the hosts discovered in the host scan, the network topology can be discovered.

• Another way to do this is by using a mapping program like Cheops (www.marko.net/cheops)

  – runs on Linux and automates the process of inventorying a network

  – does operating system identification by using TCP Stack Fingerprinting

Port Scanning

• Once an attacker knows the topology of your network, the tedious task of identifying open ports and services begins

• Plain TCP connect and UDP scans are fine if you are scanning your own network looking for vulnerabilities, but they are too easily detected (a completed connection is logged by the service that accepted it) to be attractive to a hacker

• Nmap (www.insecure.org/Nmap)

  – runs on most versions of Unix

  – ported to Windows NT by eEye (www.eeye.com/html/Databases/Software/Nmapnt.html)

  – does many types of scans

Port Scanning (more)

• TCP Connect - completes the 3-way handshake; needs no raw-socket privileges, but the accepting service sees and may log every connection

• TCP SYN - sends only the initial SYN and waits for a SYN-ACK (open) or RST (closed); the half-open connection is then torn down with a RST instead of completing the handshake, so the application never sees it

• TCP FIN - sends a TCP FIN to each port; a RST indicates the port is closed, no response means open or filtered; violates the protocol, since a FIN outside an established connection should never arrive

• TCP Xmas Tree - sends a packet with FIN, URG, PUSH set; a RST indicates the port is closed, no response may mean the port is open. This also violates the protocol; it doesn't work on Windows machines because MS didn't follow the RFC and replies with a RST whether the port is open or closed, so every port looks closed

• NULL - sends a packet with no code bits set; a RST indicates the port is closed, no response means open or filtered; the same Windows caveat applies

• TCP ACK - sends a packet with the ACK bit set; a RST comes back from open and closed ports alike, so the scan says nothing about services but shows which ports a packet filter lets unsolicited ACKs through to, which helps determine the filter's rules

• Window - similar to the ACK scan but examines the TCP window size in the returned RST; on some stacks it is non-zero for open ports and zero for closed ones
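The following is an added example (not the course's code and not nmap) that demonstrates the one mechanism behind two things discussed above: the fallback host discovery in the Live Hosts slide (probe TCP port 80 when ICMP is blocked) and the TCP Connect scan. A full connect() gives three distinguishable outcomes, and the code maps them to the open/closed/filtered vocabulary the text uses. It talks only to a listener it starts itself on 127.0.0.1; the default probe ports (80, 443, 22) in host_is_live are an assumption, not something the slides specify.

```python
"""TCP connect probing used both for host discovery and for a connect scan.

Added example, not the course's code and not nmap.  Works on any host
without raw-socket privileges; every probe here goes to loopback
listeners the demo starts itself (constructed targets)."""
import socket
import threading


def tcp_probe(host, port, timeout=1.0):
    """Classify one TCP port the way a connect() scan does.

    open      three-way handshake completed: host live, service listening
    closed    host answered with RST: host live, nothing listening
    filtered  no usable answer (timeout, host/net unreachable): host down
              or a packet filter silently dropped the SYN
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:          # RST came back
        return "closed"
    except OSError:                         # timeout, EHOSTUNREACH, ...
        return "filtered"
    finally:
        s.close()


def host_is_live(host, ports=(80, 443, 22), timeout=1.0):
    """Host discovery without ICMP: an open *or* closed verdict proves the
    host is up; only 'filtered' on every probe leaves the question open.
    The default port list is an assumption for the example."""
    return any(tcp_probe(host, p, timeout) != "filtered" for p in ports)


def connect_scan(host, ports, timeout=1.0):
    """Full connect scan of the given ports; the service logs each hit."""
    return {p: tcp_probe(host, p, timeout) for p in ports}


def start_listener():
    """Constructed target: a TCP listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:                 # listener closed by demo()
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv


def find_closed_port():
    """Bind-and-release an ephemeral port so it is known to be closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed loopback port; returns (open, closed, results)."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = find_closed_port()
    result = connect_scan("127.0.0.1", [open_port, closed_port])
    srv.close()
    return open_port, closed_port, result


if __name__ == "__main__":
    o, c, r = demo()
    print(f"port {o}: {r[o]}   port {c}: {r[c]}   host live: {host_is_live('127.0.0.1', (c,))}")
```

Note the asymmetry that makes the fallback work: a closed port is just as good as an open one for proving the host is live, which is why an attacker who gets no ICMP reply does not need to guess an open port, only a port the filter does not drop.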

Port Scanning (more)

• FTP Bounce - bounces a TCP scan off of an FTP server (the FTP PORT command tells the server to open a data connection to an arbitrary host and port) to obscure the originator of the scan

• RPC Scanning - scans for Remote Procedure Call (RPC) services on the target machine; sends an RPC NULL call (procedure 0) to each candidate port to determine if an RPC program is listening there

Windows Specific Services

NetBIOS (UDP Ports 137 and 138, TCP Port 139) – used for Windows networking to connect clients to file and print servers. Should never be allowed through the Firewall except through an encrypted tunnel (as in a VPN)

RPC Locator / endpoint mapper (TCP Port 135) – used by Windows networking to locate network services that use the RPC protocol. Should never be allowed through the Firewall.

Terminal Services (TCP Port 3389) – gives the connecting user complete control over the host machine. Should never be allowed through the Firewall except through an encrypted tunnel (as in a VPN)

Standard UNIX Services

• Chargen (TCP and/or UDP port 19)

• Daytime (TCP and/or UDP Port 13)

• Discard (TCP and/or UDP Port 9)

• Echo (TCP and/or UDP Port 7)

• Finger (TCP Port 79)

• NFS (TCP and/or UDP Port 2049)

• Quote of the Day (TCP and/or UDP Port 17)

• RPC portmapper (TCP and/or UDP Port 111)

• RSH (TCP Port 514)

• SSH (TCP Port 22)

Platform Neutral Services

• Telnet (TCP Port 23)

• TFTP (UDP Port 69)

• BOOTP/DHCP server (UDP Port 67)

• BOOTP/DHCP client (UDP Port 68)

• LDAP (TCP and/or UDP Port 389)

• SNMP (UDP Port 161)

• VNC (TCP Ports 5800+, 5900+)

• HTTP (TCP Port 80)

• HTTPS (TCP Port 443)

UDP Scans

• Because UDP is connectionless (no handshake, no acknowledgements), a scanner gets far less feedback than with TCP, so UDP scanning is inherently less reliable

• A UDP packet is sent to each UDP port

  – If an ICMP "Port Unreachable" message is received, interpret the port as closed

  – If the application answers, the port is open

  – Otherwise assume the port is open (more precisely: open or filtered)

• False positives are very common: silence may mean a listening service that ignores the probe, a firewall dropping the packet or the ICMP reply, or simply lost packets; many systems also rate-limit ICMP unreachables, so the scanner must retry and wait, which makes UDP scans slow as well as uncertain
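The UDP probe described above, as an added example (not the course's code, not nmap). It relies on one kernel behaviour that is worth knowing when writing your own scanner: if the UDP socket is connect()ed to the target, Linux and the BSDs deliver an incoming ICMP Port Unreachable as ECONNREFUSED on the next send or recv, so an unprivileged program can see the "closed" verdict without sniffing ICMP. The three loopback targets (one that replies, one that stays silent, one closed port) are constructed by the demo itself; the retry count and timeouts are arbitrary choices for the example.

```python
"""UDP port probing: ICMP Port Unreachable => closed, reply => open,
silence => open|filtered.  Added example, not the course's code.

Assumes a Linux/BSD-style kernel that reports an ICMP Port Unreachable
for a *connected* UDP socket as ECONNREFUSED on the next send/recv."""
import socket
import threading


def udp_probe(host, port, payload=b"\x00", timeout=1.0, retries=2):
    """Probe one UDP port and return 'open', 'closed' or 'open|filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))      # connected socket: ICMP errors reach us
        for _ in range(retries):
            try:
                s.send(payload)
                s.recv(1024)
                return "open"                # the application answered
            except ConnectionRefusedError:
                return "closed"              # ICMP Port Unreachable came back
            except socket.timeout:
                continue                     # silence; retry because hosts
                                             # rate-limit ICMP unreachables
        return "open|filtered"               # still silent: cannot tell
    finally:
        s.close()


def start_udp_listener(reply):
    """Constructed target: a loopback UDP service that either echoes a
    reply (like a chatty service) or swallows datagrams (like many real
    ones, which is what produces the false positives)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                _, peer = srv.recvfrom(1024)
            except OSError:                  # socket closed by demo()
                break
            if reply:
                srv.sendto(b"pong", peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def free_udp_port():
    """Bind-and-release an ephemeral UDP port so it is known to be closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe a replying, a silent and a closed loopback port."""
    chatty = start_udp_listener(reply=True)
    silent = start_udp_listener(reply=False)
    closed = free_udp_port()
    results = {
        "replies": udp_probe("127.0.0.1", chatty.getsockname()[1]),
        "silent": udp_probe("127.0.0.1", silent.getsockname()[1], timeout=0.2),
        "closed": udp_probe("127.0.0.1", closed),
    }
    chatty.close()
    silent.close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
```

The "silent" case is the one the slide warns about: the listener really is there, but the probe cannot distinguish it from a firewall that dropped the packet, so the honest verdict is open|filtered rather than open. Sending a payload the service understands (a DNS query to 53, an SNMP GetRequest to 161) instead of a zero byte is how scanners turn some of those into definite "open" answers.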

TCP Stack Fingerprinting

• The TCP RFC defines how TCP should respond under normal conditions (no protocol violations) but not how to act in response to a protocol violation

• If you spend the time attempting a number of protocol violations and record the responses, they will be the same every time for a specific operating system/version

• These responses can be treated as fingerprints and allow a hacker to determine what OS is being addressed

• Nmap maintains a rather complete database of known operating system fingerprints and can pretty reliably identify most major operating systems

Defenses Against Port Scanning

• Harden your systems

  – Make sure all OS patches are installed

  – Close all ports not needed

  – Delete all programs associated with closed ports

  – If you are comfortable managing your server via a command line interface, remember to disable the GUI interface; don't forget to delete the X Windows software

• Remove all unneeded software from your server

  – A production web server shouldn't need software development software, so remove all of the compilers

• Scan your systems before the hackers do; find your vulnerabilities before they do.

Defenses (more)

• Use stateful packet filtering so that not only the current packet is taken into consideration but also the connection it claims to belong to

  – Intruders can scan right past a standard (stateless) packet filter: an ACK scan's probes satisfy any rule that admits "established" traffic on the strength of the ACK bit alone

• Use a proxy based firewall

  – Gives application layer protection

  – Requires complete connections, so SYN scans and ACK scans can't get through; the scanner only ever reaches the proxy, never the end host
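To make the stateless-versus-stateful point concrete, here is an added model (not the course's code and not any real firewall product): packets are tuples, the two filters are a few lines of Python, and nothing is sent on the wire. The addresses 10.0.0.5 and 203.0.113.9 are assumed for the illustration. The stateless filter encodes the classic rule "allow inbound packets that have ACK set, they must be replies", and the connection-tracking filter keeps the table that the stateless one lacks.

```python
"""Why an ACK scan walks through a stateless packet filter but not a
stateful one.  Added model, not the course's code and not a real
firewall; no packets are sent."""
from collections import namedtuple

# flags is a frozenset drawn from {"SYN", "ACK", "RST", "FIN"}
Pkt = namedtuple("Pkt", "src sport dst dport flags")

INSIDE = "10.0.0.5"        # protected web server (assumed address)
ATTACKER = "203.0.113.9"   # TEST-NET-3 address standing in for the scanner


def stateless_filter(pkt):
    """Typical stateless rule set for a web server:
       1. inbound SYN only to port 80 (new connections)
       2. inbound packets with ACK set and no SYN are assumed to be
          part of an existing connection and are allowed
    Rule 2 is the hole: with no memory, the ACK bit is taken on trust,
    so every probe of an ACK scan passes to the host."""
    if pkt.dst != INSIDE:
        return True                                   # outbound: allow
    if pkt.flags == {"SYN"}:
        return pkt.dport == 80
    return "ACK" in pkt.flags and "SYN" not in pkt.flags


class StatefulFilter:
    """Connection tracking: an inbound packet is allowed only if it opens
    a permitted service or belongs to a flow already in the table."""

    def __init__(self):
        self.flows = set()          # (remote_ip, remote_port, local_port)

    def __call__(self, pkt):
        if pkt.dst != INSIDE:       # outbound: record the flow so its
            self.flows.add((pkt.dst, pkt.dport, pkt.sport))   # replies pass
            return True
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.flags == {"SYN"} and pkt.dport == 80:
            self.flows.add(key)     # NEW connection to a permitted service
            return True
        return key in self.flows    # anything else must match known state


def scan(filt, probe_flags, ports):
    """One probe per port; report which ones the filter let through.
    For an ACK probe nmap would say 'unfiltered' for passed and
    'filtered' for dropped; for a SYN probe 'passed' means it reached
    the host, which can then answer SYN-ACK or RST."""
    out = {}
    for p in ports:
        pkt = Pkt(ATTACKER, 40000 + p, INSIDE, p, frozenset(probe_flags))
        out[p] = "passed" if filt(pkt) else "filtered"
    return out


def reply_to_outbound_passes():
    """The stateful filter still admits real replies to connections the
    inside host opened, which is what the flow table is for."""
    f = StatefulFilter()
    f(Pkt(INSIDE, 51000, ATTACKER, 443, frozenset({"SYN"})))           # inside -> out
    return f(Pkt(ATTACKER, 443, INSIDE, 51000, frozenset({"SYN", "ACK"})))  # reply


def demo(ports=(22, 80, 443)):
    return {
        "syn vs stateless": scan(stateless_filter, {"SYN"}, ports),
        "ack vs stateless": scan(stateless_filter, {"ACK"}, ports),
        "syn vs stateful": scan(StatefulFilter(), {"SYN"}, ports),
        "ack vs stateful": scan(StatefulFilter(), {"ACK"}, ports),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17s} {verdict}")
    print("legit reply through stateful filter:", reply_to_outbound_passes())
```

Against the stateless filter the ACK scan reports every port as unfiltered, and a later Window scan of the same ports would then read the RSTs coming back from the host; against the stateful filter the same probes never reach the host, so the scanner learns nothing beyond "port 80 accepts connections".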

Determining Firewall Rules

• Firewalk – www.packetfactory.net/Projects/firewalk-final.html

• Allows you to determine what packets are allowed through a firewall

• Nmap shows what is happening at the end-point machines; Firewalk sends packets through a packet filtering device to determine what it is set up to pass

• Similar to traceroute, it works off of the TTL field in the IP header: probes are sent with a TTL one greater than the hop count to the filter, so a port the filter passes is revealed by an ICMP Time Exceeded from the hop behind it, while a port the filter drops produces no reply

Review

• List of Live Hosts – Ping and Cheops

• Network Topology – traceroute and Cheops

• List of Open Ports – Nmap

• Operating Systems on Live Hosts – Nmap

• Ports Open Through Packet Filters - Firewalk

Vulnerability Scanning

• Connect to a host and automatically detect if a vulnerability exists

• Common configuration errors

• Default configuration weaknesses

• Well known system vulnerabilities

Vulnerability Scanning Tools

• Vulnerability Database

• User Configuration Tool

• Scanning Engine

• Knowledge base of current active scan

• Results repository and Report Generator

[Figure: block diagram of the components listed above (Vulnerability Database, User Configuration Tool, Scanning Engine, Knowledge Base of Active Scan, Results Repository and Reports) with the Scanning Engine connected to several Targets]

Bunch of Vulnerability Scanners

• Free

  – SARA – www-arc.com/sara

  – SAINT – www.wwdsi.com/saint

  – VLAD – razor.bindview.com/tools

  – Nessus – www.nessus.org

• Commercial

  – CyberCop Scanner – www.mcafeeb2b.com/services/cybercop-asap.asp

  – ISS Internet Scanner – www.iss.net

  – eEye Retina Scanner – www.eeye.com

  – Qualys' QualysGuard – subscription based – www.qualys.com

  – Vigilante SecureScan – subscription based – www.vigilante.com

Wi-Fi

• Wardriving

  – Name comes from the movie War Games

  – Similar in concept to wardialing

  – Also warwalking and warbiking

  – Drive around and discover wireless hot spots

  – Publish where they are located (GPS coordinates): www.wigle.net

• Legality

  – US: not clearly defined; New Hampshire is working on a bill to clarify responsibility to secure wireless networks

  – UK: "use of a computer for a purpose for which one does not have permission" is against the law

• Tools

  – Netstumbler – Windows active mode tool that transmits probe requests looking for wi-fi networks (and is therefore itself detectable)

  – Kismet – most platforms; passive mode tool that only listens, and does network detection, packet sniffing and IDS