Outline
What is IP network scanning?
Concepts, motivation
Example Tool
nmap
Scanning types
Host discovery
port scanning
Version detection
OS detection
What is Scanning?
A method of gathering information about the devices running on a network
Typically used to discover the hosts and services on a network:
Which hosts are up?
Which services are offered?
Do not confuse with a “host vulnerability scanner”, which goes further
and tests a host for known vulnerabilities (Nessus, SAINT)
Why Scanning?
Network security assessment
Security evaluation and auditing
Firewall penetration test (policy auditing)
IDS proof/evaluation
Identifying unexpected new servers
Identifying open ports, either to protect the network proactively
(network and security admins) or to attack it (attackers)
nmap
A well known and free security scanner written
by Fyodor (http://insecure.org/nmap/)
First released Sept 1, 1997 in Phrack 51, “The Art of Port
Scanning” (http://www.phrack.org/issues.html?issue=51)
Many updates since then:
OS Detection (http://www.phrack.org/issues.html?issue=54&id=9#article)
Version scanning
ARP Scanning
Version 5.00 as of this doc
Usage:
nmap [scan types] [options] <host or net …>
Why nmap
An excellent tool
Long history of development and support
Continuous development and improvements
“Industry Standard” port scanner
nmap features
Host Discovery: Which hosts are alive?
Identifying computers on a network, for example listing the computers
which respond to pings (ping sweeps)
Port Scanning: What services are available?
Enumerating the open ports on one or more target computers
Service and Version Detection: Which version is running?
Determining the application name and version number
OS Detection: What platforms are running?
Remotely determining the OS and some hardware characteristics of
network devices
Host Discovery
Querying multiple hosts this way is referred to as a ping sweep
The most basic step in mapping out a network
Several sweep techniques:
ICMP Sweeps
Broadcast ICMP
NON Echo ICMP
TCP sweep
UDP sweep
Host Discovery : ICMP Sweeps
Technique
Send an ICMP ECHO request (ICMP type 8)
If an ICMP ECHO reply (ICMP type 0) is received: target is alive
No response: target is down, or the request/reply was filtered
Pros & Cons
Easy to implement
Fairly slow, and easy to block (ICMP echo is commonly filtered at the border)
Scanner -> Target: ICMP ECHO request
Target -> Scanner: ICMP ECHO reply            => host is alive
Scanner -> Target: ICMP ECHO request
(no response)                                 => host is down or filtered
Host Discovery : Broadcast ICMP
Send an ICMP ECHO request to the network and/or broadcast address and
collect the replies from every host that answers
Windows hosts do not answer broadcast echo requests
Most routers drop directed broadcasts, so this rarely works across subnets
Host Discovery : Non-ECHO ICMP
ICMP type 13 (TIMESTAMP request): asks the target for its current time
ICMP type 17 (ADDRESS MASK request): lets diskless systems obtain their
subnet mask at boot time (RFC 792)
Useful where echo requests are filtered but other ICMP query types are not
Host Discovery : TCP Sweeps
Send TCP ACK or TCP SYN packets
The port number can be selected to avoid blocking by a firewall
Usually a good pick would be 21 / 22 / 23 / 25 / 80
Any TCP reply means the host is up: a SYN to an open port is answered
with a SYN/ACK, a SYN or ACK to a closed port with a RST
But firewalls can spoof a RESET packet for an IP address, so TCP sweeps
may not be reliable
Host Discovery : UDP Sweeps
Relies on the ICMP PORT UNREACHABLE message
Send a UDP datagram to a port that is probably closed; an ICMP PORT
UNREACHABLE reply proves the host is up (for port scanning, the same
logic assumes a port is open when no PORT UNREACHABLE comes back)
Cons:
Routers can drop UDP packets as they cross the Internet
Many UDP services do not respond when correctly probed
Firewalls are usually configured to drop UDP packets (except for DNS)
The whole technique relies on a non-active UDP port answering with
an ICMP PORT UNREACHABLE message; silence is ambiguous
nmap Host Discovery summary
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
(later nmap releases renamed -sP to -sn and -PN to -Pn; the old forms still work)
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery
probes
-PO [protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
-sU: UDP Scan
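The echo, timestamp and address-mask probes described above (nmap -PE, -PP, -PM) share one ICMP header layout, and a sweep draws its conclusions from the reply type, or from silence. The following Python is an added example, not nmap code: it builds each probe with the RFC 1071 checksum and classifies what a reply tells the scanner. Packets are only constructed, never sent; the identifier, sequence number and payload values are assumptions.

```python
"""Host-discovery ICMP probes (echo, timestamp, address mask) and how a sweep
reads the answers. Added example: builds packets only, never sends them."""
import struct
from typing import Optional

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_ADDRESS_MASK_REQUEST, ICMP_ADDRESS_MASK_REPLY = 17, 18


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, odd length padded with 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"", code: int = 0) -> bytes:
    """Header is type(1) code(1) checksum(2) identifier(2) sequence(2), then payload."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def echo_request(ident: int, seq: int, payload: bytes = b"added-example") -> bytes:
    """ICMP type 8 (nmap -PE); the payload is arbitrary and an assumption here."""
    return build_icmp(ICMP_ECHO_REQUEST, ident, seq, payload)


def timestamp_request(ident: int, seq: int) -> bytes:
    """ICMP type 13 (nmap -PP): originate/receive/transmit timestamps, zero on the request."""
    return build_icmp(ICMP_TIMESTAMP_REQUEST, ident, seq, struct.pack("!III", 0, 0, 0))


def address_mask_request(ident: int, seq: int) -> bytes:
    """ICMP type 17 (nmap -PM): a 4-byte mask field, zero on the request."""
    return build_icmp(ICMP_ADDRESS_MASK_REQUEST, ident, seq, struct.pack("!I", 0))


def classify_reply(reply: Optional[bytes]) -> str:
    """What one sweep probe learns from the reply, or from silence."""
    if reply is None:
        return "down or filtered"            # silence never proves a host is down
    if len(reply) < 8 or inet_checksum(reply) != 0:
        return "corrupt reply"               # a valid packet checksums to zero
    icmp_type, code = reply[0], reply[1]
    if icmp_type in (ICMP_ECHO_REPLY, ICMP_TIMESTAMP_REPLY, ICMP_ADDRESS_MASK_REPLY):
        return "alive"
    if icmp_type == ICMP_DEST_UNREACH:
        # Port unreachable (code 3) comes from the target's own stack, so it is
        # the reply a UDP sweep hopes for; the other codes usually come from a
        # router or firewall in the path and say nothing about the host itself.
        return "alive (port unreachable)" if code == 3 else "filtered (unreachable code %d)" % code
    return "unexpected ICMP type %d" % icmp_type
```

To send these for real you would write the bytes to a raw socket (`socket.SOCK_RAW`, `IPPROTO_ICMP`), which needs root; the classification logic is the part that carries over unchanged.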
Port Scanning
To determine what services are running, i.e. which ports are in the
LISTENING state
Some well known types
TCP Connect Scan
TCP SYN scan
Stealth scan
FTP bounce scan
Port Scanning : TCP Connect Scan
Use the basic TCP connection establishment mechanism:
complete the three-way handshake (connect())
Easy to detect by inspecting the system log, since the service sees a
completed connection; needs no special privileges
Scanner -> Target: SYN
Target -> Scanner: SYN/ACK
Scanner -> Target: ACK                        => port is open
Scanner -> Target: SYN
Target -> Scanner: RST/ACK                    => port is closed
Port Scanning : TCP SYN scan
Does not establish a complete connection (half-open scanning)
Send a SYN packet and wait for a response
If a SYN/ACK is received => the port is LISTENING;
immediately tear down the connection by sending a RESET
If a RST/ACK is received => a non-LISTENING port
No response (or an ICMP unreachable error) => filtered
Needs raw-socket (root/administrator) privileges to craft the packets
Scanner -> Target: SYN
Target -> Scanner: SYN/ACK
Scanner -> Target: RST                        => port is open
Scanner -> Target: SYN
Target -> Scanner: RST/ACK                    => port is closed
Port Scanning : Stealth Scan
Gather information about target sites while avoiding detection
Try to hide among normal network traffic
Avoid being logged by the logging mechanism (stealth)
Techniques
Flag probe packets (also called “inverse mapping”)
A response is sent back only by a closed port
By determining which services do not exist, an intruder can infer
which services do exist
Slow scan rate
Difficult to detect => needs a long history log
CERT reported this technique in CERT® Incident Note IN-98.04
http://www.cert.org/incident_notes/IN-98.04.html
Port Scanning : Stealth Mapping
RFC 793: how a TCP stack handles packets that arrive in the wrong state
Closed ports: reply with a RESET packet to such packets
Open ports: ignore any packet in question (a bare SYN is the exception)
Technique
A RST probe (for inverse mapping of hosts: every host discards a RST
silently, so the only answers are ICMP host-unreachable errors that a
router returns for addresses that do not exist)
A FIN probe: only the FIN flag set
An XMAS probe: FIN, PSH and URG set (nmap -sX; some scanners light every flag)
A NULL probe: no TCP flags set
Scanner -> Target: probe packet
(no response)                                 => port is open|filtered
Scanner -> Target: probe packet
Target -> Scanner: RST/ACK                    => port is closed
nmap reports the silent case as open|filtered, since a probe dropped by a
firewall looks the same as an open port; stacks that answer every probe
with a RST regardless of state (Windows, many Cisco devices) make every
port look closed to these scans
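The SYN, ACK and inverse-mapping (NULL, FIN, Xmas) scans on the previous slides all rest on the RFC 793 rules just listed. The Python below is an added example, not nmap's code: it builds the probe's TCP header with the flags each scan uses, models the target's RFC 793 reply for a listening and a closed port (including the stacks that reset everything), and maps the reply or silence to the port state the way nmap's documented tables do. Port numbers and sequence number are assumptions, and the header checksum is left at zero because it needs the IP pseudo-header.

```python
"""TCP scan probes and the RFC 793 behaviour they exploit: which flags each
scan sends, what a listening vs. closed port answers, and how the scanner
turns the answer (or silence) into a port state. Added example, not nmap code."""
import struct
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags set on the probe for each scan type (nmap -sS, -sN, -sF, -sX, -sA).
PROBE_FLAGS = {"syn": SYN, "null": 0, "fin": FIN, "xmas": FIN | PSH | URG, "ack": ACK}

# ICMP unreachable codes a scanner reads as "filtered": net, host, port,
# net/host administratively prohibited, communication prohibited.
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def tcp_header(sport: int, dport: int, seq: int, flags: int, window: int = 1024) -> bytes:
    """20-byte TCP header, no options; checksum left 0 (needs the IP pseudo-header)."""
    data_offset = 5 << 4                      # header length in 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, window, 0, 0)


def flags_of(header: bytes) -> int:
    return header[13]                         # byte 13 of the header holds the flag bits


def rfc793_response(probe_flags: int, listening: bool, rst_to_everything: bool = False) -> Optional[int]:
    """Flags of the target's reply under RFC 793, None when it stays silent.
    rst_to_everything models stacks (Windows, many Cisco devices) that answer
    every out-of-state segment with a RST, which defeats FIN/NULL/Xmas scans."""
    if probe_flags & RST:
        return None                           # a RST is always discarded silently
    if not listening:
        return RST if probe_flags & ACK else RST | ACK   # CLOSED: anything gets a reset
    if probe_flags & ACK:
        return RST                            # LISTEN: an unexpected ACK gets a reset
    if probe_flags & SYN:
        return SYN | ACK                      # LISTEN: a SYN starts the handshake
    return RST if rst_to_everything else None # LISTEN: FIN/NULL/Xmas are dropped


def classify(scan: str, response) -> str:
    """response is None (silence), ("tcp", flags) or ("icmp", type, code)."""
    if response is None:
        return "open|filtered" if scan in ("null", "fin", "xmas") else "filtered"
    if response[0] == "icmp":
        _, itype, code = response
        return "filtered" if itype == 3 and code in ICMP_FILTERED_CODES else "unexpected"
    flags = response[1]
    if flags & RST:
        return "unfiltered" if scan == "ack" else "closed"
    if scan in ("syn", "connect") and (flags & SYN) and (flags & ACK):
        return "open"
    return "unexpected"


def scan_port(scan: str, listening: bool, rst_to_everything: bool = False) -> str:
    """One probe/response round trip between scanner and target, fully simulated."""
    probe = tcp_header(40000, 22, 0x1000, PROBE_FLAGS[scan])   # ports and seq are assumptions
    answer = rfc793_response(flags_of(probe), listening, rst_to_everything)
    return classify(scan, None if answer is None else ("tcp", answer))
```

Note the asymmetry the slides describe: a SYN scan gets a positive answer for open ports, while FIN/NULL/Xmas only ever get a negative one, so an open port and a firewalled port are indistinguishable without further probing.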
Port Scanning : FTP Bounce scanning
Connect to an FTP server and establish the control connection, then ask
the server (PORT command) to open an active-mode data connection to the
target host and port; the server's reply reveals whether that port
accepted the connection
Rather slow
Some FTP servers disable the “proxy” (third-party PORT) feature, but
many still do not
Scanner -> FTP server (10.0.0.4): PORT 10,0,0,5,0,22   (target 10.0.0.5, port 0*256+22 = 22)
FTP server -> Target (10.0.0.5): TCP SYN
Target -> FTP server: RST
FTP server -> Scanner: 425 Cannot build data connection   => port is closed
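The bounce exchange above, as an added example that is not part of the original deck: the Python encodes the RFC 959 PORT argument the scanner sends, decodes the server's data-connection reply into a port state, and drives the whole scan against a constructed stand-in FTP server (the real server, target and open ports are assumptions). 125/150/226 replies mean the server reached the target port; 425 means the connect failed; a 500 to PORT means the server refuses third-party data connections.

```python
"""FTP bounce scan: PORT argument encoding and reply interpretation (RFC 959).
Added example; the FTP server below is a constructed stand-in, not a real one."""
from typing import Dict, List, Set, Tuple


def port_argument(ip: str, port: int) -> str:
    """RFC 959 PORT h1,h2,h3,h4,p1,p2 where port = p1*256 + p2."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def parse_port_argument(arg: str) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_reply_state(reply: str) -> str:
    """State of the target port, read from the reply to the data-transfer command."""
    code = int(reply[:3])
    if code in (125, 150, 226):
        return "open"                        # the server's SYN got a SYN/ACK
    if code == 425:
        return "closed"                      # the server's SYN got a RST
    return "unknown"


class FakeFtpServer:
    """Stand-in for an FTP server; open_ports lists (ip, port) pairs it can reach."""

    def __init__(self, open_ports: Set[Tuple[str, int]], allow_proxy: bool = True):
        self.open_ports, self.allow_proxy, self.data_target = open_ports, allow_proxy, None

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "PORT":
            if not self.allow_proxy:
                return "500 Illegal PORT command"      # third-party PORT refused
            self.data_target = parse_port_argument(arg)
            return "200 PORT command successful"
        if verb == "LIST":
            if self.data_target in self.open_ports:
                return "150 Opening ASCII mode data connection"
            return "425 Can't build data connection: Connection refused"
        return "502 Command not implemented"


def bounce_scan(server: FakeFtpServer, target_ip: str, ports: List[int]) -> Dict[int, str]:
    """PORT to the target, then LIST to force the server's data connection, per port."""
    results = {}
    for port in ports:
        reply = server.command(port_argument(target_ip, port))
        if not reply.startswith("200"):
            results[port] = "proxy refused"
            continue
        results[port] = data_reply_state(server.command("LIST"))
    return results
```

Against a real server the same two commands are sent over the control connection; from the target's point of view the SYN comes from the FTP server, which is what makes the scan both slow and hard to attribute.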
Port Scanning with nmap
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX: TCP Null, FIN, and Xmas scans
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
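The -p syntax on this slide packs three things into one string: single ports, ranges, and T:/U: protocol prefixes that apply to every item after them until the next prefix (bare items default to TCP, and -p- means 1-65535). The Python below is an added example, not nmap's own parser, that turns such a spec into per-protocol port sets and then orders them the way the default (randomized) and -r (consecutive) modes would; the seed is an assumption for reproducibility.

```python
"""Parser for nmap -p port specifications and the scan-order choice (-r).
Added example; mirrors the documented syntax, not nmap's implementation."""
import random
from typing import Dict, Iterable, List, Set


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """'U:53,111,137,T:21-25,80' -> {'udp': {...}, 'tcp': {...}}."""
    ports = {"tcp": set(), "udp": set()}
    proto = "tcp"                                   # items before any prefix are TCP
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port spec %r" % spec)
        if item[:2].upper() in ("T:", "U:"):
            proto = "tcp" if item[0].upper() == "T" else "udp"
            item = item[2:]
            if not item:                            # 'T:' alone only switches protocol
                continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1           # '-' and '-1024' start at 1
            hi = int(hi_s) if hi_s else 65535       # '1024-' runs to the top
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % item)
        ports[proto].update(range(lo, hi + 1))
    return ports


def scan_order(ports: Iterable[int], consecutive: bool = False, seed=None) -> List[int]:
    """Default behaviour randomizes the order (harder to spot a linear sweep);
    -r keeps ports consecutive, which is easier to read in packet captures."""
    order = sorted(ports)
    if not consecutive:
        random.Random(seed).shuffle(order)
    return order
```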
Services and Versions Detection
The nmap-service-probes database contains
probes for querying various services and match
expressions to recognize and parse responses
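To make the database concrete, the Python below is an added example (not nmap's matcher) that parses a reduced form of the nmap-service-probes `match` line, `match <service> m<delim>regex<delim>[flags] p/product/ v/version/ i/info/ h/hostname/`, with `$N` in a field standing for the N-th capture group, and runs the lines over captured banners. The three match lines and the banners are constructed for the example; only the line syntax is nmap's, and real entries are attached to specific probes rather than applied to every banner as here.

```python
"""Version detection in miniature: a reduced parser for nmap-service-probes
'match' lines and a matcher that runs them over service banners.
Added example, not nmap's own code; match lines and banners are constructed."""
import re
from typing import Dict, List, Optional

# Subset of the nmap-service-probes syntax:
#   match <service> m<delim>regex<delim>[flags] [p/product/] [v/version/] [i/info/] [h/hostname/] ...
MATCH_LINES = [
    r"match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/",
    r"match http m|^HTTP/1\.[01] \d\d\d [^\r\n]*\r\nServer: Apache/([\d.]+)| p/Apache httpd/ v/$1/",
    r"match smtp m|^220 ([\w.-]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/",
]

FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname", "o": "os", "d": "devicetype"}
MATCH_LINE_RE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$")
FIELD_RE = re.compile(r"([pvihod])/([^/]*)/")


def parse_match_line(line: str) -> Dict:
    """Split one match line into service, compiled regex and version-info fields."""
    m = MATCH_LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags, fields = m.groups()
    reflags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
    return {
        "service": service,
        "regex": re.compile(pattern, reflags),
        "fields": {FIELD_NAMES[k]: v for k, v in FIELD_RE.findall(fields)},
    }


def load_matches(lines: List[str]) -> List[Dict]:
    return [parse_match_line(line) for line in lines]


def identify(banner: str, matches: List[Dict]) -> Optional[Dict[str, str]]:
    """First match line whose regex hits the banner wins; $N fields are expanded."""
    for entry in matches:
        hit = entry["regex"].search(banner)
        if not hit:
            continue

        def expand(template: str) -> str:
            return re.sub(r"\$(\d)", lambda g: hit.group(int(g.group(1))) or "", template)

        result = {"service": entry["service"]}
        result.update({name: expand(tmpl) for name, tmpl in entry["fields"].items()})
        return result
    return None                                  # nothing matched: unknown service


MATCHES = load_matches(MATCH_LINES)
```

The ordering rule matters in practice: nmap checks match lines in file order and stops at the first hit, so a generic pattern placed before a specific one hides the version detail.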
Operating System Detection
Banner grabbing, DNS HINFO records, and …
TCP/IP stack fingerprinting (different IP stack implementations respond
differently to the same probes)
FIN probe, bogus-flag probe
TCP initial sequence number sampling, TCP initial window, ACK value
ICMP error quenching, message quoting, ICMP echo integrity
IP: DF bit, TOS, fragmentation handling
OS Detection : Examples
ACK value: send FIN|PSH|URG to a closed port
most OSes: the ACK number equals the probe's sequence number
Windows: the ACK number equals the probe's sequence number + 1
Type of Service: provoke an ICMP_PORT_UNREACHABLE message and look at
the TOS field of the error
most OSes: TOS = 0
Linux: TOS = 0xC0
Version and OS Detection with nmap
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for
debugging)
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
Port Scanning Detection
For administrators, detecting scanning means:
Logging suspicious packets
Identifying connections not properly terminated (e.g. a SYN that never
completes the handshake)
Recording port usage per source
Port Scanning Detection
For attackers to dodge detection:
Randomize the sequence of ports to defeat simple pattern matching
Slow scan: stay below the site's IDS detection threshold, down to
2 packets per day per site!
Decoy: mix the real probes with probes from spoofed source addresses
Coordinated scans: multiple scanners each probe part of the same
host or network, so no single source crosses the threshold
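The detection and evasion slides above describe a threshold detector and the slow scan that defeats it. The Python below is an added example, not from the original deck, that runs such a detector over constructed connection-log lines (`epoch src dst dport state`, with SF = completed, REJ = reset, S0 = no reply, a Zeek-like shape chosen for the example): a fast scanner, a slow scanner probing one port every two minutes, and an ordinary client. The window and threshold values are assumptions; widening the window is the "long history log" the slides call for.

```python
"""Port-scan detection over connection-log lines, plus the slow-scan evasion.
Added example; the log lines are constructed and the format is an assumption."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Record = Tuple[int, str, str, int, str]   # (epoch, src, dst, dport, state)


def make_sample_log() -> str:
    """Constructed log: a fast scan, a slow scan and a normal client."""
    lines = []
    for i in range(20):                    # 10.0.0.9: 20 ports in about 5 seconds
        lines.append("%d 10.0.0.9 10.0.0.5 %d %s" % (1700000000 + i // 4, 1 + i, "REJ" if i % 2 else "S0"))
    for i in range(20):                    # 10.0.0.7: one port every 120 seconds
        lines.append("%d 10.0.0.7 10.0.0.5 %d REJ" % (1700000000 + 120 * i, 100 + i))
    lines.append("1700000010 10.0.0.3 10.0.0.5 80 SF")    # 10.0.0.3: real client
    lines.append("1700000011 10.0.0.3 10.0.0.5 443 SF")
    return "\n".join(lines)


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, state = line.split()
        records.append((int(ts), src, dst, int(dport), state))
    return records


def detect_scanners(records: List[Record], window: int = 60, threshold: int = 10) -> Set[str]:
    """Sources that touch more than `threshold` distinct dst:port pairs within
    any `window`-second span (sliding window per source)."""
    by_src: Dict[str, List[Tuple[int, Tuple[str, int]]]] = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        by_src[src].append((ts, (dst, dport)))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        in_window: Dict[Tuple[str, int], int] = defaultdict(int)
        lo = 0
        for ts, target in events:
            in_window[target] += 1
            while events[lo][0] < ts - window:          # evict events older than the window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) > threshold:
                flagged.add(src)
                break
    return flagged


def half_open_ratio(records: List[Record]) -> Dict[str, float]:
    """Share of each source's connections that never completed the handshake;
    scanners sit near 1.0, real clients near 0.0."""
    total: Dict[str, int] = defaultdict(int)
    incomplete: Dict[str, int] = defaultdict(int)
    for _, src, _, _, state in records:
        total[src] += 1
        if state != "SF":
            incomplete[src] += 1
    return {src: incomplete[src] / total[src] for src in total}
```

With a 60-second window only the fast scanner is caught; the slow scanner only appears once the window covers hours, which is why the slides say slow scans need a long history log. Decoys (-D) show up as several sources each crossing the threshold, and a coordinated scan keeps every source below it, so a second aggregation by destination is needed to see it.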