NMCSP

2008 Batch-I

Module III
Scanning
Scenario
Jack and Dave were colleagues. It was Jack’s
idea to come up with an e-business company.
However, conflicts in ideas saw them split
apart. Now, Dave heads a Venture-Capital
funded e-business start-up company. Jack felt
cheated and wanted to strike back at Dave’s
company.
He knew that due to intense pressure to get
to market quickly, these start-ups often build
their infrastructures too fast to give security the
thought it deserves.
• Do you think that Jack is correct in his
assumption?
• What information does Jack need to launch
an attack on Dave’s company?
• Can Jack map the entire network of the
company without being traced back?
Module Objectives

 Definition of scanning
 Objectives of scanning
 Scanning techniques
 Scanning tools
 OS fingerprinting
 Countermeasures
Module Flow

Scanning definition Types of Scanning

Scanning Methodology Scanning Objectives

Scanning Classification Scanning Tools

Use of Proxy Servers in

Countermeasures
attack
Scanning - Definition

Scanning is one of three

components of intelligence gathering
for an attacker. The attacker finds
information about the:
• specific IP addresses
• operating systems
• system architecture
• services running on each
computer.
The various types of scanning are as
follows:
Port scanning
Network Scanning
Vulnerability Scanning
Types Of Scanning
Port scanning: A port scan is a series of
messages sent by someone attempting to
break into a computer to learn about the
computer network services, each service
is associated with a "well-known" port
number.
Network scanning: Network scanning is
a procedure for identifying active hosts
on a network, either to attack them or as
a network security assessment.
Vulnerability scanning: The automated
process of proactively identifying the
vulnerabilities of computing systems in a
network.
Objectives Of Scanning

To detect the live systems running on the

network.
To discover which ports are active/running.
To discover the operating system running on the
target system (fingerprinting).
To discover the services running/listening on the
target system.
To discover the IP address of the target system.
Scanning Methodology

Check for live systems with a

wide range of IP addresses

Check for open Ports

Fingerprint OS

Draw network diagrams

Of vulnerable hosts

Identify vulnerabilities of the OS:

Bypass proxies

Surf anonymously
Scanning – Various Classifications

Vanilla or TCP connect() ICMP scanning

scanning
 REVERSE IDENT
Half open or TCP SYN scanning
scanning
 IDLE scan
Stealth scanning
 LIST scan
TCP FTP proxy (bounce
attack) scanning  RPC scan

SYN/FIN scanning using  WINDOW scan

IP fragments Ping Sweep
UDP scanning
Strobe scanning
TCP Connect / Full Open Scan

This is the most reliable

form of TCP scanning. The
connect() system call
provided by the operating
system is used to open a ACK
connection to every open
SYN
port on the machine.
ACK
If the port is open then the
connect() will succeed and SYN+ ACK

if it is the port is closed then

it is unreachable.
SYN Stealth / Half Open Scan
 It is often referred to as a half open scan because it
doesn’t open a full TCP connection.
 First a SYN packet is sent to a port of the machine
suggesting a request for connection and the response
is awaited.
 If the port sends back a SYN/ACK packet then it is
inferred that a service at the particular port is
listening. If an RST is received, then the port is not
active/listening. As soon as the SYN/ACK packet is
received an RST packet is sent to tear down the
connection.
 The key advantage of this scan is that fewer sites log
this.
FIN Stealth Scan

FIN packets can pass through some programs which

detect SYN packets sent to restricted ports.
This is because closedports tend to report the FIN
packets while open ports ignore the packets.

FIN
 FTP Bounce Scan

 It is a type of port scanning which makes use of the

Bounce Attack vulnerability in FTP servers.
 This vulnerability allows a person to request that the
FTP server open a connection to a third party on a
particular port. Thus the attacker can use the FTP
server to do the port scan and then send back the
results.
 Bounce attack: This is an attack that is similar to IP
spoofing. The anonymity of the attacker can be
maintained.
 The scan is hard to trace, permits access to local
networks, and evades firewalls.
FTP Bounce Attack
SYN/FIN scanning using IP fragments

 It is not a new scanning method but a

modification of earlier methods.
 The TCP header is split into several packets so
that the packet filters are not able to detect what
the packets intend to do.
UDP Scanning

 UDP RAW ICMP Port Unreachable Scanning

• This scanning method uses the UDP protocol instead
of the TCP protocol.
• Though this protocol is simpler, the scanning
process is more difficult.
 UDP RECVFROM() Scanning
• While non root users can not read port unreachable
errors directly, LINUX is cool enough to inform the
user indirectly when they have been received.
• This is the technique used for determining the open
ports by non-root users.
ICMP Scanning

 ICMP scanning sends a ping to all hosts on the network

to determine which ones are up.
 ICMP scanning can be run parallel so that it can run
quickly.
 It is also helpful to tweak the ping timeout value with
the –t option.
Reverse Ident Scanning

 The ident protocol allows for the disclosure of

the username of the owner of any process
connected via TCP, even if that process didn’t
initiate the connection.
 A connection can be established to the http port
and then, using ident, discover whether the
server is running as root. This can be done only
with a full TCP connection to the target port.
List Scan and Idle Scan

 List Scan
• This type of scan simply generates and prints a list of
IPs/Names without actually pinging or port scanning
them.
• A DNS name resolution will also be carried out.

 Idle Scan
• This advanced scan method will allow for a truly
blind TCP port scan of the target.
• It is extraordinarily stealthy in nature.
RPC Scan

 This method works in combination with all

other port scan methods.
 It scans for all the TCP/UDP ports and then
floods them with SunRPC program null
commands in an attempt to determine whether
they are RPC ports, and if so, what version
number and programs they serve.
 Window Scan

This scan is similar to the ACK scan, except that it

can sometimes detect open ports, as well as
filtered/unfiltered ports, due to an anomaly in the
TCP window size reporting by some operating
systems.
Ping Sweep

 A ping sweep (also known as an ICMP sweep) is

a basic network scanning technique used to
determine which of a range of IP addresses map
to live hosts (computers).
 A ping sweep consists of ICMP ECHO requests
sent to multiple hosts.
 If a given address is live, it will return an ICMP
ECHO reply.
Different Scanning Tools
 Nmap
 Nessus
 Retina
 SAINT
 HPING2
 Firewalk
 NIKTO
 GFI LANGUARD
 ISS Security Scanner
 Netcraft
Different Scanning Tools (contd.)

ipEye, IPSecScan SocksChain

NetScan Tools Pro Proxy Servers
2003 Anonymizers
SuperScan
Bypassing Firewall
THC Scan using Httptunnel
Pinger HTTPort
Cheops
Nmap
www.insecure.org
Nmap is a free open
source utility for network
exploration
It is designed to
rapidly
scan large networks.
Nmap: Scan Methods
Some of the scan methods used
by Nmap:
• Xmas tree: The attacker
checks for TCP services by
sending "Xmas-tree" packets.
• SYN Stealth: Referred to as
"half-open" scanning, as a full
TCP connection is not
opened.
• Null Scan: An advanced scan
that may be able to pass
through firewalls unmolested.
• Windows scan: Similar to the
ACK scan and can also detect
open ports.
• ACK Scan: Used to map out
firewall rulesets.
Features

 Nmap is used for port scanning, OS detection,

version detection, ping sweeps, and various
other methods of enumeration.
 Scanning of large number of machines in a
single session.
 Supported by many operating systems.
 Carries out all port scanning techniques.
 Nessus
www.nessus.org/download.html Features
Nessus is a Plug-in architecture
vulnerability
scanner, a program that looks NASL (Nessus Attack
for bugs in software. Scripting Language)
An attacker can use this tool Can test an unlimited
to violate the security aspects number of hosts at a same
of a software product. time.
Smart service recognition
Client/server architecture
Smart plug-ins
Up-to-date security
vulnerability database
Screenshot Of Nessus
Retina

http://www.securityconfig.com/
 Retina network security scanner is a network
vulnerability assessment scanner.
 It can scan every machine on the target network
including a variety of operating system
platforms, networking devices, databases and
third party or custom applications.
 It has the most comprehensive and up-to-date
vulnerability database and scanning technology.
Retina: Screenshot
Features

 Ease of use
 Non-intrusive scanning
 Frequent updates of new vulnerabilities
 Rogue wireless access detection
 Ability to uncover unknown vulnerabilities
 High speed scanning capability
 Superior OS detection
 SAINT
http://www.saintcorporation.com/
It is also
known as Security
Administrator's Integrated
Network Tool.
Detects network
vulnerabilities on any remote
target in a non-intrusive
manner.
Gathers information
regarding what type of OS is
running and what all ports
are open.
Features

 Data management
 Scan configuration
 Scan scheduling
 Data analysis
 Interface engines to discover vulnerabilities
 Reports are presented in plain text format.
HPING2

 HPING2 is a command-line oriented TCP/IP

packet assembler/analyzer.
 It not only sends ICMP echo requests but also
supports TCP, UDP, ICMP and raw-IP
protocols, has a Traceroute mode, the ability to
send files between covered channels.
Features

 Firewall testing
 Advanced port scanning
 Network testing, using different protocols, TOS,
fragmentation
 Advanced Traceroute, under all the supported
protocols
 Remote OS fingerprinting
 Remote uptime guessing
 TCP/IP stacks auditing
Tool: Firewalk

 Firewalk is a network-auditing tool.

 It attempts to determine the type of transport protocols
a given gateway will allow to pass.
 Firewalk scans work by sending out TCP, or UDP,
packets with an IP TTL which is one greater than the
targeted gateway.
Tool: Firewalk
Destination Host

internet

PACKET FILTER Firewalking Host

Hop n

Hop n+m (m>1)

Hop 0
NIKTO
www.zone-h.org/ Uses RFP’s libwhisker as a
NIKTO is an open source base for all network
web server scanner. functionality.
It performs For easy updates, the
comprehensive tests against main scan database is of
webservers for multiple CSV format.
items. SSL support.
Ittests web servers in the Output to file in simple
shortest time possible. text, html or CSV format.
Plug-in support
Generic and server type
specific checks.
GFI LANGUARD
www.gfi.com/downloads
GFI LANGuard
analyzes the operating
system and the
applications running on
a network and finds out
the security holes
present.
It scans the entire
network, IP by IP, and
provides information
such as the service pack
level of the machine,
missing security
patches, and a lot more.
Features
 Fast TCP and UDP port scanning and identification.
 Finds all the shares on the target network.
 It alerts the pinpoint security issues.
 Automatically detects new security holes.
 Check password policy.
 Finds out all the services that are running on the target
network.
 Vulnerabilities database includes UNIX/CGI issues.
ISS Security Scanner
http://www.iss.net
Internet Security
Scanner provides
automated vulnerability
detection and analysis of
networked systems.
It performs automated,
distributed or event-
driven probes of
geographically dispersed
network services, OS,
routers/switches,
firewalls and applications
and then displays the
scan results.
Netcraft

It is a tool that can be used to find out

the OS, Web Server and the Hosting
History of any web site.
IPSecScan

www.microsoft.com
IPSecScan is a tool that can scan either a single IP address or a range
of IP addresses looking for systems that are IPSec enabled.
 NetScan Tools Pro 2003

www.netscantools.com/
NetScan determines ownership of IP addresses, translation of IP addresses to
hostnames, network scanning, port probe target computers for services, validate e-mail
addresses, determine ownership of domains, list the computers in a domain, etc.
 SuperScan

http://www.globalshareware.com/Utilities/System-Utilities/SuperScan.htm
SuperScan is a TCP port scanner, pinger and hostname resolver. It can
perform ping scans, port scans using any IP range, and scan any port range
from a built-in list or specified range.
War Dialer

 Companies do not control the dial-in ports as

strictly as the firewall, and machines with
modems attached are present everywhere.
 A tool that identifies the phone numbers that
can successfully make a connection with a
computer modem.
 It generally works by using a predetermined list
of common user names and passwords in an
attempt to gain access to the system.
 THC Scan

It is a type of War Dialer that scans a defined range of phone numbers

 FriendlyPinger

•http://www.kilievich.com/fpinger/download.htm
It is a powerful and user-friendly application for network administration, monitoring
and inventory. It can be used for pinging of all devices in parallel, at once, and in
assignment of external commands (like telnet, tracert, net.exe) to devices.
Cheops

cheops-ng.sourceforge.net/download.php
It is a network management tool that can be used for OS detection, mapping, to find
out the list of services running on a network, generalized port scanning, etc.
SATAN(Security Administrator’s Tool
for Analyzing Networks)
 Security Administrator’s Tool for Analyzing Networks.
 Security-auditing tool developed by Dan Farmer and
Weitse Venema.
 Examines UNIX-based systems and reports the
vulnerabilities.
 Provides information about the software, hardware, and
network topologies.
 User-friendly program with an X Window interface.
 Written using C and Perl languages. Thus, to run
SATAN, the attacker needs Perl 5 and a C compiler
installed on the system.
 In addition, the attacker needs a UNIX-based operating
system and at least 20MB of disk space.
SAFEsuite Internet Scanner,
IdentTCPScan
 SAFEsuite Internet Scanner
• Developed by Internet Security Systems (ISS) to examine the
vulnerabilities in Windows NT networks.
• Requirements are Windows NT 3.51, or 4.0 and a product
license key.
• Reports all possible security gaps on the target system.
• Suggests possible corrective actions.
• Uses three scanners: Intranet, Firewall and Web Scanner.
 IdentTCPScan
• Examines open ports on the target host and reports the services
running on those ports.
• A special feature that reports the UIDs of the services.
PortScan Plus, Strobe
 PortScan Plus
• Windows-based scanner developed by Peter
Harrison
• The user can specify a range of IP addresses and
ports to be scanned
• When scanning a host, or a range of hosts, it displays
the open ports on those hosts
 Strobe
• A TCP port scanner developed by Julian Assange
• Written in C for UNIX-based operating systems
• Scans all open ports on the target host
• Provides only limited information about the host
Blaster Scan

 A TCP port scanner for UNIX-based operating

systems
 Pings target hosts for examining connectivity
 Scans subnets on a network
 Examination of FTP for anonymous access
 Examination of CGI bugs
 Examination of POP3 and FTP for brute force
vulnerabilities
OS Fingerprinting

OS fingerprinting is the term used for the method that is used

to determine the operating system that is running on the
target system. The two different types of fingerprinting are:

Activefingerprinting
Passive fingerprinting
Active Stack Fingerprinting

 It is based on the fact that various OS vendors

implement the TCP stack differently
 Specially crafted packets are sent to the remote
OS and the response is noted
 The responses are then compared to a database
to determine the OS
Tools for Active Stack Fingerprinting

 XPROBE2
A remote OS detection tool which determines the OS
running on the target system with minimal target
disturbance.

 RING V2
http://www.sys-security.com/
Designed with a different approach to OS detection, this
tool identifies the OS of the target system with a matrix
based fingerprinting approach.

Most of the port scanning tools like Nmap are used for
active stack fingerprinting
 Passive Fingerprinting

 Also based on the differential implantation of

the stack and the various ways an OS responds
to it.
 It uses sniffing techniques instead of scanning
techniques.
 It is less accurate than active fingerprinting.
 Scenario

Jack traces the IP address of a company’s Web

Server and then runs several types of Nmap scans
to find the open ports and, therefore, the services
running. As presumed by him, most of the
unnecessary services were running. It provided
him with the perfect place to exploit the
vulnerabilities.
• Which services do you think that Jack would target?
• Can Jack use the open ports to send commands to a
computer, gain access to a server, and exert command
over the networking devices?
• What are the countermeasures against Port Scanning?
• How can firewalls be evaded during scanning?
 Proxy Servers
 Proxy is a network computer that can serve as an
intermediary for connection with other computers. They
are usually used for the following purposes:
• As a firewall, a proxy protects the local network from outside
access.
• As an IP-address multiplexer, a proxy allows a number of
computers to connect to the Internet when you have only one IP-
address.
• Proxy servers can be used (to some extent) to anonymize web
surfing.
• Specialized proxy servers can filter out unwanted content, such as
ads or 'unsuitable' material.
• Proxy servers can afford some protection against hacking attacks.
 Use of Proxies for Attacking

(1)
DIRECT ATTACK/ NO PROXIES

Logged proxy
VICTIM
PROXY

CHAIN OF PROXIES
ATTACKER

(3)
P1 P2 P3 P4

The last proxy IP address

Is logged. There can be
P4 P5 P6 P7 thousands of proxies used in
the Process. Traceback can
be very difficult

P7 P8 P8 P9
SocksChain

http://www.sharewaresoft.com/SocksChain-download-14819.htm

 SocksChain is a program that

allows to work through a
chain of SOCKS or HTTP
proxies to conceal the actual
IP-address.
 SocksChain can function as a
usual SOCKS-server that
transmits queries through a
chain of proxies.
Anonymizers

 Anonymizers are services that helps to make web

surfing anonymous.

 The first anonymizer developed was Anonymizer.com,

created in 1997 by Lance Cottrell.

 An anonymizer removes all the identifying information

from a user’s computers while the user surfs the
Internet, thereby ensuring the privacy of the user.
Surfing Anonymously

Bypasses the3.
security line
www.proxify.com

User wants to access

sites (e.g. www.target.com) which have been
blocked as per company policy Get access to
www.target.com
Httptunnel
http://www.nocrew.org/software/httptunnel.html
It is used to create bidirectional virtual data path
tunneled in HTTP requests. The requests can be
sent via an HTTP proxy if so desired. It can be used
to bypass firewalls.
HTTPort

http://www.htthost.com/
It allows the bypassing of an HTTP proxy, which blocks
access to the Internet. With HTTPort the following
software maybe used (from behind an HTTP proxy):
e-mail, IRC, ICQ, news, FTP, AIM, any SOCKS capable
software, etc.
Countermeasures

 The firewall of a particular network should be good

enough to detect the probes of an attacker. The firewall
should carry out stateful inspections with it having a
specific rule set.
 Network intrusion detection systems should be used to
find out the OS detection method used by some tools
such as Nmap.
 Only needed ports should be kept open and the rest
should be filtered,
 All the sensitive information that is not to be disclosed
to the public over the internet should not be displayed.
Countermeasures

 The system administrators should change the

characteristics of the system’s TCP/IP stack
frequently as this will help in cutting down the
various types of active and passive
fingerprinting.
 Also, the staff of the organization using the
systems should be given appropriate training on
security awareness. They should also be aware
of the various security policies which are
required to be followed by them.
 Proper security architecture should be followed.
Summary

 Scanning is one of three components of

intelligence gathering for an attacker.
 The objective of scanning is to discover live
systems, active/running ports, the Operating
Systems, and the Services running on the
network.
 Some of the popular scanning tools are Nmap,
Nessus, and Retina.
 A chain of proxies can be created to evade the
traceback of the attacker.