CEH Ethical Hacking Scanning

Mind map about CEH Ethical Hacking Scanning module.

Uploaded by bagdaran. Mind map by MindCert (www.mindcert.com).

Certified Ethical Hacker, Module 3: Scanning

Scanning Methodology
- Steps 1 and 2 are information gathering (footprinting); steps 3 to 7 are scanning proper.
  1. Unearth initial information.
  2. Locate the network range.
  3. Ascertain active machines.
  4. Discover open ports / access points.
  5. Detect operating systems.
  6. Uncover services on ports.
  7. Map the network.
- Why scan?
  - To determine the perimeter of the network.
  - To facilitate network mapping.
  - To find the accessible systems on the target network.
  - To build an inventory.

Locate the Network Range
- After gathering initial information, the next step is to find the network range of the target.
- Information can be obtained from the address registries and providers: ARIN, APNIC, RIPE and IANA.
- Traceroute
  - Traces the route between your network and the target, revealing the path IP packets take.
  - Exploits the IP TTL: sends out consecutive UDP packets with ever-increasing TTLs.
  - Each device along the path sends back an ICMP TTL Exceeded message when it decrements the TTL to zero.
  - Some devices will also reply with DNS information (a reverse-resolved hostname).

Detect Operating Systems: Fingerprinting
- Determines the remote host OS.
- Based upon the fact that different vendors implement TCP/IP differently.
- Types of fingerprinting
  - Active stack fingerprinting: specially crafted packets are sent to the host and the reply determines the OS. Nmap uses 8 tests.
  - Passive fingerprinting: rather than sending packets to the host, captures traffic coming from the host and looks at the responses. Mainly four areas:
    - TTL: what is the TTL on the outbound packet?
    - Window Size: what is the TCP window size?
    - DF: does the OS set the Don't Fragment bit?
    - TOS: is a Type of Service set, and if so, what is it?
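The four passive checks above (TTL, window size, DF bit, TOS) in code, as an added example that is not part of the original mind map. It parses constructed IPv4/TCP headers, normalises the observed TTL back to its likely initial value, and matches the fields against a small signature table; the table entries, addresses and sample packets are illustrative assumptions, not a real fingerprint database.

```python
"""Passive OS fingerprinting on the four fields the map lists: TTL, window
size, DF bit and TOS.  Added example, not part of the original mind map.
The signature table is an illustrative stand-in for a real p0f-style
database, and the sample packets are constructed here with struct.pack."""
import struct

# (initial TTL, window size, DF set?) -> guess.  Assumed illustrative values,
# not an authoritative fingerprint database.
SIGNATURES = {
    (64, 5840, True): "Linux 2.4/2.6 (assumed)",
    (64, 65535, True): "FreeBSD / macOS (assumed)",
    (128, 65535, True): "Windows (assumed)",
    (255, 4128, False): "Cisco IOS (assumed)",
}
INITIAL_TTLS = (32, 64, 128, 255)


def build_packet(ttl, window, df, tos, payload=b""):
    """Construct a minimal IPv4 + TCP header (checksums left zero) as sample input."""
    flags_frag = 0x4000 if df else 0            # DF is bit 14 of the flags/fragment word
    ihl_ver = (4 << 4) | 5                      # IPv4, 20-byte header
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", ihl_ver, tos, total_len, 0x1234,
                     flags_frag, ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    # data offset 5 (20 bytes), flags SYN|ACK = 0x12, as a server's handshake reply
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, 0x12, window, 0, 0)
    return ip + tcp + payload


def extract_fields(pkt):
    """Return (ttl, window, df, tos) read out of a raw IPv4/TCP packet."""
    ihl_ver, tos, _tl, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ihl_ver >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ihl_ver & 0x0F) * 4
    window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]   # TCP window at offset 14
    df = bool(flags_frag & 0x4000)
    return ttl, window, df, tos


def initial_ttl(observed):
    """Each hop decrements the TTL; round up to the nearest common initial value."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    return 255


def guess_os(pkt):
    """Return (guess, observed fields) for one captured packet."""
    ttl, window, df, tos = extract_fields(pkt)
    key = (initial_ttl(ttl), window, df)
    return SIGNATURES.get(key, "unknown"), {"ttl": ttl, "window": window, "df": df, "tos": tos}


# Constructed sample traffic: a host 12 hops away with a Windows-like stack and
# one 3 hops away with a Linux-like stack.
SAMPLES = {
    "10.0.0.2 -> windows-like": build_packet(ttl=116, window=65535, df=True, tos=0),
    "10.0.0.3 -> linux-like": build_packet(ttl=61, window=5840, df=True, tos=0x10),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, guess_os(pkt))
```

The TTL normalisation is what makes the technique work from a distance: a TTL of 116 is almost certainly 128 minus 12 hops, not a stack that starts at 116.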

Understanding Port Scanning
- Why port scan?
  - If ICMP is blocked, port scanning is the next step after ICMP discovery fails, to determine live hosts.
  - To identify potential ports for furthering the attack; these ports are the basis of the next attack stages.
  - To understand what applications are running on the ports.
  - To discover the OS.
- Port scanning is the most popular reconnaissance technique.
  - Discovers services; potential targets run many services.
  - Finds potential vulnerabilities.
- TCP three-way handshake (TCP only; UDP has no handshake)
  1. SYN, sent from the client.
  2. SYN/ACK, sent from the server.
  3. ACK, sent from the client.

Port Scanning Techniques

Open scan (full connect)
- Also known as a TCP Connect scan or a Vanilla scan.
- A full connection is opened to the target using the three-way handshake: SYN, SYN/ACK, ACK.
- Problems
  - Easy to detect and easy to block: the completed connection is visible to the application and its logs.
  - Cannot be spoofed, since the scanner must complete the handshake from its real address.
- Benefits
  - Provides great information.
  - The best scan for determining port state.
Half-open scan (SYN scan)
- Differs from the full connect scan: the three-way handshake is never completed.
  1. SYN, sent by the scanner.
  2. SYN/ACK, returned by an open port (a closed port returns an RST).
  3. RST, sent by the scanner to tear the connection down, so a connection is never established.
- Problems
  - Sophisticated IDS and firewalls can now detect these.
  - Admin/root access is required, because you have to build a custom IP packet.
- Benefits
  - Harder to log.
  - Does not establish a connection.

Stealth scans
- A group of scans considered stealth.
- All have the SYN flag omitted.
- All use inverse mapping: port state is inferred from which probes get no reply.
SYN/ACK scan
- Operation: SYN+ACK is sent to all ports.
- Closed ports reply with an RST; open ports do not reply.
- Packets dropped by inline devices can be incorrectly assumed to be open ports, so the scan can register large numbers of false positives.

FIN scan
- Works like the SYN/ACK scan: a FIN is sent to all ports.
- As per RFC 793, closed ports reply with an RST; open ports ignore the segment.
- Exploits a BSD stack flaw; some machines are patched.
- Does NOT work against Windows, which replies with an RST from every port regardless of state.

ACK scan
- Operation: an ACK is sent to each port; an unfiltered port, open or closed, answers with an RST.
- Takes advantage of the IP routing function: deduces the port state from the TTL value of the returned RST. On stacks with this quirk an RST whose TTL value is less than the boundary value of 64 marks the port as open; works on most UNIX machines.
- When an inline device filters the port no RST comes back, so the scan shows the filtered state but cannot show open or closed. (Nmap's -sA reports only filtered/unfiltered for this reason.)

NULL scan
- Operation: a packet is sent with NO flags set. RFC 793 does not cover how to respond to it, which is what makes this a stealth scan.
- Most UNIX machines: a closed port responds with an RST; an open port does not respond.
- Windows machines act differently (an RST comes back from every port), so the scan does NOT work against Windows.

XMAS scan
- All flags are set: FIN, SYN, RST, PSH, ACK, URG; hence the name, from the ornamental "lit up" look. (Nmap's -sX sets only FIN, PSH and URG.)
- Works on UNIX: a closed port sends an RST; an open port ignores the segment.
- Does NOT work against Windows.

The hacker's choice: OS detection from scan results
- If FIN, XMAS tree and NULL scans show no open ports but a SYN scan shows open ports, the target is probably a Windows machine.
- A good way of detecting the OS without a dedicated fingerprinting tool.
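The half-open and stealth scans above in code, as an added example that is not from the original mind map: it builds each probe as a raw TCP header with a valid checksum over the IPv4 pseudo-header, maps the reply (or its absence) to a port state the way the map describes, and encodes the hacker's-choice Windows check. Nothing is sent, because emitting raw segments needs root; the addresses and ports are constructed values.

```python
"""TCP flags behind the half-open and stealth scans, and how their replies are
read.  Added example, not code from the original mind map: it builds each
probe as a raw 20-byte TCP header with a valid checksum (over the IPv4
pseudo-header) and classifies replies as the map describes, but sends nothing,
since emitting raw segments needs root.  Addresses and ports are constructed."""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe flags per scan type.  XMAS sets every flag, as the map says; Nmap's
# -sX sets only FIN|PSH|URG.
SCAN_FLAGS = {
    "syn": SYN,                                     # half-open scan
    "syn/ack": SYN | ACK,
    "fin": FIN,
    "ack": ACK,
    "null": 0,
    "xmas": FIN | SYN | RST | PSH | ACK | URG,
}


def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum is computed over."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """Return a 20-byte TCP header (no options, no payload) with checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_checksum(src_ip, dst_ip, segment):
    """A correct checksum makes the sum over pseudo-header + segment fold to zero."""
    return _checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def segment_flags(segment):
    """The flags byte of a TCP header sits at offset 13."""
    return segment[13]


def classify(scan, reply):
    """Map (scan type, reply flags or None for no reply) to the port state the
    map describes, for an RFC 793 stack.  Windows answers FIN/NULL/XMAS with an
    RST on every port, so those three never show open ports there."""
    if scan == "syn":
        if reply is None:
            return "filtered"
        return "open" if (reply & SYN and reply & ACK) else "closed"
    if scan == "ack":
        return "unfiltered" if reply is not None and reply & RST else "filtered"
    if scan in ("fin", "null", "xmas", "syn/ack"):
        return "closed" if reply is not None and reply & RST else "open|filtered"
    raise ValueError("unknown scan type: %s" % scan)


def looks_like_windows(results):
    """The hacker's-choice heuristic: SYN finds open ports but FIN/NULL/XMAS find
    none on the same host -> probably Windows.  results: scan -> {port: state}."""
    syn_open = {p for p, s in results.get("syn", {}).items() if s == "open"}
    if not syn_open:
        return False
    for scan in ("fin", "null", "xmas"):
        if any(s != "closed" for s in results.get(scan, {}).values()):
            return False
    return True


if __name__ == "__main__":
    for name, flags in SCAN_FLAGS.items():
        seg = build_segment("10.0.0.1", "10.0.0.2", 40000, 80, flags)
        print(name, seg.hex(), verify_checksum("10.0.0.1", "10.0.0.2", seg))
```

The checksum covers the pseudo-header, so a segment built for one destination fails verification at another; that is the detail that makes "you have to make a custom IP packet" more than a matter of setting flag bits.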
TCP fragmenting
- Splits the TCP header into small fragments so that a filter sees only part of it.
- May cause abnormal results due to reassembly; some firewalls block fragments.
- Works on Linux.

Detecting Live Systems on the Target Network

Ping
- Operation: sends out an ICMP Echo Request and awaits an ICMP Echo Reply.
- Sweep tools can also send TCP/UDP probes if ICMP is blocked (the built-in ping is ICMP only).
- Timestamps each packet; can resolve host names.
- A built-in program on Windows, Linux and OS X.

Ping sweeps
- Different from port scanning: ICMP has no ports.
- Detect hosts based upon ICMP Echo requests and Echo replies.
- Show only that the TCP/IP stack is loaded; do not guarantee that the machine is operable.
- Ping sweeps are the basic step in network mapping and normally the precursor to an attack.
- Can be detected with tools (see below).

Inverse mapping scan
- One of the first stealth scans; uses customised flags.
- Whether a machine is alive is indicated by the absence of a response.
- Not really a port scan: used to map out networks.

Detecting ping sweeps and port scans
- Snort: an IDS that can detect ping sweeps and port scans on the network segment it monitors.
- Genius: a Delphi application that contains a port scan detection routine and also performs scanning.
- BlackICE: a personal firewall / personal IDS; can report ping sweeps, but only against the host it is installed on.
- Scanlogd: detects port scans; UNIX only; writes to syslog.
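The detection side above, as an added example in the spirit of Snort and Scanlogd but not code from the original mind map or from those tools. It runs over a constructed packet log and flags one source echo-requesting many hosts (a ping sweep) and one source hitting many ports on one host (a port scan); the thresholds are assumptions loosely modelled on scanlogd's weighting of privileged ports.

```python
"""Toy ping-sweep and port-scan detector in the spirit of the tools the map
lists (Snort, Scanlogd).  Added example, not code from the original mind map
or from those tools.  The packet records are constructed inline; the
thresholds are assumptions loosely modelled on scanlogd's weighting
(privileged ports count 3, others 1, threshold 21 within 3 seconds)."""
from collections import defaultdict

# Constructed packet log: (timestamp, src, dst, proto, dport or ICMP type)
PACKETS = [
    # 10.1.1.9 sweeps five neighbours with ICMP echo requests in under a second
    (100.0, "10.1.1.9", "10.1.1.1", "icmp", 8),
    (100.1, "10.1.1.9", "10.1.1.2", "icmp", 8),
    (100.2, "10.1.1.9", "10.1.1.3", "icmp", 8),
    (100.3, "10.1.1.9", "10.1.1.4", "icmp", 8),
    (100.4, "10.1.1.9", "10.1.1.5", "icmp", 8),
    # 10.1.1.7 walks common privileged ports on 10.1.1.2
    *[(101.0 + i * 0.05, "10.1.1.7", "10.1.1.2", "tcp", p)
      for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143])],
    # Benign: one host pinging its gateway and one web client
    (105.0, "10.1.1.3", "10.1.1.1", "icmp", 8),
    (106.0, "10.1.1.4", "10.1.1.2", "tcp", 80),
    (107.0, "10.1.1.4", "10.1.1.2", "tcp", 443),
]

SWEEP_HOSTS = 4      # distinct echo targets from one source (assumed)
SWEEP_WINDOW = 3.0   # seconds (assumed)
SCAN_WEIGHT = 21     # scanlogd-style weight threshold (assumed)
SCAN_WINDOW = 3.0    # seconds (assumed)


def detect_ping_sweeps(packets, min_hosts=SWEEP_HOSTS, window=SWEEP_WINDOW):
    """Return {src: sorted targets} for sources that send ICMP echo requests to
    at least min_hosts distinct destinations within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, info in packets:
        if proto == "icmp" and info == 8:          # type 8 = echo request
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):      # sliding window from each probe
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_hosts:
                alerts[src] = sorted(targets)
                break
    return alerts


def detect_port_scans(packets, threshold=SCAN_WEIGHT, window=SCAN_WINDOW):
    """Return {(src, dst): sorted ports} when the weighted count of distinct
    ports probed within `window` seconds (3 per port below 1024, else 1)
    reaches the threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, info in packets:
        if proto in ("tcp", "udp"):
            by_pair[(src, dst)].append((ts, info))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            weight = sum(3 if p < 1024 else 1 for p in ports)
            if weight >= threshold:
                alerts[pair] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    print("ping sweeps:", detect_ping_sweeps(PACKETS))
    print("port scans: ", detect_port_scans(PACKETS))
```

Weighting privileged ports higher is what lets a scanner be caught after a handful of probes while a browser opening 80 and 443 stays well under the threshold; a sweep-detector that ignores the time window, by contrast, will eventually flag every monitoring host on the segment.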
Further Port Scanning Techniques

IDENT scanning
- Uses the ident service on TCP port 113 to query the running services: ident reports which user owns the process behind a connection, so it reveals which services run as root.

FTP bounce
- Uses FTP servers: connect to an FTP server with read/write access and use it (via the PORT command) to initiate outbound connections to the real target, so the probes appear to come from the FTP server.
- Responses: 150 means the port is open; 425 (cannot open data connection) means the port is closed.
- Often scripted and the attacks padded.

War dialers
- A tool used to scan a large pool of telephone numbers: starts with one number and dials one after another until it gets a modem.
- THC-Scan
  - MS-DOS program.
  - Can be used with THC Login Hacker to brute-force the systems found.
  - Contains a "Boss Key" that changes the screen to a bitmap.

UDP scan
- UDP has no connection, so there is no three-way handshake.
- Operation: a zero-byte UDP packet is sent to the target port.
  - Open port: does not respond (unless the service answers the empty datagram).
  - Closed port: the target replies with ICMP Port Unreachable (type 3, code 3).
- ICMP can be rate limited, which makes UDP scans slow and makes a missing reply ambiguous between open and filtered.
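The UDP scan above against loopback, as an added example that is not code from the original mind map. It sends the zero-byte datagram from a connected UDP socket so that the ICMP Port Unreachable for a closed port is surfaced to the scanner as ECONNREFUSED, while an open port that stays silent yields the ambiguous open|filtered result; the host, ports and timeout are constructed and the behaviour assumes a Linux-style stack.

```python
"""UDP scan against loopback, showing the mechanism the map describes: a
zero-byte datagram goes out; a closed port makes the kernel answer with ICMP
port unreachable (type 3 code 3), which a connected UDP socket surfaces as
ECONNREFUSED, while an open port with nothing to say stays silent.  Added
example, not code from the original mind map; it binds its own 'open' port so
it runs offline, and assumes Linux-style error reporting on connected sockets."""
import socket


def udp_probe(host, port, timeout=1.0):
    """Return 'closed' on ICMP port unreachable, 'open' if the service answers,
    and 'open|filtered' when nothing comes back (the ambiguous case, made
    worse on real networks by ICMP rate limiting)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))     # connect() so the kernel reports ICMP errors to us
        s.send(b"")                 # zero-byte UDP probe
        try:
            s.recv(1)
            return "open"
        except ConnectionRefusedError:
            return "closed"         # ICMP port unreachable delivered as ECONNREFUSED
        except socket.timeout:
            return "open|filtered"


def udp_scan(host, ports):
    """Probe each port in turn; UDP has no handshake, so one datagram per port."""
    return {p: udp_probe(host, p) for p in ports}


def demo():
    """Scan one bound (open, silent) and one unbound (closed) loopback port."""
    open_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    open_sock.bind(("127.0.0.1", 0))
    open_port = open_sock.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]   # released on exit, so now closed
    try:
        return open_port, closed_port, udp_scan("127.0.0.1", [open_port, closed_port])
    finally:
        open_sock.close()


if __name__ == "__main__":
    print(demo())
```

Loopback is exempt from the kernel's ICMP rate limit, so the closed port answers every time here; across a real network the same scan has to retransmit and wait, which is why UDP scans take so much longer than TCP scans of the same range.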


Discovering Services on Target Systems: Tools

Ping utilities
- Pinger: a fast ICMP sweep scanner for Windows; identifies live hosts between given IP addresses and can resolve hostnames. A 32-bit graphical ping client; a great tool.
- WS_Ping Pro Pack: includes Ping, Tracert, DNS lookup, Finger, Whois, LDAP, SNMP and a Scan IP sweep.
- NetScan Tools: an integrated collection of Internet information gathering utilities for Windows 2003/XP/2000; contains a custom ICMP packet generator.
- icmpenum: uses ICMP Echo, ICMP Timestamp and ICMP Information requests, i.e. different ICMP packets that may be allowed through when ICMP Echo is blocked; supports spoofing, with promiscuous listening for the return packets.
- hping: a command-line TCP/IP packet assembler/analyzer, similar to Nmap. Supports TCP, UDP, ICMP and raw IP; can be used for firewall testing, port scanning and network testing.

Port scanning tools
- ipEye: a command-line port scanner, Windows 2000/XP only and not as powerful as Nmap; scan types: SYN, FIN, NULL, XMAS.
- ipSecScan: looks for machines that are IPSec enabled by scanning the IPSec protocols and ports: ESP (IP protocol 50), AH (IP protocol 51) and ISAKMP (UDP 500).
- SuperScan: a connect-based TCP port scanner, extremely fast and versatile, with a pinger and hostname resolver; Windows only.
- Nmap: the best port scanning tool.
  - Originally UNIX only, but now supported on Linux, Windows and Mac OS X; also now has GUIs on all three.
  - Scans
    - nmap -sS <targetip>    SYN (half-open) scan; needs root access.
    - nmap -sT <targetip>    Connect scan.
    - nmap -sF <targetip>    FIN scan.
    - nmap -sA <targetip>    ACK scan.
    - nmap -sP <targetips>   ICMP ping scan/sweep, e.g. nmap -sP 172.16.0.0/16 or nmap -sP 172.14.1.0-255 (current Nmap releases spell this -sn).
    - nmap -sU <targetip>    UDP scan.
    - nmap -sI <targetip>    Idle scan.
    - nmap -sW <targetip>    Window scan (the ACK-scan variant that reads the TCP window of the returned RST).
    - nmap -sR <targetip>    RPC scan (in current Nmap an alias for version detection, -sV).
  - Default scans: as root, nmap defaults to the SYN scan (-sS); as a normal user, to the connect scan (-sT).
  - Other features
    - Spoofing (-S): spoof the source IP, e.g. nmap -S 172.18.1.1; replies go to the spoofed address, not to the scanner.
    - Decoy (-D): spoofed scans from decoy machines, with the actual scan injected in between; the more decoys used, the better.
    - Fragmentation (-f): fragments the packets.