Scan (EN)

The document outlines various port scanning techniques used to identify active systems and open ports on computer networks, including ARP Ping, ICMP Ping, TCP Connect Scan, TCP SYN Scan, and UDP Scan. It also discusses OS fingerprinting methods, both passive and active, to determine the operating system of devices on a network. Additionally, it lists tools such as nmap and hping3 that can be utilized for these scanning processes.

Uploaded by Kushner Serge
© All Rights Reserved

4. Port Scanning

Role of port scanning
• Identification of active systems, open communication ports and services running on computer networks
• Port scanning techniques:
– ARP Ping
– ICMP Ping
– TCP connect() Scan
– TCP SYN Scan
– TCP FIN, Xmas Tree, Null Scan
– UDP Scan

ARP Ping
• Can discover active systems only on the local network segment: ARP is not routed, so the request never leaves the broadcast domain
• Hard to block and hard to evade: every IPv4 host must answer ARP requests for its own address, even if it drops ICMP and firewalls every port
• Unreliable where Proxy ARP is enabled on a router: the router answers ARP requests on behalf of the addresses it routes, so unused addresses also appear to be alive (false positives)
• Tools:
– arping
– nmap -PR (nmap uses ARP host discovery by default for targets on the local Ethernet segment when run as root)

ICMP Ping
• Uses ICMP queries
– ICMP ECHO_REQUEST (Type 8)
– ICMP ECHO_REPLY (Type 0)
• Echo requests are often blocked or rate-limited at the firewall, so a silent host is not necessarily down; nmap therefore also offers ICMP timestamp requests (-PP) and TCP/UDP probes (-PS, -PA, -PU) for host discovery
• Tools:
– ping / fping
– nmap -sn -PE (older versions: -sP -PE; host discovery only, no port scan)
– hping3 --icmp

TCP connect() Scan
• Uses the connect() system call to establish a TCP connection with the remote host; no raw sockets are involved, so no special privileges are needed
• Full three-way handshake for open ports (SYN, SYN/ACK, ACK); a closed port answers the SYN with a RST, and no answer at all usually means a firewall dropped the probe
• Usually logged by the remote host: the connection is completed and handed to the listening application, which sees a client that connects and disconnects without sending anything
• Tools:
– telnet
– netcat (nc -zv host ports)
– nmap -sT
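
The connect() scan reduced to its socket calls, as an added example (not code from the slides): a listener on the loopback interface plays the open port, a freed ephemeral port plays the closed one, and the listener records every accepted connection, which is exactly why this scan ends up in the target's logs. Host, timeouts and the bind/close trick for locating a closed port are assumptions made for the demo.

```python
"""TCP connect() scan against the loopback interface.

Added example, not code from the slides. A listener is opened on an ephemeral
port so that the scan has a known-open target; the host, timeouts and the
bind/close trick for finding a closed port are assumptions for the demo.
"""
import socket
import threading


def serve_and_log(listener, seen):
    """Accept one connection and record the peer, the way a real service logs it."""
    listener.settimeout(2.0)
    try:
        conn, peer = listener.accept()   # handshake completed: the application sees it
        seen.append(peer)
        conn.close()
    except socket.timeout:
        pass


def connect_scan(host, port, timeout=1.0):
    """Classify one port using a full three-way handshake (what nmap -sT does)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))              # SYN -> SYN/ACK -> ACK
        return "open"
    except ConnectionRefusedError:           # SYN answered with RST
        return "closed"
    except (socket.timeout, TimeoutError):   # SYN silently dropped, e.g. by a firewall
        return "filtered"
    except OSError:                          # host/network unreachable and similar
        return "filtered"
    finally:
        s.close()


def find_closed_port(host):
    """Bind an ephemeral port and release it: it is now free, i.e. closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo(host="127.0.0.1"):
    """Scan one open and one closed port; return both verdicts and the listener's log."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    seen = []
    worker = threading.Thread(target=serve_and_log, args=(listener, seen))
    worker.start()
    open_result = connect_scan(host, open_port)
    worker.join()
    listener.close()
    closed_result = connect_scan(host, find_closed_port(host))
    return open_result, closed_result, seen


if __name__ == "__main__":
    o, c, log = demo()
    print("open port:", o, "| closed port:", c, "| connections logged by listener:", log)
```

Note that `seen` holds one entry after the scan although the scanner never sent a byte: the kernel completed the handshake and handed the socket to accept(), so any service that logs connections has a record of the probe. A SYN scan never reaches that point.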

TCP SYN Scan
• Half-open connections
– a SYN packet is sent to ask for a new connection
– a SYN/ACK reply means the port is open; the scanner then drops the connection by sending a RST instead of completing the handshake
– a RST reply means the port is closed; no reply (or an ICMP unreachable error) means filtered
• Harder to detect than a connect() scan
– the handshake never completes, so the listening application never receives the connection and has nothing to log
– a stateful firewall or IDS that tracks half-open connections can still detect and log the scan, and current systems do; "hard to detect" only holds against hosts that log at the application level
• Requires raw sockets, i.e. root/administrator privileges
• Tools:
– nmap -sS (the default scan type when running as root)
– hping3 --syn
TCP FIN, Xmas Tree, Null Scan
• Stealth scans
• The working principle is the same for all three
– manipulation of the control flags in the TCP header: the probe is neither a SYN nor part of an existing connection
• According to RFC 793, a system receiving a packet on a closed port must answer with a RST
– an open port silently drops a packet that has none of the SYN, RST or ACK flags set
– so a RST means closed, and no answer means either open or filtered by a firewall (nmap reports open|filtered); an ICMP unreachable error means filtered
• Does not work against Windows systems
– a RST is returned whether or not the port is open, so every port looks closed (Cisco IOS and several other stacks behave the same way); as a side effect, a host that shows some ports open with these scans cannot be one of those systems
• Running these scans requires administrative privileges (raw sockets)

TCP FIN Scan
[Diagram: closed port replies with RST; open port sends nothing back]
• Sends a FIN packet to the targeted port, then waits for a response
• Tools:
– nmap -sF
– hping3 --fin

TCP Xmas Tree Scan
[Diagram: closed port replies with RST; open port sends nothing back]
• Sends a TCP packet with the FIN, URG and PSH flags set ("lit up like a Christmas tree"), then waits for a response
• Tools:
– nmap -sX
– hping3 --fin --urg --push

TCP Null Scan
[Diagram: closed port replies with RST; open port sends nothing back]
• Sends a TCP packet with no flags set, then waits for a response
• Tools:
– nmap -sN
– hping3 -p <port> (hping3's default TCP mode sends packets with no flags set)
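
What the SYN, FIN, Xmas and Null scans above actually put on the wire, and how the reply is read, as an added example (not code from the slides, nmap or hping3): the block builds the 20-byte TCP header for each probe with a correct checksum over the IPv4 pseudo-header and applies the RFC 793 decision rule to constructed replies. Nothing is transmitted, since sending raw segments needs root or CAP_NET_RAW; addresses and ports are made-up values.

```python
"""Probe segments behind nmap -sS / -sF / -sX / -sN and the decision rule for the reply.

Added example, not from the slides or from nmap/hping3. Nothing is transmitted:
sending hand-built TCP segments needs raw sockets (root / CAP_NET_RAW), so the
block builds the segments, checksums them over the IPv4 pseudo-header and
classifies constructed replies. Addresses and ports are made-up values.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag byte each scan puts on the wire.
PROBE_FLAGS = {
    "syn": SYN,               # nmap -sS,  hping3 --syn
    "fin": FIN,               # nmap -sF,  hping3 --fin
    "xmas": FIN | PSH | URG,  # nmap -sX,  hping3 --fin --urg --push
    "null": 0,                # nmap -sN,  hping3 default TCP mode
}

# Scans that cannot tell "open" from "filtered": an open port answers neither.
INVERSE_SCANS = ("fin", "xmas", "null")

# ICMP destination-unreachable codes that nmap treats as "filtered".
FILTERED_ICMP_CODES = (1, 2, 3, 9, 10, 13)


def inet_checksum(data):
    """RFC 1071 ones-complement sum of 16-bit words (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that is included in the TCP checksum."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header (no options, no payload) with a valid checksum."""
    data_offset = 5 << 4                                   # 5 x 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, window, 0, 0)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]   # checksum lives at bytes 16-17


def checksum_ok(src_ip, dst_ip, segment):
    """Receiver-side check: summing everything including the checksum field gives zero."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment):
    """Flag byte of a raw TCP header (offset 13): CWR ECE URG ACK PSH RST SYN FIN."""
    return segment[13]


def classify(scan, reply):
    """Port state implied by the reply to one probe.

    reply is None (timed out), ("tcp", segment_bytes) or ("icmp", type, code).
    Caveat from the slides: Windows (and e.g. Cisco IOS) answer FIN/Xmas/Null
    probes with RST on open ports too, so "closed" from those scans means
    nothing against such hosts.
    """
    if reply is None:
        return "open|filtered" if scan in INVERSE_SCANS else "filtered"
    if reply[0] == "icmp":
        _, itype, code = reply
        return "filtered" if itype == 3 and code in FILTERED_ICMP_CODES else "unexpected"
    flags = tcp_flags(reply[1])
    if flags & RST:
        return "closed"                               # RFC 793: closed port answers RST
    if scan == "syn" and flags & SYN and flags & ACK:
        return "open"                                 # half-open; scanner now sends RST
    return "unexpected"
```

The Xmas probe's flag byte comes out as 0x29 (FIN 0x01 | PSH 0x08 | URG 0x20) and the Null probe's as 0x00; a SYN scan is the only one of the four that can return a positive "open", because it is the only one that provokes a SYN/ACK.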

UDP Scan
• Similar to a TCP scan but using UDP packets
• Send a UDP packet and wait for a response
– an ICMP Port Unreachable (Type 3, Code 3) means the port is closed
– any UDP reply means the port is open
– other ICMP unreachable errors (Type 3, Codes 1, 2, 9, 10, 13) mean the probe was filtered
– no answer at all means open or filtered: most UDP services only reply to a well-formed request, so silence does not prove the port is open (nmap reports open|filtered and can send protocol-specific payloads to provoke a reply)
• Scanning process takes time
– every silent port costs a full timeout, and most hosts rate-limit ICMP errors (Linux sends at most about one destination-unreachable message per second by default), so closed ports can only be confirmed at that rate and a scanner may wait a second or more per port
• Tools:
– nmap -sU
– hping3 --udp
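
The three UDP outcomes on one host, as an added example (not code from the slides): a constructed responder that answers anything is the "open" port, a bound socket that never replies is "open|filtered", and a freed ephemeral port is "closed". The "closed" verdict depends on the kernel surfacing the ICMP Port Unreachable on a connected UDP socket as ECONNREFUSED, which Linux does; host and timeout values are assumptions, and the per-probe timings show where the slowness comes from.

```python
"""UDP scan against the loopback interface.

Added example, not from the slides. A constructed UDP responder plays the
"open" port, a bound-but-silent socket plays "open|filtered", and a freed
ephemeral port plays "closed". The "closed" verdict relies on the kernel
reporting the ICMP Port Unreachable on a connected UDP socket as
ECONNREFUSED, which Linux does; host and timeouts are assumptions.
"""
import socket
import threading
import time


def udp_responder(sock, stop):
    """Answer every datagram, like a service that replies to any request."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(512)
        except socket.timeout:
            continue
        sock.sendto(b"reply:" + data, peer)


def udp_scan(host, port, payload=b"\x00", timeout=1.0):
    """Classify a UDP port the way nmap -sU does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # connected socket: ICMP errors are delivered to recv()
        s.send(payload)
        s.recv(512)
        return "open"             # a UDP reply is the only positive proof of a listener
    except ConnectionRefusedError:
        return "closed"           # ICMP Type 3 Code 3, Port Unreachable
    except (socket.timeout, TimeoutError):
        return "open|filtered"    # silence: no listener, a listener ignoring us, or a drop
    except OSError:
        return "filtered"         # other ICMP unreachables (host/net/admin prohibited)
    finally:
        s.close()


def _bound_udp(host):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    return sock


def demo(host="127.0.0.1"):
    """Scan an answering service, a silent bound socket and a closed port.

    Returns the verdicts and the seconds each probe took: every silent port
    costs the full timeout, which is why UDP scans are slow.
    """
    answering, silent, tmp = _bound_udp(host), _bound_udp(host), _bound_udp(host)
    closed_port = tmp.getsockname()[1]
    tmp.close()                                  # that port is now free, i.e. closed
    stop = threading.Event()
    worker = threading.Thread(target=udp_responder, args=(answering, stop))
    worker.start()
    verdicts, timings = {}, {}
    try:
        for name, port, timeout in (("answering", answering.getsockname()[1], 1.0),
                                    ("silent", silent.getsockname()[1], 0.5),
                                    ("closed", closed_port, 1.0)):
            t0 = time.monotonic()
            verdicts[name] = udp_scan(host, port, timeout=timeout)
            timings[name] = round(time.monotonic() - t0, 2)
    finally:
        stop.set()
        worker.join()
        answering.close()
        silent.close()
    return verdicts, timings


if __name__ == "__main__":
    print(demo())
```

Against a remote host the "closed" probe would also be throttled by the target's ICMP rate limit, so a scanner that sends many probes in a burst sees most closed ports as silent and has to retry them slowly; nmap detects the limit and paces itself accordingly.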

OS Fingerprinting
• RFCs do not contain complete specifications: many details are left to the implementer
• There are differences in TCP/IP stack implementation
– TTL (time-to-live) initial value (e.g. 64 on Linux and BSD, 128 on Windows, 255 on many network devices)
– Initial sequence numbers (how the ISN is generated)
– Window size
– DF (Don't Fragment bit)
– TCP option set and order (MSS, SACK, timestamps, window scale, NOP padding)

• Passive fingerprinting
– sniffing to examine packets for certain characteristics
– low precision, but sends nothing: it cannot be detected or blocked by the target
• Active fingerprinting
– send packets to the target in order to analyse its behaviour
– high precision, but the probes are visible to the target and to an IDS

Passive OS fingerprinting
• p0f (http://lcamtuf.coredump.cx/p0f.shtml)
• p0f can identify the operating system of:
– machines that connect to you (SYN mode)
– machines you connect to (SYN+ACK mode)
– machines you cannot connect to (RST mode)
– machines whose communications you can observe
• p0f output (addresses partly masked in the original; "distance" is the hop count estimated from the TTL, "up" the uptime inferred from the TCP timestamp option)
<Wed Feb 27 18:26:58 2008> 213.215.x.x:45291 - Linux 2.6 (newer, 2) (up: 1421 hrs) -> 208.83.x.x:2703 (distance 0, link: ethernet/modem)
<Wed Feb 27 18:27:02 2008> 212.24.x.x:62994 - FreeBSD 5.3-5.4 (up: 4556 hrs) -> 213.215.x.x:80 (distance 9, link: ethernet/modem)
<Wed Feb 27 18:27:16 2008> 90.2.x.x:1322 - Windows 2000 SP4, XP SP1+ -> 213.215.x.x:80 (distance 9, link: pppoe (DSL))
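
How a passive fingerprint like the p0f lines above is derived from a single SYN, as an added example (not p0f's code or signature database): the block parses an IPv4+TCP SYN, extracts the fields p0f keys on (initial TTL, window, DF, option layout), estimates the hop distance from the TTL and matches a small SIGNATURES table. That table is constructed for illustration; its two entries reflect commonly cited stack defaults but are not p0f's signature file. The sample packets are built in the block, so no capture is needed.

```python
"""Passive OS fingerprinting from a captured SYN, in the spirit of p0f.

Added example, not p0f's code or database. It parses an IPv4+TCP SYN, pulls
out the fields p0f keys on (initial TTL, window, DF, option layout), estimates
the hop distance from the TTL and matches a SIGNATURES table. The table is
constructed for illustration: its two entries reflect commonly cited stack
defaults but are not p0f's signature file. The sample packets are built here
too, so nothing is captured from a network.
"""
import socket
import struct

# p0f-style option letters: M=MSS, N=NOP, W=window scale, S=SACK permitted, T=timestamp
OPTION_CODES = {1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}

# (initial TTL, window, DF set, option layout) -> OS.  Constructed, illustrative table.
SIGNATURES = {
    (64, 5840, True, "M,S,T,N,W"): "Linux 2.6",
    (128, 65535, True, "M,N,N,S"): "Windows XP/2000",
}


def parse_tcp_options(raw):
    """Return the option layout as letters in wire order, e.g. 'M,S,T,N,W'."""
    codes, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP carries no length byte
            codes.append("N")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            raise ValueError("malformed TCP option at offset %d" % i)
        codes.append(OPTION_CODES.get(kind, "?%d" % kind))
        i += raw[i + 1]                    # skip kind, length and data
    return ",".join(codes)


def initial_ttl(ttl):
    """Guess the TTL the sender started with: the next common default at or above it."""
    for guess in (32, 64, 128, 255):
        if ttl <= guess:
            return guess
    raise ValueError("TTL out of range")


def fingerprint(packet):
    """Passive signature of an IPv4+TCP SYN and the table match, if any."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_TCP:
        raise ValueError("not TCP")
    ttl = packet[8]
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if tcp[13] & 0x3F != 0x02:             # SYN mode: a bare SYN, no ACK
        raise ValueError("not a bare SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    layout = parse_tcp_options(tcp[20:data_offset])
    ittl = initial_ttl(ttl)
    return {
        "os": SIGNATURES.get((ittl, window, df, layout), "unknown"),
        "distance": ittl - ttl,            # hops travelled, like p0f's "distance"
        "ttl": ttl, "window": window, "df": df, "options": layout,
    }


def make_syn(src, dst, ttl, df, window, options):
    """Constructed IPv4+TCP SYN (checksums left zero; only the header fields matter here)."""
    options += b"\x00" * (-len(options) % 4)
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000 if df else 0,
                     ttl, socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Option bytes as a Linux 2.6 and a Windows XP stack put them on a SYN (constructed).
LINUX_OPTS = (b"\x02\x04\x05\xb4" +          # MSS 1460
              b"\x04\x02" +                  # SACK permitted
              b"\x08\x0a" + b"\x00" * 8 +    # timestamp (values irrelevant here)
              b"\x01" +                      # NOP
              b"\x03\x03\x07")               # window scale 7
WINXP_OPTS = (b"\x02\x04\x05\xb4" +          # MSS 1460
              b"\x01\x01" +                  # NOP NOP
              b"\x04\x02")                   # SACK permitted


def demo():
    """Fingerprint two constructed SYNs that have crossed 12 and 10 hops respectively."""
    linux = fingerprint(make_syn("10.1.1.5", "10.2.2.9", 52, True, 5840, LINUX_OPTS))
    winxp = fingerprint(make_syn("10.1.1.6", "10.2.2.9", 118, True, 65535, WINXP_OPTS))
    return linux, winxp
```

The "low precision" of the slide is visible in the matching key: window size and initial TTL are sysctl-tunable, NAT and load balancers rewrite some of them, and the distance is only a guess at which default TTL the sender started from, so a signature table has to be large and regularly refreshed to stay useful.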

Active OS fingerprinting
• nmap -O <target>
• nmap sends a fixed battery of TCP, ICMP and UDP probes to an open port and a closed port of the target and compares the responses (ISN behaviour, TCP options, window, TTL, DF, ICMP quirks) against its nmap-os-db signature database. The exact probe count and spacing depend on the nmap version (the slide lists 7 TCP probes, 1 ICMP and 1 UDP probe, with the TCP probes sent exactly 110 milliseconds apart); in the second-generation engine (nmap 4.20 and later) the documented sequence starts with six TCP SYN probes to an open port exactly 100 ms apart to sample ISN generation and timestamps, followed by ICMP echo, TCP ECN, further TCP probes to open and closed ports, and one UDP probe to a closed port
• Results are most reliable when the target has at least one open and one closed TCP port

Other scanning tools
• nmap (http://www.insecure.org/nmap/)
• hping3 (http://www.hping.org)
• IPEye (http://ntsecurity.nu/toolbox/)
• NetScan Tools Pro (http://www.netscantools.com/)
• SuperScan (http://www.foundstone.com)
• Cheops-ng (http://cheops-ng.sourceforge.net/)
