Scribd
Upload
142 views

Hands-On Ethical Hacking and Network Defense

This document discusses port scanning and provides an overview of various port scanning techniques and tools. It describes what port scanning is used for, different types of port scans like SYN scans and connect scans, and popular port scanning tools like Nmap, Unicornscan, NetScanTools Pro, and Nessus. It also covers related topics like ping sweeps, crafting IP packets, shell scripting, and the legal issues around port scanning.

Uploaded by

shabir Ahmad
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
142 views

Hands-On Ethical Hacking and Network Defense

This document discusses port scanning and provides an overview of various port scanning techniques and tools. It describes what port scanning is used for, different types of port scans like SYN scans and connect scans, and popular port scanning tools like Nmap, Unicornscan, NetScanTools Pro, and Nessus. It also covers related topics like ping sweeps, crafting IP packets, shell scripting, and the legal issues around port scanning.

Uploaded by

shabir Ahmad
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 41

Hands-On Ethical

Hacking and Network


Defense
Chapter 5
Port Scanning

Last updated 9-18-08


Objectives
 Describe port scanning
 Describe different types of port scans
 Describe various port-scanning tools
 Explain what ping sweeps are used for
 Explain how shell scripting is used to
automate security tasks

2
Introduction to Port Scanning
 Port Scanning
 Finds out which services are offered by a host
 Identifies vulnerabilities
 Open services can be used on attacks
 Identify a vulnerable port
 Launch an exploit
 Scan all ports when testing
 Not just well-known ports
3
AW Security Port Scanner

 A commercial tool to identify vulnerabilities


4
Introduction to Port Scanning
(continued)
 Port scanning programs report
 Open ports
 Closed ports
 Filtered ports
 Best-guess assessment of which OS is
running

5
Is Port Scanning Legal?
 The legal status of port scanning is
unclear
 If you have permission, it's legal
 If you cause damage of $5,000 or more, it
may be illegal
 For more, see links Ch 5a and Ch 5b

6
Normal TCP Handshake
Client SYN  Server
Client  SYN/ACK Server
Client ACK  Server

After this, you are ready to send data


7
SYN Port Scan
Client SYN  Server
Client  SYN/ACK Server
Client RST  Server

The server is ready, but the client decided


not to complete the handshake 8
Types of Port Scans
 SYN scan
 Stealthy scan, because session handshakes are
never completed
 That keeps it out of some log files
 Three states
 Closed

 Open

 Filtered

9
Types of Port Scans
 Connect scan
 Completes the three-way handshake
 Not stealthy--appears in log files
 Three states
 Closed

 Open

 Filtered
10
Types of Port Scans
 NULL scan
 All the packet flags are turned off
 Two results:
 Closed ports reply with
RST
 Open or filtered ports give
no response

11
Types of Port Scans
 XMAS scan
 FIN, PSH and URG flags are set
 Works like a NULL scan – a closed port
responds with an RST packet
 FIN scan
 Only FIN flag is set
 Closed port responds with an RST packet

12
Windows Machines
 NULL, XMAS and FIN scans don't work on
Windows machines
 Win 2000 Pro and Win Server 2003 shows all
ports closed
 Win XP Pro all ports open/filtered
 See the NMAP tutorial (link Ch 5c)

13
Types of Port Scans
 Ping scan
 Simplest method sends ICMP ECHO
REQUEST to the destination(s)
 TCP Ping sends SYN or ACK to any port
(default is port 80 for Nmap)
 Any response shows the target is up

14
Types of Port Scans
(continued)
 ACK scan
 Used to get information about a firewall
 Stateful firewalls track connection and block
unsolicited ACK packets
 Stateless firewalls just block incoming SYN
packets, so you get a RST response
 UDP scan
 Closed port responds with ICMP “Port
Unreachable” message
 Rarely used 15
Using Port-Scanning Tools
 Nmap
 Unicornscan
 NetScanTools Pro 2004
 Nessus

16
Nmap
 Originally written for Phrack magazine
 One of the most popular tools
 GUI versions
 Xnmap and Ubuntu's NmapFE
 Open source tool
 Standard tool for security professionals

17
The Matrix Reloaded
 Trinity uses Nmap
 Video at link Ch 4e

18
Unicornscan
 Developed in 2004 for Linux & UNIX only
 Ideal for large networks
 Scans 65,535 ports in three to seven
seconds
 Optimizes UDP scanning
 Alco can use TCP, ICMP, or IP
 Free from http://unicornscan.org/ (link Ch 5f)

19
NetScanTools Pro
 Robust easy-to-use commercial tool
 Runs on Windows
 Types of tests
 Database vulnerabilities
 DHCP server discovery
 IP packets viewer
 Name server lookup
 OS fingerprinting
 Many more (see link Ch 5g)
20
21
Nessus
 First released in 1998
 Free, open source tool
 Uses a client/server technology
 Can conduct tests from different locations
 Can use different OSs for client and
network

22
Nessus (continued)
 Server
 Any *NIX platform
 Client
 Can be *NIX or Windows
 Functions much like a database server
 Ability to update security checks plug-ins
 Some plug-ins are considered dangerous
23
24
Nessus (continued)
 Finds services running on ports
 Finds vulnerabilities associated with
identified services

25
26
Conducting Ping Sweeps
 Ping sweeps
 Identify which IP addresses belong to active
hosts
 Ping a range of IP addresses
 Problems
 Computers that are shut down cannot respond
 Networks may be configured to block ICMP
Echo Requests
 Firewalls may filter out ICMP traffic

27
FPing
 Ping multiple IP addresses simultaneously
 www.fping.com/download
 Command-line tool
 Input: multiple IP addresses
 To enter a range of addresses
 -g option
 Input file with addresses
 -f option
 See links Ch 5k, 5l
28
29
Fping on Ubuntu 8.04
 sudo apt-get install fping

30
Hping2
 Used to bypass filtering devices
 Allows users to fragment and manipulate IP
packets
 www.hping.org/download
 Powerful tool
 All security testers must be familiar with tool
 Supports many parameters (command
options)
 See links Ch 5m, Ch 5n
31
hping2 on Ubuntu 8.04
 sudo apt-get install hping2
 The command below sends three SYN
packets to port 80 on the 147.144.1.2
server
 Response is SYN/ACK, as expected

32
33
34
35
Broadcast Addresses
 If you PING a broadcast address, that can
create a lot of traffic
 Normally the broadcast address ends in
255
 But if your LAN is subnetted with a subnet
mask like 255.255.255.192
 There are other broadcast addresses ending
in 63, 127, and 191

36
Smurf Attack
 Pinging a broadcast address on an old network
resulted in a lot of ping responses
 So just put the victim's IP address in the "From"
field
 The victim is attacked by a flood of pings, none of
them directly from you
 Modern routers don't forward broadcast packets,
which prevents them from amplifying smurf
attacks
 Windows XP and Ubuntu don't respond to
broadcast PINGs
 See links Ch 5o, 5p 37
Crafting IP Packets
 Packet components
 Source IP address
 Destination IP address
 Flags
 Crafting packets helps you obtain more
information about a service
 Tools
 Fping
 Hping
38
Understanding Shell Scripting
 Modify tools to better suit your needs
 Script
 Computer program that automates tasks
 Time-saving solution

39
Scripting Basics
 Similar to DOS batch programming
 Script or batch file
 Text file
 Contains multiple commands
 Repetitive commands are good candidate
for scripting
 Practice is the key

40
41

You might also like