Week 5 Port Scanning Based On NMAP

This document discusses various techniques for port scanning networks, including TCP connect, SYN, ACK, FIN, ICMP ping, UDP ping, and FTP bounce scans. It describes how each scan type identifies open, closed, and filtered ports. TCP connect scans complete the three-way handshake to determine if a port is open, while SYN and FIN scans avoid completing the handshake to be more stealthy. UDP scans are more difficult since there are no acknowledgments for open ports. Port scanning can be detected by rapid scans to different ports, logs of incomplete connections, or firewall logs.

Port Scanning

(based on nmap tool)


Lecture – 5

NETW4006-Lecture05 Part 2 1
Content

 Definition
 Port Numbers
 TCP 3 Way-handshake
 Different Port Scanning Types
 Detecting Scan

Port Scanning
 Attackers: reconnaissance technique to discover
available services/open ports
 send a packet to different ports
 response indicates state of ports
 open, closed, filtered
 the form of the response also reveals information about the system, e.g. its OS
(fingerprinting)

Port Numbers
part of the addressing information used to identify the senders and
receivers of messages (0- 65535)

 TCP/UDP: source & destination port numbers


 16-bit unsigned integer
 0 to 1023: well known (ftp=21, telnet=23)
 1024 to 49151: registered
 49152 to 65535: others – dynamic / private ports
 Most often used for ephemeral (short-lived) connections;
usually for TCP source ports

Well Known Ports
 Listed by the Internet Assigned Numbers Authority (IANA), historically
operated at the Information Sciences Institute (ISI); IANA is responsible for
global coordination of the DNS root, IP addressing and Internet protocol resources
 Binding a listener to a well-known port requires root privilege on UNIX systems
 List: http://www.iana.org/assignments/port-numbers
 Example:
ftp 21/tcp File Transfer [Control]
ftp 21/udp File Transfer [Control] # Jon Postel
ssh 22/tcp SSH Remote Login Protocol
ssh 22/udp SSH Remote Login Protocol # Tatu Ylonen
telnet 23/tcp Telnet
Registered Ports
1024 - 49151
 Listed by IANA, as a convenience to reduce
any port number conflicts
 Used by ordinary user processes or
programs executed by ordinary users
 Example:
shockwave2 1257/tcp Shockwave2

Other Ports
(Dynamic/Private 49152 - 65535)
 Private and/or dynamic ports.
 Used by ordinary programs.
 Commonly used for ephemeral (short-lived)
ports.
 Most commonly for source ports on outgoing
connections.

TCP 3Way-Handshake
 TCP handshaking technique to open connections: SYN, SYN/ACK, ACK
 Two systems can each initiate connections independently of each other;
every handshake negotiates exactly one connection.
 Description
 Host A sends a TCP SYNchronize packet → Host B
 Host B receives A's SYN
 Host B sends SYN/ACK → Host A
 Host A receives B's SYN/ACK
 Host A sends ACKnowledge → Host B
 Host B receives ACK
 → TCP connection is established.
 TCP tracks the state of a connection with the SYN and ACK flags and the
sequence numbers they carry
 Once connected, TCP hands off to the application for data transfer and
communication
 (Reference: http://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml)
TCP connect() Scan
 Uses the connect() call that the operating system provides to
initiate a normal TCP connection to a remote
device (full 3-way handshake)
 No special privileged access needed: any user
can use it.
 TCP connect scan is often logged by the target host's
service, because the connection is actually established.

TCP connect() Scan
 Closed Port:
 SYN answered with RST/ACK, exactly like the TCP
SYN scan

 Open Port:
 completes the TCP
3-way handshake (3WHS).
 Then closes the connection (RST).
Figures taken from [4]: http://www.networkuptime.com/nmap/index.shtml
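The connect() scan described above, as an added example that is not part of the original lecture: a loopback target service (constructed here, standing in for a real daemon) records every completed handshake, so the listing shows both why the scan needs no privileges and why the target's service log sees it. The "filtered" branch cannot be exercised on the loopback interface; it is the timeout path a real dropped probe would take.

```python
import socket
import threading
import time

HOST = "127.0.0.1"  # everything below runs against the loopback interface


def start_target_service():
    """Constructed stand-in for a target service: a TCP listener on an ephemeral port
    that records the peer address of every completed handshake, the way a real
    service's log records a connect() scan."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    service_log = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return  # listener closed
            service_log.append(peer)  # "connection from <ip>:<port>" in a real log
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], service_log


def closed_port():
    """Pick a port with no listener: bind to an ephemeral port, then release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """TCP connect() scan: the OS performs the full three-way handshake, so no raw
    sockets or privileges are needed, but every open port sees a real connection."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # SYN -> SYN/ACK -> ACK completes inside connect()
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"     # the SYN was answered with RST/ACK
        except socket.timeout:
            results[port] = "filtered"   # no answer at all: probe or reply was dropped
        finally:
            s.close()                    # tear the connection down again
    return results


def run_demo():
    """Scan one open and one closed loopback port; return the two states and how
    many connections the target service logged."""
    srv, open_port, service_log = start_target_service()
    closed = closed_port()
    results = connect_scan(HOST, [open_port, closed])
    deadline = time.time() + 2.0         # let the listener thread record the accept
    while len(service_log) < 1 and time.time() < deadline:
        time.sleep(0.01)
    srv.close()
    return results[open_port], results[closed], len(service_log)


if __name__ == "__main__":
    print(run_demo())  # ('open', 'closed', 1)
```

The third value is the point of the slide: one entry in the target's log for one open port, produced by the scanner's own address, which a connect() scan cannot spoof because it has to finish the handshake.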
TCP SYN Scan/Half-Open Scan
 Send a SYN packet and wait for a response;
a SYN/ACK indicates the port is listening.
If a SYN/ACK is received, send an RST to
tear down the connection immediately (no final ACK, so no connection is ever established)
 Requires root privileges to create the raw SYN packet
 Often not logged by the service: the 3WHS is never completed

TCP SYN Scan/Half-Open Scan
 Closed Port:
 RST/ACK in reply to the SYN, no difference from the TCP
connect scan

 Open Port:
 SYN/ACK: port is open
 scanner answers the SYN/ACK with RST

TCP ACK Scan
 A bare TCP ACK (random sequence number, no SYN) is sent to the destination port
 If the port is unfiltered (open or closed alike), the host returns RST;
if the port is filtered, there is no response (or an ICMP unreachable error) to the ACK
 Cannot tell open from closed; useful to see whether a firewall is stateful
(tracks connections) or a simple packet filter
 Requires privileged access to build the raw packet; otherwise fall back to a TCP
connect() probe
 Port 80 is used by default for the ACK ping in host discovery:
 a filtered port and a dead host then look the same

ICMP Ping Scan
 ICMP echo (ping) request to the destination IP address
 If an ICMP echo reply (pong) is received, the station is
active
 If no response: the station is not active, or the connection is
filtered
 ICMP does not have a notion of port numbers; it has types
and codes

ICMP Echo & TCP ACK
 ICMP echo request + TCP ACK (to port 80) sent together
 A response to either one means the system is alive; the ACK probe still works
where ICMP is blocked, as long as port 80 is not filtered

TCP FIN Scan
 Send a FIN (finish) packet without a preceding SYN
 For when trying to hide from SYN loggers
 Requires root privileges to create the raw TCP packet
 A FIN may be dropped by a firewall or passed through:
 a dropped probe gives no reply, which is indistinguishable from an open port (open|filtered)

TCP FIN Scan
 Closed Port:
 Reply with RST

 Open Port:
 No reply to FIN (RFC 793 behaviour; some stacks, notably Microsoft
Windows, send RST regardless, so every port then looks closed)

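The SYN, ACK and FIN scans above all rest on one thing the slides only name: a "raw" TCP segment whose flags the scanner chooses itself. As an added example (not part of the lecture), the block below builds such a 20-byte header with a correct checksum, decodes the reply flags, and maps probe type plus reply to the port states the three slides describe. The builder and classifier run anywhere; `raw_probe` actually sends the segment and needs root or CAP_NET_RAW, which is exactly why the slides say these scans require privileges. The source address `10.0.0.1` and target `10.0.0.2` in the usage are made up.

```python
import random
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # TCP flag bits


def ones_complement_sum(data):
    """Internet checksum (RFC 1071): ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024):
    """Build a bare 20-byte TCP header with the given flags: SYN for a half-open scan,
    ACK for an ACK scan, FIN for a FIN scan. The kernel never sees a connection."""
    offset_words = 5                                           # header length / 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         offset_words << 4, flags, window, 0, 0)
    csum = ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]  # checksum at offset 16


def tcp_flags(segment):
    """Flag byte of a TCP header (offset 13)."""
    return segment[13]


def tcp_ports(segment):
    return struct.unpack("!HH", segment[:4])


def classify(probe_flags, reply_flags):
    """Probe type + flags of the reply (None = silence) -> nmap's port state names."""
    if probe_flags == SYN:
        if reply_flags is None:
            return "filtered"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        return "closed" if reply_flags & RST else "unknown"
    if probe_flags == ACK:                   # only tells filtered from unfiltered
        if reply_flags is None:
            return "filtered"
        return "unfiltered" if reply_flags & RST else "unknown"
    if probe_flags == FIN:                   # silence is ambiguous: open, or dropped
        if reply_flags is None:
            return "open|filtered"
        return "closed" if reply_flags & RST else "unknown"
    raise ValueError("unsupported probe type")


def raw_probe(src_ip, dst_ip, dport, probe_flags, timeout=2.0):
    """Send one crafted segment and wait for the matching reply. Needs root/CAP_NET_RAW.
    For a SYN probe our own kernel answers the SYN/ACK with RST, which is the
    teardown the half-open scan slide describes."""
    sport = random.randint(49152, 65535)     # ephemeral source port
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    s.settimeout(timeout)
    s.sendto(build_tcp_segment(src_ip, dst_ip, sport, dport, probe_flags), (dst_ip, 0))
    try:
        while True:
            pkt, (peer, _) = s.recvfrom(65535)  # raw socket hands back the IP header too
            ihl = (pkt[0] & 0x0F) * 4
            tcp = pkt[ihl:]
            if peer == dst_ip and tcp_ports(tcp) == (dport, sport):
                return classify(probe_flags, tcp_flags(tcp))
    except socket.timeout:
        return classify(probe_flags, None)
    finally:
        s.close()


if __name__ == "__main__":                   # as root: raw_probe("10.0.0.1", "10.0.0.2", 80, SYN)
    seg = build_tcp_segment("10.0.0.1", "10.0.0.2", 40000, 80, SYN)
    print(len(seg), hex(tcp_flags(seg)), tcp_ports(seg))
```

Verifying a segment is cheap: summing the pseudo-header and the finished header, checksum field included, must give 0, which is the check a receiving stack performs before it even looks at the flags.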
FTP Bounce Scan
 Idea: connect to an FTP server that sits behind a firewall,
then use it to scan ports of other hosts that the firewall
would otherwise block
 Uses an FTP vulnerability: the server acts as a proxy for the data connection
 Advantages: no privileges required, harder to trace, potential to
bypass firewalls
 Disadvantages: requires a third host (the FTP server) as proxy;
must be logged in, either anonymous or as a user; slow; many FTP servers
have disabled the proxy feature
 User sends a PORT command to the FTP server that redirects the
data connection towards a different host/port!
 User can also send arbitrary data to open ports
 Defence: don't let your FTP server open data connections to hosts other
than the client; many FTP servers disable proxying for this reason
 This technique can be generalized to e.g. SMTP (spam relaying)
FTP Bounce Scan

 Closed Port:
 Send PORT (IP address + port)
+ LIST (launches the data connection)
(or PUT to send arbitrary data)
 FTP server can't build the data connection (425 reply)

 Open Port:
 FTP transfer is
completed (150 followed by 226)

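The bounce exchange above, as an added example with both sides of the protocol (not part of the lecture, and not a real FTP implementation): a constructed mock FTP server that still honours PORT to a third-party address and really tries the data connection on LIST, and a client that drives PORT/LIST per target port and reads the reply code. Everything runs on the loopback interface; the login `anonymous`/`nmap@` and the directory listing the server sends are made up.

```python
import socket
import threading

HOST = "127.0.0.1"


def port_argument(ip, port):
    """Encode host and port as the h1,h2,h3,h4,p1,p2 argument of the FTP PORT command."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def parse_port_argument(arg):
    f = [int(x) for x in arg.split(",")]
    return ".".join(str(x) for x in f[:4]), (f[4] << 8) | f[5]


def start_mock_ftp_server():
    """Constructed FTP server with the proxy behaviour the bounce scan abuses:
    it opens the data connection wherever the last PORT pointed. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)

    def handle(conn):
        rf = conn.makefile("rb")
        conn.sendall(b"220 mock FTP ready\r\n")
        target = None
        for raw in rf:
            cmd, _, arg = raw.decode().strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                conn.sendall(b"331 Password required\r\n")
            elif cmd == "PASS":
                conn.sendall(b"230 Logged in\r\n")
            elif cmd == "PORT":
                target = parse_port_argument(arg)   # no check that it is the client's own address
                conn.sendall(b"200 PORT command successful\r\n")
            elif cmd == "LIST":
                try:
                    data = socket.create_connection(target, timeout=1.0)
                except OSError:
                    conn.sendall(b"425 Can't build data connection\r\n")  # target port closed
                    continue
                conn.sendall(b"150 Opening data connection\r\n")
                try:
                    data.sendall(b"drwxr-xr-x 2 ftp ftp 4096 Jan 01 00:00 pub\r\n")
                except OSError:
                    pass
                data.close()
                conn.sendall(b"226 Transfer complete\r\n")
            elif cmd == "QUIT":
                conn.sendall(b"221 Goodbye\r\n")
                break
            else:
                conn.sendall(b"500 Unknown command\r\n")
        conn.close()

    def accept_loop():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(c,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def bounce_scan(ftp_host, ftp_port, target_ip, ports):
    """Scan target_ip through the FTP server: PORT aims the data connection at each
    target port, LIST makes the server try it, the reply code gives the state."""
    c = socket.create_connection((ftp_host, ftp_port), timeout=5.0)
    rf = c.makefile("rb")

    def command(line):
        c.sendall(line.encode() + b"\r\n")
        return rf.readline().decode().rstrip()

    rf.readline()                                   # 220 banner
    command("USER anonymous")
    command("PASS nmap@")
    states = {}
    for port in ports:
        if not command("PORT " + port_argument(target_ip, port)).startswith("200"):
            states[port] = "unknown"                # server refuses third-party PORT
            continue
        reply = command("LIST")
        if reply.startswith("150"):
            rf.readline()                           # 226 after the transfer
            states[port] = "open"
        elif reply.startswith("425"):
            states[port] = "closed"
        else:
            states[port] = "unknown"
    command("QUIT")
    c.close()
    return states


def run_demo():
    """Bounce-scan one open and one closed loopback port; return their states."""
    ftp_port = start_mock_ftp_server()
    tgt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tgt.bind((HOST, 0))
    tgt.listen(5)
    open_port = tgt.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((HOST, 0))
    closed = tmp.getsockname()[1]
    tmp.close()
    states = bounce_scan(HOST, ftp_port, HOST, [open_port, closed])
    tgt.close()
    return states[open_port], states[closed]
```

The one line that makes the server exploitable is the PORT handler storing the address without comparing it to the client's own; a server that rejects a PORT whose address differs from the control connection's peer turns every target port into "unknown" and the bounce scan stops working.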
UDP Scan
 Scan is more difficult
 No ACK from open ports: UDP has no handshake
 Most hosts send an ICMP Port Unreachable error
when you send a packet to a closed UDP port.
 Reading the ICMP packets with a raw socket requires root privileges
 Can find out if the system is alive
 If ICMP is filtered, there is no response to the UDP ping

UDP Ping Scan
 Closed Port:
 UDP ping:
if ICMP Port Unreachable comes back, the
system is alive (and that port is closed)

 Open Port:
 If no response: assume the remote system is unavailable.
 Could be incorrect because UDP applications don't
necessarily send a response to empty requests (the port is really open|filtered)

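The UDP scan and UDP ping slides above, as an added example that is not part of the lecture. It probes three constructed loopback targets: a closed port, a silent service that ignores empty datagrams (the false "unavailable" case the slide warns about) and a service that answers. It avoids the root requirement for reading ICMP by using a connected UDP socket, on which Linux reports the ICMP Port Unreachable for that peer as ECONNREFUSED; that substitution for a raw ICMP socket is mine, not the slides'.

```python
import socket
import threading

HOST = "127.0.0.1"


def udp_probe(host, port, payload=b"", timeout=1.0):
    """One UDP probe. On a connected UDP socket the kernel delivers the ICMP
    port-unreachable for this peer as ECONNREFUSED, so no raw socket is needed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.connect((host, port))
    try:
        s.send(payload)                  # an empty datagram is what a bare UDP ping sends
        s.recv(2048)
        return "open"                    # an application answered
    except ConnectionRefusedError:
        return "closed"                  # ICMP Port Unreachable came back
    except socket.timeout:
        return "open|filtered"           # silence: silent service, or probe/ICMP dropped
    finally:
        s.close()


def start_udp_service(reply):
    """Constructed target service on an ephemeral UDP port. reply=True echoes every
    datagram; reply=False is a service that ignores empty requests."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(2048)
            except OSError:
                return
            if reply:
                srv.sendto(b"echo:" + data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def run_demo():
    """Probe a closed port, a silent service and an answering service; return the
    three states in that order."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind((HOST, 0))
    closed = tmp.getsockname()[1]
    tmp.close()
    silent, silent_port = start_udp_service(reply=False)
    chatty, chatty_port = start_udp_service(reply=True)
    try:
        return (udp_probe(HOST, closed),
                udp_probe(HOST, silent_port, timeout=0.5),
                udp_probe(HOST, chatty_port, payload=b"hello"))
    finally:
        silent.close()
        chatty.close()


if __name__ == "__main__":
    print(run_demo())  # ('closed', 'open|filtered', 'open')
```

The middle result is the slide's caveat in one line: the silent service is up and listening, yet the probe only learns "open|filtered". Sending a protocol-specific payload (a DNS query to 53, an SNMP request to 161) is how a scanner turns that into a definite "open", and it is the reason the answering service above needs a non-empty payload to be recognised.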
Other Scan Techniques
 Stealth scan: refers to scanning techniques
that can avoid being logged
 fragmented packets, SYN scanning, FIN
scanning, scanning slowly, etc.
 identd protocol: gives the username of the owner
of the process connected via TCP
 Connect to the http port (80) + query identd to learn which user the server runs as
 Ident (aka auth) protocol use is uncommon
Detect Scan
 Rapid scan detected: several packets rapidly sent to
different ports from the same source
 SYN to a closed port
 Port scan logged by the services/applications
 Firewall log scanning

A detector can inform us that we have been port
scanned, but the source address may have been
spoofed.

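The detection slide above, as an added example that is not part of the lecture: the two detectable symptoms it lists, many distinct ports from one source in a short time and SYNs to ports the firewall blocks, run over a small log. The log format (`seconds src dst dport proto flags action`) and every address in it are constructed for this example and are not any firewall product's format. The detector goes one step beyond the slide by showing what the "scan slowly" stealth technique from the previous slide does to a short detection window.

```python
from collections import defaultdict

# Constructed firewall-style log, one line per packet seen by a filter in front of
# 192.0.2.10. Three sources: a fast scanner, a normal web client, and a slow scanner
# that probes one port per minute.
SAMPLE_LOG = """\
100.00 203.0.113.9 192.0.2.10 21 tcp SYN drop
100.01 203.0.113.9 192.0.2.10 22 tcp SYN accept
100.02 203.0.113.9 192.0.2.10 23 tcp SYN drop
100.03 203.0.113.9 192.0.2.10 25 tcp SYN drop
100.04 203.0.113.9 192.0.2.10 80 tcp SYN accept
100.05 203.0.113.9 192.0.2.10 110 tcp SYN drop
100.06 203.0.113.9 192.0.2.10 143 tcp SYN drop
100.07 203.0.113.9 192.0.2.10 443 tcp SYN accept
120.00 198.51.100.4 192.0.2.10 443 tcp SYN accept
125.00 198.51.100.4 192.0.2.10 443 tcp SYN accept
130.00 198.51.100.4 192.0.2.10 80 tcp SYN accept
200.00 198.51.100.77 192.0.2.10 21 tcp SYN drop
260.00 198.51.100.77 192.0.2.10 22 tcp SYN accept
320.00 198.51.100.77 192.0.2.10 23 tcp SYN drop
380.00 198.51.100.77 192.0.2.10 25 tcp SYN drop
440.00 198.51.100.77 192.0.2.10 80 tcp SYN accept
500.00 198.51.100.77 192.0.2.10 110 tcp SYN drop
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, flags, action = line.split()
        events.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                       "proto": proto, "flags": flags, "action": action})
    return events


def detect_scans(events, window=10.0, min_ports=5):
    """Flag a source that touches at least min_ports distinct ports on one host within
    `window` seconds. Sliding window per (src, dst); the alert reports the densest
    window and how many of its SYNs went to ports the firewall dropped."""
    per_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_pair[(e["src"], e["dst"])].append(e)
    alerts = {}
    for (src, dst), evs in per_pair.items():
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                          # slide the window forward
            chunk = evs[start:end + 1]
            ports = {x["dport"] for x in chunk}
            if len(ports) >= min_ports and (best is None or len(ports) > best["distinct_ports"]):
                best = {"target": dst,
                        "distinct_ports": len(ports),
                        "syn_to_blocked": sum(x["action"] == "drop" for x in chunk),
                        "span_seconds": round(chunk[-1]["ts"] - chunk[0]["ts"], 2)}
        if best:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(detect_scans(evs))                 # only the fast scanner
    print(detect_scans(evs, window=600.0))   # the slow scanner appears as well
```

With the 10-second window only 203.0.113.9 is flagged; the slow scanner at one probe per minute never has more than one event in any window and only shows up when the window is stretched to ten minutes, at the cost of more state per source. The slide's closing caveat applies to the flagged address itself: a SYN, FIN or ACK probe can carry a spoofed source because the scanner never has to complete the handshake, so the address in the alert identifies the sender only for connect()-style scans.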