Port Scanning Port Scanning
Total Page:16
File Type:pdf, Size:1020Kb
Internet Security ECOM 5347 lab 2 Port Scanning Port Scanning Objectives 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as nmap. Introduction: All machines connected to a LAN or connected to Internet via a modem run many services that listen at certain ports. A service is a program that waits inside a loop for a request message from a client, and acts on the request. By port scanning, one discovers which ports are available (i.e., being listened to by a service). Essentially, a port scan consists of sending a message to each port, one at a time and examining the response received. If the port is in use, it can then be probed further for weakness. Port Scanning is one of the most popular among the reconnaissance techniques attackers use. Port Scanning Terms: Port Numbers: Both UDP and TCP use source and destination port numbers in their packets; the source and destination IP addresses are provided by the underlying IP. Port numbers are an abstraction manufactured by the network layer of the operating system in accordance with the TCP/IP standards These are 16-bit unsigned numbers. The port numbers are divided into three ranges: 1- Well Known Ports (from 0 through 1023) 2- Registered Ports (from 1024 through 49151) 3- Dynamic and/or Private Ports (from 49152 through 65535). 13 Internet Security ECOM 5347 lab 2 Port Scanning Sockets: A socket is an abstraction, similar to a file descriptor, constructed by socket(). A socket so constructed is bound to an IP address and port number via the bind() call. A server program then waits for a connection via the listen(), and accept()s a connection. A socket is said to be active after the server has accepted a connection. It is connected to a remote active socket via an open data connection. Closing the connection destroys the active sockets at both endpoints. A passive socket is not connected, but rather awaits an incoming connection in the listen(), which will spawn a new active socket. A socket is not a port, though there is a close relationship between them. Each port can have a single passive socket, awaiting incoming connections, and multiple active sockets, each corresponding to an open connection on the port. Servers use bind(), listen(), and accept(). A client uses connect(). The read(), write() are used by both clients and servers. The process of connection is show in figures 1 ,2 and 3. Figure 1 14 Internet Security ECOM 5347 lab 2 Port Scanning Figure 2 Socket calls for connection-oriented communication Figure 3 Socket calls for connectionless communication 15 Internet Security ECOM 5347 lab 2 Port Scanning Open Port: A service process is listening at the port. A port is opened by the OS at the request of a specific process. The OS receives packets arriving at this port and gives the messages to the service process. If the OS receives a SYN at an open port, this is the first packet of the three way handshake. Closed Port: No process is listening at the port. If the OS receives a SYN at a closed port, an RST is sent. Filtered Port: A packet filter is listening at the port. UDP scan: Finds open UDP ports. Note that TCP and UDP both have the same port numbers, even though the OS distinguishes them as completely separate; see the file named /etc/services. The source port of UDP is an optional field. When meaningful, it indicates the port of the sending process. If it is not meaningful, a value of zero is used. UDP responds in a different manner from a TCP scan. In order to find UDP ports, the attacker generally sends empty UDP datagrams at the port. If the port is listening, the service process will send back an error message or ignore the incoming datagram. If the port is closed, then the operating system sends back an "ICMP Port Unreachable" message. Fingerprinting an OS Fingerprinting is the technique of interpreting the responses of a system in order to figure out what it is. To make this more effective, unexpected but well-chosen combinations of data are sent to the system in order to trigger unique-enough responses. This is because while most systems respond alike with correct data, they rarely respond the same way when sent unusual data. Port Scanning Tools 1. SAINT 2. nmap (zenmap) , which we discuss below. 3. nessus. 16 Internet Security ECOM 5347 lab 2 Port Scanning Nmap: The nmap port scanner (www.nmap.org) is widely known. According to its author Foydor, nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). You just can't do all this with one scanning mode. And you don't want to have 10 different scanners around, all with different interfaces and capabilities. All these scanning technique you will found in nmap. Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Uses of Nmap : While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime Nmap output : The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap 17 Internet Security ECOM 5347 lab 2 Port Scanning cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses. 18 Internet Security ECOM 5347 lab 2 Port Scanning Lab Experiment Requirements: Setup a network contains at least two machines (in the lab) or you can use software like VMware or Virtual PC to built you virtual lab (in your home). In this experiment you can use BackTrack 3 live cd to run Nmap or you can install windows version for your machine. Procedures : 1. From windows : Graphical interface: 1. From PC1 (windows xp or backtrack 3) setup nmap , in the target field type the ip address or name of the target 2. Determine the scan type according your need ; you can change scan type from profile field (each scan has different parameters and will return different results) as an example 3. Click Scan to start scanning , be patient until the result appears , the time it takes depend on the scan type. 4. Nmap output give you a summary for scanning process and other tabs give you the output in different shape. The output will be as previously discussion. 5. An example for these is shown in figure 1 Command line: Note that the previous process can be done using command line interface ; Click start, run and type the following command : Nmap [nmap switches] (ip address of the target) Example : Nmap –a –t4 192.168.1.1 The summary will appear in command line with no GUI as in figure 2 and 3. To use nmap from command line from windows need from you Compiling and Installing it to do this try http://nmap.org/book/inst-windows.html; a similar procedures found if you want to install it in linux. May someone say that nmap work with me in command line without do the compiling and installation procedure , this because of ypu are already install a self- installer version of nmap, so I recommend you to try. 2. From backtrack : Graphical interface: 1. Click start – All Applications – Backtrack – Network Mapping – choose Zenmap ; then a GUI similar to that will appear in windows appears and we use it like windows. 19 Internet Security ECOM 5347 lab 2 Port Scanning Command line: 2. Click start – All Applications – Backtrack –Network Mapping – choose Nmap ; then the shell will opened with help contains switches of nmap, usage of each one and examples. 3. you can run nmap using nmap command as examples shown in help, figure 4 shows example of port scanning on IUG website from Backtrack. Figure 1 port scanning using nmap 20 Internet Security ECOM 5347 lab 2 Port Scanning Figure 2 port scanning using command line 21 Internet Security ECOM 5347 lab 2 Port Scanning Figure 3 port scanning using command line.