College of Engineering & CS
Wright State University
Dayton, Ohio 45435-0001
Port Scanning is one of the most popular reconnaissance techniques attackers use to discover services they can break into. All machines connected to a LAN or connected to Internet via a modem run many services that listen at well-known and not so well-known ports. By port scanning the attacker finds which ports are available (i.e., being listened to by a service). Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed further for weakness.
The various techniques in scanning are summarized below. A full understanding of these depends on understanding IP filtering and other firewall techniques. So re-read this chapter afterwards.
As you know, public IP addresses are controlled by world-wide registrars, and are unique globally. Port numbers are not so controlled, but over the decades certain ports have become standard for certain services. The port numbers are unique only within a computer system. Port numbers are 16-bit unsigned numbers. The port numbers are divided into three ranges: the Well Known Ports (0..1023), the Registered Ports (1024..49151), and the Dynamic and/or Private Ports (49152..65535).
All the operating systems now honor the tradition of permitting only the
super-user open the ports numbered 0 to 1023. These well-known ports (also
called standard ports) are assigned to services by the IANA (Internet Assigned
Numbers Authority, www.iana.org).
On Unix, the text file named
/etc/ services (on Windows 2000 the
%windir%\ system32\ drivers\ etc\ services) lists these
service names and the ports they use. Here are a few lines extracted from
echo 7/tcp Echo ftp-data 20/udp File Transfer [Default Data] ftp 21/tcp File Transfer [Control] ssh 22/tcp SSH Remote Login Protocol telnet 23/tcp Telnet domain 53/udp Domain Name Server www-http 80/tcp World Wide Web HTTPAttempts to open a port in the range of 0..1023 by an unprivileged user program will fail. A user program can open any unallocated port higher than 1023.
By a non-standard port, we simply mean a port whose number is higher than 1023. In this range also, several services are "standard." For example,
wins 1512/tcp # Microsoft Windows Internet Name Service radius 1812/udp # RADIUS authentication protocol yahoo 5010 # Yahoo! Messenger x11 6000-6063/tcp # X Window System
Some malicious program have spread so wide that there are several collections of port numbers known to have been used by these.
The simplest port scan tries (i.e., sends a carefully constructed packet with a chosen destination port number) each of the ports 0..65535 on the victim to see which ones are open.
TCP connect(): The connect() system call provided by an OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn't reachable.
Strobe A strobe does a narrower scan, only looking for those services the attacker knows how to exploit. The name comes from one of the original TCP scanning programs, though now virtually all scanning tools include this feature.
ident protocol allows for the disclosure of the username of
the owner of any process connected via TCP, even if that process didn't initiate
the connection. So, e.g., one can connect to port 80 and then use
to find out whether the HTTP server is running as root.
Port scanners scan a host rapidly by firing off packets at different ports. So, scanning very slowly (taking a day or more) becomes a stealth technique.. Another stealth scanning technique is "inverse mapping", where you try to find out all hosts on a network by generating "host unreachable" ICMP-messages for those IPs that do not exist. Since these messages may be generated by any TCP/IP packet one may send meaningless packets (e.g. RST packets sent without any previous packet).Fragmented packets The scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules. Some packet filters and firewalls do queue all IP fragments (e.g., the CONFIG _IP _ALWAYS _DEFRAG option in Linux enables it in the kernel), but many networks cannot afford the performance loss caused by the queuing.
SYN scanning: This technique is also called half-open scanning, because a TCP connection is not completed. A SYN packet is sent (as if we are going to open a connection), and the target host responds with a SYN+ACK, this indicates the port is listening, and an RST indicates a non- listener. The server process is never informed by the TCP layer because the connection did not complete.
FIN scanning: The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports. The scanner sends a FIN packet, which should close a connection that is open. Closed ports reply to a FIN packet with a RST. Open ports, on the other hand, ignore the packet in question. This is required TCP behavior. If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, silence indicates the presence of a service at the port. However, since packets can be dropped accidentally on the wire or blocked by firewalls, this isn't a very effective scan.
Other techniques that have been used consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans, and it becomes important to identify the OS and even its version and patch level.
SOCKS is a system that allows multiple machines to share a common Internet connection. The reason that attackers scan for this is because a large percentage of users misconfigure SOCKS.
Many products support SOCKS. A typical product for home users is WinGate, which is installed on a single machine that actually connects to the Internet. All the other machines within the home connect to the Internet through the machine running WinGate.
A misconfigured SOCKS permits arbitrary the sources and destinations. Just as it allows internal machines access to the Internet, it will allow external machines to access the internal home network. Most importantly, it may allow a attacker access to other Internet machines through your system. This allows the attacker to hide his/her true location.
IRC chat servers will often scan clients for open SOCKS servers. They will kick off such people with a message indicating how to fix the problem. If you receive such a message, then you can check the client to see if it is a WinGate bot performing such a check. A false-positive may occur if an application is temporarily unavailable. In this case, it will look like your internal machines are "attacking" the SOCKS server.
FTP bounce scanning takes advantage of a vulnerability of the FTP
protocol itself. It requires support for proxy ftp connections. This
bouncing through an FTP server hides where the attacker comes from. This
technique is similar to IP spoofing in that it hides where the attacker comes
from. For example,
evil.com establishes a control connection to the
FTP server-PI (protocol interpreter) of
target.com . Then
request that the server-PI initiate an active server-DTP (data transfer process)
to send a file anywhere on the Internet.
A port scanner can exploit this to scan TCP ports from a proxy ftp server. Thus you could connect to an FTP server behind a firewall, and then scan ports that are more likely to be blocked (e.g., port 139). If the ftp server allows reading from and writing to a directory (such as /incoming), you can send arbitrary data to ports that you do find open. Our technique is to use the PORT command (of FTP) to declare that our passive user-DTP is listening on the target box at a certain port number. Then we try to LIST the current directory, and the result is sent over the server-DTP channel. If our target host is listening on the specified port, the transfer will be successful (generating a 150 and a 226 response). Otherwise we will get "425 Can't build data connection: Connection refused." Then we issue another PORT command to try the next port on the target host. The advantages to this approach are obvious (harder to trace, potential to bypass firewalls). The main disadvantages are that it is slow, and that some FTP server implementations have finally disabled the proxy "feature".Finger: Most finger servers allow commands to be forwarded through them. Finger supports recursive queries. A query such as "rob@foo@bar" will ask "bar" to resolve "rob@foo", causing "bar" to query "foo". This technique can be used to hide the original source of the request.
E-mail: Spammers try to relay their spam through SMTP servers. As a result, probes for SMTP are commonly seen by machines on the Internet.
SOCKS Allows almost any protocol to be tunneled through the intermediate machine. As a result, attackers probing for SOCKS is common scan seen on the Internet.
HTTP proxy: Most web servers support proxying so that all web traffic can be directed to a single server for filtering as well as caching to improve performance. A lot of these servers are misconfigured to allow proxying of any request from the Internet, allowing attackers to relay attacks against web-sites through a third party. Probes for HTTP proxies is one of the more common scans seen today.
IRC BNC: Attackers love to hide their IRC identities by bouncing their connections through other machines. A particular program called "BNC" is used for this purpose on compromised machines.
Port scanning usually means scanning for TCP ports, which are connection-oriented and therefore give good feedback to the attacker. UDP responds in a different manner. In order to find UDP ports, the attacker generally sends empty UDP datagrams. If the port is listening, the service should send back an error message or ignore the incoming datagram. If the port is closed, then most operating systems send back an "ICMP Port Unreachable" message. Thus, you can find out if a port is NOT open, and by exclusion determine which ports are open. Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives). Also, this scanning technique is slow because of compensation for machines that implement the suggestions of RFC 1812 and limit ICMP error message rate. For example, the Linux kernel limits destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded.
Some people think UDP scanning is lame and pointless -- not so.
Consider the recent Solaris
rpcbind hole (Sun Microsystems
Security Bulletin Bulletin Number: #00167, April 8, 1998).
can be found hiding on an undocumented UDP port somewhere above 32770. So it
doesn't matter that port 111 is blocked by the firewall. But can you find which
of the more than 30,000 high ports it is listening on? With a UDP scanner you
write() scanning: While non-root
users cannot read port unreachable errors directly, Linux informs the user
indirectly when they have been received. For example, a second write() call to a
closed port will usually fail. A lot of scanners, e.g.,
and pscan.c (written by email@example.com,
Jan 22, 1995), do this. Note also that
recvfrom() on non-blocking
UDP sockets usually return the error EAGAIN ("Try Again") if the ICMP
error hasn't been received, and ECONNREFUSED ("Connection refused") if
This isn't really port scanning, since ICMP does not have a port abstraction. But it is sometimes useful to determine what hosts in a network are up by pinging them all. ICMP scanning can be done in parallel, so it can be quite fast.
Fingerprinting is the technique of interpreting the responses of a system in order to figure out what it is. Unusual combinations of data are sent to the system in order to trigger these responses. Systems respond the same with correct data, but they rarely respond the same way for wrong data.
There are three security audit tools that stand out: SAINT,
and nessus. Of these,
nmap is clearly and primarily a port
scanner; so it is discussed here. SAINT and nessus are discussed in the
chapter on Security Audit.
nmap is a widely known port scanner written by Foydor.
According to its author, "
nmap is a utility for port scanning
large networks, although it works fine for single hosts. The guiding philosophy
for the creation of
nmap was TMTOWTDI (There's More Than One Way To
Do It). This is the Perl slogan, but it is
equally applicable to scanners. Sometimes you need speed, other times you may
need stealth. In some cases, bypassing firewalls may be required. Not to mention
the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.).
You just can't do all this with one scanning mode. And you don't want to have 10
different scanners around, all with different interfaces and capabilities. Thus
I incorporated virtually every scanning technique I know into
Part of the lab experiment is based on
Writing a non-stealth scan detector is straightforward in Unix,
in which you open a SOCK_RAW, make the protocol type IPPROTO_IP, then call
and capture the packets and analyze them. Discovering stealth scans
requires kernel level work. One signature that could be used for detecting
port scans is "several packets to different destination ports from the same
source address within a short period of time". Another such signature could
be "SYN to a non-listening port". Obviously, there are many other ways
to detect port scans.
Remember that an attacker might also be IP source address
spoofing. So a detector can inform us that we have been port-scanned but
not necessarily where from. However, port scanners sometimes leak extra
information that can be used to tell something about the real origin of a
spoofed port scan. For example, if the packets we receive have an IP TTL of 255
at our end, we know for sure that they're being sent from our local network
regardless of what the source address field says. However, if TTL is 250, we can
only tell that the attacker was no more than 5 hops away, we cannot tell how far
exactly she was for sure. Starting TTL and source port numbers can also give us
a hint of what port scanner type (for "stealth" scans) or
operating system (for full TCP connection scans) is used by the attacker. We can
never be sure though. For example,
nmap sets TTL to 255 and source
port to 49724, while Linux kernel sets TTL to 64.
In the context of this lab experiment, it is worth reproducing a few paragraphs from the SAINT manuals:
It is generally considered to be very rude and anti-social behavior to scan someone else's hosts or networks without the explicit permission of the owner. Always ask if it'd be okay to scan outside of your own networks.
Being a very unfriendly neighbor
Please be considerate and smart; unauthorized scanning of your
Internet neighbors, even if you think you're doing them a favor, can be seen as
a serious transgression on your part, and could engender not only ill will or
bad feelings, but legal problems as well.
Attacking vs. probing vs. scanning
Attacking vs. probing vs. scanningWhat is an attack, or a probe, or a scan? It's not always clear, especially as system administrators are getting more savy and aware of the enormous amount of traffic present on the Internet. For instance, is a finger from a remote site an attack? Without knowing any of the motivations involved, it can't be ascertained. "Finger wars", or two sites that use the "tcp wrappers" or similar software that will automatically finger a remote site that connects to it can bring down hosts inadvertently.
Be aware that many of the probes will generate messages on the console or set off various alarms on the remote target, however, so you should be aware of the potential for false alarms and accusations that might be leveled against you.
Objective: Deliberately misconfigure certain services on a machine. Run a port scanner productively on another machine and discover the vulnerabilities of the first.
All work should be carried out in Operating Systems and Internet Security (OSIS) Lab, 429 Russ. Use any of the PCs numbered 19 to 30. No other WSU facilities are allowed.
nmapare installed on all machines in the lab. Local copies of portsentry, and zonealarm are located in the anonymous FTP area on the machine
Cocke. osis. cs. wright. edu.Download these into your Zip disk. Among these files ZoneAlarm is a self-install executable for Windows NT/2000; the others are for Linux.
portsentry. Save the executables onto your zip disk. You will be using these on P1.
nmapfe on P0 to probe all ports on P1 and P2.
This article has been pieced together from the materials on the site http://advice.networkice.com/,
and from the documentation of
Ron Gula, How to Handle and Identify Network Probes, April 1999, www.securitywizards.com [Local Copy] Required Reading.
nmap/ hobbit.ftpbounce.txt Reference.
nmap-fingerprinting-article.html Required Reading.
|06/29/01 01:28:54 PM|
|Open Content Copyright © 2001 firstname.lastname@example.org|