Abstract: This lecture introduces the techniques of port scanning that an attacker may use to discover vulnerable services on an Internet host. We also describe a lab experiment based on the port scanning audit tool nmap.
All machines connected to a LAN run many services that listen at certain ports. A service is a process that waits/listens inside a loop for a request message from a client, and acts on the request. By port scanning, one discovers which ports are available (i.e., being listened to by a service). Essentially, a port scan consists of sending a packet to each port, one at a time, and examining the response received. If the port is in use, it can then be probed further for weakness.
Port scanning is one of the most popular reconnaissance techniques attackers use. The various scanning techniques are summarized in the book by Fyodor (see References). A full understanding of these depends on understanding IP filtering and other firewall techniques, so re-read this chapter after studying those.
Port scanning usually, but not always, means scanning for TCP ports, which are connection-oriented and therefore give good feedback to the attacker.
Port Numbers: Both UDP and TCP use source and destination port numbers in their packets; the source and destination IP addresses are provided by the underlying IP. Port numbers are an abstraction manufactured by the network layer of the operating system in accordance with the TCP/IP standards. These are 16-bit unsigned numbers. The port numbers are divided into three ranges: (i) the Well Known Ports (from 0 through 1023), (ii) the Registered Ports (from 1024 through 49151), and (iii) the Dynamic and/or Private Ports (from 49152 through 65535). The authoritative list is at http://www.iana.org/assignments/port-numbers, and the file typically stored as /etc/services is a subset of it. Search the Web for current lists of port numbers used by Trojan programs.
Sockets: A socket is an abstraction, similar to a file descriptor, constructed by socket(). A socket is bound to an IP address and a port number via the bind() call. The server process then waits for a connection via the listen(), and accept()s a connection. A client uses connect(). The read(), write() are used by both clients and servers. A socket is said to be active after the server has accepted a connection. Closing the connection destroys the active sockets at both end points. A passive socket is not connected; it awaits an incoming connection in the listen(), which will spawn a new active socket. Each port can have a single passive socket, and multiple active sockets.
Open Port: A service process is listening at the port. A port is opened by the OS at the request of a specific process. The OS receives packets arriving at this port and gives the messages to the service process.
Closed Port: No process is listening at the port. The OS, of course, can detect "arrivals". If the OS receives a SYN packet at a closed port, an RST packet may be sent. The OS can be configured to log this.
Filtered Port: A packet filter (such as a firewall) intercepts packets sent to the port, so the scanner gets no response that tells it whether a service is listening.
UDP scan: Finds open UDP ports. Note that TCP and UDP use the same port number space, even though the OS keeps them completely separate; see Port Numbers above. The source port of UDP is an optional field. A UDP scan elicits responses of a different kind than a TCP scan. In order to find UDP ports, the attacker generally sends empty UDP datagrams to the port. If the port is open, the service process will send back an error message or ignore the incoming datagram. If the port is closed, then the operating system typically sends back an "ICMP Port Unreachable" message.
Sweep: Scans one port number on a lot of machines.
SOCKS is a system targeted at the home Windows PC user that allows multiple machines to share a common Internet connection. The reason that attackers scan for this is because a large percentage of users misconfigure SOCKS.
The problem with SOCKS is that the source and destination addresses are not carefully checked. A misconfigured host will allow external machines to access the internal home network, and also it may allow an attacker access to other Internet machines. This allows the attacker to hide his/her true location.
Many IRC chat servers scan connecting clients for open SOCKS servers. They disconnect such clients with a message indicating how to fix the problem.
The ability to hide their tracks is important to attackers. Therefore, attackers scour the Internet looking for systems they can bounce their attacks through. Here are some examples.
Finger used to be a standard service on Unix machines. Most finger servers allow commands to be forwarded through them, because finger supports recursive queries. A query such as "rob@foo@bar" will ask machine "bar" to resolve "rob@foo", causing "bar" to query "foo".
When a file is requested from an FTP server S, the client process specifies the IP address and port number of the recipient of that file. This should be the address of the client machine C, and the port that the client has prepared to receive the file. But, the IP address can be any system, say B, on the Internet. For example, a spammer can previously upload a file containing e-mail messages to S, then cause S to transfer them to B, an SMTP server. B then sends them out to the recipients.
One problem with port scanning, from the perspective of the attacker, is that it is easily logged by services listening at the ports because they see an incoming connection, but no data, so they log an error. Stealth scan techniques (hope to) avoid this.
The TCP half-open scan, also known as a SYN scan, only sends the SYN packet of the TCP three-way handshake and then does not proceed with the third packet of the handshake. This stops the service from ever being notified of the incoming connection.
On receiving erroneous packets, open ports will likely send back different error messages than closed ports. The most common of these scans is the FIN scan which sends the TCP FIN packet even though no connection was established earlier. If the port is closed, an RST is sent. If the port is open, the OS may silently drop the incoming packet (does not respond), if the SEQ/ACK numbers are incorrect. Therefore, no response indicates an open port. However, since packets can be dropped accidentally on the wire or by firewalls, this is not a very effective scan.
XMAS scan: All flags in the TCP packet are "lit up" (set). NULL scan: None of the bits are set. There is no standard response to these scans, and over many scans the attacker can catalog the OS the target host is running.
Fingerprinting is the technique of interpreting the responses of a system in order to figure out what it is. To make this more effective, unexpected but well-chosen packets are sent to the system in order to trigger unique-enough responses. This is because while most systems respond alike with correct data, they rarely respond the same way when sent unusual data. See Required Reading below.
There are several network security audit tools, commercial as well as open source. Of these, nmap is clearly and primarily a port scanner; so it is discussed here.
The nmap port scanner (www.nmap.org) is widely known. According to its author Fyodor, "nmap is a utility for port scanning large networks, although it works fine for single hosts. The guiding philosophy for the creation of nmap was TMTOWTDI (There's More Than One Way To Do It). This is the slogan of Perl scripting language, but it is equally applicable to scanners. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). You just can't do all this with one scanning mode. And you don't want to have 10 different scanners around, all with different interfaces and capabilities. Thus I incorporated virtually every scanning technique I know into nmap."
Writing a non-stealth scan detector is straightforward in UNIX: open a raw socket (SOCK_RAW) with protocol type IPPROTO_IP, then call recvfrom() in a loop to capture the packets and analyze them.
Discovering stealth scans requires kernel level work. One heuristic used for detecting port scans is "several packets to different destination ports from the same source address within a short period of time". Another such signature could be "SYN to a non-listening port". Obviously, there are many other ways to detect port scans.
Remember that an attacker might also be spoofing the IP source address. So a detector can inform us that we have been port-scanned but not necessarily where from. However, port scanners sometimes leak extra information that can be used to tell something about the real origin of a spoofed port scan. For example, if the packets we receive have an IP TTL of 255 at our end, we know for sure that they are being sent from our local network regardless of what the source address field says. However, if TTL is 250, we can only tell that the attacker was no more than 5 hops away. Starting TTL and source port number(s) can also give us a hint of what port scanner type (for "stealth" scans) or operating system (for full TCP connection scans) is used by the attacker. We can never be sure though. For example, nmap sets TTL to 255 and source port to 49724, while an OS may set TTL to 64.
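The two heuristics above (several distinct destination ports from one source in a short time, and bounding the attacker's hop distance from the received IP TTL) carried out in code. This is an added example, not part of the original lecture or of nmap; the sensor records, the one-second window and the four-port threshold are constructed, and the TTL bound assumes the sender started from one of the common initial TTLs 64, 128 or 255, which generalizes the 255-only reasoning in the text.

```python
import re
from collections import defaultdict

# Constructed sample sensor records (not from the page): "<seconds> <source IP> <dst port> <IP TTL>"
SAMPLE_LOG = """\
0.00 10.0.0.7 22 64
0.10 10.0.0.7 80 64
0.20 10.0.0.7 443 64
0.30 10.0.0.7 8080 64
1.00 203.0.113.9 25 250
9.00 192.168.1.20 23 255
9.05 192.168.1.20 21 255
9.10 192.168.1.20 5900 255
9.15 192.168.1.20 2049 255
"""

LINE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+)\s+(\d+)\s+(\d+)$")

def parse_records(text):
    """Turn the sensor text into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"t": float(m.group(1)), "src": m.group(2),
                            "port": int(m.group(3)), "ttl": int(m.group(4))})
    return records

def hop_bound(ttl, initials=(64, 128, 255)):
    """Upper bound on hops travelled, assuming the sender started at the smallest
    common initial TTL not below the observed value: 255 -> 0 (local network), 250 -> 5."""
    start = min(i for i in initials if i >= ttl)
    return start - ttl

def detect_sweeps(records, window=1.0, min_ports=4):
    """Flag a source that probes >= min_ports distinct destination ports within
    any 'window'-second span (the heuristic quoted in the text)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    alerts = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["t"])
        for i, first in enumerate(rs):
            ports = {r["port"] for r in rs[i:] if r["t"] - first["t"] <= window}
            if len(ports) >= min_ports:
                alerts[src] = {"ports": sorted(ports), "max_hops": hop_bound(first["ttl"])}
                break
    return alerts
```

The hop bound is only as good as the initial-TTL assumption; a spoofed source address is still not revealed, only constrained.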
Objective: Deliberately misconfigure certain services on a machine. Run a port scanner productively on another machine and discover the vulnerabilities of the first.
All work should be carried out in Operating Systems and Internet Security (OSIS) Lab, 429 Russ. Use any of the PCs numbered 19 to 30. No other WSU facilities are allowed.
In the context of this lab experiment, it is worth reproducing a few paragraphs from the SAINT manuals:
Being a very unfriendly neighbor

It is generally considered to be very rude and anti-social behavior to scan someone else's hosts or networks without the explicit permission of the owner. Always ask if it would be okay to scan their networks. Please be considerate and smart; unauthorized scanning of your Internet neighbors, even if you think you're doing them a favor, can be seen as a serious transgression on your part, and could engender not only ill will or bad feelings, but legal problems as well.
Attacking vs. probing vs. scanning

What is an attack, or a probe, or a scan? It's not always clear, especially as system administrators are getting more savvy and aware of the enormous amount of traffic present on the Internet. For instance, is a finger from a remote site an attack? Without knowing any of the motivations involved, it can't be ascertained. "Finger wars", or two sites that use the "tcp wrappers" or similar software that will automatically finger a remote site that connects to it, can bring down hosts inadvertently.
Be aware that probes often generate messages on the console or set off various alarms on the remote target. Be aware of the potential for accusations that might be leveled against you.
Read about nmap; see References below.
This article has been pieced together from the materials on the web, and from the documentation of nmap. This work was supported in part by NSF DUE-9951380. Figures are not mine; downloaded from a website; thanks.