Hands-On Ethical Hacking and Network Defense, Second Edition

Chapter 5
Port Scanning

Objectives
• After reading this chapter and completing the exercises, you will be able to:
  – Describe port scanning and types of port scans
  – Describe port-scanning tools
  – Explain what ping sweeps are used for
  – Explain how shell scripting is used to automate security tasks

Introduction to Port Scanning
• Port scanning
  – Finds which services are offered by a host
  – Identifies vulnerabilities
• Open services can be used in attacks
  – Identify a vulnerable port and launch an exploit
• Scans all ports when testing
  – Not just well-known ports

Figure 5-1 The AW Security Port Scanner interface

Introduction to Port Scanning (cont’d.)
• Port-scanning programs report:
  – Open ports
  – Closed ports
  – Filtered ports
  – Best-guess running OS

Types of Port Scans
• SYN scan
  – Stealthy scan
• Connect scan
  – Completes the three-way handshake
• NULL scan
  – Packet flags are turned off
• XMAS scan
  – FIN, PSH, and URG flags are set

Types of Port Scans (cont’d.)
• ACK scan
  – Used to get past a firewall
• FIN scan
  – Closed port responds with an RST packet
• UDP scan
  – Closed port responds with an ICMP “Port Unreachable” message

Using Port-Scanning Tools
• Port-scanning tools
  – Hundreds available
  – Not all are accurate
• Be familiar with a variety
• Practice often
• Some tools include:
  – Nmap
  – Unicornscan
  – Nessus and OpenVAS

Nmap
• Originally written for Phrack magazine
  – One of the most popular tools
  – New features frequently added
• GUI front end
  – Zenmap
• Standard tool for security professionals
  – Command: nmap 193.145.85.201
    • Scans every port on the computer with this IP address

Figure 5-2 The Nmap help screen

Unicornscan
• Developed to assist with large network tests
  – Ideal for large-scale endeavors
  – Scans 65,535 ports in three to seven seconds
• Handles port scanning using:
  – TCP
  – ICMP
  – IP
• Optimizes UDP scanning

Nessus and OpenVAS
• Nessus
  – First released in 1998
  – No longer under the GPL license
    • Still available for download
• OpenVAS
  – Open-source fork of Nessus
  – Performs complex queries while the client interfaces with the server
  – Capable of updating security check plug-ins
    • Security test programs (scripts)

Figure 5-3 OpenVAS with a safe checks warning

Figure 5-4 OpenVAS discovers a vulnerability

Conducting Ping Sweeps
• Ping sweeps
  – Identify which IP addresses belong to active hosts
    • Ping a range of IP addresses
• Problems
  – Shut-down computers cannot respond
  – Networks may be configured to block ICMP Echo Requests
  – Firewalls may filter out ICMP traffic

FPing
• Pings multiple IP addresses simultaneously
• Accepts a range of IP addresses
  – Entered at a command prompt
  – File containing multiple IP addresses
• Input file
  – Usually created with a shell-scripting language

Figure 5-5 Fping parameters

Figure 5-6 Results of an Fping command

Hping
• Used to:
  – Perform ping sweeps
  – Bypass filtering devices
• Allows users to inject modified IP packets
• Powerful tool
  – All security testers must be familiar with this tool
  – Supports many parameters

Figure 5-7 Hping help, page 1

Figure 5-8 Hping help, page 2

Figure 5-9 Hping help, page 3

Crafting IP Packets
• Packet components
  – Source IP address
  – Destination IP address
  – Flags
• Helps obtain information about a service
• Tools:
  – Hping
  – Fping

Understanding Scripting
• Modify tools to better suit your needs
• Customized scripts
  – Automate tasks
  – Save time
  – Require basic programming skills

Scripting Basics
• Similar to DOS batch programming
• Script or batch file
  – Text file
  – Contains multiple commands
• Repetitive commands
  – Good candidates for scripting
• Practice is the key

Table 5-1 Summary of vi commands

Figure 5-10 A shell script
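Added example, not Figure 5-10 or any script from the book: a POSIX shell script that builds the kind of address list fping reads from a file (the chapter's point that the input file is usually created with a shell script) and then summarizes fping-style output to list which hosts answered. The 192.168.1.0/24 range, the file names hosts.txt and sweep.txt, and the sample output lines are constructed for this example; fping's -f option reads targets from a file.

```shell
#!/bin/sh
# Added example (not Figure 5-10 from the book): build the address list that
# fping reads from a file, then summarize fping-style output. The network
# 192.168.1.0/24, the file names and the sample output are constructed.

# gen_hosts PREFIX FIRST LAST -> prints PREFIX.FIRST .. PREFIX.LAST, one per
# line. gen_hosts 192.168.1 1 254 covers every host address in a /24.
gen_hosts() {
    prefix=$1
    i=$2
    last=$3
    while [ "$i" -le "$last" ]; do
        echo "$prefix.$i"
        i=$((i + 1))
    done
}

# Constructed sample of what 'fping -f hosts.txt' prints: one verdict per host.
# Hosts that are powered off, or that sit behind a device dropping ICMP Echo
# Requests, show up as unreachable even when they are on the network.
SAMPLE_FPING_OUTPUT='192.168.1.1 is alive
192.168.1.2 is unreachable
192.168.1.10 is alive
192.168.1.254 is unreachable'

# live_hosts -> only the addresses fping reported alive, in the order seen.
live_hosts() {
    printf '%s\n' "$SAMPLE_FPING_OUTPUT" | awk '$3 == "alive" { print $1 }'
}

# count_live -> number of live hosts in the sample output.
count_live() {
    live_hosts | wc -l | tr -d ' '
}

# Sweep of a network you administer (fping must be installed; -f reads the
# target list from a file, and unreachable verdicts go to stderr):
#   gen_hosts 192.168.1 1 254 > hosts.txt
#   fping -f hosts.txt > sweep.txt 2>&1
# then set SAMPLE_FPING_OUTPUT=$(cat sweep.txt) before calling live_hosts.
echo "Sample sweep: $(count_live) live host(s)"
live_hosts
```

The address generator is a plain counting loop so it works in any POSIX sh, and the summary is an awk one-liner keyed on the third word of each fping line, which is the only part of the output the sweep needs.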
Summary
• Port scanning (i.e., service scanning)
  – Scanning a range of IP addresses
  – Determines running services
• Port scan types
  – SYN
  – ACK
  – FIN

Summary (cont’d.)
• Port-scanning tools
  – Nmap
  – Nessus
  – OpenVAS
  – Unicornscan
• Ping sweeps
  – Determine which computers are “live”
• Scripts
  – Automate time-consuming tasks
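Added example, not from the book: a POSIX shell function that maps the TCP flag combination carried by a probe packet to the scan types this chapter describes (SYN, connect, NULL, XMAS, ACK, FIN), plus a helper that counts how many scan-shaped probes a given source sent in a packet log. It is written from the defender's side, as a way to recognize scan traffic in a capture. The single-letter flag notation (S, A, F, P, U, R, with "none" for no flags) and the sample log lines are constructed for this example; UDP scans carry no TCP flags and are not covered.

```shell
#!/bin/sh
# Added example (not from the book): recognize the scan types from Chapter 5
# by the TCP flag combination a probe carries. Flag letters are S=SYN, A=ACK,
# F=FIN, P=PSH, U=URG, R=RST and "none" means no flag set; this notation and
# the sample log below are constructed for the example.

# classify_tcp_flags FLAGS -> prints the chapter's scan type whose probe
# looks like this, or "normal traffic or other" for anything else.
classify_tcp_flags() {
    case $1 in
        none) raw="" ;;
        *)    raw=$1 ;;
    esac
    # Sort the letters so "UPF" and "FPU" compare equal.
    flags=$(printf '%s' "$raw" | fold -w1 | LC_ALL=C sort | tr -d '\n')
    case $flags in
        '')  echo "NULL scan (no flags set)" ;;
        S)   echo "SYN scan or connect scan (SYN only)" ;;
        F)   echo "FIN scan (FIN only)" ;;
        A)   echo "ACK scan (ACK only)" ;;
        FPU) echo "XMAS scan (FIN, PSH, URG)" ;;
        *)   echo "normal traffic or other ($1)" ;;
    esac
}

# Constructed packet summary, one probe per line: "source destination:port flags".
SAMPLE_LOG='10.0.0.5 10.0.0.9:22 S
10.0.0.5 10.0.0.9:23 S
10.0.0.5 10.0.0.9:80 FPU
10.0.0.5 10.0.0.9:443 none
10.0.0.5 10.0.0.9:25 F
10.0.0.7 10.0.0.9:80 S
10.0.0.7 10.0.0.9:80 PA'

# count_scan_probes SRC -> how many probes from SRC match a scan signature.
# A lone SYN is an ordinary connection attempt; the signal is one source
# sending scan-shaped probes to many different ports, as 10.0.0.5 does above.
count_scan_probes() {
    n=0
    while read -r src dst flags; do
        [ "$src" = "$1" ] || continue
        case "$(classify_tcp_flags "$flags")" in
            normal*) ;;
            *) n=$((n + 1)) ;;
        esac
    done <<EOF
$SAMPLE_LOG
EOF
    echo "$n"
}

for src in 10.0.0.5 10.0.0.7; do
    echo "$src: $(count_scan_probes "$src") scan-style probe(s)"
done
```

The XMAS and NULL signatures are the easiest to spot because no normal TCP segment carries FIN+PSH+URG or no flags at all; the SYN, ACK and FIN cases only become meaningful when the same source repeats them across many ports, which is what the per-source count is for.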