Hands-On Ethical Hacking and Network Defense
Chapter 5: Port Scanning

Objectives
• Describe port scanning
• Describe different types of port scans
• Describe various port-scanning tools
• Explain what ping sweeps are used for
• Explain how shell scripting is used to automate security tasks

Introduction to Port Scanning
• Port scanning
  • Finds out which services are offered by a host
  • Identifies vulnerabilities
• Open services can be used in attacks
  • Identify a vulnerable port
  • Launch an exploit
• Scan all ports when testing
  • Not just well-known ports

Introduction to Port Scanning (continued)
• Port-scanning programs report
  • Open ports
  • Closed ports
  • Filtered ports
  • Best-guess assessment of which OS is running

Types of Port Scans
• SYN scan
  • Stealthy scan
• Connect scan
  • Completes the three-way handshake
• NULL scan
  • Packet flags are turned off
• XMAS scan
  • FIN, PSH and URG flags are set

Types of Port Scans (continued)
• ACK scan
  • Used to get past a firewall
• FIN scan
  • Closed port responds with an RST packet
• UDP scan
  • Closed port responds with ICMP “Port Unreachable” message

Using Port-Scanning Tools
• Nmap
• Unicornscan
• NetScanTools Pro 2004
• Nessus

Nmap
• Originally written for Phrack magazine
• One of the most popular tools
• GUI version
  • Xnmap
• Open source tool
• Standard tool for security professionals

Unicornscan
• Developed in 2004
• Ideal for large networks
  • Scans 65,535 ports in three to seven seconds
• Handles port scanning using
  • TCP
  • ICMP
  • IP
• Optimizes UDP scanning
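The "Types of Port Scans" slides above describe each scan by its TCP flag combination. The script below is an added example, not from the textbook, showing how a defender turns that list into detection logic: it classifies probes in a packet log by flags and reports sources that touch many distinct ports with SYN or send any NULL, XMAS or FIN probe (flag combinations that never occur in a legitimate TCP exchange). The log format ("src dst dport flags") and the sample capture are constructed for this example, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the textbook: classify TCP probes in a packet log by
# their flag combination (the scan types listed on the slides) and report
# sources that look like port scanners. Log format is constructed for this
# example: "<src> <dst> <dport> <flags>", flags as letters S A F P U R
# (SYN ACK FIN PSH URG RST); "-" means no flags set.

# Constructed sample capture of probes against one host, 10.0.0.20.
SAMPLE_LOG='10.0.0.5 10.0.0.20 22 S
10.0.0.5 10.0.0.20 80 S
10.0.0.5 10.0.0.20 443 S
10.0.0.5 10.0.0.20 8080 S
10.0.0.9 10.0.0.20 25 -
10.0.0.9 10.0.0.20 25 FPU
10.0.0.9 10.0.0.20 139 F
10.0.0.9 10.0.0.20 445 A
10.0.0.7 10.0.0.20 80 S
10.0.0.20 10.0.0.7 80 SA
10.0.0.7 10.0.0.20 80 A'

# scan_type FLAGS -> the scan category a probe with these flags matches
scan_type() {
    case "$1" in
        -)   echo NULL ;;    # no flags at all
        FPU) echo XMAS ;;    # FIN, PSH and URG set
        F)   echo FIN ;;     # FIN without ACK never occurs in a real connection
        S)   echo SYN ;;     # SYN or connect scan (first handshake packet)
        A)   echo ACK ;;     # bare ACK: ACK scan, or the third handshake packet
        *)   echo other ;;
    esac
}

# distinct_syn_ports SRC (log on stdin) -> number of distinct ports SRC sent SYN-only probes to
distinct_syn_ports() {
    awk -v src="$1" '$1 == src && $4 == "S" { ports[$3] = 1 }
                     END { n = 0; for (p in ports) n++; print n }'
}

# anomalous_probes SRC (log on stdin) -> number of NULL, XMAS or FIN probes from SRC.
# These flag combinations are never part of a legitimate TCP exchange, so even
# one of them is worth an alert.
anomalous_probes() {
    awk -v src="$1" '$1 == src && ($4 == "-" || $4 == "FPU" || $4 == "F") { n++ }
                     END { print n + 0 }'
}

# suspicious_sources THRESHOLD (log on stdin) -> sources that either probed more
# than THRESHOLD distinct ports with SYN or sent any anomalous probe.
suspicious_sources() {
    log=$(cat)
    printf '%s\n' "$log" | awk '{ print $1 }' | sort -u | while read -r src; do
        syn=$(printf '%s\n' "$log" | distinct_syn_ports "$src")
        bad=$(printf '%s\n' "$log" | anomalous_probes "$src")
        if [ "$syn" -gt "$1" ] || [ "$bad" -gt 0 ]; then
            echo "$src syn_ports=$syn anomalous=$bad"
        fi
    done
}

# Stand-alone run: 10.0.0.7 completes a normal handshake and is not reported.
printf '%s\n' "$SAMPLE_LOG" | suspicious_sources 3
```

A bare ACK is deliberately not counted as anomalous: it is the third packet of every normal handshake, which is exactly why the ACK scan on the slide is useful for slipping past a stateless firewall. Catching it needs connection state (an ACK with no preceding SYN), which this flag-only script does not keep.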
NetScanTools Pro 2004
• Robust, easy-to-use commercial tool
• Supported OSs
  • *NIX
  • Windows
• Types of tests
  • Database vulnerabilities
  • E-mail account vulnerabilities
  • DHCP server discovery
  • IP packets and name servers

Nessus
• First released in 1998
• Open source tool
• Uses a client/server technology
• Conducts testing from different locations
• Can use different OSs for client and network

Nessus (continued)
• Server
  • Any *NIX platform
• Client
  • Can be UNIX or Windows
• Functions much like a database server
• Ability to update security checks plug-ins
  • Scripts
  • Some plug-ins are considered dangerous

Nessus (continued)
• Finds services running on ports
• Finds vulnerabilities associated with identified services

Conducting Ping Sweeps
• Ping sweeps
  • Identify which IP addresses belong to active hosts
  • Ping a range of IP addresses
• Problems
  • Computers that are shut down cannot respond
  • Networks may be configured to block ICMP Echo Requests
  • Firewalls may filter out ICMP traffic

FPing
• Ping multiple IP addresses simultaneously
• www.fping.com/download
• Command-line tool
• Input: multiple IP addresses
  • Entered at a shell
    • -g option
  • Input file with addresses
    • -f option

Hping
• Used to bypass filtering devices
• Allows users to fragment and manipulate IP packets
• www.hping.org/download
• Powerful tool
  • All security testers must be familiar with this tool
• Supports many parameters (command options)

Crafting IP Packets
• Packet components
  • Source IP address
  • Destination IP address
  • Flags
• Crafting packets helps you obtain more information about a service
• Tools
  • Fping
  • Hping

Understanding Shell Scripting
• Modify tools to better suit your needs
• Script
  • Computer program that automates tasks
  • Time-saving solution

Scripting Basics
• Similar to DOS batch programming
• Script or batch file
  • Text file
  • Contains multiple commands
• Repetitive commands are good candidates for scripting
• Practice is the key

Summary
• Port scanning
  • Also referred to as service scanning
  • Process of scanning a range of IP addresses
  • Determines what services are running
• Port scan types
  • SYN
  • ACK
  • FIN
  • UDP
  • Others: Connect, NULL, XMAS

Summary (continued)
• Port-scanning tools
  • Nmap
  • Nessus
  • Unicornscan
• Ping sweeps
  • Determine which computers are “alive”
• Shell scripting
  • Helps with automating tasks
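The "FPing" and "Scripting Basics" slides are served by one added example below, not from the textbook: a small shell script that automates the repetitive parts of a ping sweep. It builds the address list that fping's -f option reads, then parses fping's output into a list of live hosts and a summary, the kind of "text file with multiple commands" the scripting slides describe. The fping output is constructed for this example (real fping prints "<addr> is alive" and "<addr> is unreachable" lines in this form), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the textbook: a small shell script around a ping
# sweep, in the spirit of the "Scripting Basics" slides. It builds the address
# list that fping -f reads, and parses fping's output into a list of live hosts
# and a summary. The fping output below is constructed; real fping prints
# "<addr> is alive" / "<addr> is unreachable" lines in this form.

# Constructed fping output for a sweep of 10.0.0.1-10.0.0.5.
SAMPLE_FPING='10.0.0.1 is alive
10.0.0.2 is unreachable
10.0.0.3 is alive
ICMP Host Unreachable from 10.0.0.1 for ICMP Echo sent to 10.0.0.4
10.0.0.4 is unreachable
10.0.0.5 is alive'

# address_range PREFIX FIRST LAST -> one address per line (PREFIX.FIRST .. PREFIX.LAST),
# suitable as the input file for "fping -f"
address_range() {
    i=$2
    while [ "$i" -le "$3" ]; do
        echo "$1.$i"
        i=$((i + 1))
    done
}

# alive_hosts (fping output on stdin) -> addresses fping reported alive
alive_hosts() {
    awk '$2 == "is" && $3 == "alive" { print $1 }'
}

# sweep_summary (fping output on stdin) -> "alive=N unreachable=M".
# "unreachable" does not prove a host is down: it may be switched off, or ICMP
# may be blocked by a firewall, both problems the slides list for ping sweeps.
sweep_summary() {
    awk '$2 == "is" && $3 == "alive"       { a++ }
         $2 == "is" && $3 == "unreachable" { u++ }
         END { printf "alive=%d unreachable=%d\n", a, u }'
}

# Stand-alone run. Against a real network the middle step would be
#   address_range 10.0.0 1 5 > targets.txt && fping -f targets.txt > sweep.out
# and sweep.out would be piped into the two parsers instead of SAMPLE_FPING.
address_range 10.0.0 1 5
printf '%s\n' "$SAMPLE_FPING" | alive_hosts
printf '%s\n' "$SAMPLE_FPING" | sweep_summary
```

The parsers match on the "is alive" / "is unreachable" words rather than on the address column, so fping's extra diagnostic lines (the "ICMP Host Unreachable" line in the sample) are ignored instead of being miscounted as hosts.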