Internet Security

Scanning

Overview

Art of Port Scanning

Various Scanning Techniques
OS Fingerprinting
Nmap - Introduction
Nmap with Linux and Windows
Basic Commands and Operations
Useful Scanning Techniques

Art of Port Scanning

Scanning is the first phase of active
hacking and is used to locate target
systems or networks for later attack
Enumeration is the follow-on step once
scanning is complete and is used to identify
computer names, usernames, and shares
Scanning and enumeration are discussed
together in this chapter because many
hacking
tools
perform
both
steps
simultaneously

 Scanning is the process of locating systems

that are alive and responding on the network.
Ethical hackers use scanning to identify
target systems IP addresses.
Scanning is also used to determine whether a
system is on the network and available.
Scanning
tools
are
used
to
gather
information about a system such as IP
addresses, the operating system, and
services running on the target computer.

 Table 3.1 lists the three types of

scanning.

Port Numbers
An abstraction of the OS + Net Stds
Part of UDP and TCP packets
UDP and TCP port numbers are disjoint
Typical to use the same port number for both UDP
and TCP service
E.g., 80/TCP and 80/UDP for www

16-bit unsigned integer

Well Known Ports (0 .. 1023)
Registered Ports (1024 .. 49151)
Dynamic and/or Private Ports (49152 .. 65535).
http://www.iana.org/assignments/ port-numbers

Well Known: 0 - 1023

Only root-privileged programs are allowed
to open these ports.
Examples

ftp-data 20/udp
ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
Time 37/tcp
Time 37/udp
Whois 43/tcp
Imap 143/tcp

Registered: 1024 ..49151

Ordinary programs/users can use
these
shockwave2 1257/tcp Shockwave 2
shockwave2 1257/udp Shockwave 2
x11 6000-6063/tcp X Window System
x11 6000-6063/udp X Window
System

Dynamic/Private: 49152 ..
65535
Ordinary programs can use these

State of a Port
Open
A service process is listening at the port. The
OS receives packets arriving at this port and
gives the messages to the service process. If
the OS receives a SYN at an open port, this is
the first packet of the three way handshake.

Closed
No process is listening at the port. If the OS
receives a SYN at a closed port, an RST is sent.

Filtered
A packet filter is listening at the port.
Mateti, Port Scanning

10

FTP Bounce Scan

A port scanner can exploit this to scan
TCP ports form a proxy ftp server.
Connect to an FTP server behind a
firewall, and then scan ports that are
more likely to be blocked.
If the ftp server allows reading from and
writing to a directory (such as
/incoming), you can send arbitrary data
to ports that you do find open.
Mateti, Port Scanning

11

FTP Bounce Scan

Take advantage of a vulnerability of FTP
protocol.
Requires support for proxy ftp connections.
For example, evil.com can establish a control
communication connection to FTP server-PI
(protocol interpreter) of target.com.
Then it is able to request the server-PI to
initiate an active server-DTP (data transfer
process) to send a file anywhere on the
Internet.
Mateti, Port Scanning

12

FTP Bounce Scan

Use the PORT command (of FTP) to declare
that our passive user-DTP is listening on
the target box at a certain port number.
LIST the current directory, and the results
is sent over the server-DTP channel.
If our target host is listening on the port,
the transfer will be successful.
Otherwise, connection will be refused.
Then issue another PORT command to try
the next port on the target.
Mateti, Port Scanning

13

FTP Bounce Scan

Advantages
Harder to trace
Potential to bypass firewalls.

Disadvantages
Slow
Many FTP servers have (finally) disabled
the proxy feature.

Mateti, Port Scanning

14

Scanning Methodology

 Sample Exercise

 Scan Types

Refferensi
Prabhaker Mateti
McClure S., Joel S. Hacking Exposed
5th .
Graves Kimberly. Certified Ethical
Hacker. Study Guide. Wiley
Publishing.Inc.

Selesai .