
Scanning

slides (c) 2015

based on Hacking Exposed


What is Scanning?
How does it differ from footprinting?
– Footprinting did not necessarily attempt to access the target system(s) directly
Direct examination of target systems
– Determine if system is alive – network ping sweep
– Determining which services are up
– Determining OS type/version
– Determining protocol stack versions
Determining if system is alive
Popularity=10; Simplicity=9; Impact=3; Risk Rating=7

- Purpose
– Find out which IP addresses have live hosts on them
– No point in detailed examination of empty address!
- Network Ping sweep
– ARP Host discovery
– ICMP Host discovery
– OS Utilities
– Network discovery tools
– TCP/UDP Host discovery
- Ping sweep countermeasures
ARP Host discovery - 1
- Address Resolution Protocol
– Works on top of layer 2, in parallel with network layer
• Has its own ethertype value
– Needed for “plug-and-play” autoconfiguration and mobility
– Request is broadcast to all hosts on LAN
– Host with matching address is required to respond
– Attacker needs to be on same LAN
- arp-scan by NTA Monitor (nta-monitor.com/tools/arp-scan)
– Must be run as super-user
– Takes CIDR subnet address range as input
– Returns all responding hosts with IP and MAC addresses
– Includes OUI of MAC if known
- Nmap by Fyodor (nmap.org)
ARP Host discovery - 2
- Nmap by Fyodor (nmap.org)
– De facto tool of choice
• Works on Linux, Windows, Mac
– Does much more than ARP scanning
– ARP scan through -PR <CIDR address> option
– Turn off port scan using -sn option
– Reports IP address, MAC address, OUI name, and latency
- CAIN (oxid.it/cain.html)
– Windows tool
– Does much more than ARP scanning
– GUI-based tool
- Limitations of ARP scanning
– Targets on distant network segments
ICMP Host discovery - 1
- Internet Control Message Protocol (ICMP) intended uses
– Diagnostics and troubleshooting needed on the internet
– ICMP used for diagnostics, error reporting, management, etc.
- ICMP messages
– Echo request/reply (ping)
– Destination unreachable
– Source quench
– Redirect
– Time exceeded (TTL reached 0)
– Timestamp/reply (used in enumeration)
– Information request/reply
– Address mask request/reply (used in enumeration)
ICMP Host discovery - 2
- OS ping utility uses ICMP echo request/reply messages
– Host that receives a request must reply
– Can also be used in a smurf attack (using broadcast)
- Host may be configured not to respond to echo requests
– May still respond to other ICMP messages
Network discovery tools - 1
- Nmap
– Besides the ICMP ping sweep, also does ARP sweep and TCP pings
– Limit activity (to avoid detection by IDS) using -sn (no port scan), -PE (use echo request), and --send-ip (no ARP scan)
– If target is on a different subnet, --send-ip is not needed
– Individual and CIDR subnet addressing
– Gives responding host IP, MAC, OUI name, latency
– Has -PM option for address mask and -PP option for timestamp
• In case host configured to ignore ECHO REQUEST messages
Network discovery tools - 2
- hping3 and nping
– Very flexible tools
• Select flags, message types
• Spoof source address (IP and MAC)
• Set number of messages to send
– nping ships with nmap
- superscan
– Windows tool
– Free from Foundstone
– Fast ping sweep
– GUI with options for echo request, timestamp, address mask, and information request messages
– Also supports UDP and TCP port scans and more
– Can give HTML output
TCP/UDP Host discovery - 1
- Especially useful when ICMP responses are limited
- Servers provide services over network
– Must be able to take clients
– May be open through firewall
- May have to probe multiple ports to find open service
– Any response indicates host is alive
– More probing = higher visibility to IDS
- Local hosts (not servers) may also have services
– File sharing
– Remote desktop
– Management tools
– Often have local firewall
TCP/UDP Host discovery - 2
- nmap
– -sn option also includes port 80 (www)
– -Pn option for 1000 common ports
– -p <portnumber> option to specify one particular port
– --open option to suppress IP addresses that don't respond
- nping
– Also provides port scan option
– Output noisier
- superscan
– Also provides options to probe particular ports or port ranges
– Can take file with list of IP addresses to scan
Ping sweep countermeasures
- Detection
– May want to leave ICMP diagnostic abilities in place for legit use
– May want to use as “early warning” of impending attack
– Most standard network and desktop firewall tools can be configured to detect ping sweeps
– Many OS tools available for this also
– Detection does little good if nobody is watching
- Prevention
– Limit which ICMP messages will be allowed
– Limit where they will be received from/sent to
– Pingd allows handling at user level (flexible access control)
– Can prevent exchange of info by compromised system using data field in ECHO REQUEST (loki2, etc.)
Determining services that are up

Popularity=10; simplicity=10; impact=7; Risk Rating=9

- Port scanning
– Send packets to TCP and UDP ports to find listening servers
– Find live hosts
– Determine which services are open
– Help identify OS type, version
– Identify specific applications/versions of particular service
Scan Types - 1
- TCP connect scan
– Completes 3-way handshake
– Takes longer
– Can be run as regular user
- TCP SYN scan (half-open scan)
– Sends SYN, waits for SYN-ACK
– SYN-ACK = open, RST = not open (usually)
– Stealthier
– Can produce DoS attack on target
- TCP FIN scan
– Sends FIN
– Should receive RST (see RFC 793)
– Usually works on Unix-based stacks
Scan Types - 2
- TCP Xmas tree scan
– Sends FIN, URG, and PUSH TCP packet
– Should receive RST on closed ports
- TCP Null scan
– Sends TCP segment with no flags set
– Should receive RST on closed ports
- TCP ACK scan
– Sends packet with ACK set
– Helps determine firewall policies, capabilities
- TCP Window scan
– Looks at the window value (rwnd) in the RST returned in response to an ACK segment
See http://www.networkuptime.com/nmap/page3-13.shtml
- TCP RPC scan
- UDP scan
Scan Types - 3
- TCP RPC scan
– Many Unix systems implement portmapper
– Used with RPC/RMI to find services
– Server registers service with portmapper (with pgm/version)
– Client contacts portmapper to request service, gets port number
- UDP scan
– Connectionless
– Target sends ICMP “port unreachable” message if nothing is listening
– Port may be open if no error message is received
Identifying Services - 1
- TCP SYN port scan using nmap
– Use -sS option
– Use -oN <file> to save human readable output
– Use -oG <file> to save tab-delimited version
– Use -oX <file> to save XML
– -oA saves in all formats
– Lists open ports with nominal services
– -f option to fragment packets
• Some firewalls will not reassemble fragments, just pass packet
• May make it harder for IDS to detect scan
– -D option provides for decoy source addresses
• Burdens target with having to track down all scans
• Take care to use real IP addresses to avoid SYN attack DoS
– -b option to use FTP bounce scanning
• Uses older FTP servers to reflect packets
Identifying Services - 2
- SuperScan (Foundstone.com)
– Windows/GUI-based alternative to nmap
– Port scans in addition to ICMP and ARP scans
– Select port or port range to scan, and protocol
– Select special techniques for TCP, UDP
– UDP data+ICMP method
• Multiple UDP packets to a port
• May overwhelm ICMP response capability
• Very accurate, but slow
- ScanLine
– Windows/command-line tool (also Foundstone)
– Single executable
• Easier to load onto compromised system
– Many options
- Netcat (nc)
– Older, command-line tool - “Swiss army knife”
Port Scanning Countermeasures
- Detection
– IDS (e.g., Snort – snort.org)
– Unix scanlogd (openwall.com/scanlogd)
• TCP scans
– See openwall.com/scanlogd/P53-13.gz for more
– Configure firewall to detect
• Email alerts
• Use grouping to avoid DoS on email
– Attacker (Foundstone.com)
• Can monitor specific ports
• Mostly useful against naive attackers
- Prevention
– Disable all unnecessary services
– System specific
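Both the ping sweep countermeasures slide ("firewall tools can be configured to detect ping sweeps") and the port scanning countermeasures slide (IDS, scanlogd) describe the same idea: one source touching many destinations, or many ports on one destination, in a short time. This is an added illustration, not code from the slides or from scanlogd; the log line format and the thresholds are assumed, and the log lines are constructed.

```python
"""Ping-sweep and port-scan detection over constructed firewall log lines.
Added example, not from the slides. Assumed log format, one packet per line:
"<epoch> <proto> <src> -> <dst>:<dport> <flags>" ('-' dport for ICMP)."""
from collections import defaultdict

# Constructed sample: 203.0.113.5 sweeps hosts with echo requests,
# 198.51.100.9 sends SYNs to many ports on one host (not real traffic).
SAMPLE_LOG = """\
1700000000 ICMP 203.0.113.5 -> 192.0.2.1:- echo-request
1700000000 ICMP 203.0.113.5 -> 192.0.2.2:- echo-request
1700000001 ICMP 203.0.113.5 -> 192.0.2.3:- echo-request
1700000001 ICMP 203.0.113.5 -> 192.0.2.4:- echo-request
1700000002 TCP 198.51.100.9 -> 192.0.2.10:22 S
1700000002 TCP 198.51.100.9 -> 192.0.2.10:23 S
1700000003 TCP 198.51.100.9 -> 192.0.2.10:25 S
1700000003 TCP 198.51.100.9 -> 192.0.2.10:80 S
1700000003 TCP 198.51.100.9 -> 192.0.2.10:443 S
1700000005 TCP 192.0.2.50 -> 192.0.2.10:443 S
"""

def parse_line(line):
    ts, proto, src, _arrow, dst_port, flags = line.split()
    return (int(ts), proto, src, *dst_port.rsplit(":", 1), flags)

def detect(log_text, window=10, sweep_hosts=4, scan_ports=5):
    """Return alerts, each fired once when its threshold is crossed:
    ("ping_sweep", src, n): one source echo-requests >= sweep_hosts distinct
    hosts within `window` seconds; ("port_scan", src, dst, n): one source
    SYNs >= scan_ports distinct ports on one host within `window` seconds."""
    icmp_targets = defaultdict(set)   # src -> {dst}
    syn_ports = defaultdict(set)      # (src, dst) -> {dport}
    first_seen = {}                   # key -> start of its current window
    alerts = []
    for raw in log_text.splitlines():
        ts, proto, src, dst, port, flags = parse_line(raw)
        if proto == "ICMP" and flags == "echo-request":
            key, store, item = src, icmp_targets, dst
        elif proto == "TCP" and flags == "S":
            key, store, item = (src, dst), syn_ports, port
        else:
            continue  # other traffic is not part of these two signatures
        if ts - first_seen.setdefault(key, ts) > window:  # window expired
            store[key].clear()
            first_seen[key] = ts
        store[key].add(item)
        if store is icmp_targets and len(store[key]) == sweep_hosts:
            alerts.append(("ping_sweep", key, sweep_hosts))
        elif store is syn_ports and len(store[key]) == scan_ports:
            alerts.append(("port_scan", key[0], key[1], scan_ports))
    return alerts
```

The single-shot alert per threshold crossing is what "use grouping to avoid DoS on email" refers to: one notification per offending source, not one per probe.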
Detecting the OS - 1
Active OS Detection
Popularity=10; Simplicity=8; Impact=4; Risk Rating=7

- Banner grabbing (later)


- Available ports signature
– Some systems use particular ports for services
- Active Stack Fingerprinting
– Responses to probes are implementation dependent
– Multiple types of probes used to narrow field
– See insecure.org/nmap/nmap-fingerprinting-article.html

Hard to prevent, not so hard to detect


Detecting the OS - 2
Active Stack Fingerprinting Probes

- FIN probe
– Correct not to respond, but some send FIN/ACK
- Bogus flag probe (in SYN packet)
– Correct to ignore, but some set flag in SYN-ACK
- Initial Sequence Number (ISN) sampling
– Patterns may be found in ISNs for connections that depend on OS
- DF bit monitoring
– Some OSes may set DF in IP header to improve performance
- TCP initial window size
– Some systems have characteristic initial rwnd size
– Note that rwnd is indication of buffer space at receiver, set by OS
- ACK value
– May use last SN (less common) or last SN+1 (usual)
Detecting the OS - 3
- ICMP error message quenching
– Systems may limit the number of ICMP error messages (RFC 1812)
– Send UDP packets to random port, determine rate of ICMP port unreachable messages
- ICMP message quoting
– ICMP error messages include some initial portion of the offending datagram
– Amount of data included varies according to system
- ICMP error message-echoing integrity
– Some systems change IP headers quoted in ICMP error messages
- TOS on ICMP port unreachable message
– Usually TOS=0, but may vary
- Fragmentation handling
– Observe how probe packets with overlapping fragments are reassembled
- TCP options
– Which options set (e.g., RFC 793, or 1323 also) varies
Detecting the OS - 4
Passive OS Detection
Popularity=5; Simplicity=6; Impact=4; Risk Rating=5

- Less obtrusive than active OS fingerprinting


- Monitor traffic to/from target
– Requires favorable position
- Passive signatures
– TTL on outbound datagrams
– Initial window size (rwnd)
– DF (don't fragment) bit set?
– Siphon tool (packetstormsecurity.org)

Hard to prevent, hard to detect
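The passive signatures above (TTL, initial window, DF bit) can be matched without sending a packet, which is why this is hard to detect. The following is an added illustration, not code from the slides or from Siphon: the signature table is constructed for the example only (a real deployment matches against a maintained signature database), and the assumed initial TTL values are the common 32, 64, 128 and 255.

```python
"""Passive OS guess from a SYN's IP TTL, TCP window and DF bit.
Added example, not from the slides and not the Siphon tool. The signature
table is constructed for illustration only; it is not an OS database."""

# Illustrative signatures: (initial TTL, window size, DF set) -> label.
SIGNATURES = {
    (64, 29200, True): "linux-like (illustrative)",
    (128, 8192, True): "windows-like (illustrative)",
    (255, 4128, False): "network-device-like (illustrative)",
}

def initial_ttl(observed_ttl):
    """Each router hop decrements TTL by one, so round the observed value up
    to the nearest common initial TTL to recover what the sender started with."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    raise ValueError("invalid TTL")

def guess_os(observed_ttl, window, df):
    """Return {"guess", "hops", "confidence"}. An exact triple match is high
    confidence; a TTL-only match is low (window size is often tuned)."""
    start = initial_ttl(observed_ttl)
    hops = start - observed_ttl  # distance of the sender, a useful by-product
    label = SIGNATURES.get((start, window, df))
    if label is not None:
        return {"guess": label, "hops": hops, "confidence": "high"}
    ttl_only = sorted({v for (t, _, _), v in SIGNATURES.items() if t == start})
    if ttl_only:
        return {"guess": ttl_only[0], "hops": hops, "confidence": "low"}
    return {"guess": "unknown", "hops": hops, "confidence": "none"}

def classify_flows(observations):
    """observations: (src_ip, ttl, window, df) tuples -> {src_ip: guess}."""
    return {src: guess_os(ttl, win, df) for src, ttl, win, df in observations}

# Constructed sample observations (no real traffic captured).
SAMPLE_OBS = [
    ("192.0.2.10", 52, 29200, True),
    ("192.0.2.11", 116, 65535, True),
    ("192.0.2.12", 250, 4128, False),
    ("192.0.2.13", 30, 1024, False),
]
```

Run on a local capture this gives a defender a first-cut asset inventory; the low-confidence branch shows why window size alone should not drive a decision.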


Storing and Processing Scan Data
- Large amounts of data may be produced
- Desirable to have ways to sift through data, select items of interest
- Metasploit (metasploit.com)
– Postgres database for querying
– Can run nmap from metasploit
– Can import nmap output into database
– Then run queries to select desired items
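Importing into a database is one way to query scan results; the grepable output (-oG) mentioned under Identifying Services can also be sifted directly. This is an added example, not code from the slides or from Metasploit's importer; it assumes the -oG line layout "Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ..." and the sample lines are constructed.

```python
"""Sift nmap grepable (-oG) output for items of interest.
Added example, not from the slides and not Metasploit's importer. Assumes
tab-separated -oG fields with each port as port/state/proto/owner/service/rpc/version/.
The sample below is constructed, not a real scan."""
import re

SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 23/closed/tcp//telnet///\tIgnored State: filtered (997)
Host: 192.0.2.11 (db1)\tPorts: 3306/open/tcp//mysql///, 22/filtered/tcp//ssh///
Host: 192.0.2.12 ()\tStatus: Down
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)\t(.*)")

def parse_gnmap(text):
    """Return {ip: {"name": str, "ports": [(port, state, proto, service), ...]}}.
    A host may appear on several lines (Status line, Ports line); merge them."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything unexpected
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "ports": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for spec in field[len("Ports: "):].split(", "):
                parts = spec.split("/")  # port/state/proto/owner/service/rpc/version/
                entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts

def hosts_with_open(hosts, port, proto="tcp"):
    """IPs where port/proto is open: the typical 'which hosts run X' query."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p == port and s == "open" and pr == proto
                         for p, s, pr, _ in h["ports"]))

def open_service_counts(hosts):
    """How many hosts expose each service: a quick view of exposed surface."""
    counts = {}
    for h in hosts.values():
        for _, state, _, service in h["ports"]:
            if state == "open":
                counts[service] = counts.get(service, 0) + 1
    return counts
```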
