Outline
What is Scanning?
A method of gathering information about the devices running on a network
Typically used to discover the services or servers present on a network
Which hosts are up?
Which services are offered?
Why Scanning?
Network security assessment
nmap
A well-known, free security scanner
Written by Fyodor (http://insecure.org/nmap/)
First released Sept 1, 1997 in Phrack 51, "The Art of Port Scanning" (http://www.phrack.org/issues.html?issue=51)
Many updates since then:
OS Detection (http://www.phrack.org/issues.html?issue=54&id=9#article)
Version scanning
ARP Scanning
Version 5.00 as of this doc
Usage:
nmap [scan types] [options] <host or net>
Why nmap
An excellent tool
Long history of development and support
Continuous development and improvements
Industry-standard port scanner
nmap features
Host Discovery: Which hosts are alive?
Identifying computers on a network, for example listing the computers which respond to pings (Ping Sweeps)
Host Discovery
Querying multiple hosts using this method is referred to as a ping sweep
Host Discovery : ICMP Sweeps
Technique
Send an ICMP ECHO request (ICMP type 8)
If an ICMP ECHO reply (ICMP type 0) is received: the target is alive
No response: the target is assumed down (or ICMP is filtered on the path; silence is not proof that the host is down)
Pros & Cons
Easy to implement
Fairly slow, easy to block
[Figure: Scanner sends an ICMP ECHO request to Target; an ECHO reply means the host is alive, no response otherwise]
Host Discovery : Non-ECHO ICMP
ICMP type 13 messages (TIMESTAMP) query the current time of the target
A type 14 (TIMESTAMP reply) shows the host is alive even where ECHO is filtered (nmap -PP)
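The ECHO and TIMESTAMP probes from the two slides above, as an added example that is not part of the original slides or of nmap. It builds both request types with a correct RFC 1071 checksum, simulates the target's replies so it runs offline (the reply bytes are constructed by the make_*_reply helpers, not captured), and classifies what comes back; putting the probes on the wire needs a raw socket and root, which is deliberately left out.

```python
"""ICMP host-discovery probes: ECHO (type 8 -> reply 0) and TIMESTAMP (type 13 -> reply 14).

Added example, not from the slides or nmap: it builds the probes, simulates the
target's replies and checks them. Sending requires a raw socket (root) and is
left out so that everything here runs offline.
"""
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message.
    A message whose checksum field is already correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _finish(body: bytes) -> bytes:
    """Fill in the checksum field (bytes 2-3) of a message built with it zeroed."""
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def build_echo_request(ident: int, seq: int, payload: bytes = b"demo") -> bytes:
    """Type 8, code 0, identifier/sequence so replies can be matched to our probe."""
    return _finish(struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq) + payload)


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """Type 13: originate/receive/transmit timestamps (ms since midnight UTC);
    only 'originate' is filled in by the sender."""
    return _finish(struct.pack("!BBHHHIII", TIMESTAMP_REQUEST, 0, 0, ident, seq,
                               originate_ms, 0, 0))


def classify_reply(packet: bytes, ident: int):
    """'alive' for a well-formed ECHO or TIMESTAMP reply carrying our identifier,
    otherwise None. No packet at all means 'down or filtered', never proof of down."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return None
    itype, _code, _csum, pid, _seq = struct.unpack("!BBHHH", packet[:8])
    if pid != ident:
        return None
    if itype == ECHO_REPLY:
        return "alive"
    if itype == TIMESTAMP_REPLY and len(packet) >= 20:
        return "alive"
    return None


def timestamp_fields(packet: bytes):
    """(originate, receive, transmit) from a TIMESTAMP reply: the host's clock leaks here."""
    return struct.unpack("!III", packet[8:20])


# --- simulated target, used only so the example runs without a network ---
def make_echo_reply(request: bytes) -> bytes:
    """Target copies id/seq/payload back with type 0 (constructed reply)."""
    return _finish(bytes([ECHO_REPLY]) + request[1:2] + b"\x00\x00" + request[4:])


def make_timestamp_reply(request: bytes, receive_ms: int, transmit_ms: int) -> bytes:
    """Target echoes originate, fills receive/transmit with its own clock, type 14 (constructed)."""
    return _finish(bytes([TIMESTAMP_REPLY]) + request[1:2] + b"\x00\x00" + request[4:12]
                   + struct.pack("!II", receive_ms, transmit_ms))


if __name__ == "__main__":
    req = build_echo_request(0x1234, 1)
    print(classify_reply(make_echo_reply(req), 0x1234))   # alive
    ts = build_timestamp_request(0x1234, 2, 36000000)
    print(timestamp_fields(make_timestamp_reply(ts, 36000010, 36000011)))
```

The identifier check matters in practice: a sweep sends many probes at once, and only replies carrying our identifier should mark a host alive; a reply with a bad checksum or a foreign identifier is ignored rather than counted.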
Host Discovery : TCP Sweeps
Host Discovery : UDP Sweeps
nmap Host Discovery summary
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
-sU: UDP Scan
(These are the nmap 5.00 option names; later releases renamed -sP to -sn and -PN to -Pn, and still accept the old spellings)
Port Scanning
To determine which services are running, i.e. which ports are in the LISTENING state
Port Scanning : TCP Connect Scan
Uses the basic TCP connection establishment mechanism: completes the 3-way handshake
Easy to detect by inspecting the system log, because the listening application accepts the connection and may log it
Open port: Scanner sends SYN, Target replies SYN/ACK, Scanner sends ACK
Closed port: Scanner sends SYN, Target replies RST/ACK
Port Scanning : TCP SYN scan
Does not establish a complete connection (half-open scanning)
Send a SYN packet and wait for a response
If a SYN/ACK is received => the port is LISTENING; immediately tear down the connection by sending a RST
If a RST/ACK is received => a non-LISTENING port
No response after retries (or an ICMP unreachable error) => nmap reports the port as filtered
Open port: Scanner sends SYN, Target replies SYN/ACK, Scanner sends RST
Closed port: Scanner sends SYN, Target replies RST/ACK
Port Scanning : Stealth Scan
Goal: gather information about target sites while avoiding detection
Try to hide among normal network traffic
Not logged by the logging mechanism (stealth)
Techniques
Flag probe packets (also called inverse mapping)
A response is sent back only by a closed port
By determining which services do not exist, an intruder can infer which services do exist
Slow scan rate
Difficult to detect => needs a long history of logs
CERT reported this technique in CERT Incident Note IN-98.04
http://www.cert.org/incident_notes/IN-98.04.html
Port Scanning : Stealth Mapping
RFC 793 behaviour for packets that arrive in the wrong state:
Closed ports: reply with a RST packet to wrong-state packets
Open ports: ignore the packet in question (no response)
Technique: send a probe that is out of state and watch for the RST
A FIN probe, with only the FIN TCP flag set
An XMAS probe, with the FIN, URG and PUSH flags set (nmap -sX); some tools set every flag
A NULL probe, with no TCP flags set
Open (or filtered) port: probe packet sent, no response
Closed port: probe packet sent, RST/ACK comes back
Caveat: Microsoft Windows and some other stacks send RST regardless of port state, so these scans report every port as closed against them
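The port-state rules from the SYN scan slide and the stealth mapping slide, as one added example that is not nmap's code or part of the original slides. It decodes a raw TCP header, classifies a port from the target's reply (or from silence) for the SYN, FIN, NULL and Xmas probes, and builds the RST a SYN scanner sends to tear down the half-open connection. The reply segments are constructed with build_tcp_header, not captured, and the TCP checksum is left at zero because it needs the IP pseudo-header.

```python
"""Port state from the target's reply, for a SYN scan (-sS) and the FIN/NULL/Xmas
probes (-sF/-sN/-sX).

Added example, not nmap's code. It decodes raw TCP headers and applies the RFC 793
rules: RST means closed; SYN/ACK to a SYN means open; silence to a FIN/NULL/Xmas
probe means open or filtered. The replies below are constructed, not captured.
"""
import struct
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# flags set on the probe segment for each scan type
PROBES = {"syn": SYN, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG}


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int = 1024) -> bytes:
    """20-byte TCP header, data offset 5, checksum left 0 (it needs the IP
    pseudo-header, which is out of scope here)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


def parse_tcp_header(data: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, _csum, _urgp = struct.unpack("!HHIIHHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window}


def classify(probe: str, reply: Optional[bytes]) -> str:
    """reply is the target's TCP segment, or None if nothing came back before the
    timeout. An ICMP unreachable would also mean 'filtered' but is not modelled."""
    if probe not in PROBES:
        raise ValueError("unknown probe %r" % probe)
    if reply is None:
        # a real stack always answers a SYN with SYN/ACK or RST, so silence means
        # filtered; for FIN/NULL/Xmas silence is also what an open port does
        return "filtered" if probe == "syn" else "open|filtered"
    flags = parse_tcp_header(reply)["flags"]
    if flags & RST:
        # caveat: Windows and some other stacks send RST to FIN/NULL/Xmas probes
        # regardless of port state, so every port looks closed to those scans
        return "closed"
    if probe == "syn" and flags & SYN and flags & ACK:
        return "open"
    return "unexpected"


def teardown_segment(synack: bytes) -> bytes:
    """What a SYN scanner sends after SYN/ACK: a RST whose sequence number is the
    target's acknowledgement number, so the half-open connection is dropped without
    completing the handshake (and without the application being notified)."""
    r = parse_tcp_header(synack)
    return build_tcp_header(r["dport"], r["sport"], r["ack"], 0, RST)


if __name__ == "__main__":
    synack = build_tcp_header(22, 40000, 1000, 43, SYN | ACK)
    rstack = build_tcp_header(23, 40000, 0, 43, RST | ACK)
    print(classify("syn", synack), classify("syn", rstack), classify("syn", None))
    print(classify("fin", None), classify("xmas", rstack))
```

The "open|filtered" result is the price of the stealth techniques: because an open port and a filtering device both answer a FIN/NULL/Xmas probe with silence, those scans can only prove a port closed, which is exactly the inverse-mapping idea on the stealth scan slide.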
Port Scanning : FTP Bounce scanning
Connect to an FTP server and establish a control connection, then ask the server (PORT command) to initiate an active-mode data transfer to the target host and port
The server's reply reveals the port state: "425 Cannot build data connection" if the target refused the connection, a 150-style reply if the data connection was established
Rather slow
Some FTP servers disable the proxy feature, but many still do not
Example exchange: Scanner (10.0.0.4) sends "PORT 10,0,0,5,0,22" to the FTP server; the server sends a TCP SYN to Target (10.0.0.5) port 22; the target answers RST; the server reports "425 Cannot build data connection"
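The bounce scan above, as an added example that is not nmap's -b implementation or part of the original slides. It encodes and decodes the PORT argument (so the 10,0,0,5,0,22 in the diagram becomes 10.0.0.5:22), drives a scan through a send() callable, and reads the server's verdict from the reply to the LIST that follows PORT. The FTP server is simulated by make_demo_server with constructed reply lines so the example runs offline; against a real server the same commands would be written to the control connection.

```python
"""FTP bounce scan mechanics: the PORT argument that points the server's active-mode
data connection at a third host, and the server's reply that reveals the port state.

Added example, not nmap's -b implementation. The FTP server here is a simulated
callable with constructed reply lines, so the whole thing runs offline.
"""


def encode_port_arg(ip: str, port: int) -> str:
    """RFC 959: PORT h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets) or not 0 <= port <= 65535:
        raise ValueError("bad address %s:%s" % (ip, port))
    return "PORT %d,%d,%d,%d,%d,%d" % (*octets, port >> 8, port & 0xFF)


def decode_port_arg(line: str):
    """Inverse of encode_port_arg; this is what the server does with the command."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in line.split(None, 1)[1].split(","))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def classify_list_reply(reply: str) -> str:
    """Reply to the LIST that follows PORT: 150/125 means the server connected to the
    target port (open); 425 means it could not (closed, or filtered at the target)."""
    code = reply[:3]
    if code in ("150", "125"):
        return "open"
    if code == "425":
        return "closed"
    return "unknown"


def bounce_scan(target_ip: str, ports, send) -> dict:
    """send(command) -> reply line over the FTP control connection."""
    results = {}
    for port in ports:
        if not send(encode_port_arg(target_ip, port)).startswith("200"):
            results[port] = "bounce refused"   # server rejects a third-party PORT
            continue
        results[port] = classify_list_reply(send("LIST"))
    return results


# --- simulated FTP server (constructed replies) so the example runs offline ---
def make_demo_server(open_ports, allow_third_party: bool = True):
    state = {"target": None}

    def send(cmd: str) -> str:
        if cmd.startswith("PORT "):
            ip, port = decode_port_arg(cmd)
            if not allow_third_party:
                return "500 Illegal PORT command"
            state["target"] = (ip, port)
            return "200 PORT command successful"
        if cmd == "LIST":
            if state["target"] is None:
                return "425 Use PORT or PASV first"
            if state["target"][1] in open_ports:
                return "150 Opening ASCII mode data connection for file list"
            return "425 Cannot build data connection"   # target answered RST, as in the diagram
        return "502 Command not implemented"
    return send


if __name__ == "__main__":
    print(encode_port_arg("10.0.0.5", 22))   # PORT 10,0,0,5,0,22
    print(bounce_scan("10.0.0.5", [21, 22, 23], make_demo_server({21, 22})))
```

A server that has the proxy feature disabled answers the PORT itself with a 5xx reply, which is why the scan checks for "200" before sending LIST; that is the "some FTP servers disable the proxy feature" case from the slide.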
Port Scanning with nmap
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX: TCP Null, FIN, and Xmas scans
-b <FTP relay host>: FTP bounce scan
Services and Versions Detection
Operating System Detection
Banner grabbing, DNS HINFO records and TCP/IP stack fingerprinting (each IP stack implementation responds differently to unusual probes)
FIN probe, bogus flag probe
TCP initial sequence number sampling, TCP initial window, ACK value
ICMP error quenching, message quoting, ICMP echo integrity
IP: DF, TOS, fragmentation
OS Detection : Examples
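One of the fingerprinting tests listed above, TCP initial sequence number sampling, as an added example that is not nmap's -O implementation or part of the original slides. It is a simplified version of the GCD and rate analysis: take the ISNs from several SYN/ACKs received in quick succession, difference them modulo 2^32, and sort the generator into the classic classes (constant, fixed increment per connection, clock-driven, random). The SAMPLES table is constructed to show each class; collecting real samples means sending SYNs and reading the sequence numbers of the SYN/ACKs.

```python
"""TCP initial sequence number (ISN) sampling for stack fingerprinting.

Added example, not nmap's -O implementation: a simplified version of the GCD and
rate analysis. The ISN samples in SAMPLES are constructed to show each generator
class; real ones come from the SYN/ACKs of several connections opened quickly.
"""
import math
from statistics import pstdev

MOD = 2 ** 32


def isn_diffs(isns):
    """Consecutive differences modulo 2^32, so a counter that wraps still reads as increasing."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def isn_gcd(isns) -> int:
    """Greatest common divisor of the differences: a large value means a coarse step
    (a counter bumped by a fixed constant), 1 means no obvious structure."""
    g = 0
    for d in isn_diffs(isns):
        g = math.gcd(g, d)
    return g


def isn_rate(isns, times) -> float:
    """Mean ISN increase per second; times are the sample instants in seconds."""
    diffs = isn_diffs(isns)
    return sum(d / (t2 - t1) for d, (t1, t2) in zip(diffs, zip(times, times[1:]))) / len(diffs)


def classify_isn(isns, times) -> str:
    """Classic generator classes: constant, fixed increment per connection,
    time-dependent (clock-driven), or random."""
    if len(isns) < 3 or len(isns) != len(times):
        raise ValueError("need at least 3 samples with matching times")
    diffs = isn_diffs(isns)
    if all(d == 0 for d in diffs):
        return "constant"
    if all(d == diffs[0] for d in diffs):
        return "fixed increment of %d" % diffs[0]
    rates = [d / (t2 - t1) for d, (t1, t2) in zip(diffs, zip(times, times[1:]))]
    mean = sum(rates) / len(rates)
    if pstdev(rates) < 0.1 * mean:    # steady rate despite uneven sampling -> clock driven
        return "time-dependent (~%d per second)" % round(mean)
    return "random"


# constructed samples: (isns, times in seconds)
SAMPLES = {
    "constant": ([1000, 1000, 1000, 1000], [0.0, 0.1, 0.2, 0.3]),
    "fixed":    ([4294949296, 7000, 32000, 57000], [0.0, 0.1, 0.2, 0.3]),   # wraps past 2^32
    "clock":    ([0, 25000, 75000, 150000], [0.0, 0.1, 0.3, 0.6]),         # uneven sampling
    "random":   ([123456789, 3987654321, 55, 2222222222], [0.0, 0.1, 0.2, 0.3]),
}

if __name__ == "__main__":
    for name, (isns, times) in SAMPLES.items():
        print(name, isn_gcd(isns), classify_isn(isns, times))
```

The modular difference is the detail that matters: the "fixed" sample starts just below 2^32 and wraps, and without the modulo it would look like a huge negative jump and be misread as random. A predictable class is also what makes the older blind-spoofing and connection-hijacking attacks feasible, which is why modern stacks randomise.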
Version and OS Detection with nmap
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
Port Scanning Detection
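A detector for the heading above, as an added example that is not from the slides or from any particular IDS. It parses connection-attempt log lines in a made-up "timestamp src= dst= dport=" format (constructed in build_sample_log), flags a source that touches many distinct ports within a short window (a fast SYN or connect scan), and flags a source whose distinct-port count only becomes suspicious over a long retained history. The second case is the point made on the stealth scan slide: with one probe every two hours, a detector that only remembers the last day never sees enough ports to alert.

```python
"""Port-scan detection over connection-attempt logs.

Added example, not from the slides or any IDS. The log lines are constructed in
build_sample_log() in a made-up 'ts src= dst= dport=' format. A TCP connect scan
also shows up in application logs; a SYN scan only in firewall or flow logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_log(lines):
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:   # lines that do not match the expected format are skipped
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    events.sort()
    return events


def detect_scans(lines, fast_ports=10, fast_window_s=60, slow_ports=20, history_days=7):
    """Returns a set of (src, kind) with kind 'fast' or 'slow'."""
    events = parse_log(lines)
    if not events:
        return set()
    fast_window = timedelta(seconds=fast_window_s)
    cutoff = events[-1][0] - timedelta(days=history_days)   # oldest event still remembered
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        by_src[src].append((ts, dst, port))
    alerts = set()
    for src, evs in by_src.items():
        window = []                      # sliding window of (ts, dst, port)
        for ev in evs:
            window.append(ev)
            while ev[0] - window[0][0] > fast_window:
                window.pop(0)
            if len({(d, p) for _, d, p in window}) >= fast_ports:
                alerts.add((src, "fast"))
                break
        remembered = {(d, p) for t, d, p in evs if t >= cutoff}
        if len(remembered) >= slow_ports:
            alerts.add((src, "slow"))
    return alerts


def build_sample_log():
    """Constructed traffic: a normal client, a 12-port burst, and a 25-port scan
    spread one probe every two hours across two days."""
    t0 = datetime(2009, 3, 1, 0, 0, 0)
    lines = []

    def add(ts, src, dport):
        lines.append("%s src=%s dst=10.0.0.5 dport=%d" % (ts.isoformat(), src, dport))

    for k in range(6):                   # normal client: ssh and web, now and then
        add(t0 + timedelta(hours=4 * k), "10.0.0.9", 22 if k % 2 else 80)
    for k in range(12):                  # fast scan: 12 ports in 12 seconds
        add(t0 + timedelta(hours=47, seconds=k), "10.0.0.4", 20 + k)
    for k in range(25):                  # slow scan: one port every 2 hours
        add(t0 + timedelta(hours=2 * k), "192.0.2.7", 1 + k)
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print(sorted(detect_scans(log)))                      # both scanners
    print(sorted(detect_scans(log, history_days=1)))      # slow scan missed
```

The thresholds are deliberately simple; a production detector would also count the RST-only responses that an inverse-mapping probe provokes and would key on destination as well as source, but the history-length trade-off is the same.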