
IP Network Scanning

Outline

What is IP network scanning?
  Concepts, motivation
Example tool
  nmap
Scanning types
  Host discovery
  Port scanning
  Version detection
  OS detection
What is Scanning?
A method of gathering information about the devices running on a network
Typically used to discover the servers and services on a network:
  Which hosts are up?
  Which services are they offering?
Do not confuse with a host vulnerability scanner, which goes further and tests a computer for known vulnerabilities (Nessus, SAINT)
Why Scanning?
Network security assessment
  Evaluating and auditing security
  Firewall penetration test (policy auditing)
  IDS proof/evaluation
  Identifying unexpected new servers
Identifying open ports in order to
  proactively protect the network (network and security admins)
  attack it (hackers)
nmap
A well-known, free security scanner written by Fyodor (http://insecure.org/nmap/)
First released Sept 1, 1997 in Phrack 51, "The Art of Port Scanning" (http://www.phrack.org/issues.html?issue=51)
Many updates since then:
  OS detection (http://www.phrack.org/issues.html?issue=54&id=9#article)
  Version scanning
  ARP scanning
Version 5.00 as of this document
Usage:
  nmap [scan types] [options] <host or net>
Why nmap
An excellent tool
Long history of development and support
Continuous development and improvement
Industry-standard port scanner
nmap features
Host discovery: which hosts are alive?
  Identifying the computers on a network, for example listing the computers that respond to pings (ping sweeps)
Port scanning: what services are available?
  Enumerating the open ports on one or more target computers
Service and version detection: which version is running?
  Determining the application name and version number behind each open port
OS detection: what platforms are served?
  Remotely determining the operating system and some hardware characteristics of network devices
Host Discovery
Querying many hosts with the same probe is referred to as a ping sweep
The most basic step in mapping out a network
Several sweep techniques:
  ICMP sweeps
  Broadcast ICMP
  Non-echo ICMP
  TCP sweeps
  UDP sweeps
Host Discovery : ICMP Sweeps
Technique
  Send an ICMP ECHO request (ICMP type 8)
  If an ICMP ECHO reply (ICMP type 0) is received: the target is alive
  No response: the target is down, or the request or reply was filtered
Pros & cons
  Easy to implement
  Fairly slow, and easy to block

Exchange (scanner -> target):
  ICMP ECHO request  ->  ICMP ECHO reply   : host is alive
  ICMP ECHO request  ->  no response       : host is down or filtered
Host Discovery : Broadcast ICMP
Send an ICMP ECHO request to the network and/or broadcast address; every host that answers is alive
Windows ignores echo requests sent to a broadcast address
Most routers block directed broadcasts
Host Discovery : Non-ECHO ICMP
ICMP type 13 (TIMESTAMP request): queries the current time (RFC 792)
ICMP type 17 (ADDRESS MASK request): used by diskless systems to obtain their subnet mask at bootstrap time (RFC 950)
A reply to either shows the host is up, even where ECHO requests are filtered
Host Discovery : TCP Sweeps
Send TCP ACK or TCP SYN packets; any reply (SYN/ACK or RST) shows the host is alive
The port number can be chosen to avoid being blocked by a firewall
  Usually a good pick is 21 / 22 / 23 / 25 / 80
But firewalls can spoof a RESET packet on behalf of an IP address, so TCP sweeps may not be reliable
Host Discovery : UDP Sweeps
Relies on the ICMP PORT UNREACHABLE message: a non-active UDP port answers a datagram with ICMP PORT UNREACHABLE (type 3, code 3)
Assume the port is open if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram
Cons:
  Routers can drop UDP packets as they cross the Internet
  Many UDP services do not respond even when correctly probed
  Firewalls are usually configured to drop UDP packets (except for DNS)
  So "no response" can mean open, filtered, or simply lost
nmap Host Discovery summary
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
-sU: UDP Scan (a port scan type, the usual follow-up to -PU)
Note: newer nmap releases spell these options -sn and -Pn; the older -sP and -PN are still accepted as aliases
Port Scanning
To determine which services are running, i.e. which ports are in the LISTENING state
Some well-known types:
  TCP connect scan
  TCP SYN scan
  Stealth scans
  FTP bounce scan
Port Scanning : TCP Connect Scan
Uses the basic TCP connection establishment mechanism: the full three-way handshake is completed
Easy to detect by inspecting the system log, because the service's accept() sees a real connection

Exchange (scanner -> target):
  SYN  ->  SYN/ACK  ->  ACK   : port is open
  SYN  ->  RST/ACK            : port is closed
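A connect scan of the loopback interface, as an added example (Python; not part of the original slides and not nmap's code). It starts a throwaway listener in a thread so there is an open port to find, picks a second, unbound port as the closed case, and classifies each port from how connect() behaves; the port numbers are chosen at run time, and the host 127.0.0.1 is the only assumption.

```python
"""Added example (not from the original slides): a minimal TCP connect() scan
of 127.0.0.1, with a throwaway listener started in a thread so the scan has an
open port to find and runs offline.  Port numbers are chosen at run time."""
import socket
import threading


def connect_scan(host, ports, timeout=0.5):
    """Complete the three-way handshake on each port, as nmap -sT does.
    connect() succeeding -> open; ECONNREFUSED (the target's RST/ACK) -> closed;
    no answer within the timeout, or another socket error -> filtered."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))            # SYN -> SYN/ACK -> ACK
            results[port] = "open"
        except ConnectionRefusedError:          # SYN -> RST/ACK
            results[port] = "closed"
        except (socket.timeout, OSError):      # SYN dropped, or an ICMP error came back
            results[port] = "filtered"
        finally:
            s.close()                          # normal tear-down: the service saw a real connection
    return results


def start_listener():
    """Bind an ephemeral loopback port and accept (and drop) connections in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.1)                        # so the thread can notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:                    # listener closed from the main thread
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, stop


def free_port():
    """Pick a port that is currently closed: bind an ephemeral port, then release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed loopback port; returns their two verdicts."""
    srv, stop = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = free_port()
    result = connect_scan("127.0.0.1", [open_port, closed_port])
    stop.set()
    srv.close()
    return result[open_port], result[closed_port]


if __name__ == "__main__":
    print(demo())
```

Running it with a packet capture on lo shows exactly the two exchanges in the slide: SYN, SYN/ACK, ACK then FIN for the open port, and SYN, RST/ACK for the closed one.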
Port Scanning : TCP SYN Scan
Does not establish a complete connection ("half-open" scanning)
Send a SYN packet and wait for a response
  If a SYN/ACK is received => the port is LISTENING; immediately tear down the connection by sending a RST
  If a RST/ACK is received => the port is not LISTENING
  No response, or an ICMP unreachable error => the port is filtered
Because the handshake never completes, the application never sees the connection and most hosts do not log it

Exchange (scanner -> target):
  SYN  ->  SYN/ACK  ->  RST   : port is open
  SYN  ->  RST/ACK            : port is closed
Port Scanning : Stealth Scan
Gathers information about target sites while avoiding detection
Tries to hide among normal network traffic
Aims not to be recorded by logging mechanisms (hence "stealth")
Techniques
  Flag-probe packets (also called inverse mapping)
    Only closed ports send a response
    By determining which services do not exist, an intruder can infer which services do exist
  Slow scan rate
    Difficult to detect => needs a long history of logs
CERT reported these techniques in CERT Incident Note IN-98.04 (http://www.cert.org/incident_notes/IN-98.04.html)
Port Scanning : Stealth Mapping
RFC 793 specifies how to handle out-of-state packets:
  closed ports: reply with a RESET to any packet that is not itself a RESET
  open ports: silently drop a packet that carries neither SYN, RST nor ACK
Techniques
  A FIN probe, with only the FIN flag set
  An XMAS probe; nmap's -sX sets FIN, URG and PUSH (a variant that lights every flag, FIN, URG, ACK, SYN, RST and PUSH, also exists, but because it carries RST a strict RFC 793 stack discards it in both states, so it cannot map ports)
  A NULL probe, with no TCP flags set
  (A bare RST probe is useless here for the same reason: both open and closed ports discard it without answering)

Exchange (scanner -> target):
  Probe packet  ->  no response   : port is open (or the probe was filtered)
  Probe packet  ->  RST/ACK       : port is closed
Caveat: Windows, many Cisco devices and several other stacks answer RST regardless of port state, so these scans show every port as closed there; nmap reports the silent case as open|filtered
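The RFC 793 behaviour above, carried through for each probe type as an added example (Python; not part of the original slides). One function plays the target stack for a CLOSED and a LISTEN port, a second plays the FIN/NULL/Xmas scanner reading the reply, and a flag switches the target to the non-compliant "RST to everything" behaviour of Windows-style stacks. The flag sets and state names are a simplified model of RFC 793 section 3.9, not nmap's code.

```python
"""Added example (not from the original slides): a model of RFC 793's handling
of unsolicited segments by CLOSED and LISTEN ports, and the scanner-side
reading of the reply used by FIN/NULL/Xmas scans."""

SYN, ACK, FIN, RST, PSH, URG = "SYN", "ACK", "FIN", "RST", "PSH", "URG"

# Probe flag sets: nmap's -sN / -sF / -sX, the all-flags Xmas variant,
# and SYN, ACK and bare-RST probes for comparison.
PROBES = {
    "NULL": frozenset(),
    "FIN": frozenset({FIN}),
    "XMAS": frozenset({FIN, PSH, URG}),
    "XMAS-all-flags": frozenset({FIN, URG, ACK, SYN, RST, PSH}),
    "SYN": frozenset({SYN}),
    "ACK": frozenset({ACK}),
    "RST-probe": frozenset({RST}),
}

ICMP_UNREACHABLE = "ICMP type 3"   # stands in for a firewall's administrative reject


def target_reply(port_open, flags, rfc_compliant=True):
    """What a target stack sends back for a segment that belongs to no connection.
    port_open=False models CLOSED, True models LISTEN (RFC 793, section 3.9).
    rfc_compliant=False models stacks (Windows, Cisco IOS, ...) that answer
    RST to every non-SYN probe whatever the port state."""
    if RST in flags:
        return None                                  # a RST is never answered, in either state
    if not port_open:
        # CLOSED: anything without RST gets a RST; ACK present -> bare RST, else RST/ACK
        return {RST} if ACK in flags else {RST, ACK}
    # LISTEN
    if ACK in flags:
        return {RST}                                 # unexpected ACK -> RST (why -sA maps filters, not ports)
    if SYN in flags:
        return {SYN, ACK}                            # second step of the handshake
    return None if rfc_compliant else {RST, ACK}     # FIN/NULL/Xmas: drop, or RST on non-compliant stacks


def scanner_verdict(reply):
    """How a FIN/NULL/Xmas scanner (nmap -sN/-sF/-sX) labels the port from the reply."""
    if reply is None:
        return "open|filtered"                       # silence: open, or a firewall dropped the probe
    if reply == ICMP_UNREACHABLE:
        return "filtered"
    if RST in reply:
        return "closed"
    if reply == {SYN, ACK}:
        return "open"
    return "unknown"


def scan_matrix(rfc_compliant=True):
    """Verdict per probe as (verdict when the port is open, verdict when it is closed)."""
    return {
        name: (scanner_verdict(target_reply(True, flags, rfc_compliant)),
               scanner_verdict(target_reply(False, flags, rfc_compliant)))
        for name, flags in PROBES.items()
    }


if __name__ == "__main__":
    for name, verdicts in scan_matrix().items():
        print(f"{name:15s} open->{verdicts[0]:15s} closed->{verdicts[1]}")
```

The matrix makes the slide's point concrete: FIN, NULL and Xmas separate closed from open|filtered on a compliant stack, the all-flags Xmas and a bare RST probe get nothing back from either state, and on a non-compliant stack every port looks closed.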
Port Scanning : FTP Bounce Scanning
Connect to an FTP server and establish a control connection, then ask the server (with a PORT command naming the target's address and port) to open an active-mode data connection: whether the server can connect reveals whether the target port is open
Rather slow
Many FTP servers now disable this proxy feature, but there are still many that do not

Exchange (scanner 10.0.0.4, FTP server, target 10.0.0.5):
  scanner -> FTP server : PORT 10,0,0,5,0,22   (target 10.0.0.5, port 0*256 + 22 = 22)
  FTP server -> target  : TCP SYN
  target -> FTP server  : RST                  (port 22 closed)
  FTP server -> scanner : 425 Cannot build data connection
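The PORT encoding the bounce depends on, the reply codes the scanner reads, and the check a server uses to refuse being a relay, as an added example (Python; not part of the original slides and not any FTP server's code). The reply-code mapping follows RFC 959; the function names and the 1024 minimum-port rule are this example's assumptions.

```python
"""Added example (not from the original slides): the PORT command encoding an
FTP bounce scan relies on, the reply codes a scanner reads, and the address
check a server uses to refuse being used as a relay."""
import ipaddress


def port_command(ip, port):
    """Encode 'PORT h1,h2,h3,h4,p1,p2' where port = p1*256 + p2 (RFC 959)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "PORT " + ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def parse_port_argument(arg):
    """Decode the six comma-separated fields back into (ip, port)."""
    fields = [int(f) for f in arg.strip().split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument")
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def server_accepts_port(control_peer_ip, arg, min_port=1024):
    """Anti-bounce check a hardened FTP server applies to PORT: the data address
    must be the control connection's own peer, on a non-privileged port.
    (min_port=1024 is this example's choice, not a protocol requirement.)"""
    try:
        ip, port = parse_port_argument(arg)
    except ValueError:
        return False
    return ip == control_peer_ip and port >= min_port


def bounce_verdict(reply_line):
    """Read the server's reply to the transfer command (LIST/RETR) sent after PORT.
    125/150/226: the server reached the target -> port open.
    425: the data connection failed (RST or timeout) -> closed or filtered.
    500/501/550: the PORT itself was refused -> this server cannot be bounced."""
    code = reply_line[:3]
    if code in ("125", "150", "226"):
        return "open"
    if code == "425":
        return "closed|filtered"
    if code in ("500", "501", "550"):
        return "relay refused"
    return "unknown"


if __name__ == "__main__":
    print(port_command("10.0.0.5", 22))                          # PORT 10,0,0,5,0,22
    print(bounce_verdict("425 Cannot build data connection"))    # closed|filtered
```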
Port Scanning with nmap
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
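A parser for the -p syntax shown above, as an added example (Python; not part of the original slides and not nmap's own parser). It handles the numeric forms: single ports, ranges, open-ended ranges, a bare "-" for every port, and T:/U: prefixes that apply until the next prefix. Service names, wildcards and the S:/P: prefixes nmap also accepts are left out; treating unprefixed items as TCP is this example's simplification.

```python
"""Added example (not from the original slides): a parser for nmap's -p port
specification syntax (T:/U: protocol prefixes, comma lists, ranges, open-ended
ranges, and '-' for every port), returning one port set per protocol."""
import re

MAX_PORT = 65535
RANGE_RE = re.compile(r"^(\d*)-(\d*)$")


def expand_item(item):
    """Turn '22', '21-25', '-1024', '65000-' or '-' into a set of port numbers."""
    m = RANGE_RE.match(item)
    if m:
        lo = int(m.group(1)) if m.group(1) else 1          # omitted start -> 1
        hi = int(m.group(2)) if m.group(2) else MAX_PORT   # omitted end -> 65535
    elif item.isdigit():
        lo = hi = int(item)
    else:
        raise ValueError(f"bad port item: {item!r}")
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port range out of bounds: {item!r}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec):
    """Return {'T': tcp_ports, 'U': udp_ports} for an nmap -p argument.
    A prefix (T: or U:) applies to every item after it until the next prefix;
    items before any prefix are treated as TCP here."""
    ports = {"T": set(), "U": set()}
    proto = "T"
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if item[:2].upper() in ("T:", "U:"):
            proto, item = item[0].upper(), item[2:]
            if not item:
                raise ValueError("protocol prefix with no port")
        ports[proto] |= expand_item(item)
    return ports


if __name__ == "__main__":
    r = parse_port_spec("U:53,111,137,T:21-25,80,139,8080")
    print(sorted(r["T"]), sorted(r["U"]))
```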
Services and Versions Detection
The nmap-service-probes database contains probes for querying various services and match expressions (regular expressions) to recognize and parse the responses
After the port scan, nmap sends the probes to each open port and compares the reply against the match lines, in order, to name the service and extract its version
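A reader for a subset of the nmap-service-probes format and a matcher that runs it over captured banners, as an added example (Python; not part of the original slides and not nmap's own implementation). The database excerpt, the service banners and the port labels are constructed for the example; only the Probe/match line shapes, the m|...| regex delimiters and the p/ v/ i/ h/ version fields with $N substitution follow the real file's syntax, and the real file is far larger.

```python
"""Added example (not from the original slides): a parser and matcher for a
subset of the nmap-service-probes format ('Probe' and 'match' lines with m|..|
regexes and p/ v/ i/ h/ version fields).  The database excerpt and the banners
below are constructed for the example."""
import re

# Constructed excerpt, in nmap-service-probes syntax.
PROBES_DB = r"""
# NULL probe: just connect and read whatever the service volunteers
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ftp m|^220[ -].*\(vsFTPd ([\d.]+)\)| p/vsftpd/ v/$1/
match smtp m|^220 ([\w.-]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: ([^\r\n]+)|s p/$1/
"""

VERSION_FIELDS = {"p": "product", "v": "version", "i": "info", "h": "hostname"}
FIELD_RE = re.compile(r"([pvih])/([^/]*)/")
MATCH_RE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")


def parse_probes(text):
    """Return [(probe_name, bytes_to_send_as_str, [(service, regex, fields)]), ...]."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Probe "):
            _, _proto, name, rest = line.split(" ", 3)
            raw = rest[2:-1]                     # strip the q|...| delimiters
            probes.append((name, raw.encode("latin-1").decode("unicode_escape"), []))
        elif line.startswith("match "):
            m = MATCH_RE.match(line)
            if not m:
                raise ValueError(f"bad match line: {line!r}")
            service, _delim, pattern, flags, fields = m.groups()
            re_flags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
            probes[-1][2].append((service, re.compile(pattern, re_flags), fields))
    return probes


def substitute(template, match):
    """Replace $1..$9 in a version field with the corresponding capture group."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", template)


def identify(responses, probes=None):
    """responses: {probe_name: banner_text} for one port.  Probes are tried in
    database order and the first matching line wins, as with nmap -sV."""
    probes = probes if probes is not None else parse_probes(PROBES_DB)
    for name, _send, matches in probes:
        banner = responses.get(name)
        if banner is None:
            continue
        for service, regex, fields in matches:
            m = regex.search(banner)
            if m:
                result = {"service": service}
                for key, value in FIELD_RE.findall(fields):
                    result[VERSION_FIELDS[key]] = substitute(value, m)
                return result
    return None


# Constructed banners, as a scanner would read them from three open ports.
SAMPLE_RESPONSES = {
    "ssh-22": {"NULL": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"},
    "http-80": {"NULL": "",
                "GetRequest": "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Type: text/html\r\n\r\n"},
    "unknown": {"NULL": "", "GetRequest": "\x00\x01garbage"},
}

if __name__ == "__main__":
    for label, resp in SAMPLE_RESPONSES.items():
        print(label, identify(resp))
```

The NULL probe sends nothing, which is why version detection starts by reading the banner before it transmits anything; services that stay silent only get named once a later probe (here GetRequest) provokes a reply.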
Operating System Detection
Banner grabbing, DNS HINFO records and TCP/IP stack fingerprinting (each IP stack implementation responds slightly differently)
  FIN probe, bogus-flag probe
  TCP initial sequence number sampling, TCP initial window, ACK value
  ICMP error quenching, ICMP message quoting, ICMP echo integrity
  IP: DF bit, TOS, fragmentation handling
OS Detection : Examples
ACK value: send FIN|PSH|URG to a closed port and look at the ACK number in the RST that comes back
  most OSes: ACK number equal to the probe's sequence number
  Windows: ACK number equal to the probe's sequence number + 1
Type of Service: inspect the TOS field of the ICMP PORT UNREACHABLE message a closed UDP port returns
  most OSes: TOS = 0
  Linux: TOS = 0xC0
Version and OS Detection with nmap
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
Port Scanning Detection
For administrators, to detect scanning:
  Log suspicious packets (for example SYNs to ports nothing listens on, or packets with impossible flag combinations)
  Identify connections that are not properly terminated (SYN, SYN/ACK, then RST instead of the final ACK)
  Record port usage per source address, and alert when one source touches many ports in a short time
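Two of those checks run over a constructed connection log, as an added example (Python; not part of the original slides and not any IDS's code). The log format, the 60-second window and the ten-port threshold are this example's choices; the log itself is built inline to model one SYN scanner hitting twelve ports (two of them open) and one legitimate client completing a handshake.

```python
"""Added example (not from the original slides): two administrator-side
checks run over a constructed connection log: (1) one source touching many
distinct ports on a host within a short window, (2) half-open connections
that received SYN/ACK but were torn down with RST instead of completing."""
from collections import defaultdict

# Constructed log lines: "<seconds> <src>:<sport> > <dst>:<dport> <flags>"
# 10.0.0.4 SYN-scans 12 ports on 10.0.0.5 (22 and 80 are open); 10.0.0.7 is a real client.
SCANNED = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
OPEN = {22, 80}
LOG = []
for i, p in enumerate(SCANNED):
    t = i * 0.3
    LOG.append(f"{t:.1f} 10.0.0.4:{40000 + i} > 10.0.0.5:{p} S")
    if p in OPEN:
        LOG.append(f"{t + 0.01:.2f} 10.0.0.5:{p} > 10.0.0.4:{40000 + i} SA")
        LOG.append(f"{t + 0.02:.2f} 10.0.0.4:{40000 + i} > 10.0.0.5:{p} R")   # scanner aborts
    else:
        LOG.append(f"{t + 0.01:.2f} 10.0.0.5:{p} > 10.0.0.4:{40000 + i} RA")
LOG += [
    "5.00 10.0.0.7:51000 > 10.0.0.5:80 S",
    "5.01 10.0.0.5:80 > 10.0.0.7:51000 SA",
    "5.02 10.0.0.7:51000 > 10.0.0.5:80 A",                                   # real client completes
]


def parse_line(line):
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flags


def port_sweepers(lines, window=60.0, threshold=10):
    """(src, dst) pairs where src sent SYNs to more than `threshold` distinct
    ports on dst within any `window` seconds; value is the largest port count seen."""
    syns = defaultdict(list)                         # (src, dst) -> [(ts, dport)]
    for line in lines:
        ts, sip, _, dip, dport, flags = parse_line(line)
        if flags == "S":
            syns[(sip, dip)].append((ts, dport))
    alerts = {}
    for key, events in syns.items():
        events.sort()
        for t0, _ in events:
            ports = {p for t, p in events if t0 <= t <= t0 + window}
            if len(ports) > threshold:
                alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts


def half_open(lines):
    """Handshakes where the server answered SYN/ACK but the client never sent the final ACK."""
    state = {}                                       # (client, server, server_port) -> last step
    for line in lines:
        _, sip, sport, dip, dport, flags = parse_line(line)
        if flags == "S":
            state[(sip, dip, dport)] = "SYN"
        elif flags == "SA" and state.get((dip, sip, sport)) == "SYN":
            state[(dip, sip, sport)] = "SYNACK"
        elif flags == "A" and state.get((sip, dip, dport)) == "SYNACK":
            state[(sip, dip, dport)] = "ESTABLISHED"
    return sorted(k for k, v in state.items() if v == "SYNACK")


if __name__ == "__main__":
    print(port_sweepers(LOG))
    print(half_open(LOG))
```

The two detectors are complementary: the port-count rule catches fast scans whatever the scan type, while the half-open rule catches SYN scans specifically, including a slow one that stays under the count threshold, because a legitimate client has no reason to abort after receiving SYN/ACK.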
Port Scanning Detection
For hackers, to dodge detection:
  Randomize the order of ports, so the scan does not show the sequential-port pattern detectors look for
  Slow scan: keep the probe rate below the site's IDS detection threshold, e.g. 2 packets/day/site!
  Decoys: mix spoofed source addresses into the scan so the real scanner hides among them
  Coordinated scans: multiple scanners each probe part of the same host or network
