
Finding Open Ports and Access Points

Port scanning is the process of connecting to TCP and UDP ports for the purpose of finding what services and applications are running on the target device. After discovering running applications, open ports, and services, the hacker can then determine the best way to attack the system.

As discussed in Chapter 2, “The Technical Foundations of Hacking,” there are 65,535 usable TCP ports and another 65,535 UDP ports (numbered 1 through 65,535; port 0 is reserved). A port number identifies the specific process a message is coming from or going to, and a TCP port and a UDP port with the same number are unrelated to each other. Table 3-5 lists some common port numbers.

Table 3-5 Common Ports and Protocols

Port         Protocol   Service/Transport
20/21        FTP        TCP (20 data, 21 control)
22           SSH        TCP
23           Telnet     TCP
25           SMTP       TCP
53           DNS        TCP/UDP
69           TFTP       UDP
80           HTTP       TCP
110          POP3       TCP
135          RPC        TCP (MS-RPC endpoint mapper)
161/162      SNMP       UDP (161 agent, 162 traps)
1433/1434    MSSQL      TCP (1433 database engine); 1434 is the UDP SQL Server Browser service

As you have probably noticed, some of these applications run on TCP, others on UDP. Although it is certainly possible to scan all 65,535 TCP and all 65,535 UDP ports, many hackers will not. They concentrate on ports 0 through 1023, the well-known range, because that is where most of the commonly used applications live. You can find the registry of well-known and registered ports at http://www.iana.org/assignments/port-numbers. This is not to say that high-order ports should be totally ignored, because hackers who break into a system often open a high-order port, such as 31337, to use as a backdoor. So, is one protocol easier to scan for than the other? The answer to that question is yes. TCP gives the hacker far more to manipulate than UDP does. Let’s take a look at why.

TCP offers robust communication and is a connection-oriented protocol. TCP establishes a connection by using what is called a three-way handshake. Those three steps proceed as follows:

  1. The client sends the server a TCP segment with the synchronize flag (SYN) set and an initial sequence number (ISN) it has chosen.

  2. The server replies with a segment that has both the SYN and ACK flags set. The SYN flag says the server is willing to communicate, and the ACK flag says it received the client’s segment. The acknowledgment number is the client’s ISN plus one (the SYN itself consumes one sequence number). In this segment the server also picks its own ISN, which it uses to keep track of every byte it sends to the client.

  3. When the client receives the server’s segment, it sends back a segment with the ACK flag set, acknowledging the server’s ISN plus one. At this point the connection is established and data can flow in both directions.

The TCP flags occupy the byte at offset 13 of the TCP header (the low byte of the data offset/flags word). RFC 793 defined the six flags described in Table 3-6; two more, ECE and CWR, were added later for explicit congestion notification and are not used by the scans discussed here.


Table 3-6 TCP Flag Types

Flag   Description
SYN    Synchronize: opens a connection and carries the initial sequence number (ISN)
ACK    Acknowledgment: the acknowledgment number field is valid; set on every segment after the first SYN
FIN    Finish: the sender has no more data to send; used during the four-step shutdown of a session
RST    Reset: aborts a connection, or answers a segment for which no connection exists
PSH    Push: the receiver should hand the data to the application immediately rather than buffer it
URG    Urgent: the urgent pointer field is valid and marks urgent data within the segment

At the conclusion of communication, TCP terminates the session by using a four-step shutdown:

  1. The client sends the server a packet with the FIN/ACK flags set.

  2. The server sends a packet with the ACK flag set to acknowledge the client’s packet.

  3. The server then generates another packet with the FIN/ACK flags set to inform the client that it also is ready to conclude the session.

  4. The client sends the server a packet with the ACK flag set to conclude the session.

The TCP system of communication makes for robust communication but also gives a hacker many ways to craft packets in an attempt to coax a server to respond or to avoid detection by an intrusion detection system (IDS). Many of these methods are built into Nmap and other port-scanning tools. Before we take a look at those tools, though, some of the more popular port-scanning techniques are listed here:

  • TCP Full Connect scan: This type of scan is the most reliable, although it is also the most detectable. It is easily logged and detected because a full connection is established. Open ports reply with a SYN/ACK, and closed ports respond with an RST/ACK.

  • TCP SYN scan: This type of scan is known as half open because a full TCP three-way connection is not established. This type of scan was originally developed to be stealthy and evade IDSs, although most now detect it. Open ports reply with a SYN/ACK, and closed ports respond with an RST/ACK.

  • TCP FIN scan: Forget trying to set up a connection; this technique jumps straight to the shutdown. This type of scan sends a FIN packet to the target port. An open port should return no response. Closed ports should send back an RST/ACK. This technique is usually effective only on UNIX devices or others whose TCP stack follows RFC 793 strictly.

  • TCP NULL scan: Sure, there should be some type of flag in the packet, but a NULL scan sends a packet with no flags set. If the OS has implemented TCP per RFC 793, open ports send no reply, whereas closed ports will return an RST.

  • TCP ACK scan: This scan does not find open ports; it maps firewall rule sets by telling stateful filtering apart from stateless filtering or none at all. A bare ACK looks like part of an existing connection. A stateful firewall knows there is no such connection and drops it, so nothing comes back. If an ICMP destination unreachable, communication administratively prohibited message (type 3, code 13) is returned, the port is considered filtered. If an RST is returned, the ACK reached the host and the port is unfiltered: whatever sits in front of it is either stateless or absent.

  • TCP XMAS scan: Sorry, there are no Christmas presents here, just a port scan that has toggled on the FIN, URG, and PSH flags. Open ports should provide no response. Closed ports should return an RST. Systems must be designed per RFC 793 for this scan to work, as is common for Linux. It does not work against Windows computers.

Certain operating systems have taken some liberties when applying the TCP/IP RFCs and do things their own way. Because of this, not all scan types work against all systems. Results will vary, but Full Connect scans and SYN scans should work against all systems.
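
The scan types above are nothing more than particular flag combinations in header byte 13, and a defender sees them the same way an attacker builds them. The following Python is an added example, not code from the book: it packs and parses the 20-byte TCP header, names the scan type a bare probe corresponds to, and then runs a simple fan-out check over constructed traffic (one real HTTP client and one host sweeping ports 1 through 20 with bare SYNs). The addresses, ports and the threshold of ten distinct ports are assumptions for the illustration.

```python
import struct
from collections import defaultdict

# Flag bits in the low byte of the TCP offset/flags word (header byte 13).
# RFC 793 defined the first six; ECE and CWR were added by RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Pack a minimal 20-byte TCP header (data offset 5, no options).
    Checksum and urgent pointer stay zero: these are constructed packets
    for the example, not captured traffic."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | (flags & 0xFF), window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header into a dict."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", raw[:16])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4,
            "flags": off_flags & 0xFF, "window": window}


def flag_names(flags):
    """Human-readable flag list, e.g. 'FIN/PSH/URG'; 'NULL' when none set."""
    return "/".join(n for b, n in FLAG_NAMES.items() if flags & b) or "NULL"


def classify_probe(flags):
    """Name the scan type a probe with these flags corresponds to, or
    'normal' for combinations that occur in ordinary connections."""
    f = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if f == 0:
        return "NULL scan"
    if f == FIN | PSH | URG:
        return "XMAS scan"
    if f == FIN:
        return "FIN scan"
    if f == SYN:
        return "SYN or connect probe"
    if f == ACK:
        return "ACK scan"
    return "normal"  # SYN/ACK, ACK+PSH data, FIN/ACK teardown, RST/ACK, ...


def detect_scanners(packets, port_threshold=10):
    """Return {src: distinct_ports} for sources whose probe-shaped packets
    touched at least port_threshold distinct destination ports.
    packets: iterable of (src_ip, raw_tcp_header). A single bare SYN or
    ACK is ordinary traffic; fanning out across many ports is not."""
    ports_by_src = defaultdict(set)
    for src, raw in packets:
        hdr = parse_tcp_header(raw)
        if classify_probe(hdr["flags"]) != "normal":
            ports_by_src[src].add(hdr["dport"])
    return {src: len(p) for src, p in ports_by_src.items()
            if len(p) >= port_threshold}


def sample_packets():
    """Constructed traffic: a client running one HTTP session, and a host
    sweeping ports 1-20 with bare SYNs (the half-open scan)."""
    client = [("10.0.0.5", build_tcp_header(51000, 80, SYN)),
              ("10.0.0.5", build_tcp_header(51000, 80, ACK)),
              ("10.0.0.5", build_tcp_header(51000, 80, ACK | PSH)),
              ("10.0.0.5", build_tcp_header(51000, 80, FIN | ACK))]
    scanner = [("10.0.0.99", build_tcp_header(40000 + p, p, SYN))
               for p in range(1, 21)]
    return client + scanner


if __name__ == "__main__":
    print(detect_scanners(sample_packets()))  # {'10.0.0.99': 20}
    print(classify_probe(FIN | PSH | URG), flag_names(FIN | PSH | URG))
```

The classifier alone is not a detector: a lone SYN is how every connection starts and a lone ACK is how every data segment is acknowledged, so what gives a scanner away is the number of distinct ports one source touches, not the flags on any single packet. A real IDS would also key on time windows and on RSTs coming back from closed ports.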

These are not the only types of possible scans; there are other scan types. Some scanning techniques can be used to obscure attackers and help hide their identity. One such technique is the idle or zombie scan. Before we go through an example of idle scanning, let’s look at some basics on how TCP/IP connections operate. IP makes use of an identification number known as an IPID. This counter helps in the reassembly of fragmented traffic. TCP offers reliable service; it must perform a handshake before communication can begin. The initializing party of the handshake sends a SYN packet to which the receiving party returns a SYN/ACK packet if the port is open. For closed ports, the receiving party returns an RST. The RST acts as a notice that something is wrong, and further attempts to communicate should be discontinued. RSTs are not replied to; if they were replied to, we might have a situation in which two systems flood each other with a stream of RSTs. This means that unsolicited RSTs are ignored. By combining these characteristics with IPID behavior, a successful idle scan is possible.

An open port idle scan works as follows: An attacker sends an IPID probe to the idle host to solicit a response. Suppose, for example, that the response carries an IPID of 12345. Next, the attacker sends a spoofed SYN packet to the victim, addressed so that it appears to come from the idle host. An open port on the victim’s system answers with a SYN/ACK, which goes to the idle host. Because the idle host never sent a SYN and never wanted to communicate, it responds with an RST to terminate the exchange. Sending that RST increments its IPID by one, to 12346. Finally, the attacker again queries the idle host and receives a response with IPID 12347. Because the IPID count has now advanced by two from the initial value of 12345, the attacker can deduce that the scanned port on the victim’s system is open. Figure 3-9 provides an example of this situation.

Figure 3-9 IPID Open Port

But what if the target system has its port closed? In that situation, the scan starts the same way as previously described. The attacker makes an initial query to determine the idle host’s IPID value; suppose again that the value returned is 12345. In Step 2, the attacker sends a SYN packet addressed to the victim but spoofed to appear to originate from the idle host. Because the victim’s port is closed, it responds with an RST. Because RSTs don’t generate additional RSTs, the communication between the idle host and the victim ends here. Finally, the attacker again probes the idle host and examines the response. Because the victim’s port was closed, the returned IPID is 12346. It was incremented by only one because the idle host sent nothing between the two probes. Figure 3-10 provides an example of this situation.

Figure 3-10 IPID Port Closed
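
The two figures reduce to a counter and two rules (an unsolicited SYN/ACK draws an RST, an unsolicited RST draws nothing). The following Python is an added example, not code from the book, that models exactly that: an IdleHost with a globally incrementing IP ID, a Victim that answers the address a SYN claims to come from, and an attacker that runs several passes and trusts only a consistent verdict. The starting IPID of 12344 is chosen so that the first probe returns 12345 as in the text; the chatty() function is a constructed stand-in for background traffic on a zombie that is not really idle.

```python
class IdleHost:
    """The zombie: a quiet host whose IP ID goes up by one for every
    packet it sends, no matter who it is talking to."""

    def __init__(self, ipid=12344):
        self.ipid = ipid

    def _send(self):
        self.ipid += 1
        return self.ipid

    def answer_ipid_probe(self):
        # The attacker's probe is unsolicited, so the zombie replies with an
        # RST, and that RST carries the zombie's current IP ID.
        return self._send()

    def receive_synack(self):
        # SYN/ACK for a SYN it never sent: answer with an RST (one packet).
        self._send()

    def receive_rst(self):
        # RSTs are never answered, so the counter does not move.
        pass


class Victim:
    """The scanned host; it replies to whatever address a SYN claims."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_spoofed_syn(self, port, apparent_source):
        if port in self.filtered_ports:
            return                          # dropped by a firewall: silence
        if port in self.open_ports:
            apparent_source.receive_synack()
        else:
            apparent_source.receive_rst()


def idle_scan_once(zombie, victim, port, noise=None):
    """One pass: probe, spoof, probe again; return the IP ID delta."""
    before = zombie.answer_ipid_probe()
    victim.receive_spoofed_syn(port, zombie)
    if noise is not None:
        noise(zombie)     # unrelated traffic the zombie sends meanwhile
    after = zombie.answer_ipid_probe()
    return after - before


def idle_scan(zombie, victim, port, passes=3, noise=None):
    """Repeat the pass and only accept a verdict every pass agrees on.
    delta 2 = open; delta 1 = closed or filtered (the idle scan cannot tell
    the two apart); anything else means the zombie was not idle."""
    verdicts = []
    for _ in range(passes):
        delta = idle_scan_once(zombie, victim, port, noise)
        verdicts.append({2: "open", 1: "closed|filtered"}.get(delta, "inconclusive"))
    return verdicts[0] if len(set(verdicts)) == 1 else "inconclusive"


def chatty(zombie):
    """Constructed background load: five extra packets between the probes."""
    for _ in range(5):
        zombie._send()


if __name__ == "__main__":
    victim = Victim(open_ports={80}, filtered_ports={135})
    print(idle_scan(IdleHost(), victim, 80))                # open
    print(idle_scan(IdleHost(), victim, 23))                # closed|filtered
    print(idle_scan(IdleHost(), victim, 80, noise=chatty))  # inconclusive
```

Two things the model makes visible that the figures do not: a filtered port and a closed port both yield a delta of one, so the idle scan reports them the same way, and a zombie that sends even a few packets of its own between the two probes pushes the delta past two and makes the pass worthless, which is why the text insists on a truly idle host and on repeated passes.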

Although not perfect, this scanning technique enables attackers to obscure their true address. However, limitations apply to the capability of an idle scan. First, the system designated to play the role of the idle host must truly be idle. A chatty system is of little use because the IPID will increment too much to be useful. There is also the fact that not all operating systems use a single incrementing IPID. For example, some versions of Linux set the IPID to zero or generate a random IPID value. Again, these systems are of little use in such an attack. Finally, these results must be validated; by this, I mean that several passes need to be performed and compared before the attacker can be reasonably sure the conclusion is valid. Although the concept of idle scanning is interesting, there are a few other scan types worth briefly noting:

  • ACK scan: Sends ACK probes with random sequence numbers. An ICMP type 3 code 13 (administratively prohibited) response means a firewall is rejecting the probe, so the port is filtered; an RST means the port is unfiltered, that is, reachable through any stateless filter that may be in the way.

  • FTP Bounce scan: Abuses the FTP PORT command to make a third-party FTP server open connections to the target’s ports on the attacker’s behalf, so the probes appear to come from the FTP server and the scan is harder to trace.

  • RPC scan: Attempts to determine whether open ports are RPC ports.

  • Window scan: Similar to an ACK scan but can sometimes determine open ports. It does so by examining the TCP window size of returned RST packets. On some systems, open ports return a positive window size and closed ones return a zero window size.

Now let’s look at UDP scans. UDP is unlike TCP. TCP is built on robust connections, but UDP is built for speed. With TCP, the hacker can manipulate flags to provoke a TCP response or an ICMP error. UDP has no flags and no handshake, and a UDP service that receives a probe it does not understand usually says nothing at all. It’s a fire and forget protocol! Unless the scanner sends a payload the service recognizes (Nmap does this for a number of well-known UDP ports), the most you can hope for is an error from ICMP.

If the port is closed, the target’s IP stack sends an ICMP type 3 code 3 (port unreachable) message back to the source of the probe. But if the network is blocking ICMP, or the host rate-limits its ICMP errors (Linux, for example, limits them to roughly one per second by default, which is why UDP scans of such hosts take so long), no error message is returned. A port that stays silent might therefore be open or filtered, and the scanner cannot tell which. If you are planning on doing UDP scans, plan for slow and unreliable results.
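
Because the only dependable signal from a UDP scan is the ICMP error, it is worth seeing what that error actually contains: an 8-byte ICMP header followed by the IP header and first 8 bytes (the UDP header) of the probe that caused it. The following Python is an added example, not code from the book. It builds such a message the way a scanned host would (checksums left at zero, marked as constructed), parses it back to recover which probe it refers to, and classifies each probe’s outcome using the four states Nmap reports. The addresses, ports and the TFTP reply are constructed sample data.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3                    # type 3 / code 3: nothing listening there
FILTERED_CODES = {0, 1, 2, 9, 10, 13}    # net/host/protocol unreachable, admin prohibited
IPPROTO_UDP = 17


def build_port_unreachable(src_ip, dst_ip, sport, dport, code=ICMP_PORT_UNREACH):
    """Constructed ICMP type 3 error as the scanned host returns it:
    ICMP header, then the offending probe's IP header and UDP header.
    src_ip/dst_ip are the probe's addresses (scanner -> target)."""
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return icmp + ip + udp


def parse_icmp_unreachable(raw):
    """Recover which of our probes an ICMP error refers to, or None."""
    if len(raw) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error")
    itype, code, _csum, _unused = struct.unpack("!BBHI", raw[:8])
    if itype != ICMP_DEST_UNREACH:
        return None
    ihl = (raw[8] & 0x0F) * 4                     # quoted IP header length
    proto = raw[8 + 9]
    target = socket.inet_ntoa(raw[8 + 16:8 + 20])  # quoted destination
    sport, dport = struct.unpack("!HH", raw[8 + ihl:8 + ihl + 4])
    return {"code": code, "proto": proto, "target": target,
            "probe_sport": sport, "probe_dport": dport}


def classify_udp_probe(response):
    """Map what came back for one UDP probe to a port state (Nmap's rules).
    response: None (silence), ("udp", payload) or ("icmp", raw_bytes)."""
    if response is None:
        return "open|filtered"   # a silent open port and a dropped probe look alike
    kind, data = response
    if kind == "udp":
        return "open"            # the service answered our payload
    err = parse_icmp_unreachable(data)
    if err is None:
        return "open|filtered"
    if err["code"] == ICMP_PORT_UNREACH:
        return "closed"
    if err["code"] in FILTERED_CODES:
        return "filtered"
    return "open|filtered"


def interpret_scan(target, probes):
    """probes: {dport: response}; returns {dport: state}. An ICMP error that
    does not quote the probe we sent to this target is not trusted."""
    states = {}
    for dport, response in probes.items():
        state = classify_udp_probe(response)
        if response is not None and response[0] == "icmp":
            err = parse_icmp_unreachable(response[1])
            if err and (err["proto"] != IPPROTO_UDP or err["target"] != target
                        or err["probe_dport"] != dport):
                state = "open|filtered"
        states[dport] = state
    return states


def sample_responses():
    """Constructed results for four probes from 192.168.1.50 to 192.168.1.108."""
    me, target = "192.168.1.50", "192.168.1.108"
    return {
        69:  ("udp", b"\x00\x05\x00\x01Unknown transfer ID\x00"),   # TFTP error packet
        123: None,                                                   # silence
        137: ("icmp", build_port_unreachable(me, target, 40000, 137)),
        161: ("icmp", build_port_unreachable(me, target, 40000, 161, code=13)),
    }


if __name__ == "__main__":
    print(interpret_scan("192.168.1.108", sample_responses()))
    # {69: 'open', 123: 'open|filtered', 137: 'closed', 161: 'filtered'}
```

The check in interpret_scan matters in practice: ICMP errors arrive on a raw socket unrelated to the probe, so the scanner has to match them to its own probes by the quoted header, and a spoofed or stale error that quotes the wrong port must not be allowed to mark a port closed.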

Next, some of the programs that can be used for port scanning are discussed.

Nmap


Nmap was written by Gordon Lyon, who publishes under the handle Fyodor. This popular application runs on Windows, Linux, macOS and the BSDs as a command-line program and, through Zenmap, as a GUI. It is probably the most widely used port scanner ever developed. It can do many types of scans and OS identification. It also enables you to control the speed of the scan from slow to insane. Its popularity can be seen by the fact that it’s incorporated into other products and was even used in the movie The Matrix. Nmap with the help option is shown here so that you can review some of its many switches:

C:\ nmap-7.70>nmap -h
Nmap 7.70 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
  -sL list scan that simply does a reverse DNS lookup without actually
    scanning
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service and app
    names/versions
 -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended. Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -6 scans via IPv6 rather than IPv4
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing
    policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes
    resolve]
  -oN/-oX/-oG <logfile > Output normal/XML/grepable scan logs to
    <logfile>
  -iL <inputfile > Get targets from file; Use '-' for stdin
  -sC Scripting engine
* -S <your_IP >/-e <devicename > Specify source address or network
    interface
 --interactive Go into interactive mode (then press h for help)
  --win_help Windows-specific features
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

As shown in the output of the help menu in the previous listing, Nmap can run many types of scans. Note that the listing mixes options from older releases with the 7.70 banner: in current versions -sP is spelled -sn, -P0 is -Pn, RPC scanning (-sR) has been folded into -sV, and the identd (-I) and --interactive options were removed. Check nmap -h or the man page for the version you actually have installed. Nmap is considered a required tool for all ethical hackers.

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to create and use simple scripts to automate a wide variety of networking tasks. Nmap’s output provides the open port’s well-known service name, number, and protocol. Ports are reported as open, closed, or filtered, with two compound states for cases Nmap cannot resolve. If a port is open, it means that the target device will accept connections on that port. A closed port is reachable but not listening for connections. A filtered port means that a firewall, filter, or other network device is guarding the port and preventing Nmap from determining its status. A port reported as unfiltered (seen only in ACK scans) is reachable and no firewall appears to be interfering, but Nmap cannot tell whether it is open or closed. The open|filtered state, common in UDP and FIN/NULL/XMAS scans, means the port gave no response, which could mean either an open service that stayed silent or a dropped probe.

To run Nmap from the command line, type nmap, followed by the switch, and then enter a single IP address or a range. For the example shown here, the -sT option was used, which performs a TCP full three-step connection:

C:\nmap-7.70>nmap -sT 192.168.1.108
Starting nmap 7.70 (https://nmap.org/) at 2015-10-05 23:42 Central Daylight Time
Interesting ports on Server (192.168.1.108):
(The 1653 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
80/tcp   open   http
445/tcp  open   smb
515/tcp  open   printer
548/tcp  open   afpovertcp
Nmap run completed -- 1 IP address (1 host up) scanned in 420.475 seconds

Several interesting ports were found on this computer, including 80 (HTTP) and 445 (SMB). A UDP scan performed with the -sU switch returned the following results:

C:\nmap-7.70>nmap -sU 192.168.1.108
Starting nmap 7.70 (https://nmap.org/) at 2015-10-05 23:47 Central Daylight Time
Interesting ports on Server (192.168.1.108):
(The 1653 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
69/udp   open   tftp
Nmap run completed -- 1 IP address (1 host up) scanned in 843.713 seconds

Now let’s scan a second system so we can see the difference between a Windows computer and a Linux computer. One big clue is the potential for open ports such as 37, 79, 111, and 6000. Those represent programs such as Time, Finger, SunRpc, and X11.

[root@mg /root]# nmap -O 192.168.13.10
Starting nmap V. 7.70 (https://nmap.org/)
Interesting ports on unix1 (192.168.13.10):
(The 1529 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
79/tcp     open        finger
111/tcp    open        sunrpc
139/tcp    filtered    netbios-ssn
513/tcp    open        login
1103/tcp   open        xaudio
2049/tcp   open        nfs
4045/tcp   open        lockd
6000/tcp   open        X11
7100/tcp   open        font-service
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
32775/tcp  open        sometimes-rpc13
32776/tcp  open        sometimes-rpc15
32777/tcp  open        sometimes-rpc17
Remote operating system guess: Solaris 2.6 - 2.7
Uptime 319.638 days (since Wed Aug 09 19:38:19 2017)
Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds

Notice that the ports shown from this scan are much different from what was seen from the Windows scan earlier in the chapter. Ports such as 37, 79, 111, and 32771 are shown as open. Also note that Nmap has identified the OS as Solaris. If you later gain shell access to such a host, you also want to identify which applications are installed. Commands to find common ones include the following (the last three apply to Debian-based and RPM-based Linux systems rather than to Solaris):

ls -alh /usr/bin/                  # binaries installed for all users
ls -alh /sbin/                     # system administration binaries
ls -alh /var/cache/apt/archives/   # packages apt has downloaded (Debian/Ubuntu)
dpkg -l                            # installed packages (Debian/Ubuntu)
rpm -qa                            # installed packages (Red Hat/SUSE and other RPM systems)

Zenmap is the official Nmap Security Scanner GUI. Most of the options in Zenmap correspond directly to the command-line version. Some people call Zenmap the Nmap tutor because it displays the command-line syntax at the bottom of the GUI interface, as shown in Figure 3-11.

Figure 3-11 Zenmap

SuperScan

SuperScan is written to run on Windows machines. It’s a versatile TCP/UDP port scanner, pinger, and hostname resolver. It can perform ping scans and port scans using a range of IP addresses, or it can scan a single host. It also has the capability to resolve or reverse-lookup IP addresses. It builds an easy-to-use HTML report that contains a complete breakdown of the hosts that were scanned. This includes information on each port and details about any banners that were found. It’s free; therefore, it is another tool that all ethical hackers should have.

THC-Amap

THC-Amap is another example of a tool that is used for scanning and banner grabbing. One problem that traditional scanning programs have is that not all services are ready and eager to give up a banner the moment you connect. For example, services wrapped in SSL/TLS expect a handshake before they say anything. Amap handles this by storing a collection of trigger strings that it fires at the port to provoke a response, then matching the reply against its signatures. Amap was the first tool to do this, but the technique has largely been superseded by Nmap’s version detection (-sV). One common way to use it is to feed it the greppable output of an Nmap scan (-oG) so that it only probes ports already known to be open. Defeating or blocking Amap is not easy, although one technique would be port knocking. Port knocking is similar to a secret handshake or combination: only after a set order of port connections has been seen does the real port open. For example, you may have to first connect on 80, 22, and 123 before connecting to 443. Otherwise, the port will show as closed.
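
Handing Nmap’s greppable output to a second tool means reading one line per host with tab-separated fields, where each port entry has the form port/state/protocol/owner/service/rpcinfo/version/. The following Python is an added example, not code from the book or from the Nmap project, that parses that format, reports the port states discussed above, and produces the list of confirmed-open ports you would hand to a banner grabber such as Amap. The scan output embedded in it is constructed to match the hosts scanned earlier in the chapter; the service and version strings in it are sample data, not results of a real scan.

```python
import re

# Constructed -oG output (tab-separated fields, one "Ports:" line per host).
SAMPLE_GNMAP = (
    "# Nmap 7.70 scan initiated Fri Oct  5 23:42:00 2018 as: nmap -sS -sU -sV -oG scan.gnmap 192.168.1.108 192.168.13.10\n"
    "Host: 192.168.1.108 (server)\tStatus: Up\n"
    "Host: 192.168.1.108 (server)\tPorts: 80/open/tcp//http//Apache httpd 2.4.29/, "
    "139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "69/open/udp//tftp///\tIgnored State: closed (1996)\n"
    "Host: 192.168.13.10 (unix1)\tStatus: Up\n"
    "Host: 192.168.13.10 (unix1)\tPorts: 21/open/tcp//ftp///, "
    "111/open/tcp//rpcbind//2-4 (RPC #100000)/, 6000/open/tcp//X11///, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (1996)\n"
    "# Nmap done at Fri Oct  5 23:49:00 2018 -- 2 IP addresses (2 hosts up) scanned in 420.47 seconds\n"
)

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")
HOST_RE = re.compile(r"(\S+) \((.*)\)")


def parse_gnmap(text):
    """Return {ip: {"name": hostname, "ports": [entry, ...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment/summary lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip, name = HOST_RE.match(fields["Host"]).groups()
        entry = hosts.setdefault(ip, {"name": name, "ports": []})
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue
            parts = item.split("/")                    # 7 fields plus a trailing ""
            port = dict(zip(PORT_FIELDS, parts[:7]))
            port["port"] = int(port["port"])
            entry["ports"].append(port)
    return hosts


def open_targets(hosts, proto="tcp"):
    """(ip, port, service) for every confirmed-open port of one protocol:
    the list you would feed to a banner grabber. open|filtered is excluded
    because nothing is known to be listening there."""
    return [(ip, p["port"], p["service"]) for ip, h in hosts.items()
            for p in h["ports"] if p["state"] == "open" and p["proto"] == proto]


def state_summary(hosts):
    """Count how many ports ended up in each Nmap state."""
    counts = {}
    for h in hosts.values():
        for p in h["ports"]:
            counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print(state_summary(hosts))           # {'open': 6, 'filtered': 1, 'open|filtered': 1}
    for ip, port, service in open_targets(hosts):
        print(f"{ip}:{port} ({service})")
```

Amap itself can read the .gnmap file directly with its -i option; the value of parsing it yourself is being able to filter on state, so that filtered and open|filtered ports, which would only waste probes, never reach the next stage.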

Hping

Hping is another very useful ethical hacking tool that can perform both ping sweeps and port scans. Hping works on Windows and Linux computers and can function as a packet builder. You can find the Hping tool at http://www.hping.org; it is also included in the BackTrack distribution and its successor, Kali Linux. Hping2 and 3 can be used for firewall testing, identifying honeypots, and port scanning. Here are some Hping3 syntax examples of note (IP_Address stands for the target):

  • Ping sweep (ICMP mode): hping3 -1 IP_Address

  • UDP scan (UDP mode): hping3 -2 IP_Address

  • SYN scan of a port range (scan mode, which needs the range as its argument): hping3 -8 1-1024 -S IP_Address

  • ACK scan: hping3 -A IP_Address

  • IPID collection, as used to qualify an idle-scan zombie: hping3 -S -p 139 -r IP_Address (-r prints each reply’s IP ID as an increment over the previous one, so a truly idle host shows +1 on every line)

  • XMAS scan: hping3 -F -P -U IP_Address

Port Knocking

Port knocking is a method of establishing a connection to a host that does not initially indicate that it has any open ports. Port knocking works by having the remote device send a series of connection attempts to a specific series of ports. It is somewhat analogous to a secret handshake. After the proper sequence of port knocking has been detected, the required port is opened, and a connection is established. The advantage of using a port-knocking technique is that hackers cannot easily identify open ports. The disadvantages include the fact that the technique does not harden the underlying application. Also, it isn’t useful for publicly accessible services. Finally, anyone who has the ability to sniff the network traffic will be in possession of the appropriate knock sequence. A good site to check out to learn more about this defensive technique is http://www.portknocking.org.
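
On the server side, port knocking is a small per-source state machine driven by connection attempts that the firewall logs and drops. The following Python is an added example, not code from the book or from any port-knocking daemon: a KnockListener that advances only on the expected next port, restarts on a wrong port, and resets when the knocks arrive too slowly, replayed over a constructed firewall log. The knock sequence 80, 22, 123, the ten-second window and the addresses are assumptions for the illustration.

```python
class KnockListener:
    """Server-side knock detector: one state machine per source address.
    sequence is the ordered tuple of ports that must be hit; window is the
    maximum number of seconds allowed between consecutive knocks."""

    def __init__(self, sequence, window=10.0):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}    # src_ip -> (next expected index, time of last knock)
        self.opened = set()   # sources that completed the sequence

    def knock(self, src, port, now):
        """Feed one logged connection attempt; return whether src is now allowed."""
        idx, last = self.progress.get(src, (0, now))
        if now - last > self.window:
            idx = 0                                    # too slow: start over
        if port == self.sequence[idx]:
            idx += 1                                   # expected port: advance
        else:
            idx = 1 if port == self.sequence[0] else 0  # wrong port: restart
        if idx == len(self.sequence):
            self.opened.add(src)                       # full sequence: open the door
            idx = 0
        self.progress[src] = (idx, now)
        return src in self.opened

    def is_allowed(self, src):
        return src in self.opened


def replay(knocks, sequence=(80, 22, 123), window=10.0):
    """Run (src, port, timestamp) records through a fresh listener and
    return the set of sources that earned access."""
    listener = KnockListener(sequence, window)
    for src, port, t in knocks:
        listener.knock(src, port, t)
    return listener.opened


# Constructed firewall log: a correct knock (10.0.0.5), the right ports in
# the wrong order (10.0.0.6), the right order but too slow (10.0.0.7), and a
# client that repeats the first port before getting it right (10.0.0.8).
SAMPLE_KNOCKS = [
    ("10.0.0.5", 80, 0.0), ("10.0.0.5", 22, 1.0), ("10.0.0.5", 123, 2.0),
    ("10.0.0.6", 22, 0.0), ("10.0.0.6", 80, 1.0), ("10.0.0.6", 123, 2.0),
    ("10.0.0.7", 80, 0.0), ("10.0.0.7", 22, 1.0), ("10.0.0.7", 123, 30.0),
    ("10.0.0.8", 80, 0.0), ("10.0.0.8", 80, 1.0), ("10.0.0.8", 22, 2.0), ("10.0.0.8", 123, 3.0),
]

if __name__ == "__main__":
    print(sorted(replay(SAMPLE_KNOCKS)))   # ['10.0.0.5', '10.0.0.8']
```

Notice what the listener keys on: only source address, port and time. That is exactly why the text’s last caveat holds. Anyone who can read the same firewall log or sniff the same three connection attempts has the sequence, and the protected service is only as secure as it would be without the knock.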

War Driving

War driving is named after war dialing because it is the process of looking for open access points. Many pen tests contain some type of war driving activity. The goal is to identify open or rogue access points. Even if the organization has secured its wireless access points, there is always the possibility that employees have installed their own access points without the company’s permission. Unsecured wireless access points can be a danger to organizations because, much like modems, they offer the hacker a way into the network that might bypass the firewall. A whole host of security tools released for Windows and Linux is available to use for war driving and wireless cracking activities.
