Port Scanning Techniques - Part 1


Administrators use port scanning to verify that the security policy of their network is actually enforced, whereas attackers use it to identify open ports and the services listening on them as the first step towards compromising the host or network. Users also leave unneeded ports open on their systems without realising it, and those open ports are what an attacker targets first. 


Full Open Scan (-sT)

This is the default TCP scan when a SYN scan is unavailable, generally because the user lacks the raw-socket privileges (root) that packet crafting requires. Nmap does not craft packets; it asks the operating system to open a connection with the connect() system call, the same call any client application uses. The three-way handshake completes for every open port, which is why the scan is less efficient than a SYN scan: it needs a separate connect() per port, an extra packet or two to finish and tear down each connection, and more time to obtain the same result. The drawback is that it is noisier: because the connection is fully established, the listening service is handed the connection and typically logs it, so the scan is easy to detect and filter. In nmap, the -sT option is used to perform this scan. 
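As an added example, not code from the original post: a minimal connect() scanner in Python that relies on the same connect() call nmap -sT uses, together with a loopback demo that listens on one port so the scan can be run offline. The loopback address, the timeout and the idea of using a freshly released port as the "closed" one are assumptions of this example.

```python
import socket
from typing import Dict, Iterable

# Added example (not from the original post): a connect() scanner, the same
# mechanism nmap -sT uses, plus a loopback demo that runs offline.


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Classify ports by what the OS's connect() reports for each one."""
    results: Dict[int, str] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            # Full three-way handshake: the kernel completes it, so the
            # listening service sees an accepted connection (and may log it).
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            # The target answered the SYN with a RST.
            results[port] = "closed"
        except (socket.timeout, OSError):
            # No answer, or an ICMP unreachable: something dropped the SYN.
            results[port] = "filtered"
        finally:
            s.close()
    return results


def _free_loopback_port() -> int:
    """Ask the kernel for an unused port and release it again (our 'closed' port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo() -> Dict[str, str]:
    """Listen on one loopback port, then scan it and a port nothing listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    closed_port = _free_loopback_port()  # assumption: nothing grabs it before we scan
    try:
        scanned = connect_scan("127.0.0.1", [open_port, closed_port], timeout=2.0)
    finally:
        listener.close()
    return {"listening": scanned[open_port], "unused": scanned[closed_port]}


if __name__ == "__main__":
    print(demo())  # {'listening': 'open', 'unused': 'closed'}
```

Note that connect() to the listening port succeeds even though nothing calls accept(): the kernel finishes the handshake and queues the connection in the listen backlog, which is exactly why a real service (and its logs) sees every -sT probe.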

Stealth Scan (-sS)

This is the default and most widely used scan option whenever Nmap has raw-packet privileges. A SYN scan is half-open: it starts the three-way handshake but never completes it. Nmap sends a SYN; if the target responds with SYN/ACK, the port is open and Nmap tears the attempt down with a RST instead of completing the handshake with an ACK. A RST response means the port is closed, and no response (or an ICMP unreachable error) means the port is filtered. Because the handshake never completes, the listening application is never handed a connection and cannot log it, so the scan is quieter than a connect() scan, although the SYN packets themselves are still visible to a firewall or IDS watching the wire. It is fast and can scan thousands of ports per second on an uncongested network. In nmap, the -sS option is used to perform this scan.

Inverse TCP Flag Scan

SYN packets sent to a target's sensitive ports are exactly what firewalls and intrusion detection systems (IDS) are tuned to notice. Depending on the security mechanisms in place, probe packets carrying unusual TCP flag combinations can sometimes slip past simple, stateless filters unnoticed. 

The attacker sends TCP probe packets with no flags set, or with some combination of the FIN, URG and PSH flags set, to the target's ports. An RST response indicates that the port is closed, whereas no response suggests that the port is open (Nmap reports it as open|filtered, because a firewall that silently drops the probe produces the same silence). This follows RFC 793: a closed port answers any segment that does not itself carry RST with a reset (RST/ACK), while an open port in the LISTEN state simply discards a segment that carries neither SYN, ACK nor RST. The technique is not effective against Windows hosts, because Microsoft's stack ignores this part of RFC 793 and answers with RST regardless of port state, so every port appears closed. It works well against UNIX-based operating systems and other RFC-compliant stacks.

Inverse TCP flag scanning is called NULL, FIN or Xmas scanning depending on the flags set in the probe packet. 
  • If no flag is set, it is a NULL scan: the TCP flags field is 0. In nmap, the -sN option is used to perform this scan. 
  • If only the FIN flag is set, it is a FIN scan. In nmap, the -sF option is used to perform this scan. 
  • If FIN, URG and PSH are all set, the packet is lit up like a Christmas tree, hence the name Xmas scan. Setting every flag bit has been known to upset some stacks, so the Xmas probe sets exactly URG, PSH and FIN. In nmap, the -sX option is used to perform this scan. 
  • The TCP Maimon scan is similar to the NULL, FIN and Xmas scans, but the probe is FIN/ACK. Per RFC 793 an open port should answer it with RST just as a closed one does, but many BSD-derived systems simply drop the probe when the port is open, so no response is reported as open|filtered and a RST as closed. In nmap, the -sM option is used to perform this scan. 
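As an added example, not code from the original post: the exact 20-byte TCP headers that the probe types above put on the wire, built in Python with a correct checksum over the IPv4 pseudo-header. The addresses, ports and window size are made-up sample values; the flag bit values are those of the TCP header itself.

```python
import socket
import struct

# Added example (not from the original post): building checksummed TCP probe
# headers for each nmap scan type. Sample addresses/ports are made up.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBE_FLAGS = {
    "syn": SYN,                # -sS
    "null": 0,                 # -sN  no flag bits at all
    "fin": FIN,                # -sF
    "xmas": FIN | PSH | URG,   # -sX  exactly URG, PSH and FIN
    "maimon": FIN | ACK,       # -sM
    "ack": ACK,                # -sA / -sW
}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: str, dst_ip: str, segment_len: int) -> bytes:
    # The TCP checksum also covers this IPv4 pseudo-header: src, dst, zero, protocol, TCP length.
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))


def build_probe(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                scan: str, seq: int = 0, ack: int = 0, window: int = 1024) -> bytes:
    """Return a checksummed TCP header for the given scan type (no options, no payload)."""
    flags = PROBE_FLAGS[scan]
    data_offset = 5 << 4  # header length 5 words = 20 bytes; reserved bits zero
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset, flags, window, 0, 0)  # checksum and urgent pointer 0
    csum = (~ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(header)) + header)) & 0xFFFF
    return header[:16] + struct.pack("!H", csum) + header[18:]  # bytes 16-17 hold the checksum


def flags_of(segment: bytes) -> int:
    """Low six bits of byte 13: the classic FIN/SYN/RST/PSH/ACK/URG flags."""
    return segment[13] & 0x3F


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A receiver's check: the sum over pseudo-header plus segment (checksum included) is 0xFFFF."""
    return ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


if __name__ == "__main__":
    for name in PROBE_FLAGS:
        seg = build_probe("10.0.0.5", "10.0.0.9", 40000, 22, name)
        print(f"{name:7s} flags=0x{flags_of(seg):02x} checksum_ok={checksum_ok('10.0.0.5', '10.0.0.9', seg)}")
```

Putting such a header on the wire needs a raw socket (root or CAP_NET_RAW), and the IP header in front of it is the sender's job too, which is the privilege boundary that decides whether Nmap can run -sS, -sN, -sF, -sX or -sM or has to fall back to -sT.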

ACK Flag Probe Scan

The attacker sends TCP probe packets with the ACK flag set to the remote host and then analyses header fields (the TTL and the window field) of the RST packets that come back to decide whether a port is open or closed. A RST by itself says nothing about port state on an RFC-compliant stack, so this variant only works against the minority of systems, mostly older BSD-derived TCP/IP stacks, whose RST replies leak the state in those fields. Categories of ACK flag probe scanning include:

TTL-based ACK Flag Probe Scanning

You send ACK probe packets (several thousand) to a range of TCP ports and then compare the TTL values of the RST packets received; a port is open if the TTL value of the RST packet for that port is less than the boundary value of 64. Nmap has no TTL-based scan mode: its --ttl option only sets the IP time-to-live of the packets Nmap sends, so this comparison has to be made by hand with a packet-crafting tool that shows the TTL of each reply.

Window-Based ACK Flag Probe Scanning

You send ACK probe packets (several thousand) to a range of TCP ports and analyse the TCP window field of the RST packets received (this is the TCP window, not Microsoft Windows). This strategy is the one to use when every port returns the same TTL value. A port is open if the window value of the RST packet for that port is non-zero and closed if it is zero; stacks that do not leak state this way answer every probe with a zero window, so the scan usually reports all ports as closed on them. In nmap, the -sW option is used to perform a window scan.

The ACK flag probe scanning technique is mainly used to map the filtering rules of the target network. The attacker sends an ACK probe with a random sequence number. Receiving an RST from the target means the probe reached the host and the port is unfiltered (no stateful firewall blocks it), though it says nothing about whether the port is open; getting no response, or an ICMP unreachable error, indicates that a stateful firewall dropped the probe and the port is filtered. In nmap, the -sA option is used to perform an ACK flag probe scan. 
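As an added example, not code from the original post, serving both the inverse TCP flag section and the ACK and window scan sections above: a Python model of how Nmap classifies the reply to each probe type, run against three deliberately simplified target stacks. The "rfc793" flavour follows the rules quoted in the text, "windows" answers every non-SYN probe with RST, and "old_bsd" shows the two BSD quirks the text mentions (dropping FIN/ACK on an open port, and a non-zero window in the RST to a bare ACK). Those flavours, the port numbers and the window value 1024 are assumptions of this example, not a description of any specific product.

```python
from typing import Dict, Iterable, Optional, Tuple

# Added example (not from the original post): probe/reply rules for the scan
# types discussed, against three simplified, assumed models of a target stack.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBE_FLAGS = {"syn": SYN, "null": 0, "fin": FIN, "xmas": FIN | PSH | URG,
               "maimon": FIN | ACK, "ack": ACK, "window": ACK}

# A reply is None (silence) or (flags, window) of the TCP segment that came back.
Reply = Optional[Tuple[int, int]]


class TargetStack:
    def __init__(self, open_ports: Iterable[int], filtered_ports: Iterable[int] = (),
                 flavour: str = "rfc793"):
        self.open_ports = set(open_ports)
        self.filtered = set(filtered_ports)  # a stateful firewall drops everything to these
        self.flavour = flavour               # "rfc793", "windows" or "old_bsd" (assumed models)

    def respond(self, port: int, flags: int) -> Reply:
        if port in self.filtered or flags & RST:
            return None                      # dropped by the firewall; RSTs are never answered
        if port not in self.open_ports:
            return (RST | ACK, 0)            # closed port: RST to anything, on every stack
        if flags & SYN and not flags & ACK:
            return (SYN | ACK, 65535)        # open port: second step of the handshake
        if self.flavour == "windows":
            return (RST, 0)                  # Windows-style: RST regardless of the flags
        if flags & ACK:
            if self.flavour == "old_bsd":
                # FIN/ACK is silently dropped; a bare ACK gets a RST with a non-zero window.
                return None if flags & FIN else (RST, 1024)
            return (RST, 0)                  # RFC 793: an ACK arriving in LISTEN gets a RST
        return None                          # LISTEN discards NULL/FIN/Xmas probes


def classify(scan: str, reply: Reply) -> str:
    """Port state Nmap reports for a given scan type and reply."""
    if scan == "syn":
        if reply is None:
            return "filtered"
        return "open" if reply[0] & SYN else "closed"
    if scan in ("null", "fin", "xmas", "maimon"):
        return "closed" if reply is not None else "open|filtered"
    if scan == "ack":
        return "unfiltered" if reply is not None else "filtered"
    if scan == "window":
        if reply is None:
            return "filtered"
        return "open" if reply[1] > 0 else "closed"
    raise ValueError(f"unknown scan type {scan!r}")


def scan(target: TargetStack, scan_type: str, ports: Iterable[int]) -> Dict[int, str]:
    """Send one probe of the given type per port and classify each reply."""
    return {p: classify(scan_type, target.respond(p, PROBE_FLAGS[scan_type])) for p in ports}


if __name__ == "__main__":
    ports = [22, 23, 80]  # 22 open, 23 closed, 80 behind a dropping firewall (sample data)
    for flavour in ("rfc793", "windows", "old_bsd"):
        target = TargetStack(open_ports=[22], filtered_ports=[80], flavour=flavour)
        for scan_type in PROBE_FLAGS:
            print(f"{flavour:8s} {scan_type:7s} {scan(target, scan_type, ports)}")
```

Two things the table of results makes visible that the prose only states: the FIN/NULL/Xmas scans cannot tell an open port from a firewalled one (both are silent), and on the Windows-style stack they report every port closed, while the SYN scan still works there.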

IDLE/IPID Header Scan

Every IP packet carries a 16-bit identification field (IPID) used for fragment reassembly. Many operating systems simply increment a single global IPID counter for each packet they send, so probing a host's IPID twice tells an attacker how many packets that host sent between the two probes. An idle scan uses such a host, the zombie, to scan the target without ever sending a packet to the target from the attacker's own address: 
1. To learn the zombie's current IPID, send it a SYN/ACK packet.
2. The zombie has no connection matching the unsolicited SYN/ACK, so it replies with an RST. Read the IPID from that RST packet.
3. Send a SYN packet to the target port with the source address forged to be the zombie's IP address.
4. If the port is open, the target replies with SYN/ACK to the zombie, and the zombie, again seeing an unsolicited SYN/ACK, sends an RST back to the target, which increments its IPID. 
5. If the port is closed, the target sends an RST to the zombie, and the zombie ignores it and sends nothing, so its IPID does not change. A filtered port that drops the SYN produces the same silence, so closed and filtered ports are indistinguishable. 
6. Probe the zombie's IPID once more. An increase of 2 (the RST to the target plus the RST to this probe) indicates an open port; an increase of 1 indicates a closed or filtered port. The zombie must be genuinely idle and use a sequential global IPID for this to work; any other traffic it sends skews the count. In nmap, the -sI zombie option is used to perform this scan, usually together with -Pn so that Nmap's own host-discovery probes do not reveal the attacker's address.
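As an added example, not code from the original post: a Python simulation of the six-step exchange above with all three parties modelled, so the IPID arithmetic can be checked without a network. The addresses, ports and starting IPID are made-up values, and the zombie is assumed to use one global, sequential IPID counter. The optional background_packets parameter goes beyond the text and shows what happens when the zombie is not actually idle.

```python
from typing import Dict, Iterable, Optional, Tuple

# Added example (not from the original post): an idle scan simulated end to
# end. Addresses, ports and the starting IPID are made-up sample values.

SYN, RST, ACK = 0x02, 0x04, 0x10
ATTACKER_IP = "203.0.113.7"   # never appears in anything the target receives


class Zombie:
    """An idle host whose IP stack increments one global IPID per packet sent (assumed)."""

    def __init__(self, ip: str, ipid_start: int = 31000):
        self.ip = ip
        self.ipid = ipid_start

    def send(self) -> int:
        """Any packet the zombie sends, for whatever reason, bumps the 16-bit counter."""
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def receive(self, flags: int) -> Optional[int]:
        """An unsolicited SYN/ACK draws a RST (returned as the IPID it carries); a RST is ignored."""
        if flags & RST:
            return None
        return self.send()


class Target:
    def __init__(self, ip: str, open_ports: Iterable[int], filtered_ports: Iterable[int] = ()):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.filtered = set(filtered_ports)

    def receive(self, src_ip: str, port: int, flags: int) -> Optional[Tuple[str, int]]:
        """Reply as (destination, flags); it goes to the probe's *source address*, whoever that is."""
        if port in self.filtered:
            return None                   # a firewall drops the SYN: no reply at all
        if port in self.open_ports:
            return (src_ip, SYN | ACK)
        return (src_ip, RST)


def probe_zombie_ipid(zombie: Zombie) -> int:
    """Steps 1-2 (and 6): a SYN/ACK from the attacker draws a RST carrying the current IPID."""
    ipid = zombie.receive(SYN | ACK)
    assert ipid is not None
    return ipid


def idle_scan(zombie: Zombie, target: Target, ports: Iterable[int],
              background_packets: int = 0) -> Dict[int, str]:
    results: Dict[int, str] = {}
    for port in ports:
        before = probe_zombie_ipid(zombie)
        # Step 3: SYN to the target with the zombie's address forged as the source.
        reply = target.receive(zombie.ip, port, SYN)
        # Steps 4-5: the reply lands on the zombie. SYN/ACK draws a RST (IPID +1); RST draws nothing.
        if reply is not None:
            dst, flags = reply
            assert dst == zombie.ip       # the target never learns ATTACKER_IP
            zombie.receive(flags)
        for _ in range(background_packets):
            zombie.send()                 # a not-so-idle zombie talking to someone else
        after = probe_zombie_ipid(zombie)
        delta = (after - before) & 0xFFFF  # survives the 16-bit wrap-around
        if delta == 2:
            results[port] = "open"
        elif delta == 1:
            results[port] = "closed|filtered"
        else:
            results[port] = f"unknown (ipid +{delta}, zombie not idle)"
    return results


if __name__ == "__main__":
    zombie = Zombie("198.51.100.20")
    target = Target("192.0.2.10", open_ports=[22], filtered_ports=[80])
    print(idle_scan(zombie, target, [22, 23, 80]))
    # {22: 'open', 23: 'closed|filtered', 80: 'closed|filtered'}
    print(idle_scan(zombie, target, [22], background_packets=3))
```

The "unknown" branch is why Nmap probes a candidate zombie's IPID behaviour before using it and retries ports whose delta is neither 1 nor 2: a busy zombie, or one with per-connection or randomised IPIDs, makes the count meaningless.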
