Scanning - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

Scanning

Description:

Typically accomplished with port scanning' ... UDP Scan. TCP Connect. Goes through the full connect (3-way handshake) process ... TCP FIN Scan. Sends a FIN packet ... – PowerPoint PPT presentation

Number of Views:145
Avg rating:3.0/5.0
Slides: 18
Provided by: johnmc1
Category:
Tags: scan | scanning

less

Transcript and Presenter's Notes

Title: Scanning


1
Scanning
  • TSM 352

2
What is Scanning?
  • Footprinting casing the joint
  • Scanning knocking on the walls to find doors
    and windows

3
Determining if the System is Alive
  • Typically known as a ping sweep
  • Traditionally uses ICMP ECHO (type 8) packets to
    invoke ICMP ECHO_REPLY (Type 0)
  • This technique is acceptable for a small number
    of systems, but is quite inefficient for larger
    enterprises.
  • Number of tools available, with differing
    capabilities
  • Wait for response before moving to next IP
  • Resolving Hostnames (uses reverse DNS)
  • Resolve hostnames (NetBIOS names)
  • Provides probing techniques other than ICMP UDP
    or TCP for example. This is actually getting into
    port scanning. Any UDP or TCP packet must
    specify a port. However, the port does not need
    to be one that is open. In fact, for identifying
    live systems, the port chosen in such a probe
    is one that is assumed to not be open.
  • The whole idea behind a port probe used to
    identify a machine that is alive, is that the
    machine will return an ICMP Port Unreachable
    message. This will indicate that it is up and
    running.

4
When ICMP is Blocked
  • More and more organizations are blocking incoming
    ICMP traffic (at least echo requests).
  • When this is the case, UDP/TCP sweeping is the
    next choice. The idea is that the firewall will
    have to allow some packets from the outside to
    come through. TCP packets are normally only
    allowed if they are part of an ongoing connection
    established from the inside (ie they will have
    the ACK flag set). However, UDP packets are not
    part of a session and often represent an answer
    to a single query that originated from inside the
    network. An example of this is a packet from a
    DNS server usually returning to a high-order port
    number.
  • Another technique used to slip packets through is
    fragmentation. In many cases, simple access
    control devices are not sophisticated enough (or
    the administrator is not) to handle fragmented
    packets correctly.
  • There are other ICMP messages that invoke a
    response other than ICMP Echo requests. ICMP
    Timestamp request and ICMP Info request are two
    examples. There are utilities (notably
    icmpenum), that allow the user to fashion such
    packets. Often the firewall/router admin will
    specifically disallow ICMP Echo requests, but may
    not even know about these two other
    possibilities.

5
Ping Sweep Countermeasures
  • Important to detect this activity when it happens
    use IDS programs, such as Snort
  • Linux OSs can be set up to detect such activity
  • Windows host-based ping detection tools are
    difficult to come by.
  • Prevention
  • Carefully evaluate the type of ICMP traffic you
    allow into your networks or specific systems
  • Some must be allowed such as host unreachable,
    time-exceeded, etc.
  • Watch for outgoing ping sweeps as well have a
    policy that discourages such activity

6
Other ICMP Queries
  • ICMP Timestamp request to determine time zone
    of host
  • ICMP Address Mask Request to get subnet mask
  • Tool icmpquery

7
Determining which Services are Running/Listening
  • Typically accomplished with port scanning
  • Identifying listening ports is critical to
    determining the type of OS and apps in use
  • Process of connecting to TCP and/or UDP ports
  • Numerous tools and techniques that have evolved
    over the last few years.
  • Objectives
  • ID both the TCP and UDP services running
  • ID the type of OS
  • ID specific applications or versions

8
Scan Types
  • TCP Connect
  • TCP SYN
  • TCP FIN
  • TCP Xmas Tree
  • TCP Null
  • TCP ACK
  • UDP Scan

9
TCP Connect
  • Goes through the full connect (3-way handshake)
    process
  • Then closes the connection with a standard FIN
    process
  • May close with a RST
  • Least likely to set off an alarm, but most likely
    to be logged

10
TCP SYN
  • Also called half-open scanning
  • Full TCP connection is not completed
  • If SYN/ACK is received, machine is assumed to
    have that port open
  • If RST/ACK is received, usually indicates the
    port is not listening, but the machine is alive
  • An RST/ACK will be sent to close the connection
  • Least likely to be logged, but often sets off an
    alarm on IDSs

11
TCP FIN Scan
  • Sends a FIN packet
  • Based on RFC 793 the target should send back an
    RST for all closed ports.
  • Windows does not follow this they simply ignore
    the packet
  • UNIX/Linux follows the RFC

12
TCP Xmas Tree Scan
  • Sends a FIN, URG, and PUSH packet
  • RFC 793 says the target should send back RST for
    all closed ports

13
TCP Null Scan
  • Turns off all flags.
  • RFC 793 says an RST should be returned

14
TCP ACK Scan
  • Sends only an ACK packet
  • Typically used to map out firewall rulesets.
  • It can determine if the firewall is a simple
    packet filter allowing only established
    connections, or a stateful firewall, performing
    advanced packet filtering.

15
UDP Scan
  • Sends a UDP packet
  • If target responds with ICMP port unreachable,
    the port is closed
  • If no ICMP Port Unreachable is received, we can
    deduce that the port is open
  • Accuracy of this technique is highly dependent on
    many factors, however
  • UDP scanning is very slow.
  • In general, UDP scanning provides unreliable
    results

16
Identifying Services Running
  • Most of your port scanners will report a service
    running depending solely on the port that was
    found open. This is pure conjecture, but true in
    most cases.
  • A program like telnet or netcat can be used to
    probe further, once the open ports are found.

17
Some Scanners Compared
Write a Comment
User Comments (0)
About PowerShow.com