Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning


Page 1: Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning

Hands-On Ethical Hacking and Network Defense

Second Edition

Chapter 5: Port Scanning

Page 2: Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning

Objectives

• After reading this chapter and completing the exercises, you will be able to:
– Describe port scanning and types of port scans
– Describe port-scanning tools
– Explain what ping sweeps are used for
– Explain how shell scripting is used to automate security tasks

Hands-On Ethical Hacking and Network Defense, Second Edition 2

Page 3

Introduction to Port Scanning

• Port scanning
– Finds which services a host offers (which TCP and UDP ports are listening)
– Is the first step toward identifying vulnerabilities: an open port tells you which service, and often which version, to investigate

• Open services are what attacks are launched against
– Identify a vulnerable service on an open port, then launch the exploit

• Scan all ports when testing, not just the well-known ports (0-1023)
– Services are routinely run on high ports, and most scanners (Nmap included) default to a subset of common ports, so request the full range explicitly

Page 4

Figure 5-1 The AW Security Port Scanner interface

Page 5

Introduction to Port Scanning (cont’d.)

• Port-scanning programs report:
– Open ports: a service accepted or acknowledged the probe
– Closed ports: the host answered (TCP RST or ICMP Port Unreachable) but nothing is listening
– Filtered ports: no answer, or an ICMP unreachable from a filtering device, so the scanner cannot tell whether the port is open (Nmap also uses "unfiltered" and "open|filtered" when a scan type cannot distinguish the cases)
– Best-guess running OS, inferred from details of how the host's TCP/IP stack responds

Page 6

Types of Port Scans

• SYN scan
– "Half-open" scan: sends SYN, reads the reply (SYN/ACK means open, RST means closed), then tears the attempt down with RST instead of completing the handshake
– Called stealthy because no connection is ever established, so the application never sees or logs it; an IDS or firewall still detects it easily, and it needs raw-socket (root) privileges

• Connect scan
– Completes the three-way handshake using the operating system's connect() call
– Works without privileges, but every connection shows up in the service's logs

• NULL scan
– All TCP flags are turned off

• XMAS scan
– FIN, PSH and URG flags are set
– NULL, XMAS and FIN scans depend on RFC 793 behaviour: a closed port answers with RST, an open port silently drops the packet; Windows and some network devices send RST in both cases, so against them these scans report every port closed

Page 7

Types of Port Scans (cont’d.)

• ACK scan
– Sends only an ACK; does not find open ports but maps firewall rules
– RST reply means the port is unfiltered (a stateless filter let the ACK through); no reply or an ICMP unreachable means filtered (a stateful firewall dropped the packet because it belongs to no connection)

• FIN scan
– Closed port responds with an RST packet; an open port sends nothing, so the result is reported as "open|filtered"

• UDP scan
– Closed port responds with an ICMP "Port Unreachable" message (type 3, code 3)
– Open port usually sends nothing unless the probe matches its protocol, so silence is reported as "open|filtered"
– Slow: most hosts rate-limit ICMP errors (Linux defaults to about one per second), so a full UDP scan of one host can take hours
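The two scan types that need no special privileges, the TCP connect scan and the UDP probe, can be written with ordinary sockets. The following is an added example, not code from the textbook: it maps the outcome of connect() to the port states above and treats the kernel's ECONNREFUSED on a connected UDP socket as the ICMP Port Unreachable that marks a closed UDP port. SYN, NULL, FIN, XMAS and ACK probes need raw sockets and are not shown here. The listeners at the bottom are local fixtures so the example runs offline against 127.0.0.1.

```python
"""TCP connect and UDP probe scanner with Nmap-style port states.

Added example (not from the textbook). It runs unprivileged because it uses
ordinary sockets: a connect scan completes the three-way handshake, and a
UDP probe relies on the kernel reporting ICMP Port Unreachable as an error.
"""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port from the outcome of connect()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))          # SYN -> SYN/ACK -> ACK completed
        return "open"
    except socket.timeout:
        return "filtered"                # neither SYN/ACK nor RST: the probe was dropped
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "closed"              # RST came back: host reachable, nothing listening
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"            # ICMP unreachable: Nmap reports this as filtered too
        raise
    finally:
        s.close()


def udp_probe(host: str, port: int, payload: bytes = b"\x00", timeout: float = 1.0) -> str:
    """Classify one UDP port. Silence is ambiguous, exactly as with nmap -sU."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))          # "connected" UDP socket so ICMP errors are delivered
        s.send(payload)
        s.recv(1024)
        return "open"                    # the service answered the probe
    except socket.timeout:
        return "open|filtered"           # no reply: listening but silent, or filtered
    except ConnectionRefusedError:
        return "closed"                  # ICMP type 3 code 3 (Port Unreachable) received
    finally:
        s.close()


def scan_tcp_ports(host: str, ports, timeout: float = 1.0, workers: int = 64) -> dict:
    """Connect-scan many ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: tcp_connect_scan(host, p, timeout), ports))
    return dict(zip(ports, states))


# --- local fixtures so the example runs offline against 127.0.0.1 ----------
def start_tcp_listener():
    """Listening TCP socket on an ephemeral port (stand-in for a real service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def start_udp_listener():
    """Bound UDP socket that never answers: the probe will time out."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """An unbound port, so a probe to it draws RST / ICMP Port Unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    tcp_srv, open_port = start_tcp_listener()
    udp_srv, udp_port = start_udp_listener()
    closed_port = free_port()
    print("tcp", scan_tcp_ports("127.0.0.1", [open_port, closed_port], timeout=0.5))
    print("udp", udp_port, udp_probe("127.0.0.1", udp_port, timeout=0.5))
    print("udp", closed_port, udp_probe("127.0.0.1", closed_port, timeout=0.5))
    tcp_srv.close()
    udp_srv.close()
```

Against a remote target the timeout is what separates "filtered" from "closed": a closed port answers within one round trip, a filtered one never answers, so set the timeout from a measured RTT rather than guessing, and expect the "open|filtered" result for most UDP ports unless you send a payload the service recognises.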

Page 8

Using Port-Scanning Tools

• Port-scanning tools
– Hundreds available
– Not all are accurate: cross-check a result that matters (an "open" port about to go in a report, a host that looks fully filtered) with a second tool or a manual probe

• Be familiar with a variety

• Practice often

• Some tools include:
– Nmap
– Unicornscan
– Nessus and OpenVAS (vulnerability scanners that build on a port scan)

Page 9

Nmap

• First published in Phrack magazine (issue 51, 1997) by Fyodor
– One of the most popular tools
– New features are added frequently

• GUI front end
– Zenmap

• Standard tool for security professionals
– Command: nmap 193.145.85.201

• By default this scans the 1,000 most common TCP ports on the computer with this IP address, not every port; add -p- (nmap -p- 193.145.85.201) to cover all 65,535 and -sU to scan UDP as well. Run as root it performs a SYN scan; unprivileged it falls back to a connect scan.
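Reading Nmap's results back into a script is the usual next step after a scan. This added example, not from the textbook or the Nmap project, parses Nmap's grepable output (-oG): one "Host:" line per target with tab-separated fields, each port entry carrying seven slash-separated fields (port/state/protocol/owner/service/rpc/version). The SAMPLE_OG text is constructed to look like the output of nmap -sV -oG - against two hosts in the 192.0.2.0/24 documentation range; the hostnames and versions are made up.

```python
"""Parse Nmap grepable output (-oG) into per-host port states.

Added example, not from the textbook or Nmap. SAMPLE_OG is constructed to
look like `nmap -sV -oG - -p 22,80,443,3306 192.0.2.10 192.0.2.11`.
"""
from dataclasses import dataclass, field

SAMPLE_OG = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: "
    "nmap -sV -oG - -p 22,80,443,3306 192.0.2.10 192.0.2.11\n"
    "Host: 192.0.2.10 (web.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, "
    "80/open/tcp//http//nginx 1.22.1/, 443/filtered/tcp//https///, 3306/closed/tcp//mysql///\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/\tIgnored State: filtered (3)\n"
    "# Nmap done at Mon Jan  1 10:00:05 2024 -- 2 IP addresses (2 hosts up) scanned in 5.12 seconds\n"
)


@dataclass
class PortResult:
    port: int
    state: str          # open / closed / filtered / unfiltered / open|filtered
    proto: str
    service: str
    version: str        # empty unless -sV identified the service banner


@dataclass
class HostResult:
    address: str
    hostname: str
    ignored: str = ""   # e.g. "filtered (3)": ports Nmap collapsed into one summary
    ports: list = field(default_factory=list)


def parse_grepable(text: str) -> dict:
    """Return {address: HostResult} for every Host: line in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # "# Nmap ..." comment lines
        fields = {}
        for chunk in line.split("\t"):                 # fields are tab-separated
            key, _, value = chunk.partition(": ")
            fields[key] = value
        addr, _, rest = fields["Host"].partition(" ")
        host = hosts.setdefault(addr, HostResult(addr, rest.strip("()")))
        host.ignored = fields.get("Ignored State", host.ignored)
        if "Ports" in fields:
            for entry in fields["Ports"].split(", "):
                port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
                host.ports.append(PortResult(int(port), state, proto, service, version.rstrip("/")))
    return hosts


def open_ports(hosts: dict) -> dict:
    """{address: [open port numbers]} for a parsed scan."""
    return {addr: [p.port for p in h.ports if p.state == "open"] for addr, h in hosts.items()}


def service_inventory(hosts: dict) -> list:
    """(address, port, service, version) for every open port: what to investigate next."""
    return [(addr, p.port, p.service, p.version)
            for addr, h in sorted(hosts.items()) for p in h.ports if p.state == "open"]


if __name__ == "__main__":
    for row in service_inventory(parse_grepable(SAMPLE_OG)):
        print(*row)
```

Note the "Ignored State" field: when most ports share one state Nmap omits them from the Ports list, so the absence of a port in the parsed result does not mean it was not scanned.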

Page 10

Figure 5-2 The Nmap help screen

Page 11

Unicornscan

• Developed to assist with large network tests
– Ideal for large-scale endeavors
– Asynchronous, stateless design with its own userland TCP/IP stack: sending and receiving are decoupled, so it can cover all 65,535 ports in three to seven seconds

• Handles port scanning using:
– TCP
– ICMP
– IP

• Optimizes UDP scanning by sending protocol-specific payloads, so open UDP services answer instead of staying silent

Page 12

Nessus and OpenVAS

• Nessus
– First released in 1998
– Closed source since version 3 (2005); no longer under the GPL license

• Still available for download

• OpenVAS
– Open-source fork of the last GPL release of Nessus
– Client/server design: the client submits scan jobs and views results while the server performs the checks
– Capable of updating its security check plug-ins

• Plug-ins are the security test programs (scripts) that probe each service found by the port scan; both tools are vulnerability scanners that port-scan first and then run plug-ins against whatever answered

Page 13

Figure 5-3 OpenVAS with a safe checks warning

Page 14

Figure 5-4 OpenVAS discovers a vulnerability

Page 15

Conducting Ping Sweeps

• Ping sweeps
– Identify which IP addresses belong to active hosts

• Ping (ICMP Echo Request) a range of IP addresses; any address that returns an Echo Reply is "live"

• Problems
– Shut-down computers cannot respond, so no reply does not prove the address is unused
– Hosts may be configured to ignore ICMP Echo Requests
– Firewalls may filter out ICMP traffic, hiding every host behind them
– Fall back to other probes (a TCP SYN to a common port, ARP on the local segment) or skip host discovery and scan every address anyway (nmap -Pn)

Page 16

FPing

• Pings multiple IP addresses in parallel instead of waiting for each reply in turn

• Accepts targets as:
– A range of IP addresses generated at the command prompt (the -g option)
– A file containing multiple IP addresses, one per line (the -f option)

• Input file
– Usually created with a shell script

Page 17

Figure 5-5 Fping parameters

Page 18

Figure 5-6 Results of an Fping command

Page 19

Hping

• Used to:
– Perform ping sweeps
– Bypass filtering devices: where ICMP is blocked, a crafted TCP SYN or ACK probe to a likely port often still draws a reply

• Allows users to craft and inject custom TCP, UDP, ICMP and raw IP packets, choosing addresses, ports, flags and payload

• Powerful tool
– All security testers should be familiar with it
– Supports many parameters; needs root privileges because it writes raw packets

Page 20

Figure 5-7 Hping help, page 1

Page 21

Figure 5-8 Hping help, page 2

Page 22

Figure 5-9 Hping help, page 3

Page 23

Crafting IP Packets

• Packet components you control when crafting
– Source IP address (can be spoofed, but replies then go to the spoofed address, not to you)
– Destination IP address
– TCP flags (SYN, ACK, FIN, PSH, URG, RST), plus source and destination ports

• Helps obtain information about a service, or about a filtering device, from how it responds to an unusual packet

• Tools:
– Hping (general packet crafting)
– Fping (ICMP Echo only: useful for sweeps, not for arbitrary packets)
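The scan types in this chapter differ only in the TCP flag bits of the probe, which is exactly the field a packet-crafting tool such as hping lets you set. The following added example (not from the textbook or from hping) builds the IPv4 and TCP headers of a probe byte by byte, including both checksums, for the SYN, ACK, FIN, NULL and XMAS cases. The flag values are the real TCP flag bits; the addresses, ports and IP identification value are made-up inputs. Only the packet bytes are produced; sending them requires a raw socket and root privileges, which is what hping does for you.

```python
"""Build the raw IPv4/TCP probe packets behind the scan types in this chapter.

Added example, not from the textbook or hping. It only builds the bytes; sending
needs socket.socket(AF_INET, SOCK_RAW, IPPROTO_TCP) as root. Flag bits are the
real TCP values; addresses, ports and the IP ident are made-up inputs.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag set each scan type puts in its probe (hping3: -S, -A, -F, no flag, -F -P -U).
SCAN_FLAGS = {
    "syn": SYN,
    "ack": ACK,
    "fin": FIN,
    "null": 0,
    "xmas": FIN | PSH | URG,
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                               # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header for protocol 6 (TCP) with the header checksum filled in."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, 6, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_tcp_header(src: str, dst: str, sport: int, dport: int, flags: int,
                     seq: int = 0, window: int = 1024) -> bytes:
    """20-byte TCP header; its checksum also covers the IPv4 pseudo-header."""
    data_offset = 5 << 4                             # 5 words, no options
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def craft_probe(scan_type: str, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Complete IPv4+TCP probe packet for one of the scan types in SCAN_FLAGS."""
    tcp = build_tcp_header(src, dst, sport, dport, SCAN_FLAGS[scan_type])
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def tcp_flags(packet: bytes) -> int:
    """Flag byte of an IPv4/TCP packet with a 20-byte IP header (offset 20 + 13)."""
    return packet[33]


def checksums_valid(packet: bytes) -> bool:
    """Receiver-side check: a correctly checksummed block sums to zero."""
    ip, tcp = packet[:20], packet[20:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    for kind in SCAN_FLAGS:
        pkt = craft_probe(kind, "192.0.2.10", "192.0.2.20", 40000, 80)
        print(f"{kind:5} flags=0x{tcp_flags(pkt):02x} {pkt.hex()}")
```

A packet with a wrong TCP checksum is silently discarded by the target's stack, so a hand-built probe that draws no reply may be "filtered" or may simply be malformed; check the checksums on your own bytes (as checksums_valid does) before interpreting silence. The equivalent hping3 invocations are hping3 -S -p 80 target for a SYN probe, -A for ACK, -F for FIN, -F -P -U for XMAS, and no flag option at all for a NULL probe.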

Page 24

Understanding Scripting

• Modify tools to better suit your needs

• Customized scripts
– Automate tasks
– Save time
– Require basic programming skills

Page 25

Scripting Basics

• Shell scripting is similar to DOS batch programming

• Script or batch file
– Text file
– Contains multiple commands, which the shell runs in order

• Repetitive commands (the same scan against every address in a list, a sweep rerun each night)
– Good candidates for scripting

• Practice is the key
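The ping-sweep and fping slides describe a pipeline that is the classic candidate for a script: expand an address range into the one-per-line target file fping -f reads, keep only the hosts fping reports alive, and hand just those to nmap. The following is an added example of that automation, written in Python rather than the shell script the textbook shows (it is not the book's script). It calls fping only if the binary is installed; otherwise SAMPLE_FPING_OUTPUT, a constructed imitation of fping's "is alive" / "is unreachable" lines, stands in so the parsing runs offline. All addresses are from the 192.0.2.0/24 documentation range.

```python
"""Ping-sweep automation: expand a target range, feed it to fping, keep the
live hosts, and build the nmap command for them.

Added example, not the textbook's shell script. fping runs only if installed;
otherwise the constructed SAMPLE_FPING_OUTPUT stands in for its output.
"""
import ipaddress
import re
import shutil
import subprocess
from typing import Iterable, List, Optional


def expand_targets(spec: str) -> List[str]:
    """'192.0.2.0/29' -> usable host addresses; '192.0.2.1-192.0.2.5' -> inclusive range."""
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {spec}")
        return [str(ipaddress.IPv4Address(a)) for a in range(int(first), int(last) + 1)]
    net = ipaddress.IPv4Network(spec, strict=False)
    return [str(h) for h in net.hosts()]       # skips network and broadcast addresses


def write_target_file(path: str, targets: Iterable[str]) -> None:
    """One address per line, the format fping -f expects."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(targets) + "\n")


# fping prints "<host> is alive" or "<host> is unreachable" per target; other
# lines (e.g. "ICMP Host Unreachable from ...") are diagnostics and are skipped.
FPING_RESULT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) is (alive|unreachable)\s*$")

# Constructed sample of fping output, used when fping is not installed.
SAMPLE_FPING_OUTPUT = """\
192.0.2.1 is alive
192.0.2.2 is unreachable
192.0.2.3 is alive
ICMP Host Unreachable from 192.0.2.254 for ICMP Echo sent to 192.0.2.4
192.0.2.4 is unreachable
192.0.2.5 is alive
"""


def parse_fping(output: str) -> List[str]:
    """Addresses fping reported alive, in the order they appeared."""
    live = []
    for line in output.splitlines():
        m = FPING_RESULT.match(line)
        if m and m.group(2) == "alive":
            live.append(m.group(1))
    return live


def run_fping(target_file: str) -> Optional[str]:
    """Run fping -f on the target file; None if fping is not installed."""
    if shutil.which("fping") is None:
        return None
    proc = subprocess.run(["fping", "-f", target_file], capture_output=True, text=True)
    return proc.stdout + proc.stderr           # exit status 1 only means some hosts were down


def nmap_command(live_hosts: List[str]) -> List[str]:
    """Full TCP port scan (SYN scan, all 65,535 ports) of only the hosts that answered."""
    return ["nmap", "-sS", "-p-", *live_hosts]


def sweep(spec: str, target_file: str) -> List[str]:
    """Expand the range, write the file, ping it, and return the live hosts."""
    write_target_file(target_file, expand_targets(spec))
    output = run_fping(target_file)
    if output is None:
        output = SAMPLE_FPING_OUTPUT           # offline fallback (constructed data)
    return parse_fping(output)


if __name__ == "__main__":
    live = sweep("192.0.2.0/29", "targets.txt")
    print("live hosts:", live)
    print("next step:", " ".join(nmap_command(live)))
```

Because a host that ignores ICMP is reported "unreachable" and silently dropped from the nmap run, a real engagement would also feed the unreachable addresses to a TCP-based discovery (nmap -Pn, or a SYN sweep of a few common ports) before concluding they are unused; the parser above keeps that list available by simply inverting the alive test.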

Page 26

Table 5-1 Summary of vi commands

Page 27

Figure 5-10 A shell script

Page 28

Summary

• Port scanning (i.e., service scanning)
– Scanning a range of IP addresses
– Determines which services are running on each host

• Port scan types
– SYN, connect, NULL, XMAS, ACK, FIN, UDP

Page 29

Summary (cont’d.)

• Port-scanning tools
– Nmap
– Nessus
– OpenVAS
– Unicornscan

• Ping sweeps
– Determine which computers are "live"

• Scripts
– Automate time-consuming tasks
