hands-on ethical hacking and network defense second edition chapter 5 port scanning
Hands-On Ethical Hacking and Network Defense
Second Edition
Chapter 5 Port Scanning
Objectives
• After reading this chapter and completing the exercises, you will be able to:
– Describe port scanning and types of port scans
– Describe port-scanning tools
– Explain what ping sweeps are used for
– Explain how shell scripting is used to automate security tasks
Hands-On Ethical Hacking and Network Defense, Second Edition 2
Introduction to Port Scanning
• Port scanning
– Finds which services are offered by a host
– Identifies vulnerabilities
• Open services can be used in attacks
– Identify vulnerable port and launch exploit
• Scans all ports when testing
– Not just well-known ports
Figure 5-1 The AW Security Port Scanner interface
Introduction to Port Scanning (cont’d.)
• Port scanning programs report:
– Open ports
– Closed ports
– Filtered ports
– Best-guess running OS
Types of Port Scans
• SYN scan
– Stealthy scan
• Connect scan
– Completes three-way handshake
• NULL scan
– Packet flags are turned off
• XMAS scan
– FIN, PSH and URG flags are set
Types of Port Scans (cont’d.)
• ACK scan
– Used to get past firewall
• FIN scan
– Closed port responds with an RST packet
• UDP scan
– Closed port responds with ICMP “Port Unreachable” message
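Added here as a defender-side illustration of the scan types listed above (not code from the textbook): a POSIX shell script that classifies the TCP flag field of constructed firewall log lines into the probe types above and reports sources that touched many distinct ports. The log format and the addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the textbook. Classifies the TCP flag field
# of constructed firewall log lines into the probe types described above and
# reports sources that touched many distinct ports. Log format is assumed.

# Normalise a flag string so that "PFU" and "FPU" compare equal.
norm_flags() {
    printf '%s' "$1" | fold -w 1 | sort | tr -d '\n'
}

# Map a flag string to a scan type. "-" (or empty) means no flags set.
# Caveat: a SYN scan and a connect scan look identical in their first
# packet; only whether the handshake completes tells them apart.
classify_flags() {
    case "x$(norm_flags "$1")" in     # "x" prefix avoids an empty pattern
        x|x-) echo "NULL" ;;   # NULL scan: all flags off
        xFPU) echo "XMAS" ;;   # XMAS scan: FIN, PSH and URG set
        xF)   echo "FIN" ;;    # FIN scan
        xA)   echo "ACK" ;;    # ACK scan: probing firewall rules
        xS)   echo "SYN" ;;    # SYN scan (or start of a connect scan)
        *)    echo "OTHER" ;;  # replies and ordinary traffic
    esac
}

# Constructed sample log (RFC 5737 documentation addresses), one packet per line.
SAMPLE_LOG='src=203.0.113.5 dport=22 flags=S
src=203.0.113.5 dport=80 flags=S
src=203.0.113.5 dport=443 flags=PFU
src=203.0.113.5 dport=3389 flags=-
src=198.51.100.7 dport=80 flags=S
src=198.51.100.7 dport=80 flags=A'

# Read log lines on stdin; print "src ports=N types=..." for every source
# that probed at least $1 distinct destination ports.
scan_report() {
    while read -r line; do
        src=${line#*src=};     src=${src%% *}
        port=${line#*dport=};  port=${port%% *}
        flags=${line#*flags=}; flags=${flags%% *}
        echo "$src $port $(classify_flags "$flags")"
    done | awk -v min="$1" '
        !(($1, $2) in seen)  { seen[$1, $2] = 1; ports[$1]++ }
        !(($1, $3) in tseen) { tseen[$1, $3] = 1; types[$1] = (types[$1] == "" ? $3 : types[$1] "," $3) }
        END { for (s in ports) if (ports[s] >= min)
                  print s, "ports=" ports[s], "types=" types[s] }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | scan_report 3
```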
Using Port-Scanning Tools
• Port-scanning tools
– Hundreds available
– Not all are accurate
• Be familiar with a variety
• Practice often
• Some tools include:
– Nmap
– Unicornscan
– Nessus and OpenVAS
Nmap
• Originally written for Phrack magazine
– One of the most popular tools
– New features frequently added
• GUI front end
– Zenmap
• Standard tool for security professionals
– Command: nmap 193.145.85.201
• Scans every port on the computer with this IP address
Figure 5-2 The Nmap help screen
Unicornscan
• Developed to assist with large network tests
– Ideal for large-scale endeavors
– Scans 65,535 ports in three to seven seconds
• Handles port scanning using:
– TCP
– ICMP
– IP
• Optimizes UDP scanning
Nessus and OpenVAS
• Nessus
– First released in 1998
– No longer under GPL license
• Still available for download
• OpenVAS
– Open-source fork of Nessus
– Performs complex queries while client interfaces with server
– Capable of updating security check plug-ins
• Security test programs (scripts)
Figure 5-3 OpenVAS with a safe checks warning
Figure 5-4 OpenVAS discovers a vulnerability
Conducting Ping Sweeps
• Ping sweeps
– Identify which IP addresses belong to active hosts
• Ping a range of IP addresses
• Problems
– Shut-down computers cannot respond
– Networks may be configured to block ICMP Echo Requests
– Firewalls may filter out ICMP traffic
FPing
• Ping multiple IP addresses simultaneously
• Accepts a range of IP addresses
– Entered at a command prompt
– File containing multiple IP addresses
• Input file
– Usually created with a shell-scripting language
Figure 5-5 Fping parameters
Figure 5-6 Results of an Fping command
Hping
• Used to:
– Perform ping sweeps
– Bypass filtering devices
• Allows users to inject modified IP packets
• Powerful tool
– All security testers must be familiar with the tool
– Supports many parameters
Figure 5-7 Hping help, page 1
Figure 5-8 Hping help, page 2
Figure 5-9 Hping help, page 3
Crafting IP Packets
• Packet components
– Source IP address
– Destination IP address
– Flags
• Helps obtain information about a service
• Tools:
– Hping
– Fping
Understanding Scripting
• Modify tools to better suit your needs
• Customized scripts
– Automate tasks
– Time saving
– Require basic programming skills
Scripting Basics
• Similar to DOS batch programming
• Script or batch file
– Text file
– Contains multiple commands
• Repetitive commands
– Good candidate for scripting
• Practice is the key
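A worked script tying these scripting slides to the Fping slide earlier, which says the input file is usually produced with a shell script: it expands a CIDR prefix into one host address per line using only POSIX shell arithmetic. This is an added example, not the textbook's Figure 5-10 script; the prefix used at the bottom is an assumption.

```shell
#!/bin/sh
# Added example, not the textbook's Figure 5-10 script: expand a CIDR prefix
# into one host address per line, the form fping reads from an input file
# (its -f option). Uses only POSIX shell arithmetic, no external tools.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the usable host addresses of a.b.c.d/N; the network and broadcast
# addresses are skipped, and prefixes longer than /30 have no hosts to print.
cidr_hosts() {
    net=${1%/*}
    bits=${1#*/}
    case "x$bits" in                       # must be a non-empty run of digits
        x|x*[!0-9]*) echo "usage: cidr_hosts a.b.c.d/N" >&2; return 1 ;;
    esac
    if [ "$bits" -gt 30 ]; then
        echo "cidr_hosts: /$bits has no usable host addresses" >&2; return 1
    fi
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    base=$(( $(ip2int "$net") & mask ))    # network address
    last=$(( base | (~mask & 0xFFFFFFFF) )) # broadcast address
    i=$((base + 1))
    while [ "$i" -lt "$last" ]; do
        int2ip "$i"
        i=$((i + 1))
    done
}

# Assumed prefix (RFC 5737 documentation range); redirect to a file for fping.
cidr_hosts 192.0.2.0/28
```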
Table 5-1 Summary of vi commands
Figure 5-10 A shell script
Summary
• Port scanning (i.e., service scanning)
– Scanning a range of IP addresses
– Determines running services
• Port scan types
– SYN
– ACK
– FIN
Summary (cont’d.)
• Port scanning tools
– Nmap
– Nessus
– OpenVAS
– Unicornscan
• Ping sweeps
– Determine which computers are “live”
• Scripts
– Automate time-consuming tasks