Port Scanning

Prabhaker Mateti

Abstract:  This lecture introduces the techniques of port scanning that an attacker may use to discover vulnerable services on an Internet host.  We also describe a lab experiment based on the  port scanning audit tool nmap.

PowerPoint Slides for this lecture | This article is part of Internet Security Lectures
   

Table of Contents

  1. Educational Objectives
  2. Port Scanning
    1. Port Scanning Terms
    2. Bounce scan
    3. Stealth scan
    4. SOCKS port probe
    5. Fingerprinting an OS
    6. Port Scanning Tools
    7. Port Scan Detection Tools
  3. Lab Experiment
  4. Acknowledgements
  5. References

Educational Objectives

  1. Introduce the techniques of port scanning.
  2. Use port scanning audit tools such as nmap.
  3. Use port scan detector tools

Port Scanning

All machines connected to a LAN or to the Internet run many services that listen at certain ports.  A service is a program that waits inside a loop for a request message from a client, and acts on the request.  Port scanning discovers which ports are open, i.e., being listened to by a service.  Essentially, a port scan sends a message to each port, one at a time, and examines the response received (or the absence of one).  A port that is in use can then be probed further for weaknesses.

Port scanning is one of the most popular reconnaissance techniques attackers use.  The various scanning techniques are summarized in the paper by Fyodor (see References).  A full understanding of them depends on understanding IP filtering and other firewall techniques, so re-read this chapter after studying those.

Port Scanning Terms

Port scanning usually, but not always, means scanning for TCP ports, which are connection-oriented and therefore give good feedback to the attacker.

Port Numbers: Both UDP and TCP carry source and destination port numbers in their headers; the source and destination IP addresses are carried by the underlying IP datagram.  Port numbers are an abstraction maintained by the transport layer of the operating system in accordance with the TCP/IP standards.  They are 16-bit unsigned numbers, divided into three ranges: the Well Known Ports (0 through 1023), the Registered Ports (1024 through 49151), and the Dynamic and/or Private Ports (49152 through 65535).  The authoritative list is at http://www.iana.org/assignments/port-numbers; the file typically stored as /etc/services is a subset of it.  A list of port numbers used by Trojan programs is at http://www.doshelp.com/trojanports.htm .

Sockets: A socket is an abstraction, similar to a file descriptor, constructed by socket().  A socket so constructed is bound to an IP address and port number via the bind() call.  A server program then waits for a connection via listen(), and accept()s a connection.  A socket is said to be active after the server has accepted a connection; it is connected to a remote active socket via an open data connection.  Closing the connection destroys the active sockets at both endpoints.  A passive socket is not connected, but rather awaits an incoming connection in listen(); each accepted connection spawns a new active socket.  A socket is not a port, though there is a close relationship between them: each port can have a single passive socket awaiting incoming connections, and multiple active sockets, each corresponding to an open connection on the port.  Servers use bind(), listen(), and accept(); a client uses connect().  read() and write() are used by both clients and servers.

Open Port: A service process is listening at the port.  A port is opened by the operating system at the request of a specific process.  The OS receives packets arriving at this port and gives the messages to the service process.  If the OS receives a SYN at an open port, it answers with SYN/ACK, the second packet of the three-way handshake; the service process is only told about the connection once the handshake completes.

Closed Port: No process is listening at the port.  If the OS receives a SYN at a closed port, it sends back an RST.

Filtered Port: A packet filter (a firewall on the host, or on the path to it) drops or rejects probes to the port before the host's TCP/IP stack can answer them.  The scanner typically sees no reply at all, or an ICMP unreachable error, and cannot tell whether a service is listening behind the filter.

Strobe:  A strobe is a narrow scan, only looking for those services the attacker knows how to exploit. The name comes from one of the original TCP scanning programs, though now virtually all scanning tools include this feature.

Fragmented packets: This stealth approach splits the TCP header across several small IP fragments.  Some packet filter firewalls let these through because no single fragment contains a complete TCP header that can be matched against their filtering rules; the target's IP layer reassembles the fragments, so the TCP stack still sees the whole probe.

UDP scan: Finds open UDP ports.  The source port of UDP is an optional field.  When meaningful, it indicates the port of the sending process; if it is not meaningful, a value of zero is used.  UDP responds in a different manner from TCP.  To find UDP ports, the attacker generally sends empty UDP datagrams to the port.  If a service is listening, it will send back a reply or an error message, or simply ignore the datagram.  If the port is closed, the operating system sends back an "ICMP Port Unreachable" message.  Silence therefore means "open or filtered", not "open", and because many operating systems rate-limit the ICMP errors they send, a UDP scan of many ports is much slower than a TCP scan.
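The open, closed and filtered states defined above, and the UDP behaviour just described, can be observed without crafting any packets: the operating system reports the outcome of the SYN (or of the empty UDP datagram) through the ordinary socket calls as a success, a "connection refused" error, or a timeout.  The following script is an added example written for this lecture; it is not code from nmap or from the original page.  It assumes a POSIX socket layer where an ICMP port unreachable is delivered as ECONNREFUSED on a connected UDP socket (Linux and BSD behaviour), and its built-in demonstration only probes ports it has itself bound on 127.0.0.1, so the results are known in advance.

```python
"""TCP connect() and UDP probes that classify a port as open, closed or
filtered from what the operating system reports.  Added example for this
lecture (not nmap code).  No raw sockets, so no root privileges needed."""
import errno
import socket
from typing import Optional


def classify_tcp_result(err: Optional[BaseException]) -> str:
    """Map the outcome of connect() onto the port states defined in the text."""
    if err is None:
        return "open"                       # SYN/ACK came back: handshake completed
    if isinstance(err, socket.timeout):
        return "filtered"                   # SYN (or the reply) was silently dropped
    code = getattr(err, "errno", None)
    if code == errno.ECONNREFUSED:
        return "closed"                     # the target's stack answered our SYN with RST
    if code in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"                   # ICMP unreachable, usually from a filter
    return "error"                          # anything else (no route, no permission, ...)


def tcp_connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Full three-way handshake probe; the service sees (and may log) the connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as e:
            return classify_tcp_result(e)
        return classify_tcp_result(None)    # leaving the block closes the socket (FIN)


def udp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Send an empty datagram; silence is 'open|filtered', ICMP unreachable is 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # For UDP, connect() only records the peer; it also makes the kernel
        # report a later ICMP port-unreachable to us as ECONNREFUSED.
        s.connect((host, port))
        s.send(b"")
        try:
            s.recv(1024)
            return "open"                   # the service answered the empty datagram
        except socket.timeout:
            return "open|filtered"          # a listener that ignored us, or a filter
        except ConnectionRefusedError:
            return "closed"                 # ICMP port unreachable came back


def scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Connect-scan a list of TCP ports, returning {port: state}."""
    return {p: tcp_connect_probe(host, p, timeout) for p in ports}


def demo_loopback() -> dict:
    """Probe ports on 127.0.0.1 whose state we control, so the result is known.
    The ports are chosen by the kernel (bind to port 0), not hard-coded."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(5)
    tcp_port = tcp.getsockname()[1]
    result = {"tcp_listening": tcp_connect_probe("127.0.0.1", tcp_port)}
    tcp.close()                             # nobody listens any more: a SYN now draws RST
    result["tcp_released"] = tcp_connect_probe("127.0.0.1", tcp_port)

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    udp_port = udp.getsockname()[1]
    result["udp_bound"] = udp_probe("127.0.0.1", udp_port, timeout=0.3)
    udp.close()
    result["udp_released"] = udp_probe("127.0.0.1", udp_port, timeout=0.3)
    return result


if __name__ == "__main__":
    for name, state in demo_loopback().items():
        print(f"{name:14s} {state}")
```

Note what the bound UDP port shows: a listening UDP service that ignores an empty datagram is indistinguishable from a filter, which is exactly why nmap reports such ports as open|filtered.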

Sweep: Connects to one port on many machines.

Bounce scan

The ability to hide their tracks is important to attackers. Therefore, attackers scour the Internet looking for systems B they can bounce their attacks through. Here are some examples.

finger
Most finger servers allow commands to be forwarded through them. Finger supports recursive queries. A query such as "rob@foo@bar" will ask machine "bar" to resolve "rob@foo", causing "bar" to query "foo".
e-mail
Spammers try to relay their spam through SMTP servers.
FTP

When a file is requested from an FTP server S in active mode, the client process tells the server, with the PORT command, the IP address and port number of the recipient of that file.  This should be the address of the client machine C, and the port that the client has prepared to receive the file.  But the IP address can be that of any system, say B, on the Internet.  From the perspective of the FTP server this is an ordinary file download request, but the receiver B may interpret the file's contents as commands of some other protocol.  For example, a spammer can first upload to the FTP server a file containing SMTP commands and e-mail messages, then cause the FTP server to deliver that file to an SMTP server, which forwards the messages to the recipients.

FTP bounce scanning takes advantage of the same weakness: an FTP server that honors a PORT command naming a third party will try to open a data connection to that party on the given port.  Whether the connection succeeded is revealed by the server's reply to the transfer command that follows, so the FTP server effectively scans B and reports the results.  The target B only ever sees connections from the FTP server, which hides the attacker's address, an effect similar to IP spoofing.  nmap implements this as its -b option.

SOCKS
Allows almost any protocol to be tunneled through the intermediate machine.
HTTP proxy
Most web servers support proxies, or relaying requests to other servers. This allows a company to channel all their web traffic through a single server for filtering as well as caching to improve performance. A lot of these servers are mis-configured to allow proxying of any request from the Internet, allowing attackers to relay attacks against web-sites through a third party.
IRC BNC
IRC (Internet Relay Chat) can bounce its connections through other machines. A particular program called "BNC" is used for this purpose on compromised machines.
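The FTP bounce exchange described above, worked through as an added example for this lecture (it is not nmap's -b implementation and not code from the original page): the PORT command encodes the third party's address and port as six decimal bytes, and the server's reply to the following LIST tells the attacker whether B accepted the data connection.  No packets are sent; the "FTP server" is scripted with replies constructed in the style of the RFC 959 reply codes, and the target address 10.0.0.5 and its open ports are assumptions for the scenario.

```python
"""FTP bounce scan mechanics: encoding a PORT command that points the FTP
server's data connection at a third party, and reading the server's reply
to learn whether that third party's port accepted the connection.
Added example for this lecture (not nmap's -b code).  No packets are sent:
the FTP server is scripted with constructed RFC 959-style replies."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def ftp_port_command(ip: str, port: int) -> str:
    """RFC 959 PORT h1,h2,h3,h4,p1,p2: the port is sent as two decimal bytes."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    if not 0 <= port <= 65535:
        raise ValueError("bad port")
    return "PORT %s,%d,%d" % (",".join(map(str, octets)), port >> 8, port & 0xFF)


def parse_port_command(line: str):
    """Inverse of ftp_port_command: what a server (or a bounce detector) decodes."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2


def classify_bounce_reply(reply: str) -> str:
    """Interpret the reply to the LIST that follows a third-party PORT."""
    code = int(reply[:3])
    if code in (125, 150):
        return "open"             # server opened the data connection: B accepted the SYN
    if code == 425:
        return "closed"           # "Can't build data connection": B answered with RST
    if code in (500, 501, 504, 530):
        return "bounce refused"   # server rejects PORT to foreign addresses, or wants login
    return "unknown"


def bounce_scan(send, target_ip: str, ports) -> dict:
    """Drive one FTP control channel.  `send(cmd)` must return the server's reply
    line; with ftplib this would wrap FTP.sendcmd, which raises error_temp /
    error_perm on 4xx/5xx, so the wrapper must turn those back into the text."""
    results = {}
    for port in ports:
        reply = send(ftp_port_command(target_ip, port))
        if not reply.startswith("200"):
            results[port] = "bounce refused"
            continue
        results[port] = classify_bounce_reply(send("LIST"))
    return results


def scripted_ftp_server(open_ports):
    """Constructed stand-in for a bounce-able FTP server: it accepts any PORT and
    'reports' a data connection success only for the ports we declare open."""
    state = {"dest": None}

    def send(cmd: str) -> str:
        if cmd.startswith("PORT "):
            state["dest"] = parse_port_command(cmd)
            return "200 PORT command successful."
        if cmd == "LIST":
            _ip, port = state["dest"]
            if port in open_ports:
                return "150 Opening ASCII mode data connection for file list."
            return "425 Can't build data connection: Connection refused."
        return "500 Unknown command."
    return send


if __name__ == "__main__":
    # Constructed scenario: the attacker uses FTP server S to scan B = 10.0.0.5.
    server = scripted_ftp_server(open_ports={22, 80})
    for port, state in bounce_scan(server, "10.0.0.5", [21, 22, 23, 80]).items():
        print(port, state)
```

A server that refuses PORT commands naming an address other than the control connection's peer (the fix Hobbit's paper led to, and the default in modern FTP daemons) makes every port come back as "bounce refused", which is how you check whether a server you run is still bounce-able.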

Stealth scan

One problem with port scanning, from the perspective of the attacker,  is that it is easily logged by services listening at the ports. They see an incoming connection, but no data, so they log an error. Stealth scan techniques (hope to) avoid this.

The half-open scan only partially opens a connection, and stops halfway through.  This is also known as a SYN scan because it only sends the SYN packet of the three-way handshake; when the target answers with SYN/ACK, the scanner sends an RST instead of completing the handshake.  This stops the service from ever being notified of the incoming connection.  Because the OS would otherwise complete the handshake by itself, a SYN scan requires crafting raw packets, and hence root privileges.

Another technique sends erroneous packets at a port, expecting that open listening ports will respond differently from closed ports.  The most common of these scans is the FIN scan.  If the port is closed, an RST is sent.  If the port is open, the operating system will silently drop the incoming packet, and does not respond.  Therefore, no response indicates a listening service at the port.  However, since packets can be dropped accidentally on the wire or by firewalls, silence also means "filtered", and this is not a very reliable scan.

Other techniques include XMAS scans, where flags in the TCP header are "lit up" (set) in a combination that never occurs in a legitimate connection (the original variant set all flags; nmap's Xmas scan sets FIN, PSH and URG), and NULL scans, where none of the flag bits are set.  Different operating systems respond differently to these scans; Microsoft Windows, for example, answers with an RST whether or not the port is open, so the attacker needs to know what OS the target host is running.
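The SYN, FIN, NULL and Xmas probes are nothing more than a 20-byte TCP header with a chosen flag byte and a valid checksum, and the scan's verdict is a small decision table over the reply.  The following is an added example written for this lecture, not nmap's code: it builds those headers (including the pseudo-header checksum, which a raw-socket scanner must compute itself), extracts the flag byte the way a detector or the target's stack would, and classifies the reply per scan type.  Putting a probe on the wire needs CAP_NET_RAW (shown in send_probe); reading the reply needs a packet capture (libpcap or a second raw socket), which this example leaves out.  The addresses and ports in the calls are placeholders.

```python
"""Crafting the probes used by SYN, FIN, NULL and Xmas scans, and deciding the
port state from the reply (or its absence).  Added example for this lecture,
not nmap's code.  Only the TCP segment is built here; sending needs root and
capturing the reply is not implemented."""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

SCAN_FLAGS = {
    "syn":  SYN,                  # half-open scan: first packet of the handshake
    "fin":  FIN,                  # FIN without a connection: RFC 793 says closed ports RST
    "null": 0,                    # no flags at all
    "xmas": FIN | PSH | URG,      # the combination nmap's -sX "lights up"
    "xmas_all": FIN | SYN | RST | PSH | ACK | URG,   # the original "all flags" variant
}


def _ones_complement_sum(data: bytes) -> int:
    """Internet checksum over 16-bit words (RFC 1071); returns the complemented sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """The 12-byte IPv4 pseudo-header the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024) -> bytes:
    """20-byte TCP header, no options, no payload, with a valid checksum."""
    header = struct.pack("!HHIIBBHHH",
                         sport, dport, seq, 0,
                         5 << 4,           # data offset = 5 words, reserved bits zero
                         flags & 0x3F, window,
                         0,                # checksum placeholder, filled in below
                         0)                # urgent pointer
    csum = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_flags(segment: bytes) -> int:
    """Flag byte of a TCP header (what a detector or the target's stack looks at)."""
    return segment[13] & 0x3F


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header + segment must come out zero."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify_response(scan: str, reply_flags, icmp_unreachable=False) -> str:
    """reply_flags: flag byte of the reply, or None if nothing arrived in time."""
    if icmp_unreachable:
        return "filtered"                          # a filter told us so explicitly
    if scan == "syn":
        if reply_flags is None:
            return "filtered"
        if reply_flags & RST:
            return "closed"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"                          # the scanner should now send RST
        return "unknown"
    # fin / null / xmas: RFC 793 behaviour (Windows answers RST in both cases,
    # so against Windows these scans cannot tell open from closed)
    if reply_flags is None:
        return "open|filtered"
    if reply_flags & RST:
        return "closed"
    return "unknown"


def send_probe(src_ip, dst_ip, sport, dport, scan="syn") -> bytes:
    """Needs CAP_NET_RAW/root.  Without IP_HDRINCL the kernel prepends the IP
    header; src_ip must be the address it will pick, or the checksum is wrong."""
    seg = build_tcp_segment(src_ip, dst_ip, sport, dport, SCAN_FLAGS[scan])
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as s:
        s.sendto(seg, (dst_ip, 0))
    return seg


if __name__ == "__main__":
    for name, flags in SCAN_FLAGS.items():
        seg = build_tcp_segment("10.0.0.1", "10.0.0.2", 40000, 80, flags)
        print(f"{name:9s} flags=0x{tcp_flags(seg):02x} {seg.hex()}")
```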

SOCKS port probe

SOCKS (RFC 1928; default port 1080) is a generic proxy protocol through which a client asks an intermediate host to make connections on its behalf.  It is sold to home PC users as a way for multiple machines to share a common Internet connection.  Attackers scan for it because a large percentage of users misconfigure it.

The problem with such a misconfigured SOCKS server is that the source and destination addresses are not carefully checked.  It will allow external machines to access the internal home network, and it may also allow an attacker to reach other Internet machines through it.  This lets the attacker hide his or her true location.

Many IRC servers scan connecting clients for open SOCKS servers, and kick off such users with a message indicating how to fix the problem.

Fingerprinting an OS

Fingerprinting is the technique of interpreting the responses of a system in order to figure out what it is.  To make this more effective, unexpected but well-chosen combinations of data are sent to the system in order to trigger unique-enough responses.  This works because, while most systems respond alike to correct data, they rarely respond the same way when sent unusual data.  nmap's -O option does this, comparing the responses with a database of known TCP/IP stacks; see the Fyodor article on fingerprinting in the References.

Port Scanning Tools

There are three security audit tools that stand out: SAINT, nmap, and nessus.  Of these, nmap is clearly and primarily a port scanner; so it is discussed here.  SAINT and nessus are discussed in the chapter on Security Audit.

The nmap port scanner (www.nmap.org) is widely known.  According to its author Fyodor,

 "nmap is a utility for port scanning large networks, although it works fine for single hosts. The guiding philosophy for the creation of nmap was TMTOWTDI (There's More Than One Way To Do It). This is the slogan of Perl scripting language, but it is equally applicable to scanners. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). You just can't do all this with one scanning mode. And you don't want to have 10 different scanners around, all with different interfaces and capabilities. Thus I incorporated virtually every scanning technique I know into nmap." 

Part of the lab experiment is based on nmap.

Port Scan Detection Tools

Writing a scan detector is straightforward in UNIX: open a raw socket (SOCK_RAW; on Linux, with protocol IPPROTO_TCP so that every incoming TCP segment is delivered to it), call recvfrom() to capture the packets, and analyze them.  A non-stealth (full connect) scan is visible even without this, in the logs of the services themselves; a stealth scan is only visible at the packet level, which is why a detector must look at raw packets rather than at accepted connections (scanlogd, described in the Phrack article in the References, works this way).  One "signature" that could be used for detecting port scans is "several packets to different destination ports from the same source address within a short period of time".  Another such signature could be "SYN to a non-listening port".  Obviously, there are many other ways to detect port scans.

Remember that an attacker might also be spoofing the IP source address.  So a detector can inform us that we have been port-scanned, but not necessarily where from.  However, port scanners sometimes leak extra information that can be used to tell something about the real origin of a spoofed port scan.  For example, if the packets we receive have an IP TTL of 255 at our end, we know for sure that they were sent from our own network segment, with no router in between, regardless of what the source address field says.  If the TTL is 250, we can only tell that the attacker was no more than 5 hops away (fewer, if the sender started from an initial TTL below 255).  The starting TTL and source port number(s) can also give us a hint of what port scanner type (for "stealth" scans) or operating system (for full TCP connection scans) is used by the attacker.  We can never be sure, though.  For example, the nmap of that time set the TTL to 255 and the source port to 49724, while the Linux kernel sets the TTL to 64; current nmap versions choose these values randomly unless told otherwise (--ttl, --source-port), so such constants only identify a particular tool version.
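The two signatures and the TTL reasoning above, run over a packet log, as an added example written for this lecture (not scanlogd or any other tool's code).  The log format, the addresses and the lines themselves are constructed for the example: one line per packet with timestamp, source, destination and port, TCP flags and the TTL as seen at our end.  The hop estimate assumes the sender started from one of the common initial TTLs (64, 128 or 255); only a TTL of 255 proves the sender is on our own segment, since nothing starts higher.

```python
"""A small port scan detector over a packet log, implementing the two signatures
from the text (many destination ports from one source within a short time;
SYN to a non-listening port) and the TTL reasoning about a spoofed source.
Added example for this lecture; the log format and its lines are constructed
for the example and are not any real tool's output."""
import re
from collections import defaultdict, deque

# Common initial TTLs: 64 (Linux, BSD), 128 (Windows), 255 (Solaris, Cisco, old nmap).
# A packet arriving with TTL t was sent with the smallest standard initial value >= t,
# unless the sender started lower, which is why the hop count is only an upper bound.
INITIAL_TTLS = (64, 128, 255)

# constructed line format: "<epoch seconds> <src ip> > <dst ip>:<dport> <flags> ttl=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[SAFRPU.]+) ttl=(?P<ttl>\d+)$")


def estimate_hops(ttl: int):
    """Return (assumed initial TTL, maximum number of routers crossed).
    255 at our end means zero hops: the sender is on our own segment, whatever
    the source address says."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL cannot exceed 255")


def detect(lines, listening_ports, window=5.0, port_threshold=5):
    """Run both signatures over the log; returns a list of alert strings."""
    listening = set(listening_ports)
    recent = defaultdict(deque)      # src -> deque of (timestamp, dport) inside the window
    sweep_reported = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # unparsable line: skip rather than crash the detector
        ts, src, dport = float(m["ts"]), m["src"], int(m["dport"])
        flags, ttl = m["flags"], int(m["ttl"])
        initial, hops = estimate_hops(ttl)

        # Signature 2: a bare SYN (no ACK) aimed at a port nothing listens on.
        if "S" in flags and "A" not in flags and dport not in listening:
            alerts.append(f"SYN to non-listening port {dport} from {src} "
                          f"(ttl {ttl}: at most {hops} hops if initial TTL was {initial})")

        # Signature 1: distinct destination ports from one source inside the window.
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= port_threshold and src not in sweep_reported:
            sweep_reported.add(src)   # report each scanning source once, not per packet
            where = ("on our own segment" if ttl == 255
                     else f"at most {hops} hops away")
            alerts.append(f"port scan from {src}: {len(distinct)} ports within "
                          f"{window:.0f}s, sender {where} (source address may be spoofed)")
    return alerts


# Constructed sample log: 203.0.113.7 probes six ports in 0.1 s with TTL 250;
# 198.51.100.9 is an ordinary client completing a handshake to port 80.
SAMPLE_LOG = """\
1207600000.000 203.0.113.7 > 10.0.0.5:21 S ttl=250
1207600000.020 203.0.113.7 > 10.0.0.5:22 S ttl=250
1207600000.040 203.0.113.7 > 10.0.0.5:23 S ttl=250
1207600000.060 203.0.113.7 > 10.0.0.5:25 S ttl=250
1207600000.080 203.0.113.7 > 10.0.0.5:80 S ttl=250
1207600000.100 203.0.113.7 > 10.0.0.5:110 S ttl=250
1207600001.500 198.51.100.9 > 10.0.0.5:80 S ttl=120
1207600001.510 198.51.100.9 > 10.0.0.5:80 A ttl=120
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, listening_ports={22, 80}):
        print(alert)
```

The threshold and window are the knobs Solar Designer's article is about: set them too low and a busy client trips the detector, set them too high and a slow scan (nmap's timing options spread probes over minutes) never does.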


Lab Experiment

In the context of this lab experiment, it is worth reproducing a few paragraphs from the SAINT manuals:

Being a very unfriendly neighbor

It is generally considered to be very rude and anti-social behavior to scan someone else's hosts or networks without the explicit permission of the owner. Always ask if it'd be okay to scan outside of your own networks.

Please be considerate and smart; unauthorized scanning of your Internet neighbors, even if you think you're doing them a favor, can be seen as a serious transgression on your part, and could engender not only ill will or bad feelings, but legal problems as well.

Attacking vs. probing vs. scanning

What is an attack, or a probe, or a scan? It's not always clear, especially as system administrators are getting more savvy and aware of the enormous amount of traffic present on the Internet. For instance, is a finger from a remote site an attack? Without knowing any of the motivations involved, it can't be ascertained. "Finger wars", or two sites that use the "tcp wrappers" or similar software that will automatically finger a remote site that connects to it can bring down hosts inadvertently.

Be aware that many of the probes will generate messages on the console or set off various alarms on the remote target, however, so you should be aware of the potential for false alarms and accusations that might be leveled against you.

Objective:  Deliberately misconfigure certain services on a machine. Run a port scanner productively on another machine and discover the vulnerabilities of the first.

All work should be carried out in Operating Systems and Internet Security (OSIS) Lab, 429 Russ.   Use any of the PCs numbered 19 to 30.  No other WSU facilities are allowed. 

Read about nmap; see References below.  Make Step 4 below as elaborate as possible.

  1. Boot P0 and P1 into BackTrack3.
  2. Boot P2 into each of these OS for nmap scanning below: Windows XP, Knoppix, or BackTrack3.
  3. Setup a network of at least three PCs, P0, P1, P2 with P1 as a router as in the first lab experiment.
  4. Start nmap on P0.  Probe all ports on P2 (nmap option -p-), using several scan types: a connect scan (-sT), a SYN scan (-sS), a UDP scan (-sU), the FIN, NULL and Xmas scans (-sF, -sN, -sX), and OS detection (-O).  Compare what each scan reports against the services you deliberately misconfigured on P2, and note which probes the router P1 passes and which it blocks.
  5. Turn in an analysis regarding the discoveries made by nmap.
  6. ZoneAlarm (download free for personal use from http://www.zonelabs.com/) can detect port scans.  Try this, if you wish, on your own (home network of) Windows PCs.
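For Step 5, the analysis is easier to write from nmap's machine-readable output than by reading the screen.  The following script is an added example for this lab, not part of nmap: it parses nmap's grepable output (the -oG format: one "Host:" line per host, tab-separated fields, and each port as seven slash-separated fields, port/state/protocol/owner/service/rpc info/version) and separates ports reported open from the open|filtered ones a UDP scan leaves undecided.  SAMPLE_OG is a constructed sample in that format, not a real scan result; run_nmap assumes nmap is on the PATH and that the target is one of the lab PCs you are authorized to scan.

```python
"""Parse nmap -oG (grepable) output for the lab write-up.  Added example for
this lab, not part of nmap.  SAMPLE_OG is a constructed sample in the -oG
format, not output captured from a real scan."""
import shutil
import subprocess

SAMPLE_OG = (
    "# constructed sample in nmap -oG format\n"
    "Host: 10.0.0.2 ()\tStatus: Up\n"
    "Host: 10.0.0.2 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "23/closed/tcp//telnet///, 80/open/tcp//http///, 161/open|filtered/udp//snmp///"
    "\tIgnored State: closed (65530)\n"
    "# Nmap done: 1 IP address (1 host up)\n"
)


def parse_grepable(text: str) -> dict:
    """Return {host: [{port, state, proto, service}, ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                          # '#' comment lines carry no port data
        fields = {}
        for chunk in line.split("\t"):        # "Host: ...", "Ports: ...", "Ignored State: ..."
            key, _, value = chunk.partition(": ")
            fields[key] = value
        host = fields["Host"].split()[0]      # drop the "(hostname)" part
        entries = hosts.setdefault(host, [])
        if "Ports" not in fields:
            continue                          # the "Status: Up" line has no ports
        for item in fields["Ports"].split(", "):
            parts = item.split("/")
            if len(parts) < 5:
                continue                      # malformed entry: ignore, keep the rest
            entries.append({"port": int(parts[0]), "state": parts[1],
                            "proto": parts[2], "service": parts[4]})
    return hosts


def open_ports(hosts: dict, host: str):
    """(proto, port, service) for ports nmap reports as open."""
    return sorted((e["proto"], e["port"], e["service"])
                  for e in hosts.get(host, []) if e["state"] == "open")


def unsure_ports(hosts: dict, host: str):
    """Ports left as open|filtered (UDP silence); these need a follow-up probe."""
    return sorted((e["proto"], e["port"], e["service"])
                  for e in hosts.get(host, []) if e["state"] == "open|filtered")


def run_nmap(target: str, *args: str) -> str:
    """Run nmap with grepable output on stdout, e.g. run_nmap("10.0.0.2", "-sS", "-p-").
    Scan only machines you are authorized to scan (see the SAINT manual above)."""
    nmap = shutil.which("nmap")
    if nmap is None:
        raise RuntimeError("nmap is not installed or not on the PATH")
    return subprocess.run([nmap, *args, "-oG", "-", target],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    report = parse_grepable(SAMPLE_OG)
    for host in report:
        print(host, "open:", open_ports(report, host))
        print(host, "open|filtered:", unsure_ports(report, host))
```

Feed run_nmap's output to parse_grepable once per scan type and diff the results: a port that -sS reports open but -sF reports closed, or that appears only when scanning from the same segment as P2, says something about the OS on P2 or about the filtering on P1, which is what the write-up should explain.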

Acknowledgements

This article has been pieced together from the materials on the site http://advice.networkice.com/, and from the documentation of nmap.  This work was supported in part by NSF DUE-9951380.  Figures are not mine; downloaded from a website; thanks.


References

  1. Fyodor, "The Art of Port Scanning," Phrack Magazine, Volume 7, Issue 51, 1997, www.nmap.org.  Old, but good.  Required Reading.
  2. Fyodor, Nmap Network Scanning, http://nmap.org/book/ , 2008.  Book.  Recommended Reading.
  3. Ron Gula, How to Handle and Identify Network Probes, April 1999, www.securitywizards.com .  Required Reading.
  4. Hobbit, The FTP Bounce Attack, http://www.insecure.org/nmap/hobbit.ftpbounce.txt .  The original paper on the subject.  Reference.
  5. Fyodor, Remote OS Detection via TCP/IP Stack Fingerprinting, 1999, http://www.insecure.org/nmap/nmap-fingerprinting-article.html .  Required Reading.
  6. Solar Designer, Designing and Attacking Port Scan Detection Tools, Phrack Magazine, Volume 8, Issue 53, July 8, 1998, article 13 of 15, www.phrack.com .  Recommended Reading.
last edited: April 08, 2008
Copyright © 2008 pmateti@wright.edu