Tuesday, October 30, 2007

Port Scanning

The purpose of this blog entry is to give the reader an introduction to port scanning, some examples of tools used to perform port scanning and some examples of where port scanning may be useful.


What is Port Scanning?

Port scanning is where a port or a range of ports is scanned to find out if they are open or closed and what service or program is listening on each port.

I should also point out that port scanning can cause devices to crash or may have other unintentional effects. A service may hang or become unresponsive, or a printer may print out garbage. So always get permission, be aware of the effects if scanning production systems, and know your tools.


Why Port Scan?

A good port scanner such as nmap will often be able to identify whether a port is open, closed or filtered by a firewall and, if it is open, details of the program listening on that port. This information is very useful to both a systems administrator and an attacker. From a system administration point of view you may want to test firewall rules. Or, if you were to discover an unauthorised program such as a trojan on your network that is listening on a port, you may want to see if other hosts are also affected. Also, when hardening hosts, a port scan of that host is very useful to look for open ports.

From an attacker's point of view, he may want to discover what programs or services are on a host to identify its role or to see if these programs are vulnerable to a known exploit.


What is a Port?

Often the analogy used to describe a port is that of a window in a house. Think of your computer as a house and each window or door as a port. Now, the port can either be open or closed. If it’s closed nothing can get in through that port; if it’s open, it will have a program listening that will accept connections through the port. There are 2 types of port, TCP and UDP, and there are 65536 (0-65535) ports of each type.

Port scanning is akin to rattling the windows and doors to see if any of them are open.


Common Ports

Certain programs and services have standard ports they listen on, such as web servers listening on TCP port 80. This is so your browser knows where to go by default when browsing to a web page with HTTP. DNS knows to listen on UDP port 53 and Telnet knows to use TCP port 23. The range of ports between 0-1024 is reserved for use by the computer for standard programs such as FTP, Telnet, DNS, SNMP, SMTP etc., and ports above this range, known as ephemeral ports, can then be set up with other services such as MSRDP on port 3389 or MSSQL on 1334. It is useful to note that almost any service can be set up to listen on almost any port, and in almost all cases the port that a packet is destined for (destination port) is not the port it will go out on (source port).

The link below provides details of known port assignments:

http://www.iana.org/assignments/port-numbers

Knowledge of the standard port assignments is very useful when port scanning as it will help you to recognise the ports you are interested in and avoid scanning an entire range, which may trigger an IDS or IPS. However, it should be noted that in some situations it may be necessary to scan the entire range because, as I said, most services can be set to listen on non-standard ports.


Tools

Tools may vary depending on the platform you are using. There are many good port scanners out there but the one I prefer is Nmap by Fyodor. Nmap should work under both Windows and Linux, however I find it screws up my network card under Windows so I will often use sl from Foundstone or, if I require a GUI, I’ll use SuperScan4. Netcat can also be used to port scan if you get in a pinch but has limitations. There are plenty of other scanners out there but in this blog entry I'll stick mostly with Nmap. I’ll briefly cover the syntax of ScanLine and Netcat also.

Nmap

Nmap is a network exploration tool and port scanner. It was created by Fyodor and can be downloaded from www.insecure.org free of charge. I have always had issues with the Win32 port of Nmap so I have only used it from Linux. Nmap is available for most Linux distributions.

One thing to be aware of when using Nmap is that it will ping the target before it scans to see if it is up. If the target is blocking ICMP the scan may fail. This initial ping can be prevented with the -P0 switch, which allows Nmap to continue with the port scan.

When specifying a target the following syntax can be used:

nmap target option

The target is the host or network to be scanned and the options are the list of ports and type of scan. The target can be entered as a hostname (www.yahoo.com), an IP address (87.248.113.14), or in CIDR notation (192.168.1.1/24). Nmap can also be told to use an input file for target specification. There are additional methods of target specification listed in the Nmap man pages.

Options can select the scan type (SYN scan, ACK scan, list scan etc.), turn off certain functions such as DNS resolution or ping, set the output format such as XML or a text file, enable OS or version detection, set up scanning through an FTP server or another host, or select the ports to be scanned. Ports can be entered as a list (-p 21,23,80), as a range (-p 1-1024,3389,5000) or by port type for UDP or TCP (-p U:161,53 T:80,443).

The following are some basic examples of Nmap scans.

1. Ping Scan (ping sweep)

nmap -sP 10.20.2.1/24

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:23 GMT
Host 10.20.2.4 appears to be up.
MAC Address: 00:0C:F1:5E:0B:05 (Intel)
Host 10.20.2.6 appears to be up.
MAC Address: 00:30:C1:21:0B:9C (Hewlett-packard)
Host 10.20.2.69 appears to be up.
MAC Address: 00:E0:81:6C:94:53 (Tyan Computer)
Host 10.20.2.70 appears to be up.
MAC Address: 00:60:B0:20:D0:C0 (Hewlett-packard CO.)
Host 10.20.2.71 appears to be up.
MAC Address: 00:00:84:AE:70:BF (Ricoh Company)
Nmap finished: 256 IP addresses (5 hosts up) scanned in 5.398 seconds


This scan was used to quickly identify hosts that are up on a particular range of IP addresses.


2. Basic Host Scan

nmap 10.20.2.41

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:13 GMT
Interesting ports on 10.20.2.41:
(The 1666 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
280/tcp  open  http-mgmt
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)

This scan performs a TCP connect scan of a selected host. This scan would likely be picked up by an IDS. The basic scan covers all ports at 1024 and below plus certain high-numbered ports listed in the nmap-services file. This file can be customised for your own environment. To perform a fast scan use the -F switch. This will scan only the ports listed in the nmap-services file. Nmap will also automatically randomise the order of the ports to be scanned; this can be disabled with the -r switch.


3. Version Scan

nmap 10.20.2.41 -sV -p 23

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:14 GMT
Interesting ports on 10.20.2.41:
PORT   STATE SERVICE VERSION
23/tcp open  telnet  HP JetDirect printer telnetd (No password)
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Service Info: Device: printer
Nmap finished: 1 IP address (1 host up) scanned in 2.059 seconds

This scan picked a particular port and attempted to enumerate the service listening on that port.


4. OS Scan

nmap 10.20.2.41 -O -p 23,81

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:16 GMT
Interesting ports on 10.20.2.41:
PORT   STATE  SERVICE
23/tcp open   telnet
81/tcp closed hosts2-ns
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Device type: print server
Running: HP embedded
OS details: HP printer w/JetDirect card
Uptime 74.890 days (since Wed Aug 15 16:55:33 2007)
Nmap finished: 1 IP address (1 host up) scanned in 2.579 seconds

This scan performed an OS scan on the host and correctly identified it as an HP printer.


5. SYN Scan (Half-Open Scan)

nmap 10.20.2.41 -sS -p 23,80

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:17 GMT
Interesting ports on 10.20.2.41:
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 0.440 seconds

This scan performed a half-open scan (-sS) on ports 23 & 80. Half-open means that the full TCP connection was never completed. A SYN packet was sent from Nmap, followed by a RST packet if a SYN/ACK was received (indicating an open port). If a RST packet was received by Nmap the port will be listed as closed. You must have root permissions to perform a SYN scan, otherwise the scan will drop down to a full TCP connect scan. SYN scans are relatively stealthy and are very fast for the reasons already mentioned. If Nmap receives no response, or if an ICMP unreachable is received by Nmap, the port is marked as filtered.


6. Stealthy Scan

nmap 10.20.2.41 -sS -p 23,80 -T 1

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:22 GMT
Interesting ports on 10.20.2.41:
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 45.422 seconds

This scan performs a half-open scan but the packets are sent at a very slow rate (-T 1). This is to avoid detection by an IDS. Note the time that Nmap took to scan compared to the previous examples.
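From the monitoring side, the effect of slow timing can be seen with a simple fan-out detector. The following is an added example, not part of the original post: it flags any source that touches many distinct ports inside a time window. The log format, the 10.0.0.x addresses and the 15 second gap used for the slow source are constructed assumptions.

```python
from collections import defaultdict, deque

def detect_scanners(events, window, threshold):
    """Return sources that hit >= threshold distinct (dst, port) pairs
    within any `window`-second span. `events` must be sorted by time."""
    recent = defaultdict(deque)   # src -> events still inside the window
    flagged = set()
    for ts, src, dst, port in events:
        q = recent[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > window:
            q.popleft()           # expire events older than the window
        if len({(d, p) for _, d, p in q}) >= threshold:
            flagged.add(src)
    return flagged

def parse(lines):
    """Parse constructed 'ts src dst dport' records (hypothetical format)."""
    out = []
    for line in lines:
        ts, src, dst, port = line.split()
        out.append((float(ts), src, dst, int(port)))
    return sorted(out)

# Constructed sample traffic towards 10.20.2.41:
#   10.0.0.5 probes 20 ports within 2 seconds (fast scan)
#   10.0.0.9 probes 20 ports, one every 15 seconds (slow scan)
#   10.0.0.7 is an ordinary client that only ever uses ports 80 and 443
SAMPLE = (
    [f"{i * 0.1:.1f} 10.0.0.5 10.20.2.41 {20 + i}" for i in range(20)]
    + [f"{i * 15} 10.0.0.9 10.20.2.41 {20 + i}" for i in range(20)]
    + [f"{i * 3} 10.0.0.7 10.20.2.41 {(80, 443)[i % 2]}" for i in range(40)]
)
EVENTS = parse(SAMPLE)

if __name__ == "__main__":
    print("60 s window:", sorted(detect_scanners(EVENTS, 60, 10)))
    print("1 h window: ", sorted(detect_scanners(EVENTS, 3600, 10)))
```

With a 60 second window only the fast source is flagged; widening the window to an hour also catches the slow one, at the cost of keeping more state per source.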


7. Idle Scan (Zombie Scan)

nmap 10.20.2.41 -p 23 -T 2 -sI 10.20.2.70 -P0

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-10-29 14:29 GMT
Idlescan using zombie 10.20.2.70 (10.20.2.70:80); Class: Incremental
Interesting ports on 10.20.2.41:
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:0E:7F:E2:E5:93 (Hewlett Packard)
Nmap finished: 1 IP address (1 host up) scanned in 7.650 seconds

In this example Nmap has used another host (-sI 10.20.2.70) to perform the scan on behalf of the attacker. The way this works is that Nmap sends a packet to the zombie to check its IP ID, and then sends its scan to the target but spoofs the IP address of the zombie (10.20.2.70). Nmap then checks the IP ID of the zombie again to see how much it has increased by. This tells Nmap whether the port was open or closed, because of the response (ACK or RST) sent from the real target to the zombie. The -P0 switch has also prevented Nmap from pinging the host at the beginning of the scan.
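The IP ID arithmetic can be modelled without sending any packets. The following is an added example, not part of the original post: a toy zombie with one global incrementing IP ID counter (the "Class: Incremental" case in the output above) next to one that keeps a separate counter per destination, which is an assumed hardening model. The class and function names are hypothetical.

```python
class Zombie:
    """Toy model of a host's IP ID generator; nothing is sent on the wire."""

    def __init__(self, per_peer=False, start=1000):
        self.per_peer = per_peer   # True: separate counter per destination
        self.start = start
        self.counters = {}

    def send_to(self, peer):
        """Emit one packet to `peer` and return the IP ID it carries."""
        key = peer if self.per_peer else "global"
        self.counters[key] = (self.counters.get(key, self.start) + 1) % 65536
        return self.counters[key]

def idle_probe(zombie, open_ports, port):
    """Infer the target port's state from the zombie's IP ID change alone."""
    before = zombie.send_to("scanner")   # first IP ID check
    if port in open_ports:
        # Open port: the target answers the spoofed SYN with a SYN/ACK to
        # the zombie, and the zombie replies to the target with a RST.
        zombie.send_to("target")
    # Closed port: the target sends a RST, which the zombie silently drops.
    after = zombie.send_to("scanner")    # second IP ID check
    delta = (after - before) % 65536
    return {1: "closed", 2: "open"}.get(delta, "indeterminate")

def survey(zombie, open_ports, ports):
    """Probe each port in turn and return {port: inferred state}."""
    return {p: idle_probe(zombie, open_ports, p) for p in ports}

if __name__ == "__main__":
    target_open = {23}                   # as in the scan above: telnet is open
    print(survey(Zombie(), target_open, [23, 81]))
    print(survey(Zombie(per_peer=True), target_open, [23, 81]))
```

With the global counter the open port shows a jump of 2 and the closed one a jump of 1. With per-destination counters every probe shows a jump of 1, so the host leaks nothing about the target and is useless as a zombie.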


Useful Nmap Options

-sT: Full TCP connect scan.

-sS: SYN scan. Stealthier than a TCP connect scan.

-sF: FIN scan. Stealthy. A RST indicates the port is closed

-sR: Scans RPC services and attempts to identify listening programs.

-sI: Idle scan.

-b: Bounces the scan off an FTP server.

-sX: Xmas tree scan. All flags are set. A RST indicates a port is closed, no response may mean the port is open.

-sU: Scan for status of UDP ports.

-sL: Performs a list scan. Will attempt to perform a reverse lookup of hosts

-sP: Ping scan, not a scan as such but can be used initially to locate alive hosts.

-O: OS Fingerprinting.

-sV: Identifies the service and version in some cases.

-A: Both version and OS fingerprinting.

-T 1: Timing is slow (1). Can be increased to 2, 3, 4 or 5 (5 being the fastest)

-sA: TCP ACK scan. This may get through certain packet filtering devices.

-iL <inputfilename>: Input from list of hosts/networks

-sP: Ping Scan - go no further than determining if host is online

-n/-R: Never do DNS resolution/Always resolve [default: sometimes]

-p <port ranges>: Only scan specified ports

Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080

-r: Scan ports consecutively - don't randomize

-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys

-S <IP_Address>: Spoof source address

-e <iface>: Use specified interface

-g/--source-port <portnum>: Use given port number

OUTPUT:

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.

-oA <basename>: Output in the three major formats at once

-v: Increase verbosity level (use twice for more effect)

SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
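For the hardening use case mentioned earlier, the grepable output (-oG) is easy to compare against a list of ports a host is allowed to expose. The following is an added example, not part of the original post: the -oG text is a constructed sample mirroring the basic host scan of 10.20.2.41 above, and the approved baseline is a hypothetical policy.

```python
def parse_grepable(text):
    """Map host -> set of (port, proto) reported open in Nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                          # skip '#' comment lines
        fields = line.split("\t")             # -oG fields are tab separated
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                      # e.g. 'Ignored State: ...'
            for entry in field[len("Ports:"):].split(", "):
                # entry layout: port/state/protocol/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open":
                    hosts.setdefault(ip, set()).add((int(parts[0]), parts[2]))
    return hosts

def audit(hosts, baseline):
    """Return {host: sorted open ports that are not in the approved baseline}."""
    report = {}
    for ip, open_ports in hosts.items():
        extra = sorted(open_ports - baseline.get(ip, set()))
        if extra:
            report[ip] = extra
    return report

# Constructed -oG sample (no version info in the entries).
SAMPLE_OG = (
    "# Nmap 4.03 scan initiated (constructed sample)\n"
    "Host: 10.20.2.41 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 280/open/tcp//http-mgmt///, 443/open/tcp//https///, "
    "515/open/tcp//printer///, 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///"
    "\tIgnored State: closed (1666)\n"
    "# Nmap run completed (constructed sample)\n"
)

# Hypothetical policy: the printer may expose web management and print ports.
BASELINE = {"10.20.2.41": {(80, "tcp"), (443, "tcp"), (515, "tcp"),
                           (631, "tcp"), (9100, "tcp")}}

if __name__ == "__main__":
    for host, ports in audit(parse_grepable(SAMPLE_OG), BASELINE).items():
        print(host, "unexpected open ports:", ports)
```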



ScanLine (sl)

ScanLine does not have anywhere near the same amount of functionality as a tool such as Nmap, but it can be used to quickly identify if a port is open or a host is up. To perform a basic scan with ScanLine (sl) use the following syntax:

sl 192.168.1.1

This will ping the host and perform a basic scan of known ports. Below is the result.

ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
Scan of 1 IP started at Thu Oct 25 21:51:36 2007
--------------------------------------------------------
192.168.1.1
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
TCP ports: 21 80 1723
UDP ports:

We can see from the result that it has found open TCP ports 21, 80 and 1723.

As some devices are configured to drop ICMP, sl may assume the host is not up if it gets no response and quit. To prevent this use the -p option. The -t or -u option can also be specified, followed by port numbers, to address only certain ports. Below is an example of this.

sl -vpbt 80 192.168.1.1

ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
Adding IP 192.168.1.1
Banner grabbing enabled.
No pinging before scanning.
Scan of 1 IP started at Thu Oct 25 22:01:16 2007
Scanning 1 IP...
------------------------------------------------------
192.168.1.1
Responds with ICMP unreachable: No
TCP ports: 80
TCP 80:
[HTTP/1.0 401 Unauthorized Access Denied]
------------------------------------------------------
Scan finished at Thu Oct 25 22:01:16 2007
1 IP and 1 port scanned in 0 hours 0 mins 0.05 secs

Above you can see that I have discovered a web server listening on port 80.

You can also specify a range of ports or addresses to sl such as:

sl -pt 21,23,80-250 192.168.1.1-10

The results of a scan can also be written to a file using the -o switch followed by a filename.

For additional info on the other switches available use sl /?



Netcat

Netcat can do pretty much anything, from acting as a proxy, transferring files or serving as a chat client or a backdoor to, yes, port scanning. Now, it’s not fast and it’s not pretty, but it’ll do it. The syntax is below.

nc -vv -z -n -w1 192.168.1.1 23 80 34

And the output is:

(UNKNOWN) [192.168.1.1] 23 (?): connection refused
(UNKNOWN) [192.168.1.1] 80 (?) open
(UNKNOWN) [192.168.1.1] 34 (?): TIMEDOUT
sent 0, rcvd 0: NOTSOCK

So I can see that I have open ports 23 and 80.

