-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=  Remote Host Discovery with PortScanning  =-
-=  By Adept  =-
-=  mark@firstworld.net  =-
-=  http://www.2600slc.org  =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


What PortScanning is

Querying TCP or UDP ports to see what responds. This is often done to identify listening services on a remote host, and for many hackers it is the first step in gathering data about their target. Since this is such a fundamental hacking skill, most of you are experienced with it. Feel free to bring up your favorite methods and tools. I know I will be leaving quite a few of my favorite tools out because... it's 2AM right now.

Common services on Internet hosts will usually be running somewhere below port 1024. It would make sense to scan every port below 1024 if you wanted the most results per attempt. However, some of the most vulnerable services and/or Trojans will be listening above that port. For this reason, many portscanners include a list of common ports, or use your Unix box's service listing. A known-ports list also returns a very high result ratio; however, any practice other than scanning all 65,535 ports will remain incomplete.

Steve Gibson from grc.com claims to have found a way to instantaneously scan all 65,535 ports on your box, and says he is going to come out with a "new FREEWARE HYPER-SPEED PORT SCANNER". Drop an email to this crackhead if you are as interested as me in his "new technology." The interesting thing is that if it really is possible, it will most likely take advantage of something in the IP stack that dates back to 1970. Is there a network or broadcast type address for your TCP stack, maybe port 0 if queried correctly? More importantly, is a Windows kiddie named Steve Gibson going to be the one to find it?


Protocols

TCP is the most common protocol on the Internet, and most services run on it.
If you want to find common webservers, ftp servers, or most other services on a box, this is the way to go. There are a few ways to find out if a service is listening on a port. "Connect" is the most basic way, and the easiest for IDSs and firewalls to detect. A TCP "SYN" scan, however, does not fully create a TCP connection; it only checks for the possibility of creating one. The advantages of SYN are speed and less chance of being detected, but the downside is that you can't grab "banners" from the port when it answers, since the connection is never completed. A "Connect" scan is all 5 steps shown below, where a "SYN" scan only goes to step 3. Snort (the open source flexible IDS) will always pick up a SYN or CONNECT scan if you have the right Snort rules in place.

          TCP A                                     TCP B

    1.  CLOSED                                      LISTEN
    2.  SYN-SENT      -->                   -->     SYN-RECEIVED
    3.  ESTABLISHED   <--                   <--     SYN-RECEIVED
    4.  ESTABLISHED   -->                   -->     ESTABLISHED
    5.  ESTABLISHED   -->                   -->     ESTABLISHED

          Basic 3-Way Handshake for Connection Synchronization

UDP scanning is used mainly for lookup-only DNS and SNMP; not too many other common services run on UDP. With UDP a packet is sent to every port that you scan, and if there is ANY response, the port is regarded as active. This is simply the way UDP works in general; it is a low-overhead protocol without error checking.


Common Tools

NMAP by fyodor@insecure.org. This is my favorite portscanner. Available for *NIX, and a port is available for NT. Beta versions of NMAP constantly add functionality; betas do not get ported to NT AFAIK. Features include high-speed TCP and UDP scans and TCP SYN scanning (a full TCP connection is not made, which reduces detection by the target). Also, try the new remote uptime feature in beta 22; it calculates the uptime from a number in the headers of most BSD-compatible TCP stacks. Find it at insecure.org.

Fscan and Superscan, by Foundstone Inc. Superscan is cheap and dirty TCP scanning for Windows.
Fscan is a command-line scanner, with TCP/UDP scanning, port order randomization, and port banner grabbing. Find these at www.foundstone.com.


Name the Operating System

System1:

    # nmap -sS x.x.x.x

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on (x.x.x.x):
    (The 1519 ports scanned but not shown below are in state: closed)
    Port       State       Service
    135/tcp    open        loc-srv
    139/tcp    open        netbios-ssn
    445/tcp    open        microsoft-ds
    1025/tcp   open        listen

    Nmap run completed -- 1 IP address (1 host up) scanned in 83 seconds

System2:

    # nmap -sS 208.23.65.90

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on jesuslovesunix.1800contacts.net (208.23.65.90):
    (The 1516 ports scanned but not shown below are in state: closed)
    Port       State       Service
    13/tcp     open        daytime
    21/tcp     open        ftp
    22/tcp     open        ssh
    37/tcp     open        time
    111/tcp    open        sunrpc
    113/tcp    open        auth
    6969/tcp   open        acmsoda

    Nmap run completed -- 1 IP address (1 host up) scanned in 85 seconds


Links

http://www.insecure.org/nmap - bleeding edge scanning
http://www.foundstone.com - White hat hackers interested in full disclosure and good tools.
http://grc.com - Crackhead named Steve Gibson will hax0r you from his website.
http://www.snort.org - Martin Roesch's open source flexible IDS.
http://packetstorm.securify.com/UNIX/scan_detect/ - UNIX portscanner detection.


Portscanning and Remote Host Discovery. 2600SLC (Confidential)    Page 1    4/6/2001 (0day)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
© 2600SLC.ORG 2001
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
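The handshake table and the Snort remark in the Protocols section, as an added example that is not part of the original handout: a small Python flow tracker replays a packet trace, labels each probe with the table's state names, and tells a full "Connect" (all five steps) from a half-open "SYN" probe that stops at step 3, which is what an IDS sees in both cases. The addresses, the trace and the four-port threshold are constructed for the example.

```python
# Constructed packet trace: (src, dst, service_port, flags). service_port is the
# server-side port in both directions; flags: "S" SYN, "SA" SYN+ACK, "A" ACK, "R" RST.
TRACE = [
    # 10.0.0.5 is an ordinary client: all five steps of the table, then data
    ("10.0.0.5", "10.0.0.1", 80, "S"), ("10.0.0.1", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "10.0.0.1", 80, "A"), ("10.0.0.5", "10.0.0.1", 80, "PA"),
    # 10.0.0.9 SYN-probes four ports: open ones answer SYN-ACK and the prober
    # resets instead of ACKing (stops at step 3); closed ones answer RST-ACK
    ("10.0.0.9", "10.0.0.1", 21, "S"), ("10.0.0.1", "10.0.0.9", 21, "SA"),
    ("10.0.0.9", "10.0.0.1", 21, "R"),
    ("10.0.0.9", "10.0.0.1", 22, "S"), ("10.0.0.1", "10.0.0.9", 22, "SA"),
    ("10.0.0.9", "10.0.0.1", 22, "R"),
    ("10.0.0.9", "10.0.0.1", 23, "S"), ("10.0.0.1", "10.0.0.9", 23, "RA"),
    ("10.0.0.9", "10.0.0.1", 80, "S"), ("10.0.0.1", "10.0.0.9", 80, "SA"),
    ("10.0.0.9", "10.0.0.1", 80, "R"),
]

def track_flows(trace):
    """Replay the trace into {(client, server, port): state}, using the table's
    state names plus CLOSED (SYN refused) and HALF-OPEN (SYN-ACK, then client RST)."""
    flows = {}
    for src, dst, port, flags in trace:
        if flags == "S":                                            # step 2
            flows[(src, dst, port)] = "SYN-SENT"
        elif (dst, src, port) in flows and flags in ("SA", "RA"):   # step 3
            flows[(dst, src, port)] = "SYN-RECEIVED" if flags == "SA" else "CLOSED"
        elif flows.get((src, dst, port)) == "SYN-RECEIVED":         # step 4 (ACK) or RST
            flows[(src, dst, port)] = "ESTABLISHED" if "A" in flags else "HALF-OPEN"
    return flows

def classify_sources(flows, port_threshold=4):
    """Per client -> (distinct ports touched, handshakes completed, verdict).
    Enough ports is a scan; no completed handshake at all makes it a SYN scan."""
    per_src = {}
    for (client, server, port), state in flows.items():
        rec = per_src.setdefault(client, {"ports": set(), "done": 0})
        rec["ports"].add((server, port))
        rec["done"] += int(state == "ESTABLISHED")
    verdicts = {}
    for client, rec in per_src.items():
        n = len(rec["ports"])
        verdict = ("normal" if n < port_threshold
                   else "syn-scan" if rec["done"] == 0 else "connect-scan")
        verdicts[client] = (n, rec["done"], verdict)
    return verdicts

def open_ports(flows, server):
    """Ports on server that answered SYN-ACK, i.e. what the prober learned."""
    return sorted({p for (_, s, p), st in flows.items()
                   if s == server and st not in ("SYN-SENT", "CLOSED")})
```

The SYN scan never reaches step 4, yet every probe still leaves a SYN-SENT or HALF-OPEN flow behind, which is why a sensor with the right rules picks it up just like a connect scan.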
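The two nmap 2.53 runs under "Name the Operating System", as an added example that is not part of the original handout: a Python parser for that report format, plus a check that diffs the open ports against the services a host is supposed to run, which is how you use the same scan on your own box. The sample report is the System2 run copied from above; the baseline set is constructed.

```python
import re

# Sample report in the nmap 2.53 format shown above (the System2 run).
NMAP_OUTPUT = """\
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on jesuslovesunix.1800contacts.net (208.23.65.90):
(The 1516 ports scanned but not shown below are in state: closed)
Port       State       Service
13/tcp     open        daytime
21/tcp     open        ftp
22/tcp     open        ssh
37/tcp     open        time
111/tcp    open        sunrpc
113/tcp    open        auth
6969/tcp   open        acmsoda

Nmap run completed -- 1 IP address (1 host up) scanned in 85 seconds
"""

# The hostname is optional: the System1 run prints "Interesting ports on (x.x.x.x):".
HEADER_RE = re.compile(r"^Interesting ports on (?:(\S+) )?\((\S+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
FOOTER_RE = re.compile(r"scanned in (\d+) seconds")

def parse_nmap(text):
    """Parse one nmap 2.53 text report; "ports" maps (port, proto) -> (state, service)."""
    report = {"host": "", "addr": "", "seconds": 0, "ports": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            report["host"], report["addr"] = m.group(1) or "", m.group(2)
        elif m := PORT_RE.match(line):
            report["ports"][(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
        elif m := FOOTER_RE.search(line):
            report["seconds"] = int(m.group(1))
    return report

def open_tcp_ports(report):
    """Sorted TCP port numbers the scan reported as open."""
    return sorted(p for (p, proto), (state, _) in report["ports"].items()
                  if proto == "tcp" and state == "open")

def unexpected_ports(report, baseline):
    """Open TCP ports not in the baseline of services this host should run,
    as {port: service}; this is the list to go and investigate."""
    return {p: report["ports"][(p, "tcp")][1]
            for p in open_tcp_ports(report) if p not in baseline}
```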