EC-Council CEH 312-50 v10 – Detecting Live Systems – Port Scanning

  1. Introduction to Port Scanning

In this section, we’ll discuss port scanning. We’ll give you an intro into port scanning and then cover the TCP/IP stack, the TCP three-step startup sequence (the three-way handshake), port scanning types, port scanning tools, OS fingerprinting, fuzzy logic, and countermeasures.

  2. Introduction to Port Scanning

In this introduction to port scanning, we know that scanning is a method for discovering exploitable communication channels. Most network services and programs in use today run over TCP/IP, which is a network protocol suite originally designed by an organization called DARPA, part of the US Department of Defense, in the 1970s. The system of services listening on their own ports is loosely analogous to each service or program being assigned its own telephone number. A client can phone the service and establish a conversation to transfer information or request services. When we scan the ports on a server, we do not need the service to hold a conversation.

The fact that the port returns a response, in other words, the phone is answered, indicates that the port is open and a service is listening on it. Now, a port scan is kind of like ringing the doorbell to see if someone’s at home. Law enforcement really can’t do much about that because they have to wait till a crime is committed. Some individuals could even argue that, well, you’re scanning me so much that you’ve caused a denial of service on my machine, or DoSed my machine. This actually is what happens if we’re scanning somebody all the time. Although the intent is normally looked at as the deciding factor in borderline cases, it’s usually wise to ensure you have permission from the owner of the target systems for any activities you wish to run.

The ping command, on the other hand, uses ICMP, which stands for Internet Control Message Protocol. When I used to teach my TCP/IP classes, I used to refer to this as a traffic copter in the sky that would be looking over all of the roads to see where the congestion was. Back in my day, we would listen to the traffic reports and a traffic copter would go up there and find out where the congestion was. Today we pretty much use video cameras to tell that, but ICMP is used for diagnostic purposes on a network. At its most basic, it informs the user whether the target is up, or at least responding to ICMP queries. But we also know that Microsoft has turned that off in Service Pack 2 and above, so we have to use some other mechanism, and I’ll talk about that in the next couple of slides.

Other uses include displaying the route the packet takes to get to the target and showing network congestion. Since ICMP has a number of different fields in its header to help diagnose different problems, there are several ways that it can be exploited for network security issues. These include detecting aspects of the network configuration at the destination: whether or not they have an access control list in place, what protocols the destination is running, and perhaps what operating system is being used.

  3. TCP/IP Stack

Now, the next thing we want to talk about is the TCP/IP stack itself. And I want you to notice that if we look over here, we have our port numbers and the associated application that runs on those port numbers. This begs the question of who makes these assignments? We’ll get into that in just a couple of moments. But Telnet, we know, runs at port 23, FTP at 20 and 21, and SMTP at 25. HTTP runs on port 80 and HTTPS runs at 443. But look at DNS: it runs at TCP 53, but it also runs at UDP 53. Can’t it make up its mind? Usually I’ll throw this out as a trick question in my classes. Which one does it need to use, and what’s the difference between the two? In reality, it will always try UDP first. But a UDP packet can only hold 512 bytes, which is fine for simple DNS queries and lookups, because we’re just simply asking, who is this person? And they respond back with that. And that’s usually less than 512 bytes. A zone transfer, though, is generally more than 512 bytes, and so it has to fall back to TCP. Pay particular attention to BOOTP and DHCP, in that they run over UDP. That’s going to be of significant importance in the next couple of slides that I talk about.

SNMP runs on UDP ports 161 and 162. Now, UDP is like dropping a postcard in the mail. We put our full faith and trust in our postal system, and most of the time they do a pretty good job of getting it there. But we don’t necessarily check; we just assume it got there. TCP is kind of like, in the US, putting a green card on the back of the envelope: as soon as the mailman delivers it, he sends the green card back to us, ensuring that the person got that particular piece of mail. That’s kind of what TCP is like. I want you to also notice that we have an Internet layer down here and a physical layer. This physical layer probably should be called the medium because it may not be physical at all.

It could be over the air. One significant thing that I need to add is that UDP is the only protocol that you can spoof. Now think about it. On the next slide we’ll talk about the TCP three-way handshake: with TCP we send a SYN, SYN-ACK, ACK. On UDP, we just drop it in the mail. We assume that it’s going to get to the right person, but it hasn’t had to communicate back to anyone else.

So which services actually use which ports? That’s the responsibility of an organization called the Internet Assigned Numbers Authority, or IANA. The IANA site lists port numbers and their associated services, and IANA also handles IP address assignments. Now, oftentimes using an assigned port is not just for common programs and services. Malware can also sometimes be recognized from the port it uses. Unfortunately, these often clash with more common services. For example, port 25 is used by SMTP and by a large range of malware which spreads by email, meaning that a defense against them is not as simple as simply monitoring or closing these various ports. I want you to also notice that our well-known ports are usually referred to as from zero to 1024, the registered port numbers from 1024 to 49,152, and anything above that is known as a dynamic port. Dynamic ports are usually used when we return a packet. The system basically takes a port that’s not being used and assigns it to the recipient, and the recipient then makes a communication back to the sender with that particular port.

Lastly, let’s discuss the TCP three-way handshake. When a server and a client communicate with TCP, a packet is sent by one of them, then acknowledged by the other. Both sides keep note of which packets have been sent and received via sequence numbers in the headers of each packet.

But in order to start a conversation, they must first synchronize their sequence numbers with each other, which leads to the three-way handshake. The client will first send a SYN packet to synchronize the client sequence number. The server will respond with a SYN-ACK packet, synchronizing its sequence number with the client and acknowledging the sequence number of the client. Lastly, the client will respond with an acknowledgment of the server sequence number.

Now, most people get confused where they think there’s just one number. There are actually two numbers, a client number and a server number. They’re two separate numbers. Now that both sides of the conversation have the other side’s sequence number, a TCP conversation can commence and lost packets will be spotted. This is a very stripped-down explanation and ignores many aspects.
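To make the two separate sequence numbers concrete, here is a small model of the exchange described above (an added example, not code from the course). Each endpoint picks its own initial sequence number (ISN), an ACK carries the peer's number plus one, and a half-open scan is shown stopping after the SYN-ACK; the ISNs used are constructed values.

```python
# Added example, not from the course: a minimal model of the TCP three-way
# handshake showing the client ISN and server ISN as two separate numbers.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits


@dataclass(frozen=True)
class Segment:
    flags: int
    seq: int          # sender's own sequence number
    ack: int = 0      # next byte expected from the peer (meaningful only with ACK)


def has(seg: Segment, *bits: int) -> bool:
    return all(seg.flags & b for b in bits)


class Server:
    """A listening port: answers SYN with SYN-ACK built from its own ISN."""

    def __init__(self, isn: int):
        self.isn = isn                    # server's initial sequence number (constructed)
        self.client_seq: Optional[int] = None
        self.established = False

    def receive(self, seg: Segment) -> Optional[Segment]:
        if has(seg, SYN) and not has(seg, ACK):           # step 1: SYN
            self.client_seq = seg.seq
            return Segment(SYN | ACK, seq=self.isn, ack=seg.seq + 1)   # step 2
        if (has(seg, ACK) and self.client_seq is not None
                and seg.ack == self.isn + 1 and seg.seq == self.client_seq + 1):
            self.established = True                       # step 3: ACK of our ISN
        return None                                       # RST or anything else: no reply


def connect(server: Server, client_isn: int) -> Tuple[bool, List[Segment]]:
    """Full connect: SYN, SYN-ACK, ACK. Returns (established, transcript)."""
    syn = Segment(SYN, seq=client_isn)
    synack = server.receive(syn)
    if synack is None or not has(synack, SYN, ACK) or synack.ack != client_isn + 1:
        return False, [syn]
    ack = Segment(ACK, seq=client_isn + 1, ack=synack.seq + 1)
    server.receive(ack)
    return server.established, [syn, synack, ack]


def half_open(server: Server, client_isn: int) -> Tuple[bool, List[Segment]]:
    """Half-open (SYN) scan: after the SYN-ACK, send RST instead of the final ACK."""
    syn = Segment(SYN, seq=client_isn)
    synack = server.receive(syn)
    if synack is None:
        return False, [syn]
    rst = Segment(RST, seq=client_isn + 1)
    server.receive(rst)                   # server never reaches established
    return has(synack, SYN, ACK), [syn, synack, rst]
```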

  4. TCP 3-Way Handshake

Let’s finish our discussion on the TCP flags. The SYN and ACK flags we talked about, which were just used in the three-way handshake, are very similar to a telephone conversation. When I’m teaching a class, I would pick out one of the people in the class, let’s call him Tony. And I would say, Tony, if I called you on the phone, I’d pick up my phone and I dialed your number, more than likely when your phone rang, what would you say? And of course, he responds with hello. And I’d say, well, in reality, what hello means is: I’ve acknowledged this communication protocol, please proceed with your communication. Now, if he told me that, I’d think he was some kind of a nut, but that’s really what hello means. Sometimes the protocols are so strong, we don’t even know that they’re there. When we were knee-high to a grasshopper, we were taught to answer the phone by saying hello.

But in reality, what hello means is what I said earlier. The same thing happens when we do a telephone conversation using SYN and ACK. Let’s say I called Tony and Tony answers the phone. I would say something like, Hello, Tony. Hi, Tim, how are you doing? So we do a SYN, SYN-ACK, ACK, and then we start our conversation, once we both know that the conversation has been set up between us. Going further, the FIN flag is usually used when we tear down a conversation. I’m on the phone with Tony. Hey, Tony, I got to go. Okay, I’ll see you later. Bye. There are four steps to the teardown sequence, which means we’re flushing our buffers and getting ready for something else. Now, using that same analogy, let’s say we’re using some of those old analog telephones.

What would you say? I can’t hear you. And we just end up either losing the call, or we push the reset button or the off button and try again. That would be very similar to sending a reset packet. The reset packet is used to close the connection without going through that four-step teardown sequence. The push flag is used after we’ve set up with a SYN-ACK, and we push data to one person and they push data back to us. It typically signifies that the data in the packet should be put at the beginning of the queue to be processed. The urgent flag is a little bit interesting. Let’s say I was printing a 500-page document. I hit print, and the first page comes out on the printer. Oh, no, I didn’t mean to send that. If I had to wait for all 500 pages to print and then tell it to stop, well, yeah, it stops after all 500 pages print. The urgent flag is used to signify there’s an urgent control character in the packet that needs to be processed immediately, and it goes to the front of the queue.

We need to understand that the different port scans we’re doing are going to consist of different mechanisms. The one that we talk about probably the most, and the one where we say we know absolutely for sure that a port is open, is the TCP full connect scan. It’s also called a vanilla scan. Now, the vanilla port scan, the TCP connect scan, is essentially a full three-way handshake followed by a reset packet to close the conversation.

If the port is open and a service is listening, then this will proceed as normal. If the port is closed, then a reset packet will be returned to the attacking machine. The main disadvantage is that a full TCP connection is being established and then reset. The target machine, and possibly any IDS that may be listening to it, will usually write an entry to its logs. When this happens across a range of ports, it’s fairly obvious to the system administrator that they have been through a port scan. So we may want to be a little bit more stealthy. This is when we would use something like the half-open scan. And I’m going to do a demonstration in a couple of minutes and show you these, and we’re going to come up with the same values.

Now, a half-open scan sends a SYN to the target. Then it comes back with a SYN-ACK. But rather than sending an acknowledgment, we basically send a reset. It would be like calling somebody on the phone and, as soon as Tony picked up the phone, I would say something like, Tony, what’s the IP address of that server? He gives me the IP address and I just hang up the phone. Well, I got the information I wanted. It’d be kind of rude, but that’s kind of what’s happening with a half-open scan. Keep in mind the half-open scan is used by a lot of pieces of software these days to see if the target is actually alive or not, because we can’t use ping any longer. So we do a SYN, we receive a SYN-ACK. Okay, I didn’t really want to open that, so I just reset it. But I know that that particular machine is alive. Likewise, on a closed port, if I do a SYN, I’m automatically going to get an RST-ACK. The advantage to doing the half-open scan is that since most IDSs are going to be tuned not to pick those up, because all types of software use them as well, we can fly under the radar a little bit easier.

The last thing we want to talk about is a firewalled port. A vanilla or a half-open scan should receive either a SYN-ACK or an RST-ACK packet. However, there is a third possibility: no response at all. This can be due to a firewalled port, or possibly because the packet was lost due to network congestion. Now, if you’re getting a response on other ports but you’re not getting a response on this particular port, then you can reasonably assume it’s firewalled. Then finally we have something called a UDP port scan. Now remember, UDP is like dropping a letter in the mail. Although UDP services are less common and more time-consuming to probe, they should not be ignored. Services such as DHCP, DNS, and SNMP communicate via UDP and can be useful sources of information. Remember that UDP is the only one that can be spoofed. So I can change the port number before I send it out and it will simply respond back to somebody else. It doesn’t know any different.

A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send a response, leaving Nmap to time out and then conduct retransmissions in case the probe or the response was lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable. But unlike the RST packets sent by closed TCP ports to a SYN or connect scan, many hosts rate-limit ICMP port unreachable messages by default. Linux and Solaris are particularly strict about this, so it’s really difficult to tell. You’re going to need to understand that port scanning is not an exact science.
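The scan-type rules from the last few paragraphs, written out as an added example (not code from the course): a classifier that turns what the scanner sees into the open/closed/filtered verdicts described above, plus a constructed target that rate-limits ICMP port unreachable to one per second, to show why a fast UDP scan misreads closed ports as open|filtered. The `Reply` type, the host model and the timings are assumptions of this example.

```python
# Added example, not from the course: port-state classification for TCP
# connect/half-open scans and UDP scans, plus a rate-limited-ICMP simulation.
from dataclasses import dataclass
from typing import Dict, Optional

SYN, RST, ACK = 0x02, 0x04, 0x10             # TCP flag bits


@dataclass
class Reply:
    proto: str                                # "tcp", "udp" or "icmp"
    flags: int = 0                            # TCP flags, used when proto == "tcp"
    icmp_type: int = -1                       # ICMP type/code, used when proto == "icmp"
    icmp_code: int = -1


def classify_tcp(reply: Optional[Reply]) -> str:
    """Verdict for a port probed by a SYN (half-open) or full-connect scan."""
    if reply is None:
        return "filtered"                     # silence: firewall drop, or packet lost
    if reply.proto == "icmp" and reply.icmp_type == 3:
        return "filtered"                     # a filtering device answered "unreachable"
    if reply.proto == "tcp":
        if reply.flags & SYN and reply.flags & ACK:
            return "open"                     # step two of the handshake came back
        if reply.flags & RST:
            return "closed"                   # nothing listening; kernel sent RST(-ACK)
    return "unknown"


def classify_udp(reply: Optional[Reply]) -> str:
    """Verdict for a UDP probe; silence is ambiguous, which is the whole problem."""
    if reply is None:
        return "open|filtered"                # open services often stay quiet, as do firewalls
    if reply.proto == "udp":
        return "open"                         # the service itself spoke back
    if reply.proto == "icmp" and reply.icmp_type == 3:
        return "closed" if reply.icmp_code == 3 else "filtered"   # port unreachable vs. others
    return "unknown"


class RateLimitedHost:
    """Constructed target: every UDP port closed, port-unreachable limited to one per second."""

    def __init__(self, min_gap_ms: int = 1000):
        self.min_gap_ms = min_gap_ms
        self.next_allowed_ms = 0

    def probe(self, now_ms: int) -> Optional[Reply]:
        if now_ms < self.next_allowed_ms:
            return None                       # the rate limiter swallowed the unreachable
        self.next_allowed_ms = now_ms + self.min_gap_ms
        return Reply("icmp", icmp_type=3, icmp_code=3)


def udp_scan(host: RateLimitedHost, ports: int, gap_ms: int, retries: int = 1) -> Dict[str, int]:
    """Probe `ports` closed ports `gap_ms` apart, retransmitting silent ones; tally the verdicts."""
    now_ms, verdicts = 0, {}
    for _port in range(ports):
        state = "open|filtered"
        for _attempt in range(retries + 1):
            state = classify_udp(host.probe(now_ms))
            now_ms += gap_ms
            if state != "open|filtered":
                break                         # got a definite answer, no retransmission
        verdicts[state] = verdicts.get(state, 0) + 1
    return verdicts
```

Scanning 100 closed ports 10 ms apart with one retransmission yields only two "closed" verdicts against this host; pacing probes one second apart gets all 100 right, at 100 times the cost.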

  5. Nmap Service Version Detection and Demo

There’s one last thing I need to talk about on Nmap, and that’s Nmap service version detection. What it tries to do is determine what’s running at the various ports. So you could type in nmap -sV, and in this case in the diagram here, it’s showing -p 80, so it’s wanting you to just check that one particular port. And the IP address came back here with a Microsoft IIS 6.0 server. Now I went ahead and pulled up the online labs version of Kali Linux and scanned the XP Attacker with it. And of course I did nmap -sV; I didn’t tell it a port, so by default Nmap is going to do its well-known ports, the ones that are in its configuration file.

So it did 135 and says it’s Windows RPC. 139 it says is comparable to Windows 98, 445 it says is XP, which it got right, and 1025 is Microsoft Windows RPC. But I want you to notice this one right here. It’s thinking it may be a UPnP port, but it says if you know the service version, please submit the following fingerprint to Nmap and tell us what this is. Oftentimes Nmap can’t determine exactly what it is, but it gives you a particular fingerprint to send them so that in the future they’ll be able to know what this particular one is. It also gives service info: the operating system is Windows, Windows 98, XP, or something else here. As I talked about before, this is not an exact science.

  6. Instructor Demonstration: Engage, Nmap Scans

Now I’m going to go ahead and demonstrate the online labs tool. You have two options. You can download the various software and put together your own lab as I have shown you, or there is the optional online lab at an extra cost, which also comes with a tremendous amount of test questions and a guarantee that you’ll pass your test. But anyway, what we’ve got right here is the online lab console viewer. So I’m going to go ahead and log in to my VM with the password that should be given to you. And you can see that I now have a number of VMs that I can open up.

So I’m going to open up this one called XP Attacker, and it may take a moment or two to start up. I’m also going to go ahead and open up the Kali Linux one. There it is right there; open that one up as well. Now, in the online labs, all of your labs will be shown to you in the various sections of what we want you to do. You just simply go down through here, and here are all of the things we want you to do, and you come out over here and do it. So I’m going to go ahead and just minimize this for right now, and I’m going to show you a couple of things. All of the path.

  7. Hping3, Nmap -O

Oftentimes, because scanning is not an exact science, we’ll use multiple tools and take the word of the one that has the most accurate guesses. In this section we want to talk about hping3. hping3 is a very robust tool; it is the newest version, following hping2. hping3 can be used for a number of different things, and I’m going to take just a moment and show you those if you will take a look in our online lab.

These are all of the things that hping3 will actually do. It can craft a packet and probe various ports, use different types of modes, all kinds of stuff. Now, you’re going to be doing a lab on this, so I’m not going to demonstrate hping3, but I do want to demonstrate something else. The next thing I want to talk about is nmap -O. I’m going to give it an IP address, and I’m just going to go ahead and use the IP address of our Windows XP machine since I have it up already. Nmap is going to go out and attempt to discover the operating system that’s behind this. So Nmap has basically come back and said that this is Microsoft Windows, either a 2000 or an XP version. OS detection was performed; please correct or report any incorrect results, right here. Again, not a completely exact science.

  8. Fuzzy Logic

Now, the next thing I want to talk to you guys about is something called fuzzy logic. And the best way that I can explain it is by telling you a story about my six-year-old nephew. My sister and her husband had gone out of town for a couple of weeks and asked us to watch their son. And naturally, he was all excited to come and stay with Uncle Tim. And unfortunately, I found out what kind of a naughty little boy he was. One day, the neighbor lady brought him up by the collar to my front door and said, I almost hit this little boy. He was riding his bike right out in the street and ran right out in front of me. I apologized to her and everything. His name is Brian. Brian, you can’t ride your bike the whole time you’re here. I’m sorry.

Let’s just put it up in the garage. I came home the next day. His bike is out in the middle of the yard. There’s mud on the tires of his bike. His tennis shoes are sitting right next to it. There’s mud on his tennis shoes. So I call him in here: Brian, come here, I want to talk to you. Did you ride your bike today? And he sticks his hands in his pockets, looks down at his shoes, and tells me, no, Tío, I didn’t ride my bike. Tío is uncle in Spanish. I didn’t ride my bike today. I knew he was lying to me, because there’s a bike in the front yard, there’s mud on the tires, there’s mud on his tennis shoes, and that’s the way he always acts when he’s lying to me. Folks, that’s fuzzy logic. I basically take in all of the input that I can, sit back, and try to make a determination. That’s fuzzy logic.

  9. Countermeasures: Scanning

Now let’s go ahead and wrap up this section by talking about the countermeasures to scanning. There are a couple of things that we could do. We could disable ICMP, both inbound and outbound, at the firewall; that’s going to stop the ICMP port unreachable and some of those kinds of things. We could configure the firewall to drop all packet anomalies, like the wrong TCP flags being set. This is how nmap -O works. I’m able to determine how it works by simply setting all of the TCP flags. Let me give you an example. I pulled up the Engage Packet Builder, and if I set the urgent flag, the ACK flag, the push flag, the reset flag, the SYN flag, and the FIN flag, now folks, there’s never going to be a time during normal data communications that every one of those flags is set.

So how does the operating system respond to that? Well, more than likely it’s going to respond to it. If it’s an if-then statement or a case statement, it’s going to respond. But the “otherwise, do this” branch, and whatever that “do this” is, is probably different for each kind of operating system. So it gives me clues into what kind of operating system it actually is.

So back at our slide: it doesn’t mean that setting all of the flags is the only way nmap -O works, but that’s one of its mechanisms. We could enable application-layer monitoring of data at the firewall, or use an IDS, an intrusion detection system, to detect port scans and then terminate that particular connection. I could use an advanced firewall that obfuscates all port scans by indicating all ports are open. I’ve seen this a lot of times in hotels, where if you do an nmap scan against one of the other people in the hotel, it will say, oh, well, all the ports are open.

Well, you know for a fact that all the ports aren’t open; it wouldn’t have the resources for them. The way around that is you could do an nmap window scan. We didn’t really cover that, but it’s one that you’ll do in your lab. The nmap window scan allocates a window, or a set of resources, to it, and the ones that have the resources are actually the ones that are open. And we can also use XP Service Pack 2 or greater, since it limits the number of simultaneous open sockets and thus drastically slows down a port scan.
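Two of the countermeasures above in code, as an added example (not from the course): a check for TCP flag combinations that never occur in normal traffic, such as the all-flags packet built in the packet-builder demonstration, and a simple IDS-style port-scan detector that alerts when one source touches many distinct ports on a host inside a short window. The log line format, the thresholds and the sample log are constructed for this example.

```python
# Added example, not from the course: flag-anomaly filtering and port-scan
# detection over constructed firewall log lines.
import re
from collections import defaultdict
from typing import Dict, Iterable, List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def anomalous_flags(flags: int) -> bool:
    """True for flag combinations a real TCP stack never sends on its own."""
    if flags == 0:
        return True                           # no flags at all (NULL probe)
    if flags & SYN and flags & (FIN | RST):
        return True                           # open and close/abort in one packet
    if flags & FIN and not flags & ACK:
        return True                           # FIN without ACK (FIN/Xmas-style probes)
    return False                              # SYN, SYN-ACK, ACK, PSH-ACK, FIN-ACK, RST...


# Constructed log format (assumption): "<epoch> <src> -> <dst>:<port> flags=0x<hex>"
LOG_RE = re.compile(r"(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) flags=(?P<flags>0x[0-9a-fA-F]+)")


def dropped_by_firewall(lines: Iterable[str]) -> int:
    """Count lines the 'drop anomalous flags' rule would have blocked."""
    return sum(1 for m in map(LOG_RE.match, lines) if m and anomalous_flags(int(m["flags"], 16)))


def detect_scans(lines: Iterable[str], window: int = 10, threshold: int = 15) -> Dict[str, Dict[str, List[int]]]:
    """{src: {dst: ports}} for sources hitting >= threshold distinct ports within `window` seconds."""
    events = defaultdict(list)                # (src, dst) -> [(ts, port), ...]
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events[(m["src"], m["dst"])].append((int(m["ts"]), int(m["port"])))
    alerts: Dict[str, Dict[str, List[int]]] = {}
    for (src, dst), hits in events.items():
        hits.sort()
        left = 0
        for right in range(len(hits)):        # sliding window over sorted timestamps
            while hits[right][0] - hits[left][0] > window:
                left += 1
            if len({p for _, p in hits[left:right + 1]}) >= threshold:
                alerts.setdefault(src, {})[dst] = sorted({p for _, p in hits})
                break
    return alerts


SAMPLE_LOG = (
    # constructed: 10.0.0.5 sweeps 21 ports on one host within seven seconds
    [f"{100 + i // 3} 10.0.0.5 -> 192.168.1.10:{20 + i} flags=0x02" for i in range(21)]
    # constructed: the same source later sends an all-six-flags probe
    + ["110 10.0.0.5 -> 192.168.1.10:80 flags=0x3f"]
    # constructed: a browser at 10.0.0.7 talking to ports 80 and 443 over a minute
    + [f"{100 + 3 * i} 10.0.0.7 -> 192.168.1.10:{443 if i % 2 else 80} flags=0x02" for i in range(20)]
)
```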
