Friday, June 02, 2006

A short intro about port scanning

im back...my loong term(1 week) absence from the net was due to xtreme conditions arising(read as way over the data limit). Anyways i changed my plan to a low speed but unlimited one. Thought id write what all i know about port scanners.

Many people believe a port scanner is the ultimate "tool" in a hackers toolkit and it throws up ur friends password lists in a jiffy as soon as u give his ip. Wrong!!. A port scanner is just a tool for "checking" wether a particular system is "vulnerable". Also, port scanning is illegal in many parts of the world and it is NOT a good idea to try them on a public server(just in case)....

To understand different types of port scans a brief knowledge on how a TCP/IP connection is established is necessary. To put it in simple terms a TCP/IP connection is establishd as follows

Connect request
Sender ---------------------> Receiver

Connect Confirm
Sender <---------------------- Receiver

Connect acknowledge
Sender ---------------------> Receiver

This 3-way "handshake" establishes a TCP/IP connection between the "sender" and the "receiver". The most conventional type of port scan is the connect scan
The connect scan simply attempts a full fledged TCP/IP connection to every single port on the victims machine. If a connection is created succesfully with a port(consider a port as a "data-pipeline" which is managed by a particular program) the program marks that particular port as open. The chances of this scan working is really low these days. the most negative part is that this scan shows up prominently in the connection logs of the victims machine.

Another widely popular scan method is the SYN scan.
This is also known as a "half-open" port scan. This is because technically it opens "half a port". It sends the initial connection request, but as soon as the victim responds the scanner sends a connection terminate packet and closes the connection(it marks the port as open). This scan provides a lil bit higher element of stealth compared to the connect scan. It does show up in the logs but with lesser prominence. SYN scan provides somewhat accurate results with a certain degree of stealth.

Next is the FIN scan
This is the most "silent" of all port scans. It employs a packet known as the FIN packet(which means no more data from sender). An open port ignores a FIN packet while a closed port responds with an RST(connection reset) packet. The scanner thus marks out open ports. This method is kinda unreliable in the sense that accuracy is low. It aint "undetectable" but its pretty hard to detect.

There are other methods of scans like XMAS scan, NULL scan etc. which im not that familiar with and havent used.

This is the most basic functionality of a port scanner. Well known port scanners also pack in xtra features like ip-spoofing, banner grabbing and OS detection.

Banner grabbing is the mechanism by which the "welcome" banner of certain programs "manning" a paricular port is captured by the port scanner thus letting us know which service runs on which port.

OS detection is quite a nifty feature. As they say the first step in "breaking in" to a machine is to know which OS it runs. OS detection isnt guarenteed o work at all times. It uses a technique called TCP/IP fingerprinting. Each OS handles a TCP/IP packet in its own unique way. The port scanner compares a "fingerprint" from a packet to its own "fingerprint" database to detect the OS.

Another useful feature is the ARP ping scan which uses ARP packets to determine the MAC-ID of the victims ethernet adapter and its manufacturer. this scan is not blocked by conventional firewalls with ip-blocking.

One of the best port scanners around is undoubtledly Nmap.
Its a command line port scanner which packs in a lot of useful features. A typical Nmap scan result luks like this.....

Initiating ARP Ping Scan against 202.83.39.129 [1 port] at 23:06
The ARP Ping Scan took 0.11s to scan 1 total hosts.
Initiating SYN Stealth Scan against 202.83.39.129 [1670 ports] at 23:06
Increasing send delay for 202.83.39.129 from 0 to 5 due to 17 out of 55 dropped
probes since last increase.
Increasing send delay for 202.83.39.129 from 5 to 10 due to max_successful_tryno
increase to 4
Increasing send delay for 202.83.39.129 from 10 to 20 due to 12 out of 39 droppe
d probes since last increase.
Increasing send delay for 202.83.39.129 from 20 to 40 due to 19 out of 63 droppe
d probes since last increase.
Increasing send delay for 202.83.39.129 from 40 to 80 due to 11 out of 35 droppe
d probes since last increase.
SYN Stealth Scan Timing: About 19.72% done; ETC: 23:09 (0:02:02 remaining)
Discovered open port 5000/tcp on 202.83.39.129
Discovered open port 5101/tcp on 202.83.39.129
SYN Stealth Scan Timing: About 77.96% done; ETC: 23:10 (0:00:43 remaining)
The SYN Stealth Scan took 216.70s to scan 1670 total ports.
Initiating service scan against 2 services on 202.83.39.129 at 23:10
The service scan took 14.13s to scan 2 services on 1 host.
For OSScan assuming port 5000 is open, 1 is closed, and neither are firewalled
Host 202.83.39.129 appears to be up ... good.
Interesting ports on 202.83.39.129:
(The 1646 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
20/tcp filtered ftp-data
21/tcp filtered ftp
25/tcp filtered smtp
80/tcp filtered http
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
623/tcp filtered unknown
664/tcp filtered unknown
1080/tcp filtered socks
1353/tcp filtered relief
1433/tcp filtered ms-sql-s
3128/tcp filtered squid-http
4444/tcp filtered krb524
4480/tcp filtered proxy-plus
5000/tcp open upnp Microsoft Windows UPnP
5101/tcp open tcpwrapped
6588/tcp filtered analogx
9090/tcp filtered zeus-admin
12345/tcp filtered NetBus
MAC Address: 00:11:2F:04:04:C6 (Asustek Computer)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
TCP Sequence Prediction: Class=random positive increments
Difficulty=14917 (Worthy challenge)
IPID Sequence Generation: Incremental
Service Info: OS: Windows



Note that the victims MAC is revealed in the scan. Since the MAC is unique 2 a pc this can be effectively used in identifying a pc. So next time u doubt whether the girl u hv been chattin 2 for the past cpl of hrs is ur neighbour, u knw wat 2 do;-) Note that ARP ping scan works only in some ISP's and it does not work for people on dial-up.

A port scan is not an attack by itself. But it is phase 1 of an attack. So the next time ur frnd threatens that hes gonna "break in" to ur pc using his new "port scanner" ask him 2 buzz off..:D

U can c "trinity" using Nmap before breaking into the power station's server in the movie "Matrix Reloaded"(thnx to anand for the info..)

signin off--th3_d4r3d3vi1
Post a Comment