Scanning - PowerPoint PPT Presentation

Slides: 18
Provided by: johnmc1

Transcript and Presenter's Notes

1
Scanning
  • TSM 352

2
What is Scanning?
  • Footprinting: casing the joint
  • Scanning: knocking on the walls to find doors
    and windows

3
Determining if the System is Alive
  • Typically known as a ping sweep
  • Traditionally uses ICMP ECHO (type 8) packets to
    invoke ICMP ECHO_REPLY (type 0)
  • This technique is acceptable for a small number
    of systems, but is quite inefficient for larger
    enterprises.
  • A number of tools are available, with differing
    capabilities:
  • Whether the tool waits for a response before
    moving to the next IP, or sends probes in
    parallel
  • Resolving hostnames (via reverse DNS)
  • Resolving NetBIOS names
  • Probing with something other than ICMP (UDP or
    TCP, for example). This is actually getting into
    port scanning: any UDP or TCP packet must
    specify a port, but the port does not need to be
    one that is open. In fact, for identifying live
    systems, the port chosen for such a probe is one
    that is assumed to be closed.
  • The whole idea behind a port probe used to
    identify a live machine is that a closed port
    still draws a reply: a UDP probe to a closed port
    returns an ICMP Port Unreachable message (type 3,
    code 3), and a TCP probe to a closed port returns
    a RST. Either reply indicates that the machine is
    up and running; silence only means that something
    dropped the probe or the reply.

4
When ICMP is Blocked
  • More and more organizations are blocking incoming
    ICMP traffic (at least echo requests).
  • When this is the case, UDP/TCP sweeping is the
    next choice. The idea is that the firewall has to
    let some packets from the outside through. TCP
    packets are normally only allowed if they look
    like part of a connection established from the
    inside (i.e. they have the ACK flag set), so a
    probe with ACK set may pass a simple packet
    filter. UDP packets are not part of a session and
    often represent an answer to a single query that
    originated inside the network; an example is a
    reply from a DNS server (source port 53) returning
    to a high-numbered port.
  • Another technique used to slip packets through is
    fragmentation. In many cases, simple access
    control devices are not sophisticated enough (or
    the administrator is not) to handle fragmented
    packets correctly.
  • There are ICMP messages other than Echo Request
    that invoke a response. ICMP Timestamp Request
    (type 13, answered by type 14) and ICMP
    Information Request (type 15, answered by type
    16) are two examples. There are utilities
    (notably icmpenum) that let the user fashion such
    packets. Often the firewall/router admin will
    specifically disallow ICMP Echo requests, but may
    not even know about these two other
    possibilities.

5
Ping Sweep Countermeasures
  • Important to detect this activity when it happens:
    use IDS programs, such as Snort
  • Linux OSs can be set up to detect such activity
  • Windows host-based ping detection tools are
    difficult to come by.
  • Prevention:
  • Carefully evaluate the type of ICMP traffic you
    allow into your networks or specific systems
  • Some must be allowed, such as host unreachable,
    time-exceeded, etc.
  • Watch for outgoing ping sweeps as well; have a
    policy that discourages such activity

6
Other ICMP Queries
  • ICMP Timestamp Request (type 13) to determine the
    time zone of the host: the reply carries the
    host's clock as milliseconds since midnight, and
    a stack that fills it in with local rather than
    UTC time reveals its offset
  • ICMP Address Mask Request (type 17) to get the
    subnet mask
  • Tool: icmpquery

7
Determining which Services are Running/Listening
  • Typically accomplished with port scanning
  • Identifying listening ports is critical to
    determining the type of OS and apps in use
  • Process of connecting to TCP and/or UDP ports
  • Numerous tools and techniques that have evolved
    over the last few years.
  • Objectives
  • ID both the TCP and UDP services running
  • ID the type of OS
  • ID specific applications or versions

8
Scan Types
  • TCP Connect
  • TCP SYN
  • TCP FIN
  • TCP Xmas Tree
  • TCP Null
  • TCP ACK
  • UDP Scan

9
TCP Connect
  • Goes through the full connect (3-way handshake)
    process, using the operating system's normal
    connect() call, so no raw-socket privileges are
    needed
  • Then closes the connection with a standard FIN
    process
  • May close with a RST instead
  • Least likely to set off an alarm, since it looks
    like an ordinary connection, but most likely to
    be logged, because the application sees a
    completed connection

10
TCP SYN
  • Also called half-open scanning
  • The full TCP connection is not completed
  • If a SYN/ACK is received, the port is assumed to
    be open
  • If a RST/ACK is received, the port is usually not
    listening, but the machine is alive
  • The scanner then sends a RST to tear down the
    half-open connection, so the application behind
    the port never sees it
  • Least likely to be logged by the application, but
    often sets off an alarm on IDSs; crafting the
    packets requires raw sockets (root/administrator)

11
TCP FIN Scan
  • Sends a packet with only the FIN flag set
  • Based on RFC 793 the target should send back a
    RST for all closed ports and ignore the packet on
    open ports, so no response means open (or
    filtered)
  • Windows does not follow this: it returns a RST
    regardless of whether the port is open or closed,
    so a FIN scan reports every port as closed
  • UNIX/Linux follows the RFC

12
TCP Xmas Tree Scan
  • Sends a packet with the FIN, URG, and PSH flags
    set
  • RFC 793 says the target should send back a RST
    for all closed ports and nothing for open ones;
    the same Windows caveat as the FIN scan applies

13
TCP Null Scan
  • Turns off all flags.
  • RFC 793 says a RST should be returned for closed
    ports and nothing for open ones; the same caveat
    as the FIN scan applies

14
TCP ACK Scan
  • Sends only an ACK packet
  • Typically used to map out firewall rulesets
    rather than to find open ports: a RST back means
    the probe reached the host (the port is
    unfiltered), while no response or an ICMP
    unreachable means it is filtered
  • It can determine if the firewall is a simple
    packet filter that passes anything with the ACK
    flag set (treating it as an established
    connection), or a stateful firewall that tracks
    connections and drops an ACK that belongs to none

15
UDP Scan
  • Sends a UDP packet
  • If the target responds with ICMP Port Unreachable
    (type 3, code 3), the port is closed
  • If no ICMP Port Unreachable is received, the port
    may be open, but it may also be filtered: a
    firewall that silently drops the probe looks
    exactly like an open port. A UDP reply from the
    service is the only proof that it is open.
  • Accuracy of this technique is highly dependent on
    many factors, however, such as packet loss and
    filtering devices in the path
  • UDP scanning is very slow, because many stacks
    rate-limit ICMP errors (Linux to about one per
    second by default)
  • In general, UDP scanning provides unreliable
    results
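The scan types on slides 8 through 15, as one added worked example rather than code from the slides: PROBES lists the flag combination each scan sends, build_tcp crafts the raw RFC 793 segment (including the checksum over the IPv4 pseudo-header), tcp_flags parses the flags out of a reply, and classify turns what came back into the port state a scanner would report, including the UDP case. inverse_scan_usable is the practical check for the Windows caveat: confirm on a port that SYN proved open that a FIN probe gets no RST before trusting FIN/Xmas/Null results. The 192.0.2.x addresses and all names are assumptions.

```python
"""TCP flag probes and port-state inference per scan type (added example, not from the slides)."""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# First packet each scan type sends.  Connect and SYN scans start identically;
# connect completes the handshake, SYN tears it down with a RST.
PROBES = {
    "connect": SYN,
    "syn": SYN,
    "fin": FIN,
    "xmas": FIN | PSH | URG,  # lit up like a Christmas tree
    "null": 0,
    "ack": ACK,
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when the data already checks out."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, length: int) -> bytes:
    """IPv4 pseudo-header that RFC 793 folds into the TCP checksum."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, length)


def build_tcp(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024) -> bytes:
    """20-byte TCP header (data offset 5 words) carrying the given flag bits."""
    offset_flags = (5 << 12) | flags
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_flags(segment: bytes) -> int:
    """The six classic flag bits of a TCP segment; a reply is parsed the same way."""
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify(scan: str, reply) -> str:
    """Port state a scanner would report from the reply to one probe.

    reply is None (nothing came back before the timeout), ("tcp", flags),
    ("udp", payload) or ("icmp", icmp_type, code).
    """
    if reply is not None and reply[0] == "icmp":
        # Port Unreachable to a UDP probe is the host itself saying nothing listens there;
        # any other unreachable comes from a filtering device in the path.
        if scan == "udp" and (reply[1], reply[2]) == (3, 3):
            return "closed"
        return "filtered"
    if scan == "udp":
        # a datagram back proves the service is up; silence could be open or a dropped probe
        return "open" if reply is not None else "open|filtered"
    flags = reply[1] if reply is not None else None
    if scan in ("connect", "syn"):
        if flags is None:
            return "filtered"
        if flags & SYN and flags & ACK:
            return "open"
        return "closed" if flags & RST else "filtered"
    if scan in ("fin", "xmas", "null"):
        # RFC 793: closed ports answer with RST, open ports stay silent, so silence is
        # ambiguous between "open" and "a firewall dropped it"
        return "closed" if flags is not None and flags & RST else "open|filtered"
    if scan == "ack":
        # nothing about open/closed is learned, only whether the probe reached the host
        return "unfiltered" if flags is not None and flags & RST else "filtered"
    raise ValueError("unknown scan type %r" % scan)


def inverse_scan_usable(syn_reply, fin_reply) -> bool:
    """FIN/Xmas/Null results are only meaningful against stacks that follow RFC 793.

    Take one port that a SYN probe proved open: if a FIN probe to it still draws a RST,
    the stack answers RST regardless of state (Windows does) and an inverse scan would
    report every port closed.
    """
    return classify("syn", syn_reply) == "open" and classify("fin", fin_reply) != "closed"


if __name__ == "__main__":
    for name, flags in PROBES.items():  # placeholder addresses, nothing is sent
        seg = build_tcp("192.0.2.1", "192.0.2.10", 40000, 80, flags)
        print("%-8s flags=0x%02x  %s" % (name, tcp_flags(seg), seg.hex()))
```

Sending these segments needs a raw socket with IP_HDRINCL and the checksum is what makes the target's stack accept them at all; the classifier is where the slides' "deduce open from silence" for UDP and inverse scans becomes the explicit open|filtered state.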

16
Identifying Services Running
  • Most port scanners will report a service running
    based solely on the port that was found open.
    This is pure conjecture, but true in most cases.
  • A program like telnet or netcat can be used to
    probe further once the open ports are found:
    connect and read the banner the service sends.

17
Some Scanners Compared