Computer Security Workshops Module 2 - Port Scanning
Port Scanning
• Definition: Probing the ports on a remote machine to gain information
• Port – a virtual identifier on a system for a particular application/protocol
• Examples:
  • ftp: port 21
  • ssh: port 22
  • telnet: port 23
  • http: port 80
  • Oracle: port 1521
• Usefulness
  • Attacker: which ports are open?
  • Defender: which ports are potential vulnerabilities?
Specific Uses
• Find out if a system is up
  • Ping scanning
• Find open/vulnerable ports – what services are available?
  • Port scanning
• Operating system identification
  • Certain services are only Windows, Linux, etc.
  • TCP/IP fingerprinting
    • Based on packet TTL, packet size, and the flags set on SYN/SYN|ACK packets in the TCP handshake
How to use this information
• Identify exposed ports/services
• Shut down any unneeded services
  • Famous last words – “I didn’t know X was running on my system”
• Ensure that the services that are running do not have security vulnerabilities
Issues
• Possible problems with usage
  • Options can flood the target machine with packets, potentially affecting it (denial of service)
• Ethics
  • Is it ethical to probe an arbitrary system?
  • Most say “no”
• Identification of the probing system – may be difficult
  • http://www.insecure.org/nmap/idlescan.html
Port Scanning Tools
• Unix/Linux
  • strobe
  • netcat (nc) – reads and writes to TCP/IP; also socat
• Windows
  • SuperScan4
• Both (and others)
  • nmap (with Zenmap GUI)
• List
  • http://www.cotse.com/tools/pscan.htm
nmap
• One of many software implementations of a port scanner
• Open source
• Available on Windows and Unix, other OS
• Supports many hardware options, including some PDAs
• Now with a GUI front end: zenmap
• http://nmap.org
nmap features
• Identifies open ports
• Options for regular or stealth scanning
  • Regular scanning – attempts a full connection with the port; the scanned system knows a scan is occurring and can identify the scanner
  • Stealth scanning – attempts a partial connection with the port; the scanned system may not know a scan is occurring and may not be able to identify the scanner
• Attempts to identify the operating system
  • Usually correct, but can be fooled
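The stealth scan on this slide hides from the service log (no full connection is ever completed), but every probe of either kind still begins with a SYN, so a packet-filter log on the scanned host sees both. The following detector is an added example written for these notes, not code from the slides or from nmap; the netfilter-style log format, the addresses and the window/threshold values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed netfilter-style LOG lines (sample data, not from the slides): one host
# SYNs eight ports in eight seconds, a normal client uses two ports, one line is UDP.
SAMPLE_LOG = [
    f"Mar 10 18:16:0{i} host kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 "
    f"PROTO=TCP SPT={40000 + i} DPT={port} SYN"
    for i, port in enumerate([21, 22, 23, 25, 80, 443, 1521, 3306])
] + [
    "Mar 10 18:15:30 host kernel: IN=eth0 SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN",
    "Mar 10 18:16:40 host kernel: IN=eth0 SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=443 SYN",
    "Mar 10 18:16:41 host kernel: IN=eth0 SRC=192.0.2.20 DST=198.51.100.5 PROTO=UDP SPT=51002 DPT=53",
]

# A connect scan and a SYN ("stealth") scan both open every probe with a SYN, so
# a packet filter log sees them alike even when the service log sees only the former.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) SYN\b"
)

def parse_line(line):
    """Return (timestamp, source ip, destination port) for a TCP SYN line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year unused; deltas only
    return ts, m.group("src"), int(m.group("dpt"))

def detect_scans(lines, window=10, min_ports=5):
    """Per source ip, the most distinct destination ports hit by SYNs inside any
    `window`-second span; sources reaching `min_ports` are returned as a dict."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # sliding window needs time order
        best, start = 0, 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window:
                start += 1
            best = max(best, len({port for _, port in evs[start:end + 1]}))
        if best >= min_ports:
            flagged[src] = best
    return flagged
```

Tune `window` and `min_ports` to the host's normal traffic; a slow scan spread over minutes needs a wider window than the default used here.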
nmap Output Example
  Starting nmap V. 4.62 (www.insecure.org)
  Initiating SYN Stealth Scan at 18:16
  Scanning localhost (127.0.0.1) [1715 ports]
  …
  PORT     STATE SERVICE VERSION
  21/tcp   open  ftp     vsftpd 2.0.7
  22/tcp   open  ssh     (protocol 2.0)
  25/tcp   open  smtp?
  80/tcp   open  http    Apache httpd 2.2.9
  631/tcp  open  ipp     CUPS 1.3
  3306/tcp open  mysql   MySQL 5.0.67-0ubuntu6
  …
  Running: Linux 2.6.X
  OS details: Linux 2.6.17 – 2.6.21
SuperScan4
• Nice Windows GUI
• Many extra options
• Information on ports/services in HTML report format
• IMPORTANT NOTE: to find open ports, go to the Host and Service Discovery tab, change Scan Type from SYN to Connect, then do the scan