Port Scanning
Yiqian Zhang, CS 265 Project

What is Port Scanning?
• Port scanning is equivalent to knocking on the walls to find all the doors and windows.
• Determines what systems are listening and reachable from the Internet.
• Analyzes underlying weaknesses.
• Records the weaknesses found for later use.

Port Numbers
• Well Known Ports: 0–1023
• Examples: Echo 7/tcp, ftp-data 20/udp
• Non Standard Ports: 1023 and above
• Example: Yahoo! Messenger 5010

Port Scanning Techniques
• Vanilla: the simplest form of port scan.
• Tries each of the 65535 ports on the victim.
• Sends a carefully constructed packet with a chosen port number.

Stealth Scan
• Port scanning is easily logged by the services listening on the ports.
• Stealth scans are designed to go undetected by auditing tools.
• Scanning at a slow pace.
• Inverse mapping: relies on the "host unreachable" ICMP messages generated for IPs that do not exist.

TCP Scanner
• TCP connect scan: completes a full three-way handshake.
• TCP SYN scan (half-open scanning): a SYN packet is sent; a listening target responds with SYN+ACK, a non-listening target responds with a RST.
• TCP FIN scan: the scanner sends a FIN packet; closed ports reply with a RST, open ports ignore the packet entirely.
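As an added example that is not part of the original slides, the following Python script shows the defender's side of the three TCP techniques above: it groups firewall log lines by source and destination, flags a source that touches many distinct ports in a short window, and infers the technique from the flags the source sent. The log format, IP addresses and thresholds are constructed assumptions.

```python
"""Flag port-scan activity in a constructed firewall log (added example).
The TCP flags a source sends hint at which of the techniques above it resembles."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ISO time> <src> <dst> <dst port> <flags sent by src>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 192.168.1.1 22 S
2024-01-01T10:00:00 10.0.0.5 192.168.1.1 23 S
2024-01-01T10:00:01 10.0.0.5 192.168.1.1 25 S
2024-01-01T10:00:01 10.0.0.5 192.168.1.1 80 S
2024-01-01T10:00:02 10.0.0.5 192.168.1.1 443 S
2024-01-01T10:00:03 10.0.0.9 192.168.1.1 21 F
2024-01-01T10:00:03 10.0.0.9 192.168.1.1 110 F
2024-01-01T10:00:04 10.0.0.9 192.168.1.1 139 F
2024-01-01T10:00:04 10.0.0.9 192.168.1.1 445 F
2024-01-01T10:00:05 10.0.0.9 192.168.1.1 3389 F
2024-01-01T10:00:06 10.0.0.7 192.168.1.1 443 S
2024-01-01T10:00:06 10.0.0.7 192.168.1.1 443 A
"""

def parse(log):  # yield (timestamp, src, dst, port, flags) per line
    for line in log.splitlines():
        ts, src, dst, port, flags = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), flags

def classify(flagset):  # map flags sent by the source to the technique they resemble
    if "A" in flagset:
        return "connect scan (handshake completed)"
    if flagset == {"S"}:
        return "half-open (SYN) scan"   # SYNs only: scanner never finishes the handshake
    if flagset == {"F"}:
        return "FIN scan"               # FIN with no prior handshake
    return "mixed"

def detect_scans(log, min_ports=5, window_s=60):
    """Return {src: (distinct ports, technique)} for sources hitting >= min_ports ports on one host within window_s."""
    by_pair = defaultdict(list)         # (src, dst) -> [(ts, port, flags)]
    for ts, src, dst, port, flags in parse(log):
        by_pair[(src, dst)].append((ts, port, flags))
    findings = {}
    for (src, _dst), events in by_pair.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):   # sliding window starting at each event
            span = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            ports = {p for _, p, _ in span}
            if len(ports) >= min_ports:
                findings[src] = (len(ports), classify({f for _, _, f in span}))
                break
    return findings
```

A slow scan of the kind the Stealth Scan slide describes spreads its probes across many windows, so a detector like this needs a much longer window_s (or per-day counts) to catch it.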
Bounce Scans
• The ability to hide tracks is important to attackers.
• FTP bounce scan: allows the hacker to force the FTP server to do the port scan and send back the results. Bouncing through an FTP server hides where the attacker comes from.
• The advantage of this approach is that it is harder to trace; the disadvantage is that it is slow.

UDP Scanning
• To find UDP ports, the attacker generally sends empty UDP datagrams.
• If the port is listening, the service should send back an error message or ignore the incoming datagram.
• If the port is closed, most operating systems send back an "ICMP Port Unreachable" message. This is how the scanner determines which ports are open.
• Neither UDP packets nor ICMP errors are guaranteed to arrive, so UDP scanners must also retransmit packets that appear to be lost.

Port Scanning Tools: Strobe
• TCP port scanning utility.
• One of the fastest and most reliable TCP scanners available.
• Looks only for those services the attacker knows how to exploit.
• CMD: strobe 192.168.1.10
• Output: 192.168.1.10 ssh 22/tcp secure shell

Port Scanning Tools: nmap
• Widely known port scanner.
• Utility for port scanning large networks, although it works fine for single hosts.
• The guiding philosophy for the creation of nmap was TMTOWTDI (There's More Than One Way To Do It).
• CMD: nmap -sS 192.168.1.1
• Output:
Port State Protocol Service
21 open tcp ftp

Port Scanning Tools: netcat
• The Swiss army knife of the security toolkit.
• Provides basic TCP and UDP port scanning capabilities. By default, netcat uses TCP ports, so for UDP scanning the -u option must be specified. For example:
• CMD: netcat -v -z -w2 192.168.1.1 1-140
• Output: [192.168.1.1] 25 (smtp) open

Conclusion
• Port scanning has legitimate uses in managing networks.
• It can also be malicious in nature if someone is looking for a weakened access point to break into your computer.
• It is rude to scan someone else's hosts or networks without the explicit permission of the owner.
• Always ask whether it would be okay to scan outside of your own networks.