totse.com | Network Scanning Techniques: Understanding How It Is Done

NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.

A military target is to be attacked. What's the first step considered? Gathering Intelligence, naturally. To do so, a satellite will photo the target zone and a special recon unit will patrol the area with maximum caution to eliminate the possibility of detection. After enough information has been gathered, a wing of stealth bombers will bomb the target. Mission accomplished.

Gathering intelligence is extremely important. If the amount of data collected is not sufficient, or alternatively, if the target is tightly defended, no attack will be launched.

An intelligent hacker will conduct a lot of research before attempting to gain privileged access to your systems.

If the intelligence gathered shows a poorly defended computer system, an attack will be launched, and unauthorized access will be gained. However, if the target is highly protected, the hacker will think twice before attempting to break in. It will be dependent upon the tools and systems that protect the target. Again, the key here is the amount of information he has gathered beforehand. In the computer hacking world, intelligence gathering can be roughly divided into three major steps:

Foot Printing -The information collected by the hacker makes a unique footprint or a profile of an organization security posture.

1. Administrative, technical, and billing contacts, which include employee names, email addresses, and phone & fax numbers.

And we can also identify some of the systems that are directly connected to the Internet. Most of the information here can be freely accessed on the Internet.

Scanning -The art of detecting which systems are alive and reachable via the Internet, and what services they offer, using techniques such as ping sweeps, port scans, and operating system identification, is called scanning.

Scanning can be compared with a thief checking all the doors and windows of a house he wants to break into.

Enumeration -Enumeration is the process of extracting valid accounts or exported resource names from systems. The information is gathered using active connections to systems and queries, which is more intrusive in nature than foot printing and scanning.

The techniques are mostly operating system specific, and can gather information such as:

This article will focus on scanning, normally the second phase of computer intelligence gathering technique.

Today the number of automated scanners is constantly increasing, and as a result, more and more attacks are successfully initiated.

In order to be better prepared, we need to fully understand the scanning tools and the methods that these tools are using against us.

We need to identify the intruder's behavior and understand the scanning techniques. If we have an intrusion detection system, or planning on implementing one in the future, finding scanning patterns in our log (manually, or automatically by the IDs) will give us an indication of a probable upcoming attempt to gain unprivileged access to our systems.

Only after we understand scanning techniques we can try to protect ourselves against them.

We can use ICMP packets to determine whether a target IP address is alive or not, by simply sending an ICMP ECHO request (ICMP type 8) packets to the targeted system and waiting to see if an ICMP ECHO reply (ICMP type 0) is received. If an ICMP ECHO reply is received, it means that the target is alive; No response means the target is down.

Querying multiple hosts using this method is referred to as Ping Sweep. Ping Sweeps is the most basic step in mapping out a network.

Pinger is one of the fastest ICMP sweep scanners. Its advantage lies in its ability to send multiple ICMP ECHO packets concurrently and wait for the response.

Blocking ICMP sweeps is rather easy, simply by not allowing ICMP ECHO requests into your network from the void.

If you are still not convinced that you should block ICMP ECHO requests, bear in mind that you can also perform Broadcast ICMP's.

Sending ICMP ECHO request to the network or/ and broadcast addresses will produce all the information you need for mapping a targeted network in even a simpler way.

The request will be broadcast to all alive hosts on the target network, and they will send ICMP ECHO reply to the attacker source IP after only one or two packets have been sent by him.

Here we can first distinguish between Unix and Windows machines. While Unix machines often still answers to requests directed to the network address (the answer will be the fully qualified network address), Windows machines will ignore it.

Blocking incoming ICMP ECHO requests is not enough. We can use non-ECHO ICMP protocols for gathering various information about a system.

Good examples are ICMP type 13 messages (TIMESTAMP), and ICMP type 17 messages (ADDRESS MASK REQUEST).

ICMP timestamp request and reply allow a system to query another for the current time.

The ICMP address mask request (and reply) is intended for diskless systems to obtain its subnet mask at bootstrap time. We can use it to request the netmask of a particular device.

We can use the icmpush & icmpquery tools to perform this kind of scanning. Many firewalls are configured to block only ICMP ECHO traffic, and in this case it makes the non-ECHO requests a valid form of host identification.

Even if ICMP traffic is blocked on the border router or firewall, there are additional techniques that can be used to determine which systems are actually alive, although these techniques are not as accurate as a normal ICMP Sweep.

The TCP connection establishment process is called "the three way handshake", and is combined of three segments.

1. A client sends a SYN segment specifying the port number of a server that the client wants to connect to, and the client initial sequence number.

2. If the server's service (or port) is active the server will respond with its own SYN segment containing the server's initial sequence number. The server will also acknowledge the client's SYN by ACKing the client's SYN+ 1. If the port is not active, the server will send a RESET segment, which will reset the connection.

3. The client will acknowledge the server's SYN by ACKing the servers ISN+ 1. When will a RESET be sent? – Whenever an arriving segment does not appear correct to the referenced connection. Referenced connection means the connection specified by the destination IP address and port number, and the source IP address and the port number 5 .

With the TCP Sweep technique, instead of sending ICMP ECHO request packets we send TCP ACK or TCK SYN packets (depending if we have root access or not) to the target network. The port number can be selected to meet our needs. Usually a good pick would be one of the following ports – 21 / 22 / 23 / 25 / 80 (especially if a firewall is protecting the targeted network). Receiving a response is a good indication that something is up there. The response depends on the target's operating system, the nature of the packet sent and any firewalls, routers or packet-filtering devices used.

Bear in mind that firewalls can spoof a RESET packet for an IP address, so TCP Sweeps may not be reliable.

Nmap and Hping 6 are tools that support TCP Sweep, both for the Unix platform. Hping even adds an additional option to fragment packets, which allows the TCP packet to pass through certain access control devices.

This method relies on the ICMP PORT UNREACHABLE message, initiated by a closed UDP port. If no ICMP PORT UNREACHABLE message is received after sending a UDP data gram to a UDP port that we wish to examine on a targeted system, we may assume the port is opened.

UDP scanning is unreliable because of a number of reasons 7 : Routers can drop UDP packets as they cross the Internet. Many UDP services do not respond when correctly probed.

Firewalls are usually configured to drop UDP packets (except for DNS). UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message.

Ping Sweeps help us identify which systems are alive. The next step is trying to determine what services (if any) are running or in a LISTENING state on the targeted system, by connecting to the TCP and UDP ports of that system. This is called Port Scanning.

For the hacker it is critical to identify listening ports, because it helps him identify the operating system and application in use.

The services detected as listening may suffer from vulnerabilities which may result from two reasons:

The version of the software is known to have security flaws If identified, these vulnerabilities can lead to unprivileged access gained by the attacker.

7 Ron Gula, How to Handle and Identify Network Probes, Network Defense Consultng. 6

With this type of scan we use the basic TCP connection establishment mechanism. To open a connection to an interesting port on the targeted machine:

2. Now we wait to see what type of packet is sent back from the target. If a SYN/ ACK packet is received it usually means the port is in a LISTENING state.

If a RST/ ACK packet is received, it usually means the port is not LISTENING and the connection will RESET.

3. We finish the three-way handshake (if SYN/ ACK packet was received) by sending an ACK.

4. A connection is terminated after the full connection establishment process has been completed.

This kind of scan is easily detected. Inspecting the target system log will show a number of connections and error messages immediately after each one of them was initiated.

This type of scan differs from TCP connect() scan because we do not open a full TCP connection. You send a SYN packet to initiate the three-way handshake and wait for a response. If we receive an SYN/ ACK it indicates the port is LISTENING. If we receive an RST/ ACK it indicates a non-LISTENING port. If we do receive a SYN/ ACK packet we immediately tear down the connection by sending a RESET.

Because the TCP three-way handshake was not completed some of the sites will probably not log these scanning attempts.

Chris Klaus was one of the first people to write a paper about stealth scans. In a paper called "stealth scanning Bypassing Firewalls/ SATAN Detectors" 9 , he describes a technique which intentionally violates the TCP three-way handshake. This technique is what people refer to today as "half-open" scanning.

Today, some people use the "stealth" term to mean NULL flags (no flags or code bits set). "Stealth" can also be defined as a scanning technique family, doing one of the following:

Pass through filtering rules. Not to be logged by the targeted system logging mechanisms.

8 Stephen Northcutt, Network Intrusion Detection an Analyst's Handbook, New Riders, 1999. 9 http:// www. netsys. com/ firewalls /firewalls-9512/ 0085. html 7 3.1.3.1 Explicit Stealth Mapping Techniques

According to RFC 793 10 closed ports are required to reply with a RESET packet to our probe packets, while open ports must ignore any packet in question. This applies to all scanning methods described here.

This scan intentionally disregards the TCP three-way handshake. We send a SYN/ ACK packet, which is step two in the TCP three-way handshake, while there is no SYN packet sent for step one.

Because TCP is stateful, it knows no SYN has been sent, which is the first step in the three-way TCP handshake. TCP figures this packet must be a mistake and sends a RESET to tear down the connection. This is what we wished for – any kind of response to give away the existence of the system and the fact that the probed port is closed.

The FIN scan uses the FIN packet as the probe. The hacker sends a FIN packet to a targeted port on a probed system and waits for a response 11 .

XMAS is a scanning type, which sends a TCP packet with the URG, ACK, PST, RST, SYN and FIN flags set. All the TCP flags are set.

Null scan is a scanning type, which sends a TCP packet that turns off all flags. The probed system should send back a RESET to all closed ports.

According to RFC 793 this should work against every implementation of TCP regardless of the operating system it runs on. Life is not always simple. Windows, CISCO, BSDI, HP/ UX, MVS & IRIX have a broken TCP implementation; they send RESETs to open ports as well.

One method suggested by Fyodor 12 (nmap tool programmer) is – if you scan using FIN, XMAS or NULL and the results show all ports are closed, and then you SYN scan and find out open ports it probably means the probed system belong to the "weird" group of operating systems.

11 Uriel Maimon, Port Scanning without the SYN flag, Phrack 49, Volume Seven, Issue Forty Nine.

A group of techniques, which gathers information about hosts or networks that are unreachable. By having a clue about what is not there we make assumptions about where things are.

Routers will give away internal architecture information of a network, even if the question they were asked does not make any sense.

A router looks at the IP address and makes decisions based on that. The RESET, which is out of place, is not taken into any consideration. The router will report addresses that do not exist with host (or net) unreachable or time exceeded message.

We can probe the router for a list of IPs. The answers we receive from the router will help us map the infrastructure of the targeted network IPs -because if we don't receive the HOST UNREACHABLE or TIME EXCEEDED replies about a certain IP, we can assume the IP exists.

In the past, RESET scans used a fixed ACK number in the ACK field which was easily detected. Recent RESET scans use random acknowledgment numbers, and if you generate decoys with the RESET scan it makes it even harder to detect.

The probing computer sends answers to domain questions that were never asked. The goal here is to get ICMP unreachable messages for a host or a subnet that do not exist.

Attacker. com connects to an FTP server, which has a world writable directory, and establishes a control communication connection. The attacker can then ask the FTP server to initiate an active server data transfer process and send a file anywhere on the Internet, presumably to a user data transfer process.

Hobbit wrote a post to Bugtrack on July 12 1995 where he described this kind of attack 14 . Under the "other possibilities" section, he wrote that this protocol flaw "can be used to post virtually untraceable mail and news, hammer on services of various sites, fill up disks, try to hop firewalls, and generally be annoying and hard to track down at the same time".

13 Analysis Techniques for Detecting Coordinated Attacks and Probes, John Green, David Merchette, Stephen Northcutt and Bill Ralph, Proceedings of the USENIX Workshop on Intrusion detection and Network Monitoring.

An example can be scanning behind a firewall; connect to an FTP server behind a firewall, and then try to scan ports that the firewall blocks. If a directory is writable for the account you are using on the FTP server, you can also send data to the ports you find open Nmap supports this kind of scan and uses the PORT FTP command to declare that our passive user data transfer process is listening on the target box at a certain port number. We then use the LIST FTP command to try to list the current directory. The result is sent over the server data transfer process channel.

If the transfer is successful (150 and 226 response), the target host is listening on the specified port scanned. Otherwise, a "425 Can't build data connection: Connection refused" message will be received.

By using this method we can scan all the target's ports simply by issuing PORT commands one after another.

This scan is rather slow. Some FTP servers disable the "Proxy" feature, but there are still many who do not, making this kind of scanning still available.

The ident protocol (RFC 1413 16 ) is used to determine the owner username of a particular TCP connection by communicating with port 113.

This involves opening a full TCP connection to the target machine port. The scanning method gives the attacker information that helps determine which server to attack.

If a certain server is running as "root", and one of its services was compromised, attackers can gain instant root access. So it is more common that in a group of services that can be attacked, the services which are at the highest privilege will be attacked first.

Many commercial intrusion detection systems and firewalls are looking for sequential connection attempts. When the pattern is matched a port scan is reported.

Intrusion detection systems can determine if a specific IP tries to port scan the network they are defending. It is done by analyzing the network traffic over a certain amount of time.

The amount of time is called the site detection threshold. Some hackers are very patient and can use network scanners that spread out the scan over a long period of time.

If the attacker can guess the detection threshold of its target, he can reduce the chances of detection to a minimum or even to no detection at all, as long as he doesn't include a signature with his packet that alerts the intrusion detection system in other way.

If we need to send information using TCP and to fragment our data, normally the destination port and source port along with the flags field will be "traveling" at the first packet sent.

In the case of TCP the 8 octets of data (minimum fragment size) are enough to contain the source and destination port numbers. This will force the TCP flags field into the second fragment 18 .

Some filtering devices and intrusion detection systems may incorrectly reassemble or completely miss portions of the scan. They may assume that this was just another segment of traffic that has already passed through their access list.

Filtering devices that queue all IP fragments can handle this method. Linux is a good example with the CONFIG_ IP_ ALWAYS_ DEFRAG kernel option. Some networks cannot afford the performance hit this causes and disable this feature 19 .

Some network scanners include options for Decoys or spoofed addresses in their attacks.

It would appear to the attacked network / host that the host( s) you specified as decoys are scanning them as well. This will drive intrusion detection systems into thinking that the target network is being port scanned by all the hosts, and determining who the real attacker is, will be nearly impossible.

One way that helped intrusion detection systems detect the decoy hosts in the past was the TTL (Time to Live) field values in the scanned packets. If all the incoming packets TTL values have the same value, it is likely that they were generated in the same "factory".

If the attacker is using nmap intrusion detection systems cannot use this method since nmap generates random TTL fields between 51-65.

Another way of detecting the real scan among the decoys is to try to traceroute the source IP. If the attacker used non-routable IPs or the IPs belongs to a host that is not up something is suspicious. This can also result in a denial of service. Attackers solved this by using spoofed IPs of hosts that were up. Another aspect of detection is using IPs rather than names, which is a really smart move, because the decoys network will not see the attackers IP in their name server's log 20 .

19 nmap network security scanner man page, http:// insecure. org/ nmap/ nmap_ manpage. html

20 Ron Gula, How to Handle and Identify Network Probes, Netowrk Defense Consultng.

Probing a few target systems from a single IP within a certain amount of time will usually turn on the alarm of the intrusion detection systems.

We have already discussed a way to try to bypass this using slow scans. But even a slow scan can sometimes be detected.

When a group of attackers are working together to achieve a common goal, trying to get unauthorized access on a targeted network for example, we call this coordinated attacks.

Coordinated attacks can be used to target a single host or even an entire network.

If multiple IPs probe a target network, each one of them probes for a certain service on a certain machine in a different time period, and therefore it would be nearly impossible to detect these scans.

When coordinated attack efforts are aimed at a certain host, the detection (if any at all) is dependent on the time period these probes take place 21 .

Coordinated attacks, when intelligently launched, are the most discrete way of probing a target. Most of them are still undetected.

Because many security holes are operating system dependent, identifying which operating system runs on the target host / machine is of major importance.

An attacker can scan a range of IPs for opened TCP and UDP ports and the operating system type. Then he can put the list aside for a while. When a security hole that is operating system dependent is discovered, all the attacker has to do is pull the list and look for a matching information.

Some services can be used to identify an operating system. The TELNET service is the most notable example. If a system provides the TELNET service, just by telneting to the box and looking at the welcome banner we can, in most cases, identify the operating system:

Other services have banners that give the same information, for example the mail server:

220 target. domain. com ESMTP Sendmail 8.9.3/ 8.9.3/ Debian/ GNU; Thu, 28 Oct 1999 09: 56: 32 +0200

21 Analysis Techniques for Detecting Coordinated Attacks and Probes, John Green, David Merchette, Stephen Northcutt and Bill Ralph, Proceedings of the USENIX Workshop on Intrusion detection and Network Monitoring.

Today, an increasing number of systems keep their banners turned off or make their banners display forged information.

Some applications leak information. A good example is the SYST command on FTP servers and IIS server:

[root@ pooh] # telnet 192.168.1.17
get HTTP/ 1. 1 400 Bad Request
Server: Microsoft-IIS/ 4.0 Date: Thu, 28 Oct 1999 08: 29: 46 GMT
Content-Type: text/ html Content-Length: 87

The Host information record is a pair of strings identifying the host's hardware type and the operating system 22 .

This is an old technique that is rarely effective today because administrators avoid using this record.

Stack fingerprinting is a technique that uses distinct variations in TCP stack implementation to determine the type of a remote operating system.

The idea is to send "specific" TCP packets to the target IP and observe the response. The response will be unique to a certain group or individual operating system( s). The response varies because one vendor's IP stack implementation is not the same as another. This comes from different interpretation of specific RFC guidelines when vendors wrote their TCP/ IP stack.

The tools often used for stack fingerprinting are Queso 23 written by Savage, and Nmap. Nmap has a larger database of responses of operating systems than any other tool. In order to get maximum reliability, Nmap needs at least one port opened at the target host. The definite information source of the subject is Fyodor's article "Remote OS Detection via TCP/ IP Stack Fingerprinting". 24

A FIN packet is sent to an open port. RFC 793 states that the correct behavior is not to respond to the FIN packet.

Many stack implementations will respond with a RESET. This group includes: Windows, BSDI, CISCO, HP-UX, MVS, and IRIX with a RESET.

24 www. insecure. org/ nmap/ nmap-fingerprintng-article. html 13 2. The Bogus Flag Probe

Here, a SYN packet with an undefined flag set is sent to the targeted host. Machines running the Linux operating system with kernel prior to 2.0.35 will keep the flag set in their response.

Some operating systems will RESET the connection when getting this kind of probe.

Finding patterns of the initial sequence numbers chosen by the TCP implementations when responding to a connection request.

Traditional 64k (older UNIXs) Random increment (FreeBSD, DG-UX, IRIX, new versions of Solaris) True "random" (Linux) Time dependent modules (MS Windows)

To enhance performance some operating systems set the "Don't fragment bit". Monitoring this behavior can give the attacker more information about the target operating system.

Some stack implementations have a unique initial window size on their returned packets.

AIX for example is the only operating system using the 0x3F25 value. OpenBSD and FreeBSD use 0x402E.

In some cases IP stacks even differ in the value they use for the ACK field. For example, sending a FIN| PSH| URG to a closed port. Most implementations will set the acknowledgement number in the returned packet to be the same as the sequence number received. Windows responds with an ACK field that is the sequence number+ 1.

RFC 1812 25 suggests limiting the rate at which various error messages are sent. Only a few operating systems are known to follow this RFC.

An attacker can use this to send UDP packets to a random, high UDP port and count the number of unreachable messages received within a given amount of time.

ICMP error messages should quote a small amount of information from the ICMP message that caused the error.

The information is quoted when the PORT UNREACHABLE message is received in the IP header + 8 bytes, with almost all the implementations. Solaris sends more information than is needed and Linux even more.

When sending back an ICMP error message, some stack implementations may alter the IP header.

If an attacker examines the types of alternation that have been made to the headers, he may be able to make certain assumptions about the target operating system.

When an ICMP PORT UNREACHABLE message is sent, an attacker can examine the type of service field.

Different stack implementations handle overlapping fragments differently. This was pointed out by Thomas Ptacek and Tim Newsham in their paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection". Some implementations will either overwrite the old data portions with the new data or vice versa, when the fragments are reassembled.

RFC 793 defines the TCP options. RFC 1323 26 defines the more advanced TCP options.

Not all hosts implement TCP options When sending a query with an option set to a targeted host, the target host will set the option in the reply only if it supports it. We can test all the options at the same time if we send one packet that includes all the options. When you examine the response packet, you look at the Options field for Options that were set. These are the supported options.

Some operating systems support all the advanced options while others support very few.

Firewalking 27 is a technique used to gather information about a remote network protected by a firewall.

Determining the rule set or ACL of a firewall or other packet-filtering device (mapping open ports on a firewall).

Mapping a network behind a firewall. When a firewall's policy is to drop ICMP ECHO Request/ reply this technique is very effective.

It is using a traceroute-like packet filtering to determine whether or not a particular packet can pass through a packet-filtering device.

Since traceroute is dependent on the IP layer (TTL field), any transport protocol can be used the same way (TCP, UDP, and ICMP). For Firewalking we need two pieces of information in advance: The IP address of the last known gateway before the firewalling takes place The IP address of a host located behind the firewall.

The first IP address serves as our waypoint. The second IP address is used as a destination to direct the packet flow. If we try to traceroute the machine behind a firewall and get blocked by an ACL filter that prohibits the probe, we can only determine what the last gateway which responded was probably the firewall. The firewall then becomes a waypoint for further investigations. We try again to traceroute the same machine, this time we use a different traceroute-like probe using a different transport protocol. If we get a response we can conclude the following: That particular traffic is allowed by the firewall We know a host behind the firewall

If we are continuously kept blocked by the ACL filters at out waypoint, we know that this kind of traffic is blocked. Trying to pass packets on all ports and protocols through the firewall and monitor the response, will produce the ACL. Sending packets to every host behind the packet-filtering device can generate an accurate map of a network's topology.

27 Firewalking -A Traceroute-Like Analysis of IP Packet Responses to Determine Gateway Access Control Lists, http:// www. packetfactory. net/ firewalk/ firewalk-final. html

We have reviewed some scanning types combined with hard-to-detect or even non-detectable scanning techniques.

Understanding the importance of detecting these scans can prevent, in some cases, an intrusion to the systems that were scanned. The detection can be partly achieved by implementing an Intrusion Detection system 28 . Tuning it right is another issue of major importance. The second part is maintenance of the system, getting information on new and wicked scanning types and techniques, understanding their signatures, and implementing new filters to detect them.

The number of simple automated scans is constantly on the rise, and consequently the number of attempts to get intelligence and eventually trying to hack into sites. Tightening your security to the maximum can drive some attackers away. Some attackers will take the challenge. Identifying these probing attempts will give you an indication that an upcoming attack might be on its way.

Network Scanning Techniques: Understanding How It Is Done

by Ofir Arkin