Port scan

zhaozj, 2021-02-16


Original author: Prabhaker Mateti

Source:

http://www.cs.wright.edu/~pmateti/courses/499/Probing/references

Abstract: This lecture describes the port scanning techniques attackers commonly use to discover insecure hosts on the Internet. It also describes a lab exercise based on three tools: nmap, PortSentry and ZoneAlarm.

This work was supported in part by NSF DUE-9951380.

Contents

Educational goal
Port scan
Port numbers
Simple port scanning techniques
Stealth scanning
SOCKS port probing
Bounce scans
UDP scan
ICMP scan
Operating system fingerprinting
Port scanning tools
Port scan detection tools
Experiment
Acknowledgments
References

Educational goal

Introduce port scanning techniques; learn to use port scan auditing tools such as nmap effectively; learn to use port scan detection tools effectively.

Port scan

Port scanning is a very common reconnaissance technique attackers use to find services they can break into. Every machine on a LAN or connected to the Internet through a modem runs many services that listen on well-known and not-so-well-known ports. With a port scan the attacker discovers which ports are available (that is, listening). In essence, a port scan consists of sending a message to each port, one at a time; the kind of response received tells whether the port is in use and can therefore be probed further.

The various scanning techniques are summarised below. To understand them fully you need some knowledge of IP filtering and other firewall techniques, so you may want to reread this chapter later.

Port numbers

As you know, public IP addresses are controlled by world-wide registrars and are unique world-wide. Port numbers are not controlled in this way, but over a long time certain port numbers have become recognised as belonging to specific services. A port number is unique only within one computer system; port numbers are 16-bit unsigned integers. They are divided into three ranges: well-known ports (0..1023), registered ports (1024..49151) and dynamic/private ports (49152..65535).

Well-known ports

By convention, all operating systems allow only the superuser to open ports 0 to 1023. Well-known ports (also called standard ports) are assigned to services by IANA (the Internet Assigned Numbers Authority, http://www.iana.org). On Unix the text file /etc/services lists these service names and their port numbers; on Windows 2000 the file is %windir%\System32\drivers\etc\services. The following lines are extracted from this file.

echo 7/tcp Echo

ftp-data 20/udp File Transfer [Default Data]

ftp 21/tcp File Transfer [Control]

ssh 22/tcp SSH Remote Login Protocol

telnet 23/tcp Telnet

domain 53/udp Domain Name Server

www-http 80/tcp World Wide Web HTTP

An attempt by an unprivileged user program to open a port in the range 0..1023 fails; user programs can open any unallocated port above 1023.
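As an added example (not part of the original lecture), the following Python code parses lines in the /etc/services format shown above and applies the two rules just stated: the three IANA port ranges and the Unix convention that only the superuser may bind a well-known port. The SERVICES text is a constructed sample in that format, not a copy of any real file.

```python
# Added example: parse /etc/services-style lines and classify port numbers
# into the three IANA ranges named in the text.
import re
from typing import List, NamedTuple, Optional


class Service(NamedTuple):
    name: str
    port: int
    proto: str
    comment: str


# Constructed sample in the format of /etc/services (not a real copy of the file).
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed sample)
echo        7/tcp
ftp-data   20/udp   # File Transfer [Default Data]
ftp        21/tcp   # File Transfer [Control]
ssh        22/tcp   # SSH Remote Login Protocol
telnet     23/tcp
domain     53/udp   # Domain Name Server
http       80/tcp   www www-http  # World Wide Web HTTP
wins     1512/tcp   # Microsoft Windows Internet Name Service
radius   1812/udp   # RADIUS Authentication Protocol
x11      6000/tcp   # X Window System
"""

# name  port/proto  [aliases...]  [# comment]
LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)(?:\s+([^#]*))?(?:#\s*(.*))?$")


def parse_services(text: str) -> List[Service]:
    """Parse 'name port/proto [aliases] [# comment]' lines; skip comments/blank lines."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore malformed lines instead of failing the whole file
        name, port, proto, _aliases, comment = m.groups()
        services.append(Service(name, int(port), proto, (comment or "").strip()))
    return services


def port_class(port: int) -> str:
    """Return the IANA range a port belongs to, using the ranges given in the text."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16-bit unsigned integers")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def needs_superuser(port: int) -> bool:
    """Unix convention from the text: only root may open ports 0..1023."""
    return port_class(port) == "well-known"


def lookup(services: List[Service], port: int, proto: str) -> Optional[Service]:
    """Find the service registered for (port, proto), or None if unassigned."""
    for s in services:
        if s.port == port and s.proto == proto:
            return s
    return None


if __name__ == "__main__":
    for s in parse_services(SAMPLE_SERVICES):
        print(f"{s.name:10} {s.port:5}/{s.proto}  {port_class(s.port):15} "
              f"root-only={needs_superuser(s.port)}  {s.comment}")
```

The parser deliberately skips lines it cannot understand rather than raising, since real services files contain vendor-specific additions; a stricter auditor would log those lines instead.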

Non-standard ports

By a non-standard port we usually just mean a port numbered above 1023. In fact, within this range there are also some "standard" ports, such as:

wins 1512/tcp Microsoft Windows Internet Name Service

radius 1812/udp RADIUS Authentication Protocol

yahoo 5010 Yahoo! Messenger

x11 6000-6063/tcp X Window System

Some malicious programs that have spread widely listen on ports of their own, and lists of these commonly used port numbers have been collected (see the list of Trojan ports in the references).

Simple port scanning techniques

The simplest port scan tries (that is, sends a carefully constructed packet to) each port from 0 to 65535 on the target to see which ones are open.

TCP connect(): The connect() system call provided by the operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() succeeds; otherwise the port is not reachable.

Strobe: A strobe scan is a narrower scan that looks only for those services the attacker already knows how to break into. The name comes from the original TCP scanning program of that name; today this is a common feature of all scanning tools.

Ident: The ident protocol allows the username of the owner of any process connected via TCP to be disclosed, even if that process did not initiate the connection. So, for example, one can connect to port 80 and then use ident to find out whether the HTTP server runs as root.

Stealth scanning

One problem with port scans, from the attacker's point of view, is that they are easily recorded in the logs of the services listening on the ports: the services see a connection that carries no data and log an error. There are many stealth scanning techniques to get around this problem. A stealth scan is one that is not detected by auditing tools. Obviously this is an arms race; a scan that is stealthy this month may not be so next month.

A port scanner gives itself away by firing packets at different ports in quick succession, so scanning slowly (over hours or longer) is also a stealth technique. Another stealth technique is "inverse mapping": when trying to find all hosts on a network, the scanner determines which IP addresses do not exist from the "host unreachable" ICMP messages they generate.

IP fragmentation: The scanner splits the TCP header across several IP fragments. This can get past packet filters and firewalls that do not reassemble fragments, because they never see a complete TCP header to match against their filtering rules. Some packet filters and firewalls queue all IP fragments until they can be reassembled (for example with CONFIG_IP_ALWAYS_DEFRAG in the Linux kernel), but many networks cannot afford the performance loss this queueing causes.

SYN scan: This technique is also called half-open scanning, because a full TCP connection is never completed. A SYN packet is sent (as if we were about to open a connection). A SYN/ACK from the target means the port is listening; an RST means it is not. Because the connection is never completed, the TCP layer does not notify the service process.

FIN scan: Typical TCP scans try to establish a connection (at least its first step). Another technique is to send an erroneous packet to a port and expect open ports to answer differently from closed ports. The scanner sends a FIN packet, which normally closes an open connection. A closed port answers a FIN packet with an RST; an open port ignores the packet, as TCP requires. So if no service is listening on the target port, the operating system generates an error (the RST); if a service is listening, the operating system silently drops the packet. Therefore the absence of a reply indicates that a service is listening on that port. However, packets may also be lost on the wire or dropped by a filtering firewall, so this is not a very reliable scanning technique.

Other techniques of the same kind are the Xmas scan, which sets all flags in the TCP packet, and the null scan, which sets none. Different operating systems respond to these scans differently, so it is important to know the target's operating system, and even its version and patch level.

SOCKS port probing

SOCKS is a system that allows several computers to share a common Internet connection. Attackers scan for SOCKS because most users' SOCKS configurations are wrong.

Many products support SOCKS; a typical consumer product is WinGate, software installed on a home machine that is connected to the Internet. All the other machines in the home reach the Internet through the machine running WinGate. A misconfigured SOCKS server accepts any source and destination address: just as internal machines can reach the Internet, outside machines can reach the internal ones. Worse, it may let an attacker reach other machines on the Internet through your system, so that the attacker hides his real address.

IRC chat servers often scan their clients to check whether a SOCKS service is open, and they ban people who do not know how to fix the problem. If you receive such a message, check whether the client machine is running WinGate. A misconfiguration can also show up only while some application temporarily fails; in that case it looks as if an internal machine is attacking the SOCKS server.

Bounce scans

Hiding themselves is important to attackers, so they quickly search the Internet for systems they can bounce their attacks through.

FTP bounce scanning exploits a weakness in the FTP protocol itself: support for proxy FTP connections. This kind of bounce hides the attacker behind an FTP server, a technique comparable to IP address spoofing. For example, evil.com opens a control connection to the FTP server-PI on target.com and asks the server-PI to start an active server-DTP (data transfer process) that sends a file anywhere on the Internet.

One port scanning technique uses this method to scan TCP ports from a proxy FTP server. One connects to an FTP server behind a firewall and then scans ports that would otherwise probably be blocked (for example 139). If the FTP server allows reading from or writing to a directory (such as /incoming), arbitrary data can even be sent to a port discovered this way. The technique is to use the PORT command to declare that our (passive) user-DTP is listening on a specific port of the target machine. Then we try to list the current directory, and the result is sent via the server-DTP. If the target host is listening on the specified port, the transfer succeeds (generating a 250 and a 226 response); otherwise we get "425 Can't build data connection: Connection refused", and we send another PORT command for the next port on the target host. The advantages of this method are obvious (it is hard to trace and can get around firewalls); the main disadvantages are that it is slow, and that many FTP servers have by now disabled the proxy feature.
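The last sentence above names the defence: an FTP server that refuses to open a data connection to any address other than the client on the control connection cannot be used as a bounce host. The following Python code is an added example of that server-side check, written for this page and not taken from the lecture or from any FTP server's source. It parses the PORT argument h1,h2,h3,h4,p1,p2 exactly as the protocol encodes it and rejects a third-party address or a privileged target port; the 500/501 reply codes are the standard FTP codes, but the reply texts are this example's choice.

```python
# Added example: validating an FTP PORT command so the server cannot be used
# as a bounce host.  Not the lecture's code nor any real FTP server's code.
import ipaddress
from typing import Tuple


class PortCommandError(ValueError):
    """Carries the FTP reply line the server should send back."""


def parse_port_argument(arg: str) -> Tuple[str, int]:
    """Decode 'h1,h2,h3,h4,p1,p2' into (dotted IPv4 address, port)."""
    parts = arg.split(",")
    if len(parts) != 6:
        raise PortCommandError("501 Syntax error in parameters or arguments.")
    try:
        nums = [int(x) for x in parts]
    except ValueError:
        raise PortCommandError("501 Syntax error in parameters or arguments.") from None
    if any(not 0 <= n <= 255 for n in nums):
        raise PortCommandError("501 Syntax error in parameters or arguments.")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # p1 is the high byte, p2 the low byte
    return host, port


def validate_port_command(arg: str, control_peer_ip: str) -> Tuple[str, int]:
    """Accept the PORT command only if it points back at the control-connection
    peer on an unprivileged port.  Any other address is a bounce attempt."""
    host, port = parse_port_argument(arg)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        raise PortCommandError("500 Illegal PORT command.")   # third-party address
    if port < 1024:
        raise PortCommandError("500 Illegal PORT command.")   # privileged port on client
    return host, port


def handle_port(arg: str, control_peer_ip: str) -> str:
    """Return the reply line a server would send for this PORT command."""
    try:
        validate_port_command(arg, control_peer_ip)
    except PortCommandError as e:
        return str(e)
    return "200 PORT command successful."


if __name__ == "__main__":
    # Constructed cases: the client 192.168.1.5 asks for itself, then for a
    # third party's port 139, then for a privileged port on itself.
    for arg in ("192,168,1,5,4,1", "10,0,0,9,0,139", "192,168,1,5,0,80", "1,2,3"):
        print(f"PORT {arg:20} -> {handle_port(arg, '192.168.1.5')}")
```

Rejecting privileged ports even on the client's own address matters because a client could otherwise direct the data connection at services on its own host that it could not reach directly; the address check alone is what stops the bounce scan described in the text.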

Finger: Most finger servers allow queries to be relayed through recursive finger requests. For example, the query "rob@foo@bar" asks "bar" to resolve "rob@foo", which causes "bar" to query "foo". This technique can be used to hide the original source of the query.

E-mail: Spammers try to relay their spam through other people's SMTP servers. Therefore SMTP probes are common on the Internet.

SOCKS: SOCKS allows almost any protocol to be relayed through an intermediate machine. Therefore attackers' probing scans for SOCKS are common on the Internet.

HTTP proxy: Most web servers offer proxying, which lets organisations manage access for their users and improve performance. However, many such services are misconfigured to allow any request from the Internet, letting attackers relay attacks through a third party. Probes for HTTP proxies are very common today.

IRC BNC: Attackers like to hide their IRC identity by bouncing their connections through other machines. A specific program called "BNC" is used for this purpose on compromised machines.

UDP scan

Port scanning usually refers to scanning TCP ports, which are connection-oriented and therefore give the attacker good feedback. UDP behaves differently. To find UDP ports, attackers usually send empty UDP datagrams. If the port is listening, the service sends back an error message or ignores the incoming datagram; if the port is closed, most operating systems send back an "ICMP port unreachable" message. Thus one can find out that a port is closed and, by elimination, which ports are open.

Neither UDP nor ICMP is guaranteed to arrive, so a UDP scanner must also retransmit probes that appear to have been lost (or it will report a pile of false positives). This scanning technique is also slow, because of the rate limiting of ICMP error messages that RFC 1812 recommends. For example, the Linux kernel limits destination unreachable messages to 80 every 4 seconds, with a 1/4-second penalty when that limit is exceeded.

Some people think UDP scanning is pointless and meaningless. Not so! Consider the rpcbind hole found in Solaris (Sun Microsystems Security Bulletin #00167, April 8, 1998): rpcbind can be found hiding on an undocumented UDP port above 32770. So it does not matter that port 111 is blocked by the firewall. But can you find which of the 30,000 or more high ports it is listening on? With a UDP scanner you can!

UDP recvfrom() and write() scan: Non-root users cannot read ICMP port unreachable messages directly, but Linux informs the user indirectly when one arrives. For example, a second write() call to a closed UDP port usually fails. Many scanners, such as netcat and pscan.c, work this way. A recvfrom() on a non-blocking UDP socket usually returns EAGAIN ("try again") if no ICMP error has been received, and ECONNREFUSED ("connection refused") if one has.
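The rate limit quoted above is the defender's friend: it caps how fast closed UDP ports can be confirmed, so a scanner must either slow down (and become easier to spot) or retransmit. The following Python code is an added example, not from the lecture or the Linux kernel, that models the stated limit of 80 ICMP destination unreachable messages per 4 seconds as a sliding window and shows what it does to a scan of closed ports. The sliding-window shape and the omission of the 1/4-second penalty are simplifications chosen for this example.

```python
# Added example: model of the ICMP rate limit the text quotes for Linux
# (80 destination-unreachable messages per 4 seconds) and its effect on a
# closed-port UDP scan.  Simplified model, not a description of kernel code.
from collections import deque
from typing import Dict, List, Sequence

ICMP_LIMIT = 80         # messages ...
ICMP_PERIOD_MS = 4000   # ... per 4 seconds, as stated in the text


def icmp_replies(probe_times_ms: Sequence[int], limit: int = ICMP_LIMIT,
                 period_ms: int = ICMP_PERIOD_MS) -> List[bool]:
    """For each probe (ascending millisecond timestamps) sent to a CLOSED UDP
    port, return whether the host is still allowed to answer with ICMP port
    unreachable.  Assumption of this model: at most `limit` messages in any
    `period_ms` window; probes beyond that get no reply at all."""
    recent = deque()            # timestamps of messages sent within the window
    answered = []
    for t in probe_times_ms:
        while recent and t - recent[0] >= period_ms:
            recent.popleft()
        if len(recent) < limit:
            recent.append(t)
            answered.append(True)
        else:
            answered.append(False)   # suppressed: indistinguishable from open/filtered
    return answered


def closed_port_scan(nports: int, interval_ms: int) -> Dict[str, int]:
    """Scan `nports` closed ports, one probe every `interval_ms`, and count how
    many the scanner can prove closed versus how many remain ambiguous."""
    replies = icmp_replies([i * interval_ms for i in range(nports)])
    closed = sum(replies)
    return {"closed": closed, "ambiguous": nports - closed}


def slowest_safe_interval_ms(limit: int = ICMP_LIMIT,
                             period_ms: int = ICMP_PERIOD_MS) -> int:
    """Probe spacing at which every closed port still gets an answer."""
    return period_ms // limit     # 50 ms, i.e. 20 probes per second


if __name__ == "__main__":
    print("burst, 1 ms apart :", closed_port_scan(1000, 1))
    print("20 probes/s       :", closed_port_scan(1000, slowest_safe_interval_ms()))
```

A burst of 1000 probes at 1 ms spacing leaves 920 ports unresolved, whereas spacing them 50 ms apart resolves all of them: the limit turns a sub-second scan into a 50-second one, which is exactly the window a detector such as the one described later in the text can use.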

ICMP scan

ICMP scanning is not a true port scan, since ICMP has no notion of ports. But it is often used to ping machines in order to find out which ones are up. ICMP scans can be run in parallel, so they are very fast.

Operating system fingerprinting

Fingerprinting means analysing a system's responses to determine what system it is. Specially crafted data are sent to the system to provoke a response. Systems generally respond identically to correct data, but differ in how they respond to erroneous data.

Port scanning tools

There are three well-known security auditing tools: SAINT, nmap and Nessus. Of these, nmap is the most significant as a port scanner, so it is discussed here; SAINT and Nessus are discussed in the chapter on security auditing.

nmap is a famous port scanner developed by Fyodor. According to Fyodor: "nmap is useful for port scanning large networks, although it works fine against single hosts. The idea that led me to develop nmap is TMTOWTDI (There's More Than One Way To Do It; all roads lead to Rome). That is the Perl slogan, but it applies to scanners as well. Sometimes you need speed, sometimes you need stealth, and in many cases bypassing firewalls is necessary. Not to mention scanning different protocols (UDP, TCP, ICMP, etc.). You cannot do all of this with one scanning method, and you do not want to use 10 different scanners, each with its own interface and performance characteristics, to get the job done. So I integrated all the scanning techniques I know into nmap."

The lab exercises below are based on nmap.

Port scan detection tools

Under Unix, writing a detector for non-stealth scans is simple: open a SOCK_RAW socket with protocol IPPROTO_IP, call recvfrom() to capture packets, and analyse them. Detecting stealth scans is done at the kernel level. An obvious sign of a port probe is "several packets from the same address to different ports within a short time"; another sign is "a SYN (connection request) to a port that is not listening". Obviously there are many other ways of detecting port scans.

Remember that attackers often use IP address spoofing, so the detector tells us that we are being port scanned, but not by whom. However, port scans sometimes leak other information from which some spoofed scans can be recognised. For example, if the packets we receive carry an IP TTL of 255, we know they were sent from our local network, whatever their source address claims. In general the TTL only lets us say that the attacker is within some number of hops (say, 5); it does not tell us how far away he is. The TTL and the source port number can give further hints, such as the scan type (for stealth scans only) or the attacker's operating system (for full TCP connect scans only), though none of this is certain. For example, nmap sets the TTL to 255 and the source port to 49724, while the Linux kernel sets the TTL to 64.
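The two detection signals named above, the flag patterns of the SYN, FIN, Xmas and null probes described under stealth scanning, and the TTL hint from the last paragraph can all be checked from one packet stream. The following Python code is an added example written for this page (not the lecture's, PortSentry's or nmap's code) that does so over a constructed list of packet records; names such as Packet, detect and ttl_hint, and the common initial TTL values 64, 128 and 255 it assumes, are this example's own.

```python
# Added example: a small port scan detector for the signals the text names.
# Packets are constructed records, not captured traffic.
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})


class Packet(NamedTuple):
    time: float        # seconds since capture start
    src: str           # source IP address (may be spoofed!)
    dport: int         # destination TCP port
    flags: frozenset   # TCP flags set, a subset of ALL_FLAGS
    ttl: int           # IP TTL as received


def classify_probe(flags: frozenset) -> str:
    """Name the probe type the text associates with a TCP flag pattern."""
    if flags == frozenset({"SYN"}):
        return "SYN (half-open)"
    if flags == frozenset({"FIN"}):
        return "FIN"
    if flags == ALL_FLAGS:
        return "Xmas"
    if not flags:
        return "null"
    return "normal"        # SYN/ACK, ACK, PSH/ACK etc. on an ordinary connection


def ttl_hint(ttl: int) -> Tuple[int, int]:
    """Guess (initial TTL, hops travelled) assuming the sender started from one
    of the common defaults (assumption: 64, 128 or 255).  A received TTL of
    255 means no router was crossed: the text's 'from our local network' rule."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL above 255 is impossible")


def detect(packets: Iterable[Packet], listening: Set[int],
           window: float = 2.0, threshold: int = 5) -> List[str]:
    """Return alert strings for: SYN to a non-listening port, stealth flag
    patterns, and >= threshold distinct ports from one source within window s."""
    alerts: List[str] = []
    history: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    burst_reported: Set[str] = set()
    for p in sorted(packets, key=lambda x: x.time):
        kind = classify_probe(p.flags)
        if p.flags == frozenset({"SYN"}) and p.dport not in listening:
            alerts.append(f"{p.src}: SYN to non-listening port {p.dport}, "
                          f"ttl hint {ttl_hint(p.ttl)}")
        if kind in ("FIN", "Xmas", "null"):   # never the first packet of a real connection
            alerts.append(f"{p.src}: {kind} probe to port {p.dport}")
        hist = history[p.src]
        hist.append((p.time, p.dport))
        hist[:] = [(t, d) for t, d in hist if p.time - t <= window]   # slide the window
        ports = {d for _, d in hist}
        if len(ports) >= threshold and p.src not in burst_reported:
            burst_reported.add(p.src)
            alerts.append(f"{p.src}: {len(ports)} distinct ports within {window}s, "
                          f"probe type {kind}")
    return alerts


SYN, ACK, PSHACK = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"PSH", "ACK"})
SAMPLE_PACKETS = [
    # an ordinary web client on the LAN: handshake and data, all to port 80
    Packet(0.00, "192.168.1.5", 80, SYN, 64),
    Packet(0.01, "192.168.1.5", 80, ACK, 64),
    Packet(0.02, "192.168.1.5", 80, PSHACK, 64),
] + [
    # a half-open scan of ports 21..27 from one address, 0.1 s apart, TTL 255
    Packet(1.0 + 0.1 * i, "10.0.0.9", 21 + i, SYN, 255) for i in range(7)
] + [
    Packet(5.0, "10.0.0.9", 22, ALL_FLAGS, 255),   # a lone Xmas probe later on
]
LISTENING = {22, 80}

if __name__ == "__main__":
    for line in detect(SAMPLE_PACKETS, LISTENING):
        print(line)
```

The web client produces no alert even though it sends a SYN, because port 80 is listening and it touches only one port; the scanner trips the non-listening rule six times, the burst rule once (at its fifth distinct port), and the flag rule once for the Xmas packet.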

Experiment

During this lab, keep in mind these paragraphs from the SAINT manual:

Being an unfriendly neighbour: unless you have been given permission, scanning other people's hosts or networks is generally considered very rude and antisocial; it is best to ask before scanning machines outside your own network.

Please be considerate and sensible: unauthorised scanning of your network neighbours, even if you think it is harmless, will be considered a serious offence, and may not only cause bad feelings but also raise legal issues.

Attacks, probes, scans: what is an attack, what is a probe and what is a scan? These have never been very clear, especially now that system administrators understand better how much information travels across the Internet. For example, is a finger of a remote site an attack? That cannot be decided without knowing the motive. "Finger wars" occur when two sites using the same TCP wrappers or similar software automatically finger each other's remote site without being aware of it.

Note that many probes generate a message on the console or issue a warning to the remote target. Nevertheless, you should be aware of the potential for false alarms pointing at you.

Objective: deliberately misconfigure a service on one machine. Run a port scanner on another machine to discover its weaknesses.

All work is done in the Operating Systems and Internet Security (OSIS) Lab, 429 Russ. Use PCs 19 to 30. No other WSU facilities are to be used.

This lab requires you to read the manuals, including the purpose of each experiment and the essential design information in the lab handout. You will get the lab procedures for:

A. PortSentry: http://www.psionic.com/abacus/portsentry/

B. ZoneAlarm (free for personal use, downloadable from http://www.zonelabs.com/).

C. nmap

nmapfe (the GUI front end) and nmap are installed on all machines in the lab; local copies of PortSentry and ZoneAlarm are on cocke.osis.cs.wright.edu. Download these to your own disk. Among the ZoneAlarm files there is a self-installing executable for Windows NT/2000; the others are Linux files.

Pick three machines, P0, P1 and P2, and connect them to the Ethernet switch. You will log in as root on all three. On P0, build and install PortSentry; save the executables on your disk, because you will use them on P1.

On P1, deliberately weaken some services of your choice and add some services to the machine; then start PortSentry on P1.

Boot machine P2 into Windows NT. If ZoneAlarm is not installed, install it, and run it.

Start nmapfe on P0 and probe all ports on P1 and P2.

Restore P1 to its original settings.

Turn in a detailed description of this lab, together with the log files from all machines. Also describe what you discovered through nmap.

Acknowledgments

This article is based on http://advice.networkice.com/advice/underground/hacking/methods/technical/port_scan/ combined with the nmap documentation.

References

1. Ron Gula, How to Handle and Identify Network Probes, April 1999, http://www.securitywizards.com/ [local copy]. Required reading.

2. Hobbit, The FTP Bounce Attack, the original paper on the subject, http://www.insecure.org/nmap/hobbit.ftpbounce.txt. Reference.

3. Fyodor, Remote OS Detection via TCP/IP Stack Fingerprinting, written October 18, 1998, last modified April 10, 1999, http://www.insecure.org/nmap/nmap-fingerprinting-article.html. Required reading.

4. Solar Designer, Designing and Attacking Port Scan Detection Tools, Phrack Magazine, Volume 8, Issue 53, July 8, 1998, Article 13 of 15, http://www.phrack.com/ or http://phrack.infonexus.com/search.phtml?view&article=p53-13. Recommended reading.

5. List of ports used by Trojans, http://www.simovits.com/nyheter9902.html. Reference.

Translator's note: my English is poor; if something is unclear, please refer to the original text.

Please cite the original URL when reposting: https://www.9cbs.com/read-25594.html
