Operating system port scan analysis
Source: Self-Green Corps
Port scan analysis (a): common network-related commands
Source / Author: Oliver

A port is a potential communication channel, and therefore a potential avenue of intrusion. Port scanning a target computer yields a great deal of useful information. There are many ways to scan: by hand, with ordinary network commands, or with port-scanning software. When scanning by hand you must be familiar with the commands and analyse the output after each one runs; most scanner software analyses the data for you as it scans. Either way, the information gathered by a port scan is what lets you discover the security weaknesses of a system. This part introduces several common network commands, the next explains the principles of port scanning, and the last gives a simple scanner.

I. Common network commands

1. ping

ping is often used to diagnose TCP/IP networks. It sends a packet to the target computer and asks it to send that packet back; if the returned packet matches the one sent, the ping succeeded. From the reply you can tell whether the target is up and how long the packet took from transmission to return. The basic form is:

    ping hostname

where hostname is the address of the target computer. ping has many more advanced uses; one example is

    ping -f hostname

which on Unix (root only) floods the target with packets as fast as the replies come back, so that it is kept busy answering them. (On Windows, -f instead sets the Don't Fragment bit.) On a Windows 95 machine, the following

    C:\windows> ping -l 65510 saddam_hussein's.computer.mil

may hang the target or make it reboot. The -l 65510 option asks for a 65510-byte payload; with the 20-byte IP header and 8-byte ICMP header that is a 65538-byte datagram, larger than the 65535-byte maximum an IP packet may have. It is sent as fragments, and because the target must reassemble the same oversized packet in order to answer it, its IP stack fails to cope (the "ping of death"). This only affected TCP/IP stacks of the mid-1990s; current systems reject such fragments. On Linux the same effect can be produced with a program that builds the fragments itself:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <netdb.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netinet/ip.h>
    #include <netinet/ip_icmp.h>

    #define FIX(x) htons(x)   /* Linux wants ip_off in network byte order */

    /* This is Bill Fenner's win95ping.c (1996): it simulates "ping -l 65510 host"
       by sending the fragments of a 65538-byte ICMP echo request from a raw
       socket (root required). */
    int main(int argc, char **argv)
    {
        char buf[1500];
        struct ip *ip = (struct ip *)buf;
        struct icmp *icmp = (struct icmp *)(ip + 1);
        struct sockaddr_in dst;
        struct hostent *hp;
        int s, offset, on = 1;

        if (argc != 2) { fprintf(stderr, "usage: %s hostname\n", argv[0]); exit(1); }
        if ((hp = gethostbyname(argv[1])) == NULL) { fprintf(stderr, "%s: unknown host\n", argv[1]); exit(1); }
        if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(1); }
        if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof on) < 0) { perror("IP_HDRINCL"); exit(1); }

        memset(buf, 0, sizeof buf);
        memcpy(&ip->ip_dst, hp->h_addr_list[0], hp->h_length);
        ip->ip_v = 4;
        ip->ip_hl = sizeof *ip >> 2;
        ip->ip_len = FIX(sizeof buf);
        ip->ip_id = htons(4321);
        ip->ip_ttl = 255;
        ip->ip_p = IPPROTO_ICMP;
        ip->ip_sum = 0;                 /* kernel fills in */
        ip->ip_src.s_addr = 0;          /* kernel fills in */
        dst.sin_addr = ip->ip_dst;
        dst.sin_family = AF_INET;

        icmp->icmp_type = ICMP_ECHO;
        icmp->icmp_code = 0;
        icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));   /* the checksum of all zeros is easy to compute */

        /* 1480 bytes of payload per fragment; the last fragment is shortened so
           that the reassembled datagram totals 65538 bytes, more than IP allows. */
        for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
            ip->ip_off = FIX(offset >> 3);
            if (offset < 65120)
                ip->ip_off |= FIX(IP_MF);
            else
                ip->ip_len = FIX(418);  /* make total 65538 */
            if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst, sizeof dst) < 0) {
                fprintf(stderr, "offset %d: ", offset);
                perror("sendto");
            }
            if (offset == 0) {          /* only the first fragment carries the ICMP header */
                icmp->icmp_type = 0;
                icmp->icmp_code = 0;
                icmp->icmp_cksum = 0;
            }
        }
        return 0;
    }

2. tracert

tracert traces the path that packets take from one computer to another, for example from your computer to the Zhejiang information supermarket. In a DOS window the command is:

    C:\windows> tracert 202.96.102.4
    Tracing route to 202.96.102.4 over a maximum of 30 hops:
      1    84 ms    82 ms    95 ms  202.96.101.57
      2   100 ms   100 ms    95 ms  0fa1.1-rtr1-a-hz1.zj.cn.net [202.96.101.33]
      3    95 ms    90 ms   100 ms  202.101.165.1
      4    90 ms    90 ms    90 ms  202.107.197.98
      5    95 ms    90 ms    99 ms  202.96.102.4
      6    90 ms    95 ms   100 ms  202.96.102.4
    Trace complete.

What does this output mean? The number on the left is the hop count, i.e. how many routers the packet has passed through on its way. A value such as "84 ms" is the round-trip time for a probe sent to that hop, in milliseconds (not microseconds). Because every probe can take a different time, tracert sends three probes per hop and prints all three. A "*" means the reply took too long and tracert gave up waiting for it. After the times comes the identity of the router at that hop: its name first, in a form that is easy to read, followed by its numeric address. Here is a longer trace:
    C:\windows> tracert 152.163.199.56
    Tracing route to dns-aol.ans.net [198.83.210.28] over a maximum of 30 hops:
      1   124 ms   106 ms   105 ms  202.96.101.57
      2    95 ms    95 ms    90 ms  0fa1.1-rtr1-a-hz1.zj.cn.net [202.96.101.33]
      3   100 ms    90 ms   100 ms  202.101.165.1
      4    90 ms    95 ms    95 ms  202.97.18.241
      5   105 ms   105 ms   100 ms  202.97.18.93
      6   100 ms    99 ms   100 ms  202.97.30.37
      7   135 ms    98 ms   100 ms  202.97.9.78
      8   760 ms   725 ms   768 ms  gip-ftworth-4-serial8-3.gip.net [204.59.178.53]
      9   730 ms   750 ms   715 ms  gip-ftworth-4-serial8-3.gip.net [204.59.178.53]
     10   750 ms   785 ms   772 ms  144.232.11.9
     11   740 ms   800 ms   735 ms  sl-bb11-pen-2-0.sprintlink.net [144.232.8.158]
     12   790 ms   800 ms   735 ms  sl-nap2-pen-4-0.sprintlink.net [144.232.5.66]
     13   770 ms   800 ms   800 ms  p219.t3.ans.net [192.157.69.13]
     14   775 ms   820 ms   780 ms  h14-1.t60-6.reston.t3.ans.net [140.223.17.18]
     15   780 ms   800 ms   800 ms  h11-1.t60-2.reston.t3.ans.net [140.223.25.34]
     16   790 ms   795 ms   800 ms  h14-1.t104-0.atlanta.t3.ans.net [140.223.65.18]
     17     *      h14-1.t104-0.atlanta.t3.ans.net [140.223.65.18]  reports: Destination host unreachable.
    Trace complete.

3. rusers and finger

These two are Unix commands. With them you can collect information about the users on the target computer.
Using the rusers command, the result looks like this:

    gajake    snark.wizard.com:ttyp1   Nov 13 15:42   7:30  (remote)
    root      snark.wizard.com:ttyp2   Nov 13 14:57   7:21  (remote)
    robo      snark.wizard.com:ttyp3   Nov 15 01:04     01  (remote)
    angel111  snark.wizard.com:ttyp4   Nov 14 23:09         (remote)
    pippen    snark.wizard.com:ttyp6   Nov 14 15:05         (remote)
    root      snark.wizard.com:ttyp5   Nov 13 16:03   7:52  (remote)
    gajake    snark.wizard.com:ttyp7   Nov 14 20:20   2:59  (remote)
    dafr      snark.wizard.com:ttyp15  Nov  3 20:09   4:55  (remote)
    dafr      snark.wizard.com:ttyp1   Nov 14 06:12  19:12  (remote)
    dafr      snark.wizard.com:ttyp19  Nov 14 06:12  19:02  (remote)

The leftmost column is the name of the user who is logged in remotely. The other columns give the host and terminal, the login time, the idle time and the fact that the login is remote. Using finger produces similar results:

    user  s00  ppp  ppp-122-pm1.wiza  Thu Nov 14 21:29:30 - still logged in
    user  s15  ppp  ppp-119-pm1.wiza  Thu Nov 14 22:16:35 - still logged in
    user  s04  ppp  ppp-121-pm1.wiza  Fri Nov 15 00:03:22 - still logged in
    user  s03  ppp  ppp-112-pm1.wiza  Thu Nov 14 22:20:23 - still logged in
    user  s26  ppp  ppp-124-pm1.wiza  Fri Nov 15 01:26:49 - still logged in
    user  s25  ppp  ppp-102-pm1.wiza  Thu Nov 14 23:18:00 - still logged in
    user  s17  ppp  ppp-115-pm1.wiza  Thu Nov 14 07:45:00 - still logged in
    user  s-1  0.0.0.0                Sat Aug 10 15:50:03 - still logged in
    user  s23  ppp  ppp-103-pm1.wiza  Fri Nov 15 00:13:53 - still logged in
    user  s12  ppp  ppp-111-pm1.wiza  Wed Nov 13 16:58:12 - still logged in

This command displays the status of users. It follows the client/server model: the client program sends a request to the server, interprets the reply, and presents it to the user. On the server a program called fingerd usually runs and, according to the server's configuration, returns some information to clients. Because of the personal information this reveals, many servers no longer provide the service at all, or return only unrelated information.
4. host

host is a Unix command that performs the same queries as the standard nslookup; the only difference is that host's output is easier to read. The amount of information the host command can expose is considerable, as the following query against bu.edu demonstrates:

    host -l -v -t any bu.edu

The -l option asks the domain's name server for a complete listing of the zone (a zone transfer, AXFR), so this one command returns a great deal of information, including data about operating systems, machines and the network. First the basic records:

    Found 1 addresses for BU.EDU
    Found 1 addresses for RS0.INTERNIC.NET
    Found 1 addresses for SOFTWARE.BU.EDU
    Found 5 addresses for RS.INTERNIC.NET
    Found 1 addresses for NSEGC.BU.EDU
    Trying 128.197.27.7
    bu.edu   86400 IN  SOA  BU.EDU HOSTMASTER.BU.EDU (
                961112121  ; serial (version)
                900        ; refresh period
                900        ; retry refresh this often
                604800     ; expiration period
                86400      ; minimum TTL
             )
    bu.edu   86400 IN  NS   SOFTWARE.BU.EDU
    bu.edu   86400 IN  NS   RS.INTERNIC.NET
    bu.edu   86400 IN  NS   NSEGC.BU.EDU
    bu.edu   86400 IN  A    128.197.27.7

None of this is dangerous in itself: it is just some machines and their DNS servers, information that could also be retrieved from whois or from the domain registration. But look at the following lines:

    bu.edu            86400 IN HINFO Sun-SparcStation-10/41 Unix
    pp-77-25.bu.edu   86400 IN A     128.197.7.237
    pp-77-25.bu.edu   86400 IN HINFO PPP-Host PPP-SW
    pp-77-26.bu.edu   86400 IN A     128.197.7.238
    pp-77-26.bu.edu   86400 IN HINFO PPP-Host PPP-SW
    odie.bu.edu       86400 IN A     128.197.10.52
    odie.bu.edu       86400 IN MX    10 cs.bu.edu
    odie.bu.edu       86400 IN HINFO Dec-alpha-3000/300LX OSF1

From these HINFO records we immediately learn that odie is a DEC Alpha running the OSF1 operating system. Looking further:

    strauss.bu.edu        86400 IN HINFO Pc-Pentium Dos/Windows
    burullus.bu.edu       86400 IN HINFO Sun-3/50 Unix (ouch)
    georgetown.bu.edu     86400 IN HINFO Macintosh Mac-os
    cheezwiz.bu.edu       86400 IN HINFO Sgi-Indigo-2 Unix
    pollux.bu.edu         86400 IN HINFO Sun-4/20-SparcStation-SLC Unix
    sfa109-pc201.bu.edu   86400 IN HINFO PC MS-DOS/Windows
    uh-pc002-ct.bu.edu    86400 IN HINFO pc-clone ms-dos
    software.bu.edu       86400 IN HINFO Sun-SparcStation-10/30 Unix
    cabmac.bu.edu         86400 IN HINFO Macintosh Mac-os
    vidual.bu.edu         86400 IN HINFO SGI-IRIX
    kiosk-gb.bu.edu       86400 IN HINFO Gatorbox Gatorware
    clarinet.bu.edu       86400 IN HINFO Visual-X-19-Turbo XServer
    duncan.bu.edu         86400 IN HINFO Dec-Alpha-3000/400 OSF1
    milhouse.bu.edu       86400 IN HINFO VaxStation-II/GPX Unix
    psy81-pc150.bu.edu    86400 IN HINFO PC Windows-95
    buphyc.bu.edu         86400 IN HINFO VAX-4000/300 OpenVMS

So by typing a single command you can collect important information about every computer in a domain, and it takes only about 3 seconds. This is exactly why a name server should refuse zone transfers to anyone but its own secondaries, and why HINFO records are rarely published today.

With the network commands above we have collected a great deal of useful information: the addresses of a domain's name servers, the user names on a computer, the services running on a server, the software (and version) providing each service, and the operating system each computer runs. Once the operating system and service software on the target are known, an intruder can attack them with their already-published vulnerabilities; if the target's administrator has not patched them, the intruder can easily break into the system, obtain administrator privileges and leave a back door. And once an intruder has a user name on the target, password-cracking software can be used to try logging in again and again; after enough attempts it is quite possible to get in. Obtaining a user name is half of what is needed to log in; the other half is left to the software.
Port scan analysis (b): port scanning techniques
Source / Author: Oliver

II. Port scanning techniques

What is a scanner? A scanner is a program that automatically detects the security weaknesses of a remote or local host. With a scanner you can discover which TCP ports of a remote server are open, which services they provide, and the version of the software behind them, which lets you see, directly or indirectly, what security problems the remote host has.

How a scanner works. The scanner tries the different TCP/IP ports of a remote host one after another and records the target's answer to each. In this way it collects a lot of useful information about the target host: for example whether anonymous login is possible, whether there is a writable FTP directory, whether telnet is available, and whether httpd runs as root or as nobody. What can it do? A scanner does not attack network vulnerabilities directly; it only helps us find the inherent weaknesses of the target machine. A good scanner analyses the data it gets to help us find the target's vulnerabilities, but it does not give detailed steps for breaking into a system. A scanner should have three capabilities: to discover a host or network; once a host is found, to discover which services are running on it; and, by testing those services, to discover vulnerabilities. Writing a scanner requires knowledge of TCP/IP programming and of C, Perl and/or the shell, some socket programming, and the methods for developing client/server applications. Developing a scanner is an ambitious project that usually leaves the programmer very satisfied. The commonly used port scanning techniques are introduced below.

TCP connect() scan. This is the most basic form of TCP scanning. The connect() system call provided by the operating system is used to open a connection to every port of interest on the target. If the port is listening, connect() succeeds; otherwise the port is unreachable, i.e. no service is available there. One of the biggest advantages of this technique is that it needs no special privileges: any user on the system may make this call. Another advantage is speed. Calling connect() for each target port one after another would take a long time over a slow link, but the scan can be accelerated by opening many sockets at the same time: with non-blocking I/O you can set a short timeout and watch all the sockets at once.
The disadvantage of this method is that it is very easy to detect and to filter. The target's log files show a burst of connections, each immediately followed by an error as the service is terminated, and the administrator can quickly shut the scan out.

TCP SYN scan. This technique is often called "half-open" scanning because the scanner never opens a complete TCP connection. It sends a SYN packet, as if it were about to open a real connection, and waits for the response (refer to the three-way handshake by which a TCP connection is established). A SYN|ACK in reply indicates that the port is listening; an RST indicates that it is not. If a SYN|ACK is received, the scanner must immediately send an RST to tear down the half-open connection. The advantage of this technique is that it generally leaves no trace on the target, because most services only log a connection once the handshake has completed. Its disadvantage is that root privileges are needed to build your own SYN packets.

TCP FIN scan. Sometimes even a SYN scan is not stealthy enough. Some firewalls and packet filters watch for SYNs to specified ports, and some programs can detect such scans. A FIN packet, on the other hand, may pass without trouble. The idea of this method is that a closed port replies to a FIN packet with the appropriate RST, while an open port ignores the FIN and sends nothing back. The method depends on how the system implements TCP: some systems reply with an RST whether or not the port is open, and against those the technique does not work. For the same reason the method is very useful for telling Unix from NT, because Windows answers every FIN probe with an RST regardless of the port's state.

IP fragment scanning. This is not a new method but a variation on the others. Instead of sending the TCP probe packet directly, it splits the packet into two smaller IP fragments. Splitting a TCP header across several packets makes it hard for a packet filter to detect the probe. But be careful: some programs have trouble handling such small packets.
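The SYN and FIN scans above come down to building one 40-byte probe and interpreting the flags of whatever comes back. The following is an added example, not code from the article: it builds the IPv4+TCP probe a scanner would hand to a raw socket (with a correct IP and TCP checksum, which a raw socket with IP_HDRINCL does not compute for the TCP part) and classifies the reply the way the text describes, including the Windows caveat for FIN scans. It works on raw bytes, so it runs without root or a network; the addresses 10.0.0.1 / 10.0.0.2 and the port numbers in main() are constructed values.

```c
/* Added example: SYN/FIN probe construction and reply classification. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { FLAG_FIN = 0x01, FLAG_SYN = 0x02, FLAG_RST = 0x04, FLAG_ACK = 0x10 };
enum { SCAN_SYN, SCAN_FIN };
enum { PORT_OPEN, PORT_CLOSED, PORT_FILTERED, PORT_OPEN_OR_FILTERED, PORT_INVALID };

/* Ones'-complement sum of n bytes as big-endian 16-bit words, added to acc. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; n -= 2, p += 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (n) acc += (uint32_t)p[0] << 8;          /* odd trailing byte */
    return acc;
}
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    return (uint16_t)acc;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xFF; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xFFFF); }

/* TCP checksum covers a pseudo header (src, dst, 0, protocol, TCP length)
 * plus the segment. Over a segment whose checksum field is already correct
 * the result is 0, which is how tcp_checksum_ok() verifies a packet. */
static uint16_t tcp_checksum(const uint8_t *iphdr, const uint8_t *seg, size_t seglen)
{
    uint8_t ph[12];
    memcpy(ph, iphdr + 12, 8);                  /* source and destination address */
    ph[8] = 0; ph[9] = 6;                       /* zero, protocol = TCP */
    put16(ph + 10, (uint16_t)seglen);
    return (uint16_t)~fold(sum16(seg, seglen, sum16(ph, 12, 0)));
}

/* Write a 40-byte IPv4 + TCP packet with the given flags into buf. */
size_t build_probe(uint8_t *buf, uint32_t src, uint32_t dst,
                   uint16_t sport, uint16_t dport, uint8_t flags)
{
    uint8_t *tcp = buf + 20;
    memset(buf, 0, 40);
    buf[0] = 0x45;                              /* IPv4, 20-byte header */
    put16(buf + 2, 40);                         /* total length */
    put16(buf + 4, 0x1234);                     /* identification */
    buf[8] = 64; buf[9] = 6;                    /* TTL, protocol = TCP */
    put32(buf + 12, src); put32(buf + 16, dst);
    put16(buf + 10, (uint16_t)~fold(sum16(buf, 20, 0)));   /* IP header checksum */

    put16(tcp, sport); put16(tcp + 2, dport);
    put32(tcp + 4, 0x11223344);                 /* sequence number (arbitrary) */
    tcp[12] = 5 << 4;                           /* data offset: 5 words, no options */
    tcp[13] = flags;
    put16(tcp + 14, 1024);                      /* window */
    put16(tcp + 16, tcp_checksum(buf, tcp, 20));
    return 40;
}

int tcp_checksum_ok(const uint8_t *pkt, size_t len)
{
    size_t ihl = (pkt[0] & 0x0F) * 4;
    if (len < ihl + 20) return 0;
    return tcp_checksum(pkt, pkt + ihl, len - ihl) == 0;
}

/* Classify the target's reply; len == 0 means nothing arrived before the timeout.
 * SYN scan: SYN|ACK = open, RST = closed, silence = filtered.
 * FIN scan: RST = closed, silence = open or filtered. The FIN rule holds for
 * BSD-derived stacks; Windows answers every FIN probe with RST, so a FIN scan
 * against it reports every port closed. */
int classify_reply(const uint8_t *pkt, size_t len, int scan)
{
    if (len == 0) return scan == SCAN_SYN ? PORT_FILTERED : PORT_OPEN_OR_FILTERED;
    if (!tcp_checksum_ok(pkt, len)) return PORT_INVALID;
    uint8_t flags = pkt[(pkt[0] & 0x0F) * 4 + 13];
    if (flags & FLAG_RST) return PORT_CLOSED;
    if (scan == SCAN_SYN && (flags & (FLAG_SYN | FLAG_ACK)) == (FLAG_SYN | FLAG_ACK))
        return PORT_OPEN;
    return PORT_INVALID;                        /* unexpected flags for this scan type */
}

int main(void)
{
    uint8_t reply[40];   /* constructed: what a listening port answers to a SYN probe */
    build_probe(reply, 0x0A000002u, 0x0A000001u, 80, 40000, FLAG_SYN | FLAG_ACK);
    printf("SYN scan, SYN|ACK reply -> %s\n",
           classify_reply(reply, 40, SCAN_SYN) == PORT_OPEN ? "open" : "other");
    return 0;
}
```

A real scanner would send build_probe()'s output through a raw socket, capture the reply with a packet filter, and after a SYN|ACK send a second probe with FLAG_RST to tear down the half-open connection, exactly as the SYN scan paragraph requires.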
TCP reverse ident scan. The ident protocol (RFC 1413) allows the user name of the owner of any process connected via TCP to be looked up, even if that process did not initiate the connection. So you can, for example, connect to the HTTP port and then use identd to find out whether the web server is running as root. This method only works after a complete TCP connection has been established with the target port.

FTP bounce attack. An interesting feature of the FTP protocol is its support for proxy FTP connections. That is, from its own computer A.com an intruder can establish a control connection to the server-PI (protocol interpreter) of the FTP server on target.com, and then ask that server-PI to start a server-DTP (data transfer process) that sends a file to any address on the Internet. For a user-DTP this is speculative, although the RFC does state that a server may be asked to send files to another. But this feature is not a good one any more; its drawback, as has been described, is that it "can be used to send untraceable mail and news, hammer on servers at many sites, fill up disks, try to hop firewalls, and in general be annoying and hard to track down". We use it to scan TCP ports from a proxying FTP server. In this way you can connect to an FTP server behind a firewall and then scan ports that are probably blocked from outside. If the FTP server allows you to read and write a directory, you can even send arbitrary data to the open ports you discover. For port scanning the technique works like this: use the PORT command to declare a passive user-DTP listening on some port of the target computer, then try to list the current directory with LIST; the result is sent through the server-DTP to that address. If the target is listening on that port, the transfer succeeds (producing a 150 and then a 226 response); otherwise "425 Can't build data connection: Connection refused" appears. Then use another PORT command to try the next port on the target.

The advantages of this method are obvious: it is difficult to track and can pass through a firewall. Its main disadvantage is that it is very slow, and some FTP servers eventually catch on and disable the proxying.
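The PORT/LIST exchange above is easy to get wrong in two places: the PORT argument encodes the address and port as six decimal bytes (h1,h2,h3,h4,p1,p2 with port = p1*256 + p2), and the scanner must map the reply codes 150/226 and 425 to open and closed. The following is an added example, not code from the article, that drives that exchange against a constructed in-memory FTP server. fake_ftp_exchange is an assumption standing in for a proxying server such as the wu-ftpd versions listed below; a real scanner would write each command line to the control socket and parse the three-digit code off the reply.

```c
/* Added example: FTP bounce port scan exchange against a constructed server. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { BOUNCE_OPEN = 1, BOUNCE_CLOSED = 0, BOUNCE_ERROR = -1 };

/* Encode "PORT h1,h2,h3,h4,p1,p2": the target's address as four decimal octets,
 * the port as its high and low byte. Returns 0 on success, -1 on bad input. */
int ftp_port_arg(char *out, size_t outlen, const char *dotted_ip, int port)
{
    int h[4];
    if (port < 1 || port > 65535 ||
        sscanf(dotted_ip, "%d.%d.%d.%d", &h[0], &h[1], &h[2], &h[3]) != 4)
        return -1;
    for (int i = 0; i < 4; i++) if (h[i] < 0 || h[i] > 255) return -1;
    int n = snprintf(out, outlen, "%d,%d,%d,%d,%d,%d",
                     h[0], h[1], h[2], h[3], port / 256, port % 256);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* The server side is abstracted as a function taking one command line and
 * returning the numeric reply code. */
typedef int (*ftp_exchange_fn)(void *ctx, const char *cmd);

/* Probe one target port through the FTP server: PORT <target> then LIST.
 * 150 (data connection opened) or 226 means the server reached the target
 * port, so it is open; 425 means the server's own connect() was refused. */
int ftp_bounce_probe(ftp_exchange_fn exch, void *ctx, const char *target_ip, int port)
{
    char arg[32], cmd[48];
    if (ftp_port_arg(arg, sizeof arg, target_ip, port) < 0) return BOUNCE_ERROR;
    snprintf(cmd, sizeof cmd, "PORT %s", arg);
    if (exch(ctx, cmd) != 200) return BOUNCE_ERROR;   /* server rejects third-party PORT */
    int code = exch(ctx, "LIST");
    if (code == 150 || code == 226) return BOUNCE_OPEN;
    if (code == 425) return BOUNCE_CLOSED;
    return BOUNCE_ERROR;
}

/* Scan ports first..last; open ports are written to out[], count returned. */
int ftp_bounce_scan(ftp_exchange_fn exch, void *ctx, const char *target_ip,
                    int first, int last, int *out, int max_out)
{
    int n = 0;
    for (int p = first; p <= last; p++)
        if (ftp_bounce_probe(exch, ctx, target_ip, p) == BOUNCE_OPEN && n < max_out)
            out[n++] = p;
    return n;
}

/* ---- constructed stand-in for a proxying FTP server (assumption) ---- */
struct fake_ftp { const int *open_ports; int n_open; int pending_port; };

int fake_ftp_exchange(void *ctx, const char *cmd)
{
    struct fake_ftp *s = ctx;
    int h[4], p1, p2;
    if (sscanf(cmd, "PORT %d,%d,%d,%d,%d,%d", &h[0], &h[1], &h[2], &h[3], &p1, &p2) == 6) {
        s->pending_port = p1 * 256 + p2;
        return 200;                                   /* "PORT command successful" */
    }
    if (strcmp(cmd, "LIST") == 0) {
        for (int i = 0; i < s->n_open; i++)
            if (s->open_ports[i] == s->pending_port) return 150;   /* data connection opened */
        return 425;           /* "Can't build data connection: Connection refused" */
    }
    return 500;
}

int main(void)
{
    static const int open_ports[] = { 22, 25, 80 };   /* constructed target state */
    struct fake_ftp srv = { open_ports, 3, 0 };
    int found[8];
    int n = ftp_bounce_scan(fake_ftp_exchange, &srv, "10.0.0.5", 20, 90, found, 8);
    for (int i = 0; i < n; i++) printf("10.0.0.5:%d open (via bounce)\n", found[i]);
    return 0;
}
```

Against a real server the same loop is what makes the technique slow: every port costs a PORT and a LIST round trip through the bounce host, and a server that refuses PORT arguments not matching the control connection's address answers 500 or 501 to the first command, which ftp_bounce_probe reports as BOUNCE_ERROR rather than as a port state.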
The method works against servers that announce themselves like these:

    220 xxxxxxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready.
    220 xxx.xxx.xxx.edu FTP server ready.
    220 xx.telcom.xxxx.edu FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready.
    220 lem FTP server (SunOS 4.1) ready.
    220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready.
    220 elios FTP server (SunOS 4.1) ready.

and fails against these:

    220 wcarch.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready.
    220 xxx.xx.xxxx.edu Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7
    220 ftp Microsoft FTP Service (Version 3.0).
    220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready.
    220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[BETA-13](6) ...) ready.

UDP ICMP port unreachable scan. This method differs from the ones above in that it uses UDP. Although the protocol is simpler, scanning is actually harder, because an open port is not required to acknowledge our probe and a closed port is not even required to send an error packet. Fortunately, most hosts do return an ICMP_PORT_UNREACH error when you send a packet to an unused UDP port, so you can at least find out which ports are closed. Neither UDP packets nor ICMP errors are guaranteed to arrive, so the scanner must retransmit any probe that appears to have been lost. This scanning method is also very slow, because RFC 1812 recommends that hosts rate-limit the ICMP error messages they send. Like the raw TCP scans, it requires root privileges in order to read the ICMP errors directly.

UDP recvfrom() and write() scan. While non-root users cannot read port-unreachable errors directly, Linux reports them indirectly. For example, a second write() call to a closed port will usually fail. And when you call recvfrom() on a non-blocking UDP socket, it returns EAGAIN ("try again") if the ICMP error has not arrived yet and ECONNREFUSED ("connection refused") if it has. This is how the technique tells whether a port is open.

ICMP echo scan. This is not a real port scan, since ICMP has no ports.
But it is sometimes useful for finding out which hosts on a network are up.

Port scan analysis (c): a simple scanner
Source / Author: Oliver

III. A simple scanner

Below is the source of a port scanner. It is quite simple: a typical TCP connect() scan that does no analysis of the data returned.
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* Only the option and address parsing of the scanner survives on this page;
       the connect() loop that follows it is not reproduced. bad_addr() is the
       page's name for the error helper; its body is not shown, so a minimal one
       is given here. */
    static void bad_addr(int octet)
    {
        fprintf(stderr, "bad address octet: %d\n", octet);
        exit(1);
    }

    int main(int argc, char **argv)
    {
        int classb = 0, classc = 0, single = 0, hex = 0;
        int c, a0 = 0, a1 = 0, a2 = 0, a3 = 0;
        unsigned char addr[4];
        const char *fmt;

        while ((c = getopt(argc, argv, "bcsx")) != EOF) {
            switch (c) {
            case 'b': classb++; break;      /* scan a class B: a.b.*.* */
            case 'c': classc++; break;      /* scan a class C: a.b.c.* */
            case 's': single++; break;      /* scan a single host */
            case 'x': hex++; break;         /* address given in hexadecimal */
            }
        }
        if ((classb == 0 && classc == 0 && single == 0) || optind >= argc) {
            fprintf(stderr, "Usage: %s [-b || -c || -s] [-x] xxx.xxx[.xxx[.xxx]]\n", argv[0]);
            exit(1);
        }
        /* The address is the first non-option argument (argv[optind]); the
           original indexed argv[2] or argv[3] depending on whether -x was given. */
        if (classb) {
            fmt = hex ? "%x.%x" : "%d.%d";
            sscanf(argv[optind], fmt, &a0, &a1);
        } else if (classc) {
            fmt = hex ? "%x.%x.%x" : "%d.%d.%d";
            sscanf(argv[optind], fmt, &a0, &a1, &a2);
        } else {
            fmt = hex ? "%x.%x.%x.%x" : "%d.%d.%d.%d";
            sscanf(argv[optind], fmt, &a0, &a1, &a2, &a3);
        }
        if (a0 > 255 || a0 < 0) bad_addr(a0);
        if (a1 > 255 || a1 < 0) bad_addr(a1);
        addr[0] = (unsigned char)a0;
        addr[1] = (unsigned char)a1;
        addr[2] = (unsigned char)a2;
        addr[3] = (unsigned char)a3;
        (void)addr;
        /* ... the address printing and the connect() loop are cut off here ... */
        return 0;
    }
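Since the scanner above breaks off before its connect() loop, here is an added example (not the article's code) of the complete technique it implements and that part (b) describes under "TCP connect() scan": a scanner that starts a batch of non-blocking connect() calls at once and watches them all with select() under one timeout, so that a slow link does not cost one round-trip timeout per port. It needs no privileges. It assumes a Unix socket API; listen_on_loopback() is a helper for trying it offline against your own machine and is not part of the scanning logic. Only scan hosts you are authorised to test.

```c
/* Added example: parallel non-blocking TCP connect() scanner. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAX_BATCH 128     /* sockets in flight at once; keep well below FD_SETSIZE */

static long now_ms(void)
{
    struct timeval t;
    gettimeofday(&t, NULL);
    return t.tv_sec * 1000L + t.tv_usec / 1000;
}

/* Scan ports first..last on ip. Up to `batch` connect()s are in flight at once
 * and each batch waits at most timeout_ms. A connect that finishes with
 * SO_ERROR == 0 completed the three-way handshake: the port is open.
 * ECONNREFUSED (the target sent RST) means closed; silence until the timeout
 * is treated as closed or filtered. Open ports go to out[]; count returned,
 * -1 for a bad address. */
int scan_range(const char *ip, int first, int last, int batch, int timeout_ms,
               int *out, int max_out)
{
    struct sockaddr_in sa;
    int fds[MAX_BATCH], found = 0;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return -1;
    if (batch < 1) batch = 1;
    if (batch > MAX_BATCH) batch = MAX_BATCH;

    for (int base = first; base <= last; base += batch) {
        int n = last - base + 1, pending = 0;
        if (n > batch) n = batch;

        /* Phase 1: start n non-blocking connects. */
        for (int i = 0; i < n; i++) {
            fds[i] = socket(AF_INET, SOCK_STREAM, 0);
            if (fds[i] < 0) continue;
            fcntl(fds[i], F_SETFL, fcntl(fds[i], F_GETFL, 0) | O_NONBLOCK);
            sa.sin_port = htons((unsigned short)(base + i));
            if (connect(fds[i], (struct sockaddr *)&sa, sizeof sa) == 0) {
                if (found < max_out) out[found++] = base + i;   /* completed at once */
                close(fds[i]); fds[i] = -1;
            } else if (errno == EINPROGRESS) {
                pending++;
            } else {                             /* ECONNREFUSED etc.: closed */
                close(fds[i]); fds[i] = -1;
            }
        }

        /* Phase 2: watch every pending socket together until the deadline. */
        long dead = now_ms() + timeout_ms;
        while (pending > 0) {
            fd_set wfds; FD_ZERO(&wfds);
            int maxfd = -1;
            for (int i = 0; i < n; i++)
                if (fds[i] >= 0) { FD_SET(fds[i], &wfds); if (fds[i] > maxfd) maxfd = fds[i]; }
            long left = dead - now_ms();
            if (left <= 0) break;
            struct timeval tv = { left / 1000, (left % 1000) * 1000 };
            int r = select(maxfd + 1, NULL, &wfds, NULL, &tv);
            if (r < 0 && errno == EINTR) continue;
            if (r <= 0) break;                   /* timeout: the rest never answered */
            for (int i = 0; i < n; i++) {
                if (fds[i] < 0 || !FD_ISSET(fds[i], &wfds)) continue;
                int err = 0; socklen_t len = sizeof err;
                if (getsockopt(fds[i], SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0
                    && found < max_out)
                    out[found++] = base + i;
                close(fds[i]); fds[i] = -1; pending--;
            }
        }
        for (int i = 0; i < n; i++) if (fds[i] >= 0) close(fds[i]);   /* timed out */
    }
    return found;
}

/* Convenience: 1 if the single port is open, 0 otherwise. */
int scan_port(const char *ip, int port, int timeout_ms)
{
    int open_port;
    return scan_range(ip, port, port, 1, timeout_ms, &open_port, 1) == 1;
}

/* Offline helper (assumption, not part of the scanner): listen on an ephemeral
 * loopback port and return its number; the socket is deliberately left open. */
int listen_on_loopback(void)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    return ntohs(sa.sin_port);
}

int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s ip first_port last_port\n", argv[0]); return 1; }
    int open_ports[1024];
    int n = scan_range(argv[1], atoi(argv[2]), atoi(argv[3]), 64, 1000, open_ports, 1024);
    for (int i = 0; i < n; i++) printf("%s:%d open\n", argv[1], open_ports[i]);
    return n < 0;
}
```

Run as `./scanner 127.0.0.1 1 1024` to list the open low ports on your own machine. This is exactly the scan that part (b) calls easy to detect: every open port sees a completed handshake followed by an immediate close, which services log and intrusion detection systems count.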