Network Mapping: Network Mapping Issue - Beta version of Publication

Here is another publication about network scanning types, together with a practical overview of some well-known scanning tools, such as Nmap and Unicornscan.

Read through the author's practices and advice and share your thoughts with us. You will find more relevant publications in the Network Mapping issue shortly.

Introduction: why scanning is necessary and what it gives

Utilities for network scanning are among the most popular tools for pentesters, hackers and system administrators. It is difficult to find a system administrator who has never used the ping command, which is part of every operating system. The ping program can be considered the simplest network scanner, since it lets us find out whether a network host with the specified IP address is reachable. Network scanning is a powerful tool that is regularly used for configuring networks and network equipment, and also for troubleshooting nodes. Almost any tool can be used for constructive and destructive purposes, so scanners are also a favourite tool of any hacker; in fact, most of the best-known network scanning utilities were developed by hackers, because these utilities gather information about the computers connected to the network, the network architecture, the type of equipment used and the open ports on remote computers, which is all the primary information needed to break into a network successfully. The same tools are also used to identify network security weaknesses (open ports, the service protocol, the application name, the version number, hostname, device type, the OS family, etc.).

A port scanner is a software application designed to probe a server or host for open ports. A port is an application-specific or process-specific software construct serving as a communications endpoint in a computer's host operating system. A port is associated with an IP address of the host, as well as the type of protocol used for communication. The purpose of ports is to uniquely identify different applications or processes running on a single computer and thereby enable them to share a single physical connection to a packet-switched network like the Internet. Port scanning is used by hackers to break into a network and, in turn, by system administrators to protect it. Let us consider in more detail how the results of a network scanner are used.

As noted above, pentesters often use a port scanner to detect vulnerabilities in a network. The program reports whether a port is open or closed, and identifies the service and its version number. Based on this information, the scanner is even able to detect the operating system of the target host. The resulting information is very useful to attackers: from a port scan they get the information they need, which can then be used to gain unauthorized access to critical data of the organization or to compromise a server, and through it the entire segment or the whole system.

System administrators use the same tool to search for vulnerabilities, but for the opposite purpose: to improve the protection of the LAN under their jurisdiction. Port scanners help you find unused services (if nobody uses them, nobody configures them either, so they are poorly protected), which are potential security holes in the organization. Such services should be disabled, and the services that are actually used deserve special attention in the form of constant monitoring. In addition, continuous monitoring of TCP connections to a port helps to detect malicious software in time. If you configure checks on certain ports, the port scanner should notify the system administrator as soon as such a port opens (lists of ports often used by malicious programs can be found on the Internet).

Another advantage of a port scanning system is the ability to learn about network problems and failures of network equipment in time. By periodically polling the same TCP port, you can immediately find out that a host has stopped working without leaving the workplace. This allows the system administrator to react quickly to problems and fix them in time, reducing downtime to a minimum.

Another function of a port scanner is scanning the network to identify all reachable hosts (computers, servers and other network equipment), which is very important for system administrators working in an organization with a very complex and distributed network architecture.

Thus, a port scanner performs a triple function in the network: it identifies hosts on the network, monitors those hosts for early detection of malfunctions, and detects potential vulnerabilities in the system, thereby improving its security and stability.

Scan Result

The design and operation of the Internet is based on the Internet Protocol Suite, commonly also called TCP/IP. In this system, hosts and host services are referenced using two components: an address and a port number. There are 65536 distinct and usable port numbers. Most services use a limited range of numbers.

Some port scanners scan only the most common port numbers, or ports most commonly associated with vulnerable services, on a given host. See: List of TCP and UDP port numbers.

The result of a scan on a port is usually generalized into one of three categories:

1. Open or Accepted: The host sent a reply indicating that a service is listening on the port.

2. Closed or Denied or Not Listening: The host sent a reply indicating that connections will be denied to the port.

3. Filtered, Dropped or Blocked: There was no reply from the host.

Open ports present two vulnerabilities of which administrators must be wary:

1. Security and stability concerns associated with the program responsible for delivering the service - Open ports.

2. Security and stability concerns associated with the operating system that is running on the host - Open or Closed ports.

Filtered ports do not tend to present vulnerabilities.

Port Scanning Types

SYN scanning

SYN scan is another form of TCP scanning. Rather than use the operating system's network functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan type is also known as "half-open scanning", because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the connection before the handshake is completed. If the port is closed but unfiltered, the target will instantly respond with a RST packet.

The use of raw networking has several advantages, giving the scanner full control of the packets sent and the timeout for responses, and allowing detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection. However, the RST during the handshake can cause problems for some network stacks, in particular simple devices like printers.

TCP scanning

The simplest port scanners use the operating system's network functions; this is generally the next option to go to when a SYN scan (described above) is not feasible. Nmap calls this mode connect scan, named after the Unix connect() system call. If a port is open, the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection to avoid performing a kind of denial-of-service attack. Otherwise an error code is returned. This scan mode has the advantage that the user does not require special privileges. However, using the OS network functions prevents low-level control, so this scan type is less common. This method is "noisy", particularly if it is a "portsweep": the services can log the sender IP address and intrusion detection systems can raise an alarm.

UDP scanning

UDP scanning is also possible, although there are technical challenges. UDP is a connectionless protocol so there is no equivalent to a TCP SYN packet. However, if a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open. However, if a port is blocked by a firewall, this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This method is also affected by ICMP rate limiting.

An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response, if a DNS server is present. This method is much more reliable at identifying open ports. However, it is limited to scanning ports for which an application specific probe packet is available. Some tools (e.g., nmap) generally have probes for less than 20 UDP services, while some commercial tools (e.g., nessus) have as many as 70. In some cases, a service may be listening on the port, but configured not to respond to the particular probe packet.

To cope with the different limitations of each approach, some scanners offer a hybrid method. For example, using nmap with the -sUV option will start by using the ICMP port unreachable method, marking all ports as either "closed" or "open|filtered". The open|filtered ports are then probed for application responses and marked as "open" if one is received.

ACK scanning

ACK scanning is one of the more unique scan types, as it does not exactly determine whether the port is open or closed, but whether the port is filtered or unfiltered. This is especially good when attempting to probe for the existence of a firewall and its rulesets. Simple packet filtering will allow established connections (packets with the ACK bit set), whereas a more sophisticated stateful firewall might not.

Window scanning

Rarely used because of its outdated nature, window scanning is fairly untrustworthy in determining whether a port is opened or closed. It generates the same packet as an ACK scan, but checks whether the window field of the packet has been modified. When the packet reaches its destination, a design flaw attempts to create a window size for the packet if the port is open, flagging the window field of the packet with 1's before it returns to the sender. Using this scanning technique with systems that no longer support this implementation returns 0's for the window field, labeling open ports as closed.

FIN scanning

Since SYN scans are not surreptitious enough, firewalls are, in general, scanning for and blocking packets in the form of SYN packets. FIN packets are able to pass by firewalls with no modification to its purpose. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP, and is in some ways an inescapable downfall.

Other scan types

Some more unusual scan types exist. These have various limitations and are not widely used.

- X-mas and Null Scan: are similar to FIN scanning, but X-mas sends packets with FIN, URG and PUSH flags turned on like a Christmas tree; Null sends a packet with no TCP flags set.

- Protocol scan: determines what IP level protocols (TCP, UDP, GRE, etc.) are enabled.

- Proxy scan: a proxy (SOCKS or HTTP) is used to perform the scan. The target will see the proxy's IP address as the source. This can also be done using some FTP servers.

- Idle scan: another method of scanning without revealing one's IP address, taking advantage of the predictable IP ID flaw.

- CatSCAN: checks ports for erroneous packets.

- ICMP scan: determines if a host responds to ICMP requests, such as echo (ping), netmask, etc.
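To make the reply rules behind these scan types concrete, here is an added example (not code from the original article) that models a target's TCP stack and three simplified packet-filter policies, then shows what state each scan type reports for an open and a closed port. The firewall policies and the scan_matrix helper are assumptions for illustration; nothing is sent on the wire.

```python
"""Model of how a target's TCP stack and a packet filter react to the probe
types described above, and what state each scan type therefore reports.

Added example, not code from the original article. The target behaviour follows
the text (and RFC 793 LISTEN/CLOSED handling); the three firewall policies are
simplified assumptions used only to illustrate the differences between scans.
No packets are sent."""
from typing import Dict, FrozenSet, Optional, Tuple

# Probe flag sets for the TCP scan types discussed in the article.
PROBES = {
    "syn": frozenset({"SYN"}),
    "ack": frozenset({"ACK"}),
    "fin": frozenset({"FIN"}),
    "null": frozenset(),
    "xmas": frozenset({"FIN", "URG", "PSH"}),
}


def filter_passes(flags: FrozenSet[str], policy: str) -> bool:
    """Assumed packet-filter policies in front of the target.
    none      - everything passes
    stateless - blocks new connections (SYN without ACK), passes anything else,
                so probes that look like an established flow get through
    stateful  - only passes a packet that starts a connection (a bare SYN);
                any other unsolicited probe is dropped
    """
    if policy == "none":
        return True
    if policy == "stateless":
        return not ("SYN" in flags and "ACK" not in flags)
    if policy == "stateful":
        return flags == frozenset({"SYN"})
    raise ValueError(policy)


def target_reply(port_open: bool, flags: FrozenSet[str], policy: str) -> Optional[str]:
    """What comes back from the target, or None if nothing does."""
    if not filter_passes(flags, policy):
        return None                      # dropped silently by the filter
    if not port_open:
        return "RST"                     # CLOSED: any segment is answered with RST
    if "SYN" in flags and "ACK" not in flags:
        return "SYN-ACK"                 # LISTEN: a SYN gets the second handshake step
    if "ACK" in flags:
        return "RST"                     # LISTEN: stray ACK for no connection -> RST
    return None                          # LISTEN: FIN/NULL/Xmas without SYN/ACK is dropped


def reported_state(scan: str, reply: Optional[str]) -> str:
    """The state a scanner of this type reports for the observed reply."""
    if scan == "syn":
        return {"SYN-ACK": "open", "RST": "closed", None: "filtered"}[reply]
    if scan == "ack":
        return "unfiltered" if reply == "RST" else "filtered"
    # fin / null / xmas: a RST proves closed; silence is open OR filtered
    return "closed" if reply == "RST" else "open|filtered"


def scan_matrix(policy: str) -> Dict[Tuple[str, str], str]:
    """Run every scan type against an open and a closed port behind `policy`."""
    out = {}
    for scan, flags in PROBES.items():
        for port_open in (True, False):
            reply = target_reply(port_open, flags, policy)
            out[(scan, "open" if port_open else "closed")] = reported_state(scan, reply)
    return out
```

Comparing scan_matrix("stateless") with scan_matrix("stateful") shows why an ACK scan distinguishes the two filter types, and why FIN/NULL/Xmas scans behind a stateful filter report every port as open|filtered.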


Network scanners

The previous sections covered the various scanning methods. IT specialists, however, try to automate their work, so special programs for automated scanning, network scanners, have been developed. Let us consider some examples of them. Note that some of these programs require administrative privileges. All of them are included in the Kali Linux penetration testing distribution (http://www.kali.org/).

Nmap

(http://nmap.org/)

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. This scanner supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP and UDP), OS detection, version detection, ping sweeps, and more. One of Nmap's most powerful and flexible features is the Nmap Scripting Engine (NSE). It allows users to write (and share) simple scripts (using the Lua programming language) to automate a wide variety of networking tasks, including network discovery, more sophisticated version detection and vulnerability detection. NSE can even be used for vulnerability exploitation.

This scanner is a "must have" for pentesters and system administrators. A summary of the available options is printed when Nmap is run with no arguments. It helps people remember the most common options, but is no substitute for the in-depth official documentation. Let us look at some specific network mapping examples with this scanner.

The basic command line syntax to invoke Nmap is as follows:

nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }

This network scanner has a lot of command-line parameters, which can be divided into the following groups:

  • Target Specification
  • Host Discovery
  • Port Scanning Techniques
  • Port Specification and Scan Order
  • Service and Version Detection
  • Script Scan
  • OS Detection
  • Timing and Performance
  • Firewall/IDS Evasion and Spoofing
  • Output

Examples:

# nmap -sL 192.168.168.0/24

The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts (here, all hosts in a subnet). By default, Nmap still does reverse-DNS resolution on the hosts to learn their names, and a host name can contain useful information for a pentester.

# nmap -p80,443 192.168.168.10-20

Scans the IP address range looking for open ports 80 and 443.

# nmap -p T:80,8080,3128 172.16.0.1/22

Scans all hosts between 172.16.0.1 and 172.16.3.254, looking for open TCP ports 80, 8080 and 3128 (the default listening ports for various proxy servers).

# nmap -sn 192.168.168.10,20

Ping-scans two hosts (192.168.168.10 and 192.168.168.20), a fast way to check whether they are up without scanning their ports.

# nmap -Pn 192.168.168.0/29

Scans all the hosts in the 192.168.168.1 to 192.168.168.6 range. Sometimes host-based firewalls deny ping requests, which makes such hosts difficult to scan. The -Pn option is useful in such cases: it skips host discovery and scans the hosts assuming they are online.

# nmap -A -F 192.168.168.1

Detects the target OS and the services running on it, in fast-scan mode (-F scans fewer ports than the default).

The -A option enables aggressive options and provides more information:

# nmap -A 192.168.168.50

Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-17 19:54 MSK
Nmap scan report for dell.local (192.168.168.50)
Host is up (0.00032s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
| ssh-hostkey: 1024 8f:ff:fe:e7:e6:fa:3a:d1:ea:b8:2b:67:74:e5:42:da (DSA)
|_2048 c9:39:c7:c7:f5:05:82:3d:ff:c7:8b:0b:97:39:e8:8e (RSA)
111/tcp open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2          111/tcp   rpcbind
|   100000  2          111/udp   rpcbind
|   100024  1        33123/tcp   status
|_  100024  1        60789/udp   status
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: OFFICE)
MAC Address: EE:E4:4C:87:35:9F (Unknown)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: DELL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT      ADDRESS
1   0.32 ms  dell.local (192.168.168.50)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.54 seconds
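Output like the report above is usually triaged by a script rather than by eye. The following added example (not part of the original article) parses Nmap's normal text output into a port list and host-script findings; the sample report is a constructed excerpt modelled on the output above, and the list of phrases flagged as risky is an assumption.

```python
"""Parse Nmap's normal (-oN style) text output into structured findings and
flag host-script lines that indicate weak configuration.

Added example, not part of the original article. SAMPLE_REPORT is a
constructed excerpt modelled on the nmap -A output shown above. RISKY_PHRASES
is an assumed list for illustration; real triage would use -oX and an XML parser."""
import re
from typing import Dict, List

SAMPLE_REPORT = """\
Nmap scan report for dell.local (192.168.168.50)
Host is up (0.00032s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
111/tcp open  rpcbind     2 (RPC #100000)
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: OFFICE)
MAC Address: EE:E4:4C:87:35:9F (Unknown)
OS details: Linux 2.6.32

Host script results:
| smb-security-mode:
|   Account that was used for smb scripts: guest
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
HOST_LINE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?")

# Phrases in NSE output a defender would want raised for review (assumed list).
RISKY_PHRASES = ("Message signing disabled", "doesn't support SMBv2", "guest")


def parse_report(text: str) -> Dict:
    """Return host, ports, OS line and flagged script findings from one report."""
    result = {"host": None, "ip": None, "ports": [], "os": None, "findings": []}
    in_scripts = False
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            result["host"], result["ip"] = m.group(1), m.group(2)
            continue
        if line.startswith("OS details:"):
            result["os"] = line.split(":", 1)[1].strip()
            continue
        m = PORT_LINE.match(line)
        if m:  # port table rows only; NSE lines start with '|' and never match
            port, proto, state, service, version = m.groups()
            result["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "version": version})
            continue
        if line.startswith("Host script results:"):
            in_scripts = True
            continue
        if in_scripts and line.startswith("|"):
            body = line.lstrip("|_ ").strip()   # drop the NSE tree prefix
            if any(p in body for p in RISKY_PHRASES):
                result["findings"].append(body)
    return result


def open_ports(report: Dict) -> List[int]:
    """Port numbers the report lists as open."""
    return [p["port"] for p in report["ports"] if p["state"] == "open"]
```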

These basic commands are useful for standard scans in any network, and serve a variety of purposes including checking open ports; whether unintended services (like terminal services, VNC, FTP, etc) are running on important hosts; obtaining a list of IP addresses to be scanned, and so on.

However, these simple and straightforward scans may not fulfil all requirements. Sometimes, for example, special scans are required in order to test intrusion detection/prevention systems. There might also be the need to conceal the identity of the scanner from the target host.

Nmap does indeed provide various ways to conceal your IP address (you can also conceal your MAC address by spoofing) though you have to be careful while using these commands. They require an in-depth knowledge of TCP/IP protocols, and may disrupt the systems/network or cause damage if not run properly. Let’s look at some stealth techniques to conceal the identity of the scanning system.

Idlescan

nmap -v -sI 192.168.168.100 192.168.168.50

This scan will probe 192.168.168.50 while pretending that the scan packets come from another host; the target's logs will show that the scan originated from 192.168.168.100. The host used in this way is called a zombie host.

Decoy host

nmap -sS -Pn -D 192.168.168.101,192.168.168.102,192.168.168.103 192.168.168.50

This command is especially useful while testing IDS/IPS. The -sS option performs a SYN scan on the target host. While doing so, Nmap spoofs the source addresses of additional probes so that the target host also sees them as coming from the specified (-D) decoy hosts.

These are some of the methods and techniques supported by Nmap that should draw your attention to this powerful tool. For more information, see the official documentation.
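From the defender's side, both a plain SYN sweep and the decoy variant leave the same trace: many distinct destination ports from one source in a short time, and with -D several such sources moving in lockstep. The added example below (not from the original article) runs that detection over constructed firewall log lines; the log format, the threshold of 8 ports in 10 seconds and the 5-second decoy tolerance are assumptions.

```python
"""Port-sweep detection over firewall log lines, with grouping of sources that
sweep the same target at the same time (the trace an nmap -D decoy scan leaves).

Added example, not code from the original article. The log format below is a
constructed, simplified one (one SYN per line); thresholds are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

LOG_RE = re.compile(r"^(?P<ts>[\d.]+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                    r"PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$")


def make_sample_log() -> List[str]:
    """Constructed log: one real scanner plus three decoy sources (as the -D
    example above would produce) sweeping 10 ports on .50 within two seconds,
    and a benign SSH client that reconnects to port 22 a few times."""
    lines = []
    ports = [21, 22, 25, 80, 110, 139, 443, 445, 3389, 8080]
    sources = ["192.168.168.5", "192.168.168.101", "192.168.168.102", "192.168.168.103"]
    for i, port in enumerate(ports):
        for src in sources:
            lines.append(f"{1000.0 + i * 0.2:.1f} SRC={src} DST=192.168.168.50 "
                         f"PROTO=TCP DPT={port} FLAGS=SYN")
    for k in range(3):
        lines.append(f"{1100.0 + k * 30:.1f} SRC=192.168.168.20 DST=192.168.168.50 "
                     f"PROTO=TCP DPT=22 FLAGS=SYN")
    return lines


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": float(m["ts"]), "src": m["src"], "dst": m["dst"],
            "dpt": int(m["dpt"]), "flags": m["flags"].split(",")}


def detect_sweeps(lines: List[str], window: float = 10.0, min_ports: int = 8) -> List[Dict]:
    """One alert per (src, dst) pair that hits >= min_ports distinct ports
    with SYNs inside any `window`-second span."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and "SYN" in ev["flags"]:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dpt"]))
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "start": t0, "ports": len(ports)})
                break
    return alerts


def correlate_decoys(alerts: List[Dict], tolerance: float = 5.0) -> List[Dict]:
    """Group sweep alerts against the same target that started within
    `tolerance` seconds of each other. Several 'sources' sweeping in lockstep
    is the signature of decoy scanning: only one of them is the real scanner,
    and the logs alone cannot say which."""
    clusters = []
    for a in sorted(alerts, key=lambda a: (a["dst"], a["start"])):
        last = clusters[-1] if clusters else None
        if last and last["dst"] == a["dst"] and a["start"] - last["start"] <= tolerance:
            last["sources"].append(a["src"])
        else:
            clusters.append({"dst": a["dst"], "start": a["start"], "sources": [a["src"]]})
    return [c for c in clusters if len(c["sources"]) > 1]
```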

Unicornscan

(http://www.unicornscan.org/ )

Robert E. Lee (Dyad Security) first announced the Unicornscan utility in San Diego at Toorcon 2004, a conference of hackers and computer security professionals.

Unicornscan is an asynchronous TCP and UDP port scanner developed by the late Jack C. Louis. It is an attempt at a User-land Distributed TCP/IP stack, intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network.

According to Lee, Unicornscan can issue 30,000 packets per second on a conventional network card, and in the near future he hopes to reach millions of packets per second. It is rumored that during testing the network cards of victim laptops burned out because they could not cope with such a large number of packets. In this regard, an interesting feature of unicornscan is that the '-r' option lets you adjust the scanning rate. For example, -r100 sets a rate of 100 packets per second.

Run the "unicornscan -h" command to view the available options.

Let us consider some examples of the use of this scanner. For a basic scan with the default options, you specify the IP address or DNS name of the target:

# unicornscan 192.168.168.50
TCP open ssh[ 22] from 192.168.168.50 ttl 64
TCP open sunrpc[ 111] from 192.168.168.50 ttl 64
TCP open netbios-ssn[ 139] from 192.168.168.50 ttl 64

With this invocation the default option values are used. These values can be set in the configuration file, located at /etc/unicornscan/unicorn.conf.

Let's set a specific task and examine more options with it. For example, in Windows networks one sometimes finds MSSQL running as an administrator, often with a simple password, which allows executing any command as administrator. This is exactly what a pentester needs. Such hosts can be found with the following command:

# unicornscan -r100 -mU -I 192.168.168.0/24:1434
UDP open 192.168.168.239:1434 ttl 64
UDP open 192.168.168.237:1434 ttl 64
UDP open ms-sql-m[ 1434] from 192.168.168.237 ttl 64
UDP open ms-sql-m[ 1434] from 192.168.168.239 ttl 64

Used options:

Option  Description
-r100   100 packets per second
-mU     Scan mode UDP
-I      Immediately display results to the screen as received
:1434   Port 1434 (MSSQL)

All other options, and a table of correspondences between nmap and unicornscan options, can be found in the official documentation.

hping3

(http://www.hping.org/hping3.html )

hping is a free packet generator and analyzer for the TCP/IP protocol, distributed by Salvatore Sanfilippo (also known as antirez). Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan technique.

Let us consider the various scanning options of the hping3 utility.

A classic SYN scan, sending TCP packets with the SYN flag set:

# hping3 -S 192.168.10.10 -p 80 -c 2

-S selects a SYN request, -p specifies the destination port (80 here, for HTTP), and -c 2 sends the request only 2 times.

Playing with the ports involved in the process:

# hping3 -S 192.168.10.10 -p ++50 -c 5

The ++ increment before the port number makes hping scan a series of ports sequentially, starting at the specified one; -c acts as a limit on the number of outgoing packets, and therefore on how many ports are probed.

Scanning an entire subnet for live hosts:

# hping3 -1 192.168.10.x --rand-dest -I eth0

-1 asks hping to use ICMP instead of TCP (by default hping uses TCP), -I selects the interface, and --rand-dest picks random destinations (the x in the address is replaced by random values).

ICMP timestamp request:

# hping3 -1 192.168.10.10 --icmp-ts -c 2

Finding a firewall:

# hping3 -1 192.168.10.10 --icmp-addr -c 2

If this command gets no reply, this particular IP address belongs to a firewall.

UDP scan on port 80:

# hping3 -2 192.168.10.10 -p 80 -c 1

-2 asks hping to use UDP.

ACK scan on port 80:

# hping3 -A -c 1 -s 5000 -p 80 192.168.10.10

This type of scan does not show whether the port is closed or open; it is designed only to detect a firewall.

Collecting the ISN (Initial Sequence Number):

# hping3 192.168.10.10 -Q -p 139 -S

This collects sequence numbers; if the initial sequence number is predictable, the OS has a vulnerability. This is generally seen in older operating systems.

SYN scan on ports 100-200:

# hping3 -8 100-200 -S 192.168.10.10

Summing up, we have met the hping utility and seen that it is quite a powerful tool and a good alternative to a dedicated scanner.

References

Wikipedia. Port scanner. https://en.wikipedia.org/wiki/Port_scanner

Why You Need a Port Scanner. http://www.sooperarticles.com/technology-articles/hardware-articles/why-you-need-port-scanner-1289182.html

Nmap. http://nmap.org/

Learning Nmap: The Basics. http://www.linuxforu.com/2010/08/nmap-basics/

Unicornscan. http://www.unicornscan.org/

Syed Balal Rumy. Getting started with Hping3. http://rumyittips.com/getting-started-with-hping3/

September 2, 2014

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013