- Scanning and Enumeration
Port Scanning and System Enumeration
Port scanning is the process of connecting to TCP and UDP ports for the purpose of finding what services and applications are open on the target device. Once open, applications or services can be discovered. At this point, further information is typically gathered to determine how best to target any vulnerabilities and weaknesses in the system.
Port Scanning Steps
Port scanning is one of the key steps of ethical hacking. Before a system can be attacked the hacker must determine what systems are up, what applications are running, and what what versions the applications are.
1. Determining If The System Is Alive
2. Port Scanning
- Nmap - As you might guess, the name “nmap” implies that the program was ostensibly developed as a network mapping tool. Well, as you can imagine, such a capability is attractive to the folks that attack networks, not just network and system administrators and the network support staff. Of all the tools available it is nmap that people just seem to keep coming back to. The familiar command line interface, the availability of documentation, and the generally competent way in which the tool has been developed and maintained, are all attractive to us. Nmap performs a variety of network tricks. To learn more check out the NMAP tutorial.
- Nmap - Interesting options
- -f fragments packets
- -D Launches decoy scans for concealment
- -I IDENT Scan finds owners of processes (on Unix systems)
- -b FTP Bounce
- Port Scan Types
- TCP Connect scan
- TCP SYN scan
- TCP FIN scan
- TCP Xmas Tree scan (FIN, URG, and PUSH)
- TCP Null scan
- TCP ACK scan
- UDP scan
Many services announce what they are in response to requests.
Banner grabbers just collect those banners the easiest way to banner grab:
telnet <ipaddress> 80
4. Operating System Fingerprinting
- Active Stack Fingerprinting
- Passive fingerprinting
The process of enumeration, finding find what services are running, versions, open shares, account details, or possible points of entry. One such target is SMB. While SMB makes it possible for users to share files and folders, SMB offers access on Windows computers via the IPC$ share. This share, the IPC$, is used to support named pipes that programs used for interprocess (or process-to-process) communications. Because named pipes can be redirected over the network to connect local and remote systems, they also enable remote administration.
1. Attacking Null Sessions
The Windows Server Message Block (SMB) protocol hands out a wealth of information freely. Null Sessions are turned off by default in Win XP, Server 2003, Vista, and Windows 7 but open in Win 2000 and NT.
Null Session Tools
- NBTenun 3.3
2. Enumerating Windows Active Directory via LDAP, TCP/UDP 389 and 3268. Active Directory contains user accounts and additional information about accounts on Windows DC's. If the domain is made compatible with earlier versions of Windows, such as Win NT Server, any domain member can enumerate Active Directory
3. Targeting Border Gateway Protocol (BGP). The de facto routing protocol on the Internet. BGP is used by routers to help them guide packets to their destinations. It can be used to find all the networks associated with a particular corporation
Defense with Port Knocking
Port knocking is a rather esoteric method of preventing session creation with a particular port. Port knocking is not currently implemented by default in any stack, but we may soon see patches to permit the use of knocking protocols. The basis of port knocking is the digital analog of the secret handshake. Through the use of timing, data sent with SYN packets, number of SYN packets sent, sequence of ports hit, and other options, a client authorizes itself to access a port. While useful for obscuring the existence of a port, port knocking is simply another layer of authentication. Links can still be saturated through DoS attacks, RST attacks can still kill connections, and sessions can still be hijacked and sniffed. A paranoid system administrator may care to use a port knocking daemon to add an extra layer of security to connections, but securing the connection through a PKI certificate exchange is much more likely to yield tangible security benefits.
Scanning and Enumeration Links
Some links to learn more about scanning and enumeration include:
Port scans legal, judge says (12/18/2000)
Port Scanning and its Legal Implications (2004)
A Simple Guide to Nmap Usage
YouTube - Trinity Nmap Hack - Matrix Reloaded
Nessus Vulnerability Scanner
Nessus Technical Guide
Very simple Nessus installation [Archive] - Ubuntu Forums
How to install the vulnerability scanner Nessus | Ubuntu Linux
fping - a program to ping hosts in parallel
Hping - Wikipedia, the free encyclopedia
Tutorial: Hping2 Basics
Smurf attack - Wikipedia, the free encyclopedia
Preventing Smurf Attacks
Advanced Bash-Scripting Guide
NetBIOS NULL Sessions: The Good, The Bad, and The Ugly
Null session attacks: Who's still vulnerable?
NULL sessions restrictions of server and workstation RPC operations
Null session in Windows XP
Listing usernames via a null session on Windows XP
Download Winfo -- NetBIOS Null Session Enumeration Tool
NetBIOS Suffixes (16th Character of the NetBIOS Name)
SystemTools.com - DumpSec and Hyena
Description of the Windows File Protection feature