ITS 4550 - Fraud Prevention and Deterrence

Chapter 6, Port Scanning

This lesson presents material from chapter 6. Objectives important to this lesson:

  1. Network range
  2. Active machines
  3. Mapping open ports
  4. OS fingerprinting
  5. Mapping the network
  6. Analyzing results
Chapter 6

The text introduces the chapter by comparing footprinting and port scanning. Footprinting is passive research that does not require action on the target network. Port scanning is several kinds of active research that takes place on the target network.

The text recommends that you determine the range of IP addresses being used by the target first. It mentions that you can research this with Whois or Root Zone. An exercise in using the Root Zone database to find an address range appears on pages 115 through 118 of the text. I do not find either database useful in this regard for some targets. I would recommend, instead, that you ping the target URL to get a DNS translation of its web server's IP address, which may be a better start. As the text explains on page 139, this is not always possible. It can be advisable to block ping requests with firewalls and on specific servers. It is also likely that network intrusion detection and prevention systems will alert administrators if there is unusual ping traffic in the network.

If you are able to determine or make a good guess about the target's IP range, the text suggests several methods that have been used to find active network connections:

  • wardialing - An ancient technique that involved using a modem to dial ranges of phone numbers, one after another, and to log the ones that were answered by a computer. The hacker conducting the search would make follow-up contacts to the live computers to try to break into their systems.
  • wardriving - A more recent technique that involves using a laptop to find wireless access points. Typically, the hacker drives around the periphery of the target property, searching for an access point whose range extends beyond the target's border. The text recommends some tools for this kind of work: AirSnort (for attacks), AirSnare (for defense), Kismet (for both), and NetStumbler (for attacks).
  • pinging - As discussed above, a ping can tell you a lot about a device, but it can be blocked at the device or at a firewall. However, a ping can be useful an efficient way to determine which machines in an IP range are currently awake on the network.

The text moves on to a longer discussion that starts with port scanning. It reminds us that there are 65,535 ports for TCP based services, and the same number for UDP based services, on any computer. Some common services are shown in the table on page 140, along with their usual port numbers and their alignment with TCP or UDP. Note that DNS is the odd entry in the table, using both TCP and UDP. It is common to learn the ports and protocols used by some services, but the text points out that services can be assigned to uncommon ports, and that we cannot hope to memorize all possible assignments. This leads us to software that can scan for active, responsive services mapped to ports on a particular IP address.

The text tells us about various flags that can be set in a TCP packet that each make that packet a specific kind of request. Other texts just refer to sending a packet of one of these types. The two explanations are really the same, but our author's language is a less common view of the subject. Regardless of how you see it, the text offers six kinds of port scans that use these packets:

  • TCP connect scan - The hacker sends a SYN packet to a specific port on a server. A server whose port is open will send a SYN-ACK packet, acknowledging the synchronize request. A server whose port is closed will respond with an RST-ACK packet, which resets (refuses) the connection. In this scan, if the hacker receives the SYN-ACK response, the hacker will send an ACK packet, confirming the connection. The hacker will probably then send an RST packet, closing the connection. The targeted port might also send no response to a SYN packet, which means that the attacker must send a SYN packet again to be sure it was not just lost.
  • TCP SYN scan - This is a shorter version of the conneect scan. In this scan, the hacker sends an RST packet as soon as the open port sends a SYN-ACK. That makes this scan faster, and a bit less intrusive because the connection is never completed.
  • TCP FIN scan, NULL scan, and XMAS scan - The text presents these as three typess, but their responses are the same, so the more illustrative site I have linked for you discusses them together. These present good data about closed ports: they respond with an RST packet. Open ports should not respond, which is not very good proof. Filtered ports will not respond, either, which makes this scan only beneficial for finding closed ports.
  • TCP ACK scan - This scan fills in a gap in the behaviior of the FIN, NULL, and XMAS tree scans. It is expected that both open and closed ports will respond with an RST packet, but only if they are unfiltered. A lack of response is interpreted as a filtered port. The lack of filtering may mean that the connections to the port are not being monitored for their connection state.

The text mentions some countermeasures on page 143. The most useful one is the suggestion to deny all traffic unless a firewall rule approves it. This is an example of implicit deny filtering, which is more work for the administrators but more effective in guarding against scans and attacks.

The text continues with a section on using Nmap and a few other scanning programs. The web pages I have linked for you in the list above all have examples of using Nmap for those scans. This link goes to the table of contents for those pages which are part of an online guide published by the author of the Nmap program.

The text also mentions SuperScan, Scanrand, and THC-Amap. They are each a bit different, and information about them can be found on the Internet after a quick search.

The next section is about OS fingerprinting, determining the operating system of a device, whether you have identified open ports on it or not. Fingerprinting in general is gathering specific information about a target. The text tells us we should care about the operating system on a target because that knowledge will lead us to specific exploits to attempt and to avoid. It should not be surprising that Nmap can do this task. The simplest version of an Nmap command that will report on the target's operating system appears on page 149:

Nmap -O ipaddress

In the command illustrated here, the switch is a capital O, and the address is that of the device you want to fingerprint. Notice in the example in the text that the command also provides information about open and closed ports on the target device. This is because Nmap sends packets to the target by default, making it an active scanner. This produces much more information, much faster than a passive scan, which requires that the scanning software read packets sent to and from the target, looking for clues about what it is doing and running. The text warns us that we must be patient when using a passive scanner, such as p0f. The advantage to a passive scan is that it is less likely to draw the attention of an intrusion detection system.

At the end of the chapter, the text discusses making a map of the target network. The author thinks there is a benefit to doing this whether you create a list manually, use software to generate a report, or create an actual graphic map of the network. It helps organize the thoughts and plans of both attackers and defenders. When problems have been identified, it is much easier to exploit or mitigate them.



This week you need to submit Lab 3. Lab 4 is assigned and due next week. Assignment 3 and Part 3 of the ongoing course project are due next week.