ITS 4550 - Fraud Prevention and Deterrence
Chapter 6, Port Scanning
This lesson presents material from chapter 6. Objectives important
to this lesson:
- Network range
- Active machines
- Mapping open ports
- OS fingerprinting
- Mapping the network
- Analyzing results
The text introduces the chapter by comparing footprinting and port scanning.
Footprinting is passive research that sends nothing to the target network.
Port scanning covers several kinds of active research, each of which sends
traffic to hosts on the target network and can therefore be noticed there.
The text recommends that you determine the range of IP addresses being
used by the target first. It mentions that you can research this with
Zone. An exercise in using the Root Zone database to find an address
range appears on pages 115 through 118 of the text. I do not find either
database useful in this regard for some targets. I would recommend, instead,
that you ping the target URL to get a DNS translation of its web server's
IP address, which may be a better start. As the text explains on page
139, this is not always possible. It can be advisable to block ping requests
with firewalls and on specific servers. It is also likely that network
intrusion detection and prevention systems will alert administrators if
there is unusual ping traffic in the network.
If you are able to determine or make a good guess about the target's
IP range, the text suggests several methods that have been used to find
active network connections:
- wardialing - An ancient technique that involved using a modem to dial
ranges of phone numbers, one after another, and to log the ones that
were answered by a computer. The hacker conducting the search would
make follow-up contacts to the live computers to try to break into their
- wardriving - A more recent technique that involves using a laptop
to find wireless access points. Typically, the hacker drives around
the periphery of the target property, searching for an access point
whose range extends beyond the target's border. The text recommends
some tools for this kind of work: AirSnort
(for attacks), AirSnare
(for defense), Kismet
(for both), and NetStumbler
- pinging - As discussed above, a ping reply confirms that a device is up,
but ICMP echo requests can be dropped at the device or at a firewall, so
silence does not prove a host is down. Where it is not blocked, a ping
sweep is an efficient way to determine which machines in an IP range are
currently awake on the network.
The text moves on to a longer discussion that starts with port scanning.
It reminds us that there are 65,535 ports for TCP based services, and
the same number for UDP based services, on any computer. Some common services
are shown in the table on page 140, along with their usual port numbers
and their alignment with TCP or UDP. Note that DNS is the odd entry in
the table, using both TCP and UDP. It is common to learn the ports and
protocols used by some services, but the text points out that services
can be assigned to uncommon ports, and that we cannot hope to memorize
all possible assignments. This leads us to software that can scan for
active, responsive services mapped to ports on a particular IP address.
The text tells us about various flags that can be set in a TCP
packet that each make that packet a specific kind of request. Other
texts just refer to sending a packet of one of these types. The two
explanations are really the same, but our author's language is a less
common view of the subject. Regardless of how you see it, the text
offers six kinds of port scans that use these packets:
- TCP connect scan - The hacker sends a SYN packet to a specific port on
a server. A server whose port is open will send a SYN-ACK packet,
acknowledging the synchronize request. A server whose port is closed will
respond with an RST-ACK packet, which resets (refuses) the connection. In
this scan, if the hacker receives the SYN-ACK response, the hacker sends
an ACK packet, completing the three-way handshake; the service listening
on the port sees a real connection and may log it. The hacker will
probably then send an RST packet, closing the connection. The targeted
port might also send no response to the SYN packet. That can mean the
packet was simply lost, or that a firewall silently dropped it, so the
attacker sends the SYN again before concluding that the port is filtered.
- TCP SYN scan
- This is a shorter version of the connect scan, often called a half-open
scan. In this scan, the hacker sends an RST packet as soon as the open
port sends a SYN-ACK, so the handshake is never completed. That makes
this scan faster, and a bit less intrusive, because the application
behind the port never sees a connection and is unlikely to log one.
The SYN is still visible on the wire, so a network IDS can detect it.
Because the scanner must craft the packets itself rather than use the
operating system's connect call, this scan requires raw-packet (root or
administrator) privileges.
- TCP FIN scan, NULL scan, and XMAS scan
- The text presents these as three types, but their responses are the
same, so the more illustrative site I have linked for you discusses
them together. They present good data about closed ports, which respond
with an RST packet. Open ports should not respond, which is not very
good proof, because filtered ports do not respond either. This makes
these scans useful mainly for finding closed ports; Nmap reports a
silent port from one of them as "open|filtered" for exactly this reason.
One caveat: this behavior depends on the target following the TCP
standard (RFC 793). Systems that do not, such as Microsoft Windows,
answer every one of these probes with an RST, so every port looks
closed and the scan tells you nothing useful about them.
- TCP ACK scan
- This scan fills in a gap in the behavior of the FIN, NULL, and XMAS
tree scans. It is expected that both open and closed ports will respond
with an RST packet, but only if they are unfiltered; the scan therefore
distinguishes filtered from unfiltered ports, not open from closed. A
lack of response is interpreted as a filtered port, which usually means
a stateful firewall dropped the unsolicited ACK. The lack of filtering may mean that
the connections to the port are not being monitored for their
The text mentions some countermeasures on page 143. The most
useful one is the suggestion to deny all traffic unless a firewall rule
approves it. This is an example of implicit (default) deny filtering. It
is more work for the administrators, but it is more effective in
guarding against scans and attacks: a port that no rule allows never
answers a probe, so a scanner sees "filtered" instead of a helpful RST
that confirms the host is there and the port is merely closed.
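The connect scan described above, as an added example that is not code
from the text or from Nmap. It runs a throwaway TCP service on the
loopback address (the host, the ports and the service itself are
constructed for the demo), scans one open port and one closed port the
way a connect scan does, and has the service record every handshake it
completes, which is the trace a SYN scan avoids leaving. A port that
answers nothing is re-probed before it is called filtered, which is what
a probe would see behind the default-deny firewall just discussed.

```python
"""Added example (not from the text): a TCP connect scan against a local
throwaway service.  All addresses and ports here are constructed."""
import socket
import threading
import time


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP service on an ephemeral loopback port.

    Returns (port, accepted, stop): `accepted` collects the peer address of
    every connection the service completed, `stop` shuts the service down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the kernel pick a free port
    srv.listen(5)
    srv.settimeout(0.2)          # so the accept loop can notice `stop`
    port = srv.getsockname()[1]
    accepted = []
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            accepted.append(peer)   # a completed three-way handshake
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, accepted, stop


def free_port(host="127.0.0.1"):
    """Find a port nothing is listening on, to play the 'closed' role."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5, retries=1):
    """Classify one port the way a connect scan does.

    open     -> SYN-ACK came back and the handshake completed
    closed   -> RST(-ACK) came back (connection refused)
    filtered -> no answer within `timeout`, even after `retries` more
                attempts; a lost SYN and a silently dropping firewall
                look identical on the first try
    """
    for _ in range(retries + 1):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except ConnectionRefusedError:
                return "closed"
            except OSError:        # timeout, host unreachable, ...
                continue
            return "open"
    return "filtered"


def connect_scan(host, ports, **kw):
    """Scan a list of ports; returns {port: state}."""
    return {p: probe(host, p, **kw) for p in ports}


def demo():
    """Scan the local listener plus a closed port; returns (results, handshakes)."""
    port, accepted, stop = start_listener()
    try:
        results = connect_scan("127.0.0.1", [port, free_port()])
        # the service logs the handshake from its own thread; give it a moment
        for _ in range(50):
            if len(accepted) >= 1:
                break
            time.sleep(0.02)
    finally:
        stop.set()
    return results, len(accepted)


if __name__ == "__main__":
    results, handshakes = demo()
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
    print(f"handshakes the service saw: {handshakes}")
```

The count of handshakes is the point: every open port a connect scan
finds shows up in the service's own accept log, which is why the text
calls the SYN scan less intrusive. The same `probe` against an address
behind a default-deny firewall returns "filtered" after the retries,
exactly the answer the countermeasure is meant to produce.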
The text continues with a section on using Nmap and a few
other scanning programs. The web pages I have linked for you in the
list above all have examples of using Nmap for those scans. This link
goes to the table of contents for those pages which are part of an online guide published by the author of the Nmap program.
The text also mentions SuperScan, Scanrand, and THC-Amap. They
are each a bit different, and information about them can be found on
the Internet after a quick search.
The next section is about OS fingerprinting, determining the
operating system of a device, whether you have identified open ports on
it or not. Fingerprinting in general is gathering specific information
about a target. The text tells us we should care about the operating
system on a target because that knowledge will lead us to specific
exploits to attempt and to avoid. It should not be surprising that Nmap
can do this task. The simplest version of an Nmap command that will
report on the target's operating system appears on page 149:
nmap -O ipaddress
In the command illustrated here, the switch is a capital O, and the
address is that of the device you want to fingerprint. Like the SYN
scan, OS detection builds its own probe packets, so it must be run with
root or administrator privileges. Notice in the example in the text
that the command also provides information about open and closed ports
on the target device. This is because Nmap sends packets to the target
by default, making it an active scanner, and it needs at least one open
and one closed port to fingerprint reliably. This produces much more
information, much faster than a passive
scan, which requires that the scanning software read packets sent to
and from the target, looking for clues about what it is doing and
running. The text warns us that we must be patient when using a passive
scanner, such as p0f. The advantage to a passive scan is that it is less likely to draw the attention of an intrusion detection system.
At the end of the chapter, the text discusses making a map of
the target network. The author thinks there is a benefit to doing this
whether you create a list manually, use software to generate a report,
or create an actual graphic map of the network. It helps organize the
thoughts and plans of both attackers and defenders. When problems have
been identified, it is much easier to exploit or mitigate them.
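One way to build the kind of map the author describes, as an added
example that is not from the text or from Nmap itself: parse a scan
report into a per-host inventory and then invert it into a per-service
view, which is the question a defender or attacker actually asks next
("which hosts expose SMB?"). The input is a constructed sample in Nmap's
grepable (-oG) output format, not the output of any real scan; the
addresses, names and services in it are made up.

```python
"""Added example (not from the text): turn an nmap -oG report into a
network map.  SAMPLE_GREPABLE is constructed, not a real scan."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in nmap's grepable format.  Fields are tab-separated;
# each port entry is port/state/protocol/owner/service/rpc/version/.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.1 (gw.lab.example)\tStatus: Up
Host: 10.0.0.1 (gw.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 53/open/tcp//domain//dnsmasq 2.89/, 53/open/udp//domain//dnsmasq 2.89/\tIgnored State: closed (997)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 10.0.0.9 (printer.lab.example)\tStatus: Down
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname", "status", "ignored", "ports": [...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comments and blank lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)  # name is "" when rDNS failed
        entry = hosts.setdefault(
            ip, {"hostname": name, "status": None, "ignored": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ignored State":
                entry["ignored"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
                    entry["ports"].append({
                        "port": int(port), "state": state, "proto": proto,
                        "service": service, "version": version})
    return hosts


def service_index(hosts):
    """Invert the map: {(proto, port): [ips exposing it as open]}."""
    index = defaultdict(list)
    for ip, entry in hosts.items():
        for p in entry["ports"]:
            if p["state"] == "open":
                index[(p["proto"], p["port"])].append(ip)
    return dict(index)


def render_map(hosts):
    """A plain-text map, one host per block, sorted by address."""
    lines = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        e = hosts[ip]
        lines.append(f"{ip}  {e['hostname'] or '(no rDNS)'}  status={e['status']}")
        for p in e["ports"]:
            ver = f"  {p['version']}" if p["version"] else ""
            lines.append(f"    {p['port']}/{p['proto']}  {p['state']}  {p['service']}{ver}")
    return "\n".join(lines)


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_GREPABLE)
    print(render_map(hosts))
    for (proto, port), ips in sorted(service_index(hosts).items()):
        print(f"{port}/{proto} open on: {', '.join(ips)}")
```

Only ports in state "open" go into the service index; a "filtered" entry
is evidence of a firewall, not of a reachable service, and mixing the two
is a common way to over-count an attack surface.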