Port Scanning A Brief Introduction

Transcription

1 Port Scanning A Brief Introduction Sven Helmer April 4, 2018 Contents 1 Background Ports Port Scanning Port Scanning for Fun and Profit First Steps with NMAP 4 1

2 1 Background This documentation has been written using a book by Gordon Lyon, the author of NMAP [2]. However, most of the information can also be found on the NMAP web site [1]. 1.1 Ports Essentially, NMAP is a tool to conduct port scanning. Before continuing, we should first answer the question what a port is. Ports are a software abstraction, identifying communication channels on a machine. While IP addresses are used to identify machines on a network, ports distinguish different applications that are running on a machine and have a connection to the outside world. For example, a web browser will usually use the TCP port 80 to connect to a web server (if you use http that is, for https, port 443 is used by default). NMAP can scan TCP and UDP ports, we are going to restrict ourselves to TCP ports in this lab session. If you want to find out more about technical details, please look at the NMAP documentation [1]. Popular services, such as http, are registered to a well-known port-number and NMAP has a file describing the most common protocols used on the internet. Root privileges are needed to start services on a Unix/Linux system on a port between 1 and 1023 (these are reserved ports). This is to give users the assurance that the service was started up by a system administrator and not any (malicious) user of the system. Nevertheless, this does not protect against a vicious system administrator. 1.2 Port Scanning Port scanning is about testing the states of ports on a (remote) machine. One of the most interesting states is open, which means that there is an application listening on that port waiting for connections (more on the different states in just a moment). The simplest way to call NMAP is to provide just an IP address as a parameter (the following IP address is one of the addresses you may use during this lab, so go ahead and try it out; this only works when inside the university network): nmap NMAP will do a quick scan of the most popular ports and return with a list of ports it found and their state. There are different techniques for implementing port scans, the documentation and book on NMAP provide more details [1, 2]. NMAP distinguishes between six different states that ports can be in. We will now give a brief overview of these states: open An application is actively accepting connections on this port. These are ports that attackers are looking for, as every open port is a potential entry point into the system. Administrators should try to keep the number of open ports to a minimum in order to decrease the risk of a successful attack. Obviously some ports will be open to provide certain services, but these ports should be protected in some way (e.g. a firewall, TCP wrappers, white lists of hosts that may connect). 2

3 closed A closed port is accessible, i.e. it receives and responds to probe packets, but there is no application listening on it. While not directly exploitable for an attack, they may still provide other useful information (e.g. that a host is online, about the operating system a host is running). Administrators may want to consider blocking such ports with a firewall, so that they appear in the filtered state (discussed next). filtered This state means that NMAP is not able to determine whether a port is open or not. This can be due to countermeasures put into place such as firewalls or router rules. Sometimes the response is an error message or no reply at all (the probe packets send by NMAP are simply dropped). The following states are returned when using certain types of scans (which we will not be using in this lab). unfiltered The port is accessible, but NMAP is not able to determine if it is open or closed. Only the ACK scan, which is used to map firewall rulesets classifies ports into this state. open filtered This is returned when NMAP is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports do not give a response. closed filtered NMAP is unable to determine whether a port is closed or filtered. It is only used for the IP ID Idle scan. Keep in mind that the results by NMAP are not always 100% accurate, as the contacted machines may try to confuse or mislead port scanners. However, for this lab session you may assume that this is not the case and NMAP delivers accurate results. 1.3 Port Scanning for Fun and Profit The main point of this lab session is not to show you how to hack your way into a system and launch an attack, but to get an impression of what actual attackers are looking for and how they work. Information like this helps administrators to make their systems more secure in the following ways: It helps in getting an overview on what services are running on the machines of a network. Using a tool like NMAP makes this easier to accomplish without having to log onto every individual machine to investigate what is running on that machine. In addition to this, there might be services started by regular users that the administrator is not aware of. As a consequence of this investigation, an administrator should shut down all the services that are not needed for any (work-related) purpose. For the services that are necessary, the latest patches and other protection measures should be installed. The main purpose of port scanners is security-related, but it can also be used for tasks such as creating an inventory of machines and services, availability testing, and network debugging. 3

4 2 First Steps with NMAP The simplest way to run NMAP is to call it without any options or parameters at all, in this case it returns a help summary listing all the available options: nmap The help list will also be printed out when calling it with the -h parameter: nmap -h Do not be intimidated by the long list of options, we will only be using a small subset. The options and parameters important for the lab session will be explained in the following. One of the most important parameters is the target of the scan. You can supply the name of the target or an IP address. For this lab, please use only the following machines: IP address host name host name and site infsec1 infsec1.unibz.it infsec2 infsec2.unibz.it infsec3 infsec3.unibz.it Table 1: Machines used for the Information Security lab So any of the following commands is fine: nmap nmap nmap NMAP first pings the host to see if it is alive. However, not all hosts may respond to this. You can override this by using the -PN option, then NMAP will try to scan the host regardless of the result of the ping probe (NMAP will also tell you this): nmap -PN Note: If you are working on this lab session from home, you might not be able to directly get a connection to the above hosts. In that case you need to log into a machine at the department (via ssh or VPN) and then do the scanning from that machine. Another interesting option is -v, which stands for verbose. If you use that option then NMAP will be more chatty about what it is doing at the moment, so the following command will provide more details about the scanning process: nmap -v -PN By default NMAP only looks at the 1000 most popular ports. However, the ports are addressed using a 16-bit integer, which means that there are theoretically of them, numbered from 0 to (of which port 0 is not used). You can supply a range of port numbers that NMAP will scan with the option -p. For example, if you want to scan all the ports from 1 to 20000, you would issue the following command: 4

5 nmap -p PN If you want to scan all the ports, then just enter nmap -p0- -PN Finally there is an option, -A, that puts NMAP into a more aggressive mode. In this mode NMAP tries to find out additional information about the services that are running, e.g. version numbers. So running the following command will provide a detailed overview: nmap -v -A -p0- -PN It might make sense to run the above command with the additional option -T5. This will enable a more aggressive timing policy, speeding up the scan. nmap -v -T5 -A -p0- -PN References [1] Gordon Lyon. Nmap documentation. [2] Gordon Lyon. NMAP Network Scanning. Insecure.Com LLC, Sunnyvale, California,