Back to Cptr427Winter2010

Hacking Exposed Chapter 2: Scanning

Scanning is a method of determining what system and services are running on a machine

Determining if the System is Alive

Network Ping Sweeps

Network ping sweeps are used to find active systems on a network. They work by using ICMP to ping every IP address on a network. If a system responds, you know it's there. Tools used to do network ping sweeps include fping on *Nix systems and nmap on Windows systems.

Detecting a ping sweep is important to maintain security. Snort can be used to detect ping sweeps, and most commercial network and desktop firewalls can detect ping sweeps. Preventing a ping sweep can be done by evaluating the ICMP traffic that you allow into your network. [Dr. A: What would you suggest blocking?]

ICMP Queries

ICMP Queries are used as a scanning technique that takes advantage of the expected default replies to different types of ICMP traffic.

To defend against ICMP queries, it is possible to block the ICMP types that give out information at your border routers.

Determining Which Services are Running or Listening

Port Scanning

After finding responsive systems, an attacker will typically attempt to determine which services are running on a machine. One technique used to do so is port scanning. Port scanning is the process of sending packets to TCP or UDP ports on a target system are running or in a listening state. This allows the attacker to determine what attacks will be effective against a system.

Scan Types

• TCP Connect Scan
• TCP SYN Scan
• TCP FIN Scan
• TCP Xmas Tree Scan
• Many more

Identifying TCP and UDP Services Running

Tools to identify running services include:

• Strobe: a TCP scanning utility for Linux
• udp_scan: a udp scanner for Linux
• netcat: A tool that can be used to do TCP and UDP scans for Linux
• nmap: A tool that can scan both TCP and UDP for UNIX

• SuperScan: TCP/UDP scanner for Windows

• WUPS: UDP Scanner for Windows
• Many more

Defending against port scans

Detecting port scans can be done with Snort and many other firewalls. Preventing a port scan is not viable, but limiting exposure is. This can be accomplished by disabling services that are not necessary on the target machine.

Detecting the Operating System

Active Operating System Detection

Active Stack Fingerprinting is a technique for active OS detections that takes advantage of the differences in implementation of the IP stack. This technique can produce results with a high degree of accuracy. It uses many different probes to determine the OS, such as FIN Probe, Bonus Flag probe, Initial sequence number sampling, TCP initial window size, and others.

Countermeasures include detecting the probe, but prevention is not really necessary or viable.

Passive OS detection

Passive Stack Fingerprinting monitors network traffic to determine the OS, using signatures such as the TTL, window size, and the DF bit.

Prevention: Same as above

Automated Discovery Tools

ADTs are bundles of software that can do many of the techniques discussed earlier. The defense agains such tools lies in the defense against each individual part, discussed earlier.