Detect Live Hosts and Ports

2.2. Detect Live Hosts and Ports

We will see how to detect open ports, identify services, operating systems, and much more.

It is important to know that with the advent of protocol security in both firewalls and routers, this process has become quite a bit more difficult than it used to be. We must also keep in mind that, based upon the type of discovery launched against the target, the level of noise produced varies therefore, making it essential that we are aware of the various scanning and enumeration techniques we decide to use. For example, running a straight ping sweep of a network is surely going to announce that we are there and we have started identifying their systems. On the other hand, a very random RCP connect scan may appear to administrators as normal connect requests to hosts, but this takes longer time.

There are several tools that are essential to network enumeration:

  • Nmap Nmap is network enumeration and auditing tool. This tool is used to identify alive hosts, open ports, and so on. Nmap need to be run in root or administrator privilleges in order to operate.

    Basic command line format of nmap:

    nmap <scan_type> <options> <target>

    Host discovery techniques:

    • -sL : List Scan - Simply list targets to scan

    • -sn : Ping Scan - disable port scan

    • -Pn : Treat all hosts as online -- skip host discovery

    • -PS/PA/PU/PY[portlist] : TCP SYN/ACK, UDP or SCTP discovery

    • -PE/PP/PM : ICMP echo, timestamp, netmask request discovery

    • -PO[protocol list] : IP Protocol Ping

    • -n/-R : Never do DNS resolution/Always resolve

    • --dns-servers <serv1[,serv2],...> : Specify custom DNS servers

    • --system-dns : Use OS's DNS resolver

    • --traceroute : Trace hop path to each host

    Scanning techniques (Get information about open/closed/filtered ports):

    • -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

    • -sU: UDP Scan

    • -sN/sF/sX: CP Null, FIN, and Xmas scans

    • --scanflags <flags>: Customize TCP scan flags

    • -sI <zombie host[:probeport]>: Idle scan

    • -sY/sZ: SCTP INIT/COOKIE-ECHO scans

    • -sO: IP protocol scan

    • -b <FTP relay host>: FTP bounce scan

    Scanning Techniques

    • TCP SYN Scan -sS SYN scans are the most popular type of scans as they can both be performed quickly and, are not as obtrusive as other types of scan. A SYN scan is also one of the more accurate scans for determining if a discovered port is in an open, closed, or in a filtered state.

      Since the SYN scan does not open a full TCP connection, it is often referred to as half-opening scanning. This is how it works:

      • Nmap sends the SYN packet to open the communications and then awaits the response to determine the port states

      • If a SYN/ACK message is received, nmap knows the port is open. If a RST (reset) flag is received, nmap will report the port as closed or not after actively listening

      • After receiving the response, our machine closes the connection sending a RST packet

      In the event that no response is received after several attempts, nmap will report the port as filtered. A port will also marked as filtered in the event that an ICMP unreachable error is returned as a response

    • TCP Connect Scan -sT TCP connect scan is the default type of TCP scan when SYN scan is not an option. This type of scan is also used in the case of a network utilizing the IPv6 protocol.

      With TCP connect scan, nmap relies on the underlying operating system to establish a TCP connection to the target host, and therefore it does not utilize raw packets as with most other scans.

      Since nmap is relying on the OS to perform the connection, it naturally has less reliable results compared to raw packets, therefore, is less efficient.

      This is how it works:

      • Nmap sends the SYN packet to open the communications

      • Once the target machine responds with the SYN-ACK, out host completes the communication by sending an RST-ACK. Establishing a full TCP communication, subsequently, is less efficient than the previous SYN scan.

    • UDP Scan -sU nmap is able to use UDP scan to discover services (as well as identify/enumerate) that runs on UDP (i.e.: DNS,SNMP,DHCP) commonly used to exploit systems.

      In many instances, auditors will overlook the existence of UDP services. To make matters worse, network administrators often times leave them accessible.

      It is important to know that, given the design of the protocol, UDP scans are much slower and more difficult to conduct. (But it should always be done!)

      This is how it works:

      • nmap start the UDP connection by sending a packet to the remote host

      • Since the port is open, the host responds to our request. Right after, the remote host closes the connection by sending an ICMP packet Destination Unreachable

      • In contrast, when the port is closed, an ICMP packet Destination Unreachable will be sent right away (without the first response)

    • Idle Scan -sI (More) Idle scan is a stealth technique that involves the presence of a zombie in the target network. A zombie is a host that is not sending or receiving any packets thus, the reason its called an idle scan.

      In order to understand this technique, you need to know that the IP protocol implements a Fragmentation ID header and that many OS increase its value by 1 (for each packet)

      Fragmentation If a message (package) is too large, a message must be split into smaller messages. In essence, this is the process of fragmentation.

      When a device sends fragments of a message, the host on the other side must be able to identify these fragments in order to reassemble them.

      This is achieved by assigning an unique identifier to each fragment of the message called Fragmentation ID. This way the receiver knows the correct sequence of the fragments and can assemble them back into the original message.

      By probing the fragmentation ID's on the zombie, we can infer if a port is either open or closed on our target. But, there are 2 prerequisites that must be met:

      1. Find a zombie that assigns IP ID both incrementally and globally

      2. Find an idle zombie, meaning that there should be no other traffic on the zombie that will disturb the IP ID

      How do we determine a good candidate zombie? We can use nmap to perform OS fingerprinting on potential candidate zombies. If we run this scan with the verbose mode enabled, nmap will determine if the IP ID sequence generation is incremental (the one we need).

      The command is as follows:

      nmap -O -v [IP_ADDRESS]

      If the IP ID Sequence is incremental, it will output IP ID Sequence Generation: Incremental

      Before seeing the attack in detail, let's take a look at the steps required to mount it:

      1. Probe the zombie's IP ID and record its value

      2. Forge a SYN packet with the source address of the zombie and send it to the port of our target host Depending on how the target reacts, it may or may not cause the zombie IP ID to be incremented

      3. Probe the zombie's IP ID again and, pending upon the ID we can infer if the target port is opened or closed

      Lets now take a look at all the tasks that we (the attackers) have to perform once we discover a zombie:

      1. Probe the zombie's IP IS by sending a SYN/ACK to it

      2. Since the communication is not expected, the zombie will send back a RST with its IP ID

      3. Forge a SYN packets (IP spoofing) with the zombie source IP address and send it to the target we wish to scan

      The results depends on whether the port is opened or closed

      • If the port is open 4. The target send back a SYN/ACK to the zombie 5. The zombie does not expect it, therefore it sends an RST back to the target and increments its IP ID 6. The attacker probes again the zombie's IP ID 7. The zombie sends back a RST. The attacker sees that the IP ID is incremented by 2 (from initial probe)

      • If the port is closed 4. The target send back to the zombie a RST and the zombie simply ignores the packet leaving its IP ID intact 5. The attacker probes again the zombie's IP ID 6. The zombie sends back a RST and the attacker sees that the IP ID is incremented only by 1

      Now that we know how this technique work, we will see how to run it using nmap -sI option. We need to use an open port on the zombie, which in our case, is port 135: nmap -Pn -sI 10.50.97.10:135 10.50.96.110 -v or nmap -Pn -sI 10.50.97.10:135 10.50.96.110 -p23 -v or nmap -Pn -sI 10.50.97.10:135 10.50.96.110 -p- -v Description: - 10.50.97.10:135 is the zombie IP and port - 10.50.96.110 is the target we wish to scan - -Pn prevents pings from the original (our) IP - -v sets the nmap verbosity - -p port to scan (-p- means all port, not specified means the default port)

      If we inspect the traffic with Wireshark, we will not see any communication between the target host and out original IP addresses!

      You can see a detailed list of every packet sent and received with nmap by using the --packet-trace option

    • Never do DNS resolution -n This is an additional flag we can add to our nmap scans to increase our scan times, and also help us stay a bit more "under the radar", as reverse DNS lookups can generate more noise than necessary.

    • FTP Bounce Scan -b This is another stealthy scan option we can use. Also known as FTP Bounce Attack, this type of scan exploits an FTP servers' PORT command and if an FTP server is vulnerable, allows us to launch port scans from the FTP server to other machines on the internet, or to even conduct scans against machines we don't have direct access to on an internal network.

      All scans using this method will appear to have originated from the FTP server, and is another great way to hide our true source.

    • TCP NULL -sN, FIN -sF, Xmas scans -sX These scans exploits a loophole in the TCP RFC in order to differentiate between open and closed ports.

      We must keep in mind that a TCP packet can be tagged with six different flags (Synchronize (SYN), Finish (FIN), Acknowledgement (ACK), Push (PSH), Reset (RST), and Urgent (URG)).

      Basically, the TCP RFC states that if a destination port is closed, an incoming packet segment not containing a Reset (RST), causes a Reset to be sent (as the response).

      The RFC goes on and states that packets sent to open ports without the SYN, RST, or ACK bits set, should be dropped and the packet should be returned.

      As a result, if a system compliant with the TCP RFC receives a packet that does not contain the required bits (SYN, RST, ACK), it will return:

      • an RST if the port is closed

      • no response if the port is open

      Moreover, as long as none of those three required bits are included (SYN, RST, ACK), any combination of other bits (FIN, PSH, URG) are acceptable.

      nmap implements different scans to take advantage of this loophole:

      • Null scan -sN : Does not send any bits (TCP flag header is 0)

      • FIN scan -sF : Only sets the TCP FIN bit

      • Xmas scan -sX : Sets the FIN, PSH, and URG flags, lighting up the package like a christmas tree

      At one time, we could have considered these type of scans as a means to bypass firewall and packet filtering rules however, with both the proliferation of stateful firewalls, and the fact that IDS sensors are set to look for this behavior, the stealth in these techniques have been eliminated.

      Keep in mind hat many of the major OS (Microsoft Windows, Cisco IOS, IBM OS/400, Unix based) send a Reset response to the probes, regardless of whether or not the port is actually open.

      In addition, you should be aware that these scans cannot always determine if a port is open or filtered. So nmap will return a open/filtered result and you will have to test further to determine the actual state.

    • TCP ACK scan -sA This type of scan differs from the scans seen this far due to the fact that it is not used tot determine open ports. Instead, it is used to map out the rulesets of firewalls and determine if the devices are both stateful and which ports are filtered.

      In this particular scan, the ACK bit is the only one set. When scanning unfiltered systems, both open and closed ports will return a RST packet and nmap will remark them as unfiltered.

      Ports that do not respond, will then be labeled as filtered.

    • IP protocol scan -sO This scan cannot be considered a port scanning technique, as it actually just enumerated the types of IP protocols that a target system supports.

      It is similar to UDP scan however, instead of walking through port number field of a UDP packet, it walks through the 8-bit IP protocol field.

      Rather than watching for ICMP port unreachable messages, protocols scans are on the lookout for ICMP protocol unreachable messages.

      If nmap receives any response in any protocol from the target host, nmap marks that protocol as open.

    Output options:

    • Normal output -oN : the normal output will be stored into a file

    • XML output -oX : creates an XML output that can be easily parsed by various tools

    • Grepable output -oG (Deprecated but still popular) : lists each host on one line and can be easily used to search and parse with grep

    GUI alternative to nmap : Zenmap

    Other features : NSE (Nmap Scripting Engine)

  • Hping We will discuss on how to use hping to conduct idle scan.

    Step:

    1. Determine an open port on the host

      hping -S --scan known 10.50.97.10

    2. Find a good zombie host In order to estimate the host (zombie) traffic with hping, we use the following command:

      hping3 -Ss -r -p [port] [IPaddress]

      Description:

      • -r tells the tool to display ID increments instead of the actual ID

      • -p sets the destination port The -r option allows us to see the relative IP field, therefore, if the IP ID increases by 1, it can be considered a viable candidate. We can never be 100% sure because:

      • We have to validate if it is a global or local increase

      • Some hosts increase IP ID on a per host basis

    3. Use hping to craft packets that will be sent to target host we want to scan Note that these packets must have the source IP address of our zombie. Moreover, while we send out these packets ,we will also have to monitor if the zombie ID increments.

      The first command tells hping to craft a packet with the following configurations:

      hping3 -a [ZombieIP] -S -p [TargetPort] [TargetIPaddress]

      Description:

      • -a : source IP address (spoof with the zombie's)

      • -S : the packet will have the SYN flag enabled

      • -p : destination port

      To monitor zombie ID, we need to continue running the previous command in order to detect if it is a good zombie:

      hping3 -S -r -p 135 10.50.97.10

      If in the output the ID increment is +2, we can deduce that the [TargetPort] on [TargetIPaddress] is open.

  • Other tools

PreviousScanningNextService and OS detection

Last updated