Port scanning can uncover a number of holes that a hacker could use against you, we cover how to scan ports and more below.
TIP: To Scan your ports online (fast and free), take our free Firewall Test
Port Scanning is one of the most popular reconnaissance techniques attackers use to discover services they can break into. All machines connected to a Local Area Network (LAN) or Internet run many services that listen at well-known and not so well known ports. A port scan helps the attacker find which ports are available (i.e., what service might be listing to a port). Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed further for weakness.
Can I take legal action against port scanning?
A Port scan is like ringing the doorbell to see whether someone’s at home. The police usually can’t do anything about it. They have to wait until a crime is committed. The police might give it more consideration if the doorbell is repeatedly rung causing the homeowner to complain of harassment. Sometimes, if a computer system is affected too much by a port scan, one can argue that the port scan was, in fact, a denial-of-service (DoS) attack, which is usually an offense.
The various techniques used in a port scan are summarized below.
Port Scan – Port Numbers
As you know, public IP addresses are controlled by worldwide registrars, and are unique globally. Port numbers are not so controlled, but over the decades certain ports have become standard for certain services. The port numbers are unique only within a computer system. Port numbers are 16-bit unsigned numbers.The port numbers are divided into three ranges:
* Well Known Ports (0 – 1023)
* Registered Ports (1024 – 49151)
* Dynamic and/or Private Ports (49152 – 65535)
Well-Known Ports
Ports numbered 0 to 1023 are considered well known (also called standard ports) and are assigned to services by the IANA (Internet Assigned Numbers Authority). Here are a few samples:
* echo – 7/tcp – Echo
* ftp-data – 20/udp – File Transfer [Default Data]
* ftp – 21/tcp – File Transfer [Control]
* ssh – 22/tcp – SSH Remote Login Protocol
* telnet – 23/tcp – Telnet
* domain – 53/udp – Domain Name Server
* www-http – 80/tcp – World Wide Web HTTP
Non-Standard Ports
By a non-standard port, we simply mean a port whose number is higher than 1023. In this range also, several services are “standard.” For example:
* wins – 1512/tcp # Microsoft Windows Internet Name Service
* radius 1812/udp # RADIUS authentication protocol
Some malicious programs such as Trojans and Viruses have spread so wide that there are a number of ports that if found open, usually indicate that a system may have a virus.
Port Scanning Basic Techniques
The simplest port scan tries (i.e., sends a carefully constructed packet with a chosen destination port number) each of the ports from 0 to 65535 on the victim to see which ones are open.
TCP connect():- The connect() system call provided by an OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn’t reachable.
Strobe -A strobe does a narrower scan, only looking for those services the attacker knows how to exploit. The name comes from one of the original TCP scanning programs, though now virtually all scanning tools include this feature.
The ident protocol allows for the disclosure of the username of the owner of any process connected via TCP, even if that process didn’t initiate the connection. So, e.g., one can connect to port 80 and then use identd to find out whether the HTTP server is running as root.
Port Scanning Advanced Techniques
One problem, from the perspective of the attacker attempting to scan a port, is that services listening on these ports log scans. They see an incoming connection, but no data, so an error is logged. There exist a number of stealth scan techniques to avoid this. A stealth scan is a kind of scan that is designed to go undetected by auditing tools. Obviously, this is a race between the hacker and firewall vendors – what are considered stealth scans now may not be so in a few months once the firewall vendor becomes aware of such techniques.
Port scanners scan a host rapidly by firing off packets at different ports. So, scanning very slowly (taking a day or more) becomes a stealth technique. Another stealth scanning technique is “inverse mapping”, where you try to find out all hosts on a network by generating “host unreachable” ICMP-messages for those IPs that do not exist. Since these messages may be generated by any TCP/IP packet one may send meaningless packets (e.g. RST packets sent without any previous packet).
Fragmented packet Port Scan
The scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules. Some packet filters and firewalls do queue all IP fragments, but many networks cannot afford the performance loss caused by the queuing.
SYN scan
This technique is also called half-open scanning, because a TCP connection is not completed. A SYN packet is sent (as if we are going to open a connection), and the target host responds with a SYN+ACK, this indicates the port is listening, and an RST indicates a non- listener. The server process is never informed by the TCP layer because the connection did not complete.
FIN scan
The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports. The scanner sends a FIN packet, which should close a connection that is open. Closed ports reply to a FIN packet with a RST. Open ports, on the other hand, ignore the packet in question. This is required TCP behavior.
If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, silence indicates the presence of a service at the port. However, since packets can be dropped accidentally on the wire or blocked by firewalls, this isn’t a very effective scan.
Other techniques that have been used consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans, and it becomes important to identify the OS and even its version and patch level.
Bounce Scan
The ability to hide their tracks is important to attackers. Therefore, attackers scour the Internet looking for systems they can bounce their attacks through.
FTP bounce scanning takes advantage of a vulnerability of the FTP protocol itself. It requires support for proxy ftp connections. This bouncing through an FTP server hides where the attacker comes from. This technique is similar to IP spoofing in that it hides where the attacker comes from. For example, badwebsitexyz.com establishes a control connection to the FTP server-PI (protocol interpreter) of say, badspiderbites.com, then requests that the server-PI initiate an active server-DTP (data transfer process) to send a file anywhere on the Internet.
A port scanner can exploit this to scan TCP ports from a proxy ftp server. Thus you could connect to an FTP server behind a firewall, and then scan ports that are more likely to be blocked (e.g., port 139). If the ftp server allows reading from and writing to a directory (such as /incoming), you can send arbitrary data to ports that you do find open.
The advantages to this approach are obvious (harder to trace, potential to bypass firewalls). The main disadvantages are that it is slow, and that many FTP server implementations have finally disabled the proxy “feature”.
Finger
Most finger servers allow commands to be forwarded through them. Finger supports recursive queries. A query such as “rob@foo@bar” will ask “bar” to resolve “rob@foo”, causing “bar” to query “foo”. This technique can be used to hide the original source of the request.
E-mail: Spammers try to relay their spam through SMTP servers. As a result, probes for SMTP are commonly seen by machines on the Internet.
SOCKS Allows almost any protocol to be tunneled through the intermediate machine. As a result, attackers probing for SOCKS is common scan seen on the Internet.
HTTP proxy: Most web servers support proxying so that all web traffic can be directed to a single server for filtering as well as caching to improve performance. A lot of these servers are misconfigured to allow proxying of any request from the Internet, allowing attackers to relay attacks against web sites through a third party. Probes for HTTP proxies are one of the more common scans seen today.
IRC BNC: Attackers love to hide their IRC identities by bouncing their connections through other machines. A particular program called “BNC” is used for this purpose on compromised machines.
UDP Scanning
Port scanning usually means scanning for TCP ports, which are connection-oriented and therefore give good feedback to the attacker. UDP responds in a different manner. In order to find UDP ports, the attacker generally sends empty UDP datagrams. If the port is listening, the service should send back an error message or ignore the incoming datagram. If the port is closed, then most operating systems send back an “ICMP Port Unreachable” message. Thus, you can find out if a port is NOT open, and by exclusion determine which ports are open. Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).
Also, this scanning technique is slow because of compensation for machines that implement the suggestions of RFC 1812 and limit ICMP error message rate. For example, a kernal may limit destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded.
Some people think UDP scanning is pointless – not so. Sometimes for example, Rpcbind can be found hiding on an undocumented UDP port somewhere above 32770. So it doesn’t matter that port 111 is blocked by the firewall. But can you find which of the more than 30,000 high ports it is listening on? With a UDP scanner you can.
ICMP Scan
This isn’t really port scanning, since ICMP does not have a port abstraction. But it is sometimes useful to determine what hosts in a network are up by pinging them all. ICMP scanning can be done in parallel, so it can be quite fast.
Fingerprinting an OS:
The last scanning method is called Fingerprinting. Fingerprinting is the technique of interpreting the responses of a system in order to figure out what it is. Unusual combination’s of data are sent to the system in order to trigger these responses. Systems respond the same with correct data, but they rarely respond the same way for wrong data.
Friday, November 19, 2010
Thursday, November 18, 2010
Firewall, Intrusion Detection System (IDS), Intrusion Protection System (IPS)
Firewall/VPN is a perimeter-defense device, typically deployed where the enterprise’s internal network meets the open Internet. The main purpose of the firewall is to stop unwanted traffic from entering or leaving the internal enterprise network. The purpose of the IPSec VPN is to provide secure communication between two sites through the open Internet.
The Intrusion System (IDS) is traditionally deployed to monitor traffic in vital segments in the network, generating alerts when an intrusion is detected. The importance of the IDS has grown significantly as the industry recognizes that 90 percent of attacks in recent years have exploited application vulnerabilities. The traditional stateful inspection firewall, based largely on matching packet header information against Access Control Lists (ACLs), is ineffective to fend off such attacks. A good IDS, on the other hand, can expose these application layer attacks.
But detection alone is insufficient—it is also important to terminate the attack upon detection. Hence, the trend is to evolve the IDS into an Intrusion Prevention System (IPS), which takes detection to the next level and stops the detected attacks, including application attacks.
In addition to the IDS/IPS, application content security arsenal in an enterprise may also include antivirus, anti-spam and content filtering devices.
Sunday, November 14, 2010
SSH (a prolonged SSL)
SSH Connection Methods
Several things can happen when using SSH to
connect from your machine (client) to another
machine (server):
Server's public host key is passed back to the client
and verified against known_hosts
Password prompt is used if public key is accepted,
or already on client, or
RSA/DSA key exchange takes place and you must
enter in your private key passphrase to
authenticate (assuming you have one).
SSH Quick Tips
You have a choice of authentication keys - RSA
is the default (dsa is fine as well).
The files you care about are:
/etc/ssh/ssh_config
/etc/ssh/sshd_config
~/.ssh/identity and identity.pub (deprecated)
~/.ssh/id_dsa and id_dsa.pub
~/.ssh/id_rsa and id_rsa.pub
~/.ssh/known_hosts
~/.ssh/authorized_keys
And, note the rsa/dsa host-wide key files in /etc/ssh
Be sure that you do “man ssh” and “man sshd”
and read the entire descriptions for both the
ssh client and ssh server (sshd).
SSH Authentication
Private key can be protected by a passphrase
So you have to give it each time you log in
Or use "ssh-agent" which holds a copy of your
passphrase in RAM
No need to change passwords across dozens of
machines
Disable passwords entirely!
/etc/ssh/sshd_config
Annoyingly, for historical reasons there are
*three* different types of SSH keys
SSH1 RSA, SSH2 DSA, SSH2 RSA
Man in the Middle Attacks
The first time you connect to a remote host,
remember its public key
Stored in ~/.ssh/known_hosts
The next time you connect, if the remote key is
different, then maybe an attacker is
intercepting the connection!
Or maybe the remote host has just got a new
key, e.g. after a reinstall. But it's up to you to
resolve the problem
You will be warned if the key changes.
Exchanging Host Keys
First time connecting with ssh:
ssh t1@pc1.t1.ws.sanog.org
The authenticity of host 'pc1.t1.ws.sanog.org (84.201.31.11)' can't be
established.
DSA key fingerprint is 91:ba:bf:e4:36:cd:e3:9e:8e:92:26:e4:57:c4:cb:da.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'pc1.t1.ws.sanog.org,84.201.31.11' (DSA) to
the list of known hosts.
t1@pc1.t1.ws.sanog.org's password:
At this point the client has in the file ~/.ssh/known_hosts the contents
of pc1.t1.ws.sanog.org's /etc/ssh/ssh_host_dsa_key.pub.
Next connection:
[hallen@hallen-lt .ssh]$ ssh t1@pc1.t1.ws.sanog.org
t1@pc1.t1.ws.sanog.org's password:
Now trusted - Not necessarily a good thing...
Exchanging Host Keys Cont.
Command Key Type Generated Public File
ssh-keygen -t rsa RSA (SSH protocol 2) id_rsa.pub
ssh-keygen -t dsa DSA (SSH protocol 2) id_dsa.pub
- Default key size is 1024 bits
- Public files are text
- Private files are encrypted if you use a
passphrase (still text)
Corresponding file on the host for host key
exchange is known_hosts
How does SSH decide what files to compare?
Look in /etc/ssh/sshd_config. For OpenSSH
version 2 and 3 the server defaults to protocol 2
then 1. Recommend turning of version 1.
By default OpenSSH version 2 client connects
in this order:
RSA version 2 key
DSA version 2 key
Password based authentication (even if RSA
version 1 key is present)
Pay attention to the “HostKeyAlgorithms” setting in /etc/ssh/ssh_config to
help determine this order - or use ssh command line switches to override
these settings.
Several things can happen when using SSH to
connect from your machine (client) to another
machine (server):
Server's public host key is passed back to the client
and verified against known_hosts
Password prompt is used if public key is accepted,
or already on client, or
RSA/DSA key exchange takes place and you must
enter in your private key passphrase to
authenticate (assuming you have one).
SSH Quick Tips
You have a choice of authentication keys - RSA
is the default (dsa is fine as well).
The files you care about are:
/etc/ssh/ssh_config
/etc/ssh/sshd_config
~/.ssh/identity and identity.pub (deprecated)
~/.ssh/id_dsa and id_dsa.pub
~/.ssh/id_rsa and id_rsa.pub
~/.ssh/known_hosts
~/.ssh/authorized_keys
And, note the rsa/dsa host-wide key files in /etc/ssh
Be sure that you do “man ssh” and “man sshd”
and read the entire descriptions for both the
ssh client and ssh server (sshd).
SSH Authentication
Private key can be protected by a passphrase
So you have to give it each time you log in
Or use "ssh-agent" which holds a copy of your
passphrase in RAM
No need to change passwords across dozens of
machines
Disable passwords entirely!
/etc/ssh/sshd_config
Annoyingly, for historical reasons there are
*three* different types of SSH keys
SSH1 RSA, SSH2 DSA, SSH2 RSA
Man in the Middle Attacks
The first time you connect to a remote host,
remember its public key
Stored in ~/.ssh/known_hosts
The next time you connect, if the remote key is
different, then maybe an attacker is
intercepting the connection!
Or maybe the remote host has just got a new
key, e.g. after a reinstall. But it's up to you to
resolve the problem
You will be warned if the key changes.
Exchanging Host Keys
First time connecting with ssh:
ssh t1@pc1.t1.ws.sanog.org
The authenticity of host 'pc1.t1.ws.sanog.org (84.201.31.11)' can't be
established.
DSA key fingerprint is 91:ba:bf:e4:36:cd:e3:9e:8e:92:26:e4:57:c4:cb:da.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'pc1.t1.ws.sanog.org,84.201.31.11' (DSA) to
the list of known hosts.
t1@pc1.t1.ws.sanog.org's password:
At this point the client has in the file ~/.ssh/known_hosts the contents
of pc1.t1.ws.sanog.org's /etc/ssh/ssh_host_dsa_key.pub.
Next connection:
[hallen@hallen-lt .ssh]$ ssh t1@pc1.t1.ws.sanog.org
t1@pc1.t1.ws.sanog.org's password:
Now trusted - Not necessarily a good thing...
Exchanging Host Keys Cont.
Command Key Type Generated Public File
ssh-keygen -t rsa RSA (SSH protocol 2) id_rsa.pub
ssh-keygen -t dsa DSA (SSH protocol 2) id_dsa.pub
- Default key size is 1024 bits
- Public files are text
- Private files are encrypted if you use a
passphrase (still text)
Corresponding file on the host for host key
exchange is known_hosts
How does SSH decide what files to compare?
Look in /etc/ssh/sshd_config. For OpenSSH
version 2 and 3 the server defaults to protocol 2
then 1. Recommend turning of version 1.
By default OpenSSH version 2 client connects
in this order:
RSA version 2 key
DSA version 2 key
Password based authentication (even if RSA
version 1 key is present)
Pay attention to the “HostKeyAlgorithms” setting in /etc/ssh/ssh_config to
help determine this order - or use ssh command line switches to override
these settings.
Subscribe to:
Posts (Atom)