
Remote Host Discovery with PortScanning

Published in 2600 Salt Lake City · 5 years ago

 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-

-= Remote Host Discovery with PortScanning =-

-= By Adept =-
-= mark@firstworld.net =-

-= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


What PortScanning is

Querying TCP or UDP ports on a remote host to see which ones respond. This is done to
identify listening services on the host, and for many hackers it is the first step in
gathering data about their target.

Since this is such a fundamental hacking skill, most of you are experienced with it. Feel
free to bring up your favorite methods and tools. I know I will be leaving quite a few of
my favorite tools out because... It's 2AM right now.

Common services on Internet hosts usually listen somewhere below port 1024, so scanning
every port below 1024 gives you the most results per attempt. However, some of the most
vulnerable services and/or Trojans listen above that range. For this reason, many
portscanners include a list of common ports, or use your Unix box's services listing
(/etc/services). A known-ports list also returns a very high hit ratio; however, anything
short of scanning all 65,535 ports remains incomplete, and a full sweep has to be done
separately for TCP and for UDP.

Steve Gibson from grc.com claims to have found a way to instantaneously scan all 65,535
ports on your box, and that he is going to come out with a "new FREEWARE HYPER-SPEED PORT
SCANNER". Drop an email to this crackhead if you are as interested as I am in his "new
technology." The interesting thing is that if it is really possible, it most likely takes
advantage of something that has been in the IP stack design since the 1970s. Is there a
network or broadcast type address for your TCP stack, maybe port 0 if queried correctly?
More importantly, is a Windows kiddie named Steve Gibson going to be the one to find it?


Protocols

TCP is the most common transport protocol on the Internet, and most services run on it,
so TCP scanning is the most common kind of scan. If you want to find webservers, ftp
servers, or most other services on a box, this is the way to go.

There are a few ways to find out if a service is listening on a port. "Connect" is the
most basic: your OS completes a normal TCP connection, which is the easiest thing for the
target's own logs, IDS's and firewalls to notice. A TCP "SYN" scan does not complete the
connection; it sends the SYN, waits for the SYN-ACK (port open) or RST (port closed), and
then tears the half-open connection down with a RST instead of finishing the handshake.
The advantages are speed and a lower chance of being logged by the target service, since
its accept() never returns; the downside is that you can't grab "banners" from the port,
because a banner is only sent once the connection is ESTABLISHED. A "Connect" scan is all
5 steps shown below, where a "SYN" scan only goes to step 3. Note that "harder to detect"
means harder for the host to log: Snort (the open source flexible IDS) sees the SYN
packets either way and will pick up both SYN and CONNECT scans if you have the right
Snort rules in place.


     TCP A                                                TCP B

 1.  CLOSED                                               LISTEN

 2.  SYN-SENT    --> <SEQ=100><CTL=SYN>               --> SYN-RECEIVED

 3.  ESTABLISHED <-- <SEQ=300><ACK=101><CTL=SYN,ACK>  <-- SYN-RECEIVED

 4.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK>       --> ESTABLISHED

 5.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK><DATA> --> ESTABLISHED

      Basic 3-Way Handshake for Connection Synchronization (RFC 793, Figure 7)
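Here is an added example (not from the original article, and not nmap's code) of the
"Connect" scan described above, with banner grabbing. It runs offline: a constructed
listener on 127.0.0.1 plays the remote service and greets each client with a made-up FTP
banner, and the port numbers are whatever the kernel hands out. Because connect() runs the
handshake through step 4, the listener's accept() returns and the step 5 data (the banner)
can be read; a SYN scan stops at step 3 and needs raw sockets, which plain sockets can't do.

```python
"""Added example: TCP 'connect' scan with banner grabbing against a constructed
listener on 127.0.0.1.  Not part of the original article."""
import socket
import threading


def start_banner_listener(banner: bytes, host: str = "127.0.0.1"):
    """Constructed stand-in for a remote service: accepts on an ephemeral
    port and greets every client with a banner, as an FTP or SSH daemon does."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _peer = srv.accept()   # only returns once step 4 (our ACK) arrived
            except OSError:
                return                       # listener closed
            with conn:
                conn.sendall(banner)         # step 5: data on the ESTABLISHED connection

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_tcp_port(host: str = "127.0.0.1") -> int:
    """Bind-and-release to find a TCP port that nobody is listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Full connect scan.  Returns {port: (state, banner)}.

    'closed'   - the target answered our SYN with RST (connection refused)
    'filtered' - neither SYN-ACK nor RST within the timeout (dropped by a filter)
    'open'     - handshake completed; whatever the service sent first is the banner
    Every 'open' result is a completed connection the service's own log can record,
    which is exactly what a SYN scan avoids."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            results[port] = ("closed", b"")
            s.close()
            continue
        except OSError:                      # timeout, host unreachable, ...
            results[port] = ("filtered", b"")
            s.close()
            continue
        banner = b""
        try:
            banner = s.recv(256)             # services that speak first hand us a banner
        except OSError:                      # silent service: still open, just no banner
            pass
        s.close()
        results[port] = ("open", banner)
    return results


def demo():
    """Scan one listening port and one closed port on loopback (constructed banner)."""
    srv, open_port = start_banner_listener(b"220 ftp.example.test FTP server ready\r\n")
    closed_port = free_tcp_port()
    try:
        return open_port, closed_port, connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port in (open_port, closed_port):
        state, banner = results[port]
        print(f"{port}/tcp {state} {banner.decode(errors='replace').strip()}")
```

The 'closed' and 'filtered' distinction is the same one nmap reports: a RST comes back
fast, a dropped probe just times out, so a filtered range is what makes a scan slow.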

UDP scanning is used mainly for lookup-only DNS and SNMP; not many other common services
run over UDP. With UDP a datagram is sent to every port that you scan. If a UDP reply
comes back, the port is open. If the host answers with an ICMP "port unreachable", the
port is closed. If nothing comes back at all you can't tell: the port may be open but the
daemon ignored your probe (most daemons only answer a well-formed request, so a real DNS
query or SNMP GET gets far better results than junk), or a firewall may have dropped the
probe or the ICMP error. This is simply the way UDP works in general; it is a low-overhead
protocol with no connection setup, no acknowledgements and no retransmission, so "no
answer" is ambiguous, and many stacks rate-limit ICMP errors, which makes full UDP sweeps
slow.
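Here is an added example (not from the original article) of a single-port UDP probe that
distinguishes the three outcomes above. A constructed responder on 127.0.0.1 plays a UDP
daemon that answers every datagram; the port numbers are whatever the kernel hands out.
The trick worth knowing is that a connected UDP socket receives the ICMP port unreachable
as ECONNREFUSED, which is the only positive "closed" signal UDP gives you.

```python
"""Added example: one-port UDP probe with the open / closed / open|filtered
outcomes, against a constructed responder on 127.0.0.1.  Not part of the
original article."""
import socket
import threading


def start_udp_responder(reply: bytes, host: str = "127.0.0.1"):
    """Constructed stand-in for a UDP daemon that answers every datagram it
    receives (a real DNS or SNMP daemon answers only well-formed requests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))

    def serve():
        while True:
            try:
                _data, peer = srv.recvfrom(512)
            except OSError:
                return                       # socket closed, responder exits
            srv.sendto(reply, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_udp_port(host: str = "127.0.0.1") -> int:
    """Bind-and-release to find a UDP port that nobody is listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def udp_probe(host: str, port: int, payload: bytes = b"\x00",
              timeout: float = 1.0, retries: int = 2) -> str:
    """Classify one UDP port as 'open', 'closed' or 'open|filtered'.

    Connecting the datagram socket makes the kernel hand us the ICMP port
    unreachable for this port as ECONNREFUSED.  A reply means open.  Silence
    after every retry is ambiguous: the daemon may have ignored the payload,
    or a firewall may have dropped the probe or the ICMP error."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        for _ in range(retries):
            try:
                s.send(payload)
                s.recv(512)
                return "open"
            except ConnectionRefusedError:
                return "closed"              # ICMP type 3 code 3 came back
            except socket.timeout:
                continue                     # retry: UDP has no retransmission of its own
        return "open|filtered"
    finally:
        s.close()


def udp_scan(host: str, ports, **kw) -> dict:
    """Probe each port in turn; returns {port: state}."""
    return {p: udp_probe(host, p, **kw) for p in ports}


def demo():
    """Scan one answering port and one closed port on loopback (constructed reply)."""
    srv, open_port = start_udp_responder(b"reply")
    closed_port = free_udp_port()
    try:
        return open_port, closed_port, udp_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port in (open_port, closed_port):
        print(f"{port}/udp {results[port]}")
```

Against a real host, swap the one-byte payload for a protocol-specific request (a DNS
query for 53, an SNMP GET for 161), or the daemon will stay silent and the port will show
up as open|filtered rather than open.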


Common Tools

NMAP by fyodor@insecure.org.
This is my favorite portscanner. Available for *NIX, and a port is available for NT.
Beta versions of NMAP constantly add functionality; betas do not get ported to NT AFAIK.
Features include high speed TCP and UDP scans and TCP SYN scanning (a full TCP connection
is not made, which reduces the chance of being logged by the target). Also, try the new
remote uptime feature in beta 22; it calculates the uptime from the TCP timestamp option
that most BSD-compatible TCP stacks put in their headers.
Find this at insecure.org.

Fscan and Superscan, by Foundstone Inc.
Superscan is cheap and dirty TCP scanning for Windows. Fscan is a command line scanner,
with TCP/UDP scanning, port order randomization, and port banner grabbing. Find these at
www.foundstone.com.




Name the Operating System


System1:
# nmap -sS x.x.x.x

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (x.x.x.x):
(The 1519 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen

Nmap run completed -- 1 IP address (1 host up) scanned in 83 seconds

System2:
# nmap -sS 208.23.65.90

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on jesuslovesunix.1800contacts.net (208.23.65.90):
(The 1516 ports scanned but not shown below are in state: closed)
Port       State       Service
13/tcp     open        daytime
21/tcp     open        ftp
22/tcp     open        ssh
37/tcp     open        time
111/tcp    open        sunrpc
113/tcp    open        auth
6969/tcp   open        acmsoda

Nmap run completed -- 1 IP address (1 host up) scanned in 85 seconds


Links

http://www.insecure.org/nmap - bleeding edge scanning

http://www.foundstone.com - White hat hackers interested in full disclosure and good tools.

http://grc.com - Crackhead named Steve Gibson will hax0r you from his website.

http://www.snort.org - Martin Roesch's open source flexible IDS.

http://packetstorm.securify.com/UNIX/scan_detect/ - UNIX portscanner detection.

2600SLC(Confidential) Page 1 4/6/2001 (0day)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
© 2600SLC.ORG 2001
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
