
CritiX

Security Operations and Assurance

Alireza Esfahani, Lecturer in Cyber Security

BSc, MSc, PhD, PG Cert, FHEA, MIEEE, MECSO

University of West London

Week 6

SCANNING NETWORKS

CP70044E @2023 2
Today’s agenda

• Explain the concept of network scanning.
• Differentiate between various types of port scans.
• Introduce different tools used for port scanning.

Network Scanning
• The step after footprinting
• Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network
• Also referred to as port scanning, service scanning, or network scanning
• The process of probing a range of IP addresses to determine which services/programs are running on networked computers
• Typically performed with command-line utilities such as Fping, Hping and nmap; tcpdump is a packet-capture tool rather than a scanner, but it is used alongside them to watch the probes and replies on the wire
Network Scanning- Objectives
• To discover live hosts, IP address, and open ports on live
hosts
• To discover operating systems and system architecture
• To discover services running on hosts
• To discover vulnerabilities in live hosts

WARNING
• Most of these activities involve directly interacting with the target
systems/network
• As you normally want to get a response, you are potentially
identifiable during these activities
• Conducting these activities against a remote host could be
considered malicious by the recipient and the carrier networks
• Check the target IP before scanning
• DO NOT SCAN any network/IP without permission
• Think about the networks your probes pass through: transit carriers see them too
• Be wary of military, government, ISP, and even large corporate networks!
Introduction to Port Scanning
• Port scanning
  • Finds out which services a host offers
  • Identifies candidate vulnerabilities
  [Figure: a commercial tool to identify vulnerabilities]
• Open services can be used in attacks
  • Identify a vulnerable port
  • Launch an exploit
• Scan all ports when testing, not just the well-known ports (0-1023); by default many scanners probe only a subset (nmap scans its 1,000 most common ports unless you pass -p- for all 65,535)
Port scanning programs report
• Open ports: a service accepted the probe (for TCP, it answered the SYN with SYN/ACK)
• Closed ports: the host is reachable but nothing is listening there (it answers with RST, or with ICMP port unreachable for UDP)
• Filtered ports: no answer, or an ICMP "administratively prohibited" error; a firewall or filter is dropping the probe, so the scanner cannot tell whether a service is behind it
Normal TCP Handshake
Client SYN → Server
Client ← SYN/ACK Server
Client ACK → Server

https://www.guru99.com/tcp-3-way-handshake.html

After this, the two sides are ready to exchange data.
SYN Port Scan (half-open scanning)
Client SYN → Server
Client ← SYN/ACK Server
Client RST → Server

https://nmap.org/book/synscan.html

The server is ready, but the client decided not to complete the handshake.
TCP and TCP Flags

Flag  Description
SYN   Synchronise: Initiates a connection between hosts
ACK   Acknowledgment: Acknowledges the reception of a packet
URG   Urgent: Data contained in the packet should be processed immediately
PSH   Push: Sends all buffered data immediately
FIN   Finish: There will be no more transmissions
RST   Reset: Resets a connection
TCP/IP Communication

Types of Port scanning- SYN scan
• In a normal TCP session, the client first sends the server a TCP packet with the SYN flag set.
• The server responds with a packet having both the SYN and ACK flags set, acknowledging the SYN.
• The client then replies with an ACK of its own, completing the connection.
• With a SYN scan the 3-way handshake is never completed: the scanner answers the SYN/ACK with a RST, so the listening application never receives an accepted connection and records nothing in its own log.
• After all, you don't want the application log to show your IP address. Note that the SYN itself is still visible to packet-level logging, firewalls and IDS, and crafting a bare SYN without letting the OS finish the handshake needs raw-socket privileges (nmap -sS must run as root).

https://www.oreilly.com/library/view/python-penetration-testing/9781784399771/f89573f2-deeb-464e-9aaa-1260c6d3ecf3.xhtml
Half-open/Stealth Scan
• Tries to hide scan attempts from application logging by not completing the handshake ("stealth" is a historical name; packet-filtering firewalls and IDS still see the SYN)
• If port open:
  • SYN; SYN+ACK; RST (the RST terminates the 3-way process before completion)
• If port closed:
  • SYN; RST
• If port filtered:
  • SYN; no response at all, or an ICMP unreachable error from a firewall
Types of Port scanning- TCP Connect scan
• Uses the full "three-way handshake" process described under TCP SYN, through the operating system's ordinary connect() call, so no raw-socket privileges are needed.
• When one system sends a packet with the SYN flag set, the target device responds with the SYN and ACK flags set, and the initiator completes the connection with a packet containing a set ACK flag (and then closes it).
• Unlike in a SYN scan, the "transaction" is logged, because the connection is fully established and handed to the listening service.

Example:
192.168.1.100    80  open
192.168.1.100   135  closed
192.168.1.100   443  open
192.168.1.100   445  closed
192.168.1.100  3389  filtered

My host is not listening on TCP 135 and 445, so it responds with a TCP RST, and thus they are "closed".
Since my firewall is not permitting TCP 3389, it is technically "filtered".
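The connect scan described above, as an added example that is not part of the lecture slides: it relies only on the operating system's connect() call, so the kernel performs the whole SYN, SYN/ACK, ACK exchange and a service on an open port sees a real connection. The listener it scans is a throwaway socket started on 127.0.0.1 inside the script, so the example runs offline; the host, port list and one-second timeout are assumptions for the demo.

```python
"""TCP connect scan of 127.0.0.1 using the operating system's connect() call.

Added example, not from the lecture. Because the kernel completes the whole
SYN, SYN/ACK, ACK handshake, no raw-socket privileges are needed and the
service on an open port sees (and can log) a real connection. A throwaway
listener is started locally so the example runs offline.
"""
import socket


def start_listener(host="127.0.0.1"):
    """Open a listening TCP socket on an ephemeral port; returns (socket, port).

    The kernel completes handshakes for a listening socket even before
    accept() is called, which is all a connect scan needs to observe.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Find a port with nothing listening on it (bind, read the port, close)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """Return {port: state} where state is open, closed or filtered.

    open     - connect() succeeded (SYN, SYN/ACK, ACK completed); we then close
    closed   - the target answered the SYN with RST (ConnectionRefusedError)
    filtered - no answer before the timeout (a firewall dropped the SYN) or
               another network error
    """
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except (socket.timeout, OSError):
            results[port] = "filtered"
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    for port, state in connect_scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"127.0.0.1 {port} {state}")
    srv.close()
```

Run it and the output mirrors the slide's table: the listener's port reports open, the freed port reports closed. A port behind a firewall that silently drops the SYN would hit the timeout and report filtered, which is the slide's TCP 3389 case.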
Full Open Scan
• Tries to negotiate the full 3-way handshake
• If the service is alive and listening, the connection is established and then reset:
• If port open:
  • SYN; SYN+ACK; ACK, then RST (this completes and then closes the 3-way process)
• If port closed or denied:
  • SYN; RST

[Figure: scan result when a port is open: Attacker sends SYN to port n, Target replies SYN+ACK, Attacker sends ACK and then RST]
[Figure: scan result when a port is closed: Attacker sends SYN to port n, Target replies RST]
Types of Port scanning- NULL scan
• In a NULL scan, all the TCP flags are turned off: none of RST, FIN, SYN or ACK is set.
• If a port is closed, a target that follows RFC 793 responds with a TCP RST packet.
• If a port is open, the target sends no reply; the scanner then records that port number as open (strictly open|filtered, since a firewall dropping the probe produces exactly the same silence).
• Caveat: Windows, many Cisco devices and some other stacks do not follow RFC 793 here and answer every NULL probe with RST, so on those hosts every port looks closed.
ICMP Scanning
• Based on simple ICMP (ping) ECHO requests
• Will identify live hosts (that respond to ping)
• Can be done at the command prompt or using tools (e.g.
Zenmap/Nmap)

Sweeping
• Can automate pings by sweeping an
entire subnet or range.

Types of Port scanning- FIN scan
In this scan, a TCP packet with only the FIN flag set is sent to the target computer to "see" how it reacts. Normally, a FIN is sent when one side of an established connection is ready to terminate it, and the other side responds with an ACK that acknowledges the disconnect. A FIN arriving for a port with no connection is handled like the NULL probe: a closed port answers with RST, an open port stays silent (reported as open|filtered), and the same non-RFC stacks (Windows among them) answer RST for every port.
Types of Port scanning- ACK scan
A TCP packet with only the ACK flag set is sent. ACK scans are used to identify hosts (for example Web servers) that are active but configured not to respond to ICMP pings (nmap -PA), and to map firewall rules. An unfiltered port, whether open or closed, answers an unsolicited ACK with a TCP RST, giving the user confirmation that the host is live; no reply, or an ICMP unreachable error, means a filter sits in the way. An ACK scan cannot by itself tell open ports from closed ones.
Types of Port scanning- XMAS scan
• In this kind of scan, the FIN, PSH and URG flags are all set (the packet is "lit up like a Christmas tree").
• Closed ports respond with a RST packet.
• Can be used to determine which ports are open: an open port gives no reply.
• Not getting the RST packet doesn't prove the port is open, because firewalls or other packet-filtering devices may drop the probe (the honest result is open|filtered), and the stacks that break NULL/FIN scans (e.g. Windows) answer RST on every port.
Types of Port scanning- UDP scan
In this scan, a UDP packet is sent to the target port.
• If the computer sends back an ICMP "Port unreachable" message (type 3, code 3), the port is closed.
• If a UDP reply comes back, the port is open.
• If a different ICMP unreachable error comes back (type 3, codes 1, 2, 9, 10 or 13), the port is filtered.
• No response at all means open|filtered: an open UDP service need not answer an empty probe, and a firewall dropping the probe looks the same.
Because most stacks rate-limit ICMP errors (Linux defaults to about one per second), a full UDP scan is far slower than a TCP scan.

[Figure: Attacker asks "Are you open on UDP port 29?"; no response if the port is open; an ICMP Port unreachable message is received if the port is closed]
ACK Flag Probe Scan
• Attackers send TCP probe packets with the ACK flag set to a remote device and then analyse the header information (TTL and WINDOW fields) of the RST packets received, to infer whether the port is open or closed
• TTL variant: if the TTL value of the RST packet for a particular port is less than the boundary value of 64, that port is treated as open
• WINDOW variant: if the WINDOW value of the RST packet for a particular port is non-zero, that port is treated as open (this is nmap's window scan, -sW)
• Caveat: both variants depend on quirks of a few older TCP stacks that vary the RST's TTL or window by port; most modern systems return the same TTL and a zero window for every RST, so these probes usually report every port as closed
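The decision rules spread over the SYN, connect, NULL, FIN, XMAS, ACK, UDP and ACK-probe (window) sections above, collected into one classifier. This is an added example and not code from the lecture: it parses the flags and window out of a raw TCP header and the type/code out of an ICMP header, then maps each probe type and reply to the state a scanner would report. The header bytes it classifies are constructed inline (checksums left at zero); nothing is sent on the wire.

```python
"""Classify a target's reply to a port-scan probe the way a scanner does.

Added example, not from the lecture. It reads the flags and window out of a
raw TCP header and the type/code out of an ICMP header, then applies the
rules for SYN/connect, NULL/FIN/XMAS, ACK, window (ACK-probe) and UDP scans.
All packets are constructed inline; nothing is sent on the wire.
"""
import struct

# TCP flag bits as they appear in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# ICMP type 3 (destination unreachable) codes a scanner reads as "filtered":
# net/host unreachable and the administratively-prohibited family
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}
ICMP_PORT_UNREACHABLE = 3


def make_tcp(flags, window=0, sport=80, dport=40000):
    """Constructed 20-byte TCP header: ports, seq, ack, offset=5, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)


def make_icmp(icmp_type, code):
    """Constructed 4-byte ICMP header (type, code, zero checksum)."""
    return struct.pack("!BBH", icmp_type, code, 0)


def tcp_flags_window(hdr):
    """Pull (flags, window) out of a raw TCP header."""
    if len(hdr) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return struct.unpack("!BH", hdr[13:16])


def classify(scan, reply):
    """Port state for one probe.

    scan  : "syn", "connect", "null", "fin", "xmas", "ack", "window" or "udp"
    reply : None for no answer, or ("tcp" | "icmp" | "udp", header_bytes)
    """
    scan = scan.lower()
    if reply is None:
        # Silence is what an open port gives NULL/FIN/XMAS/UDP probes, but a
        # firewall dropping the probe looks identical, hence the combined state.
        return "open|filtered" if scan in ("null", "fin", "xmas", "udp") else "filtered"

    kind, data = reply
    if kind == "icmp":
        icmp_type, code = data[0], data[1]
        if scan == "udp" and icmp_type == 3 and code == ICMP_PORT_UNREACHABLE:
            return "closed"
        return "filtered"            # any other unreachable error comes from a filter
    if kind == "udp":
        return "open"                # only a live UDP service sends UDP back

    flags, window = tcp_flags_window(data)
    if scan in ("syn", "connect"):
        if flags & SYN and flags & ACK:
            return "open"
        if flags & RST:
            return "closed"
    elif scan in ("null", "fin", "xmas"):
        if flags & RST:
            return "closed"
    elif scan == "ack":
        if flags & RST:
            return "unfiltered"      # the probe reached the host; open vs closed unknown
    elif scan == "window":
        if flags & RST:
            return "open" if window > 0 else "closed"
    return "filtered"                # an unexpected reply is treated like no reply


if __name__ == "__main__":
    for scan, reply in [("syn", ("tcp", make_tcp(SYN | ACK, window=64240))),
                        ("syn", ("tcp", make_tcp(RST))),
                        ("null", None),
                        ("ack", ("tcp", make_tcp(RST))),
                        ("window", ("tcp", make_tcp(RST, window=1024))),
                        ("udp", ("icmp", make_icmp(3, 3)))]:
        print(f"{scan:7s} -> {classify(scan, reply)}")
```

The point the table of rules makes visible is that only the SYN/connect family produces a definite "open"; the flag-trick scans and UDP can never distinguish an open port from a dropped probe without a second signal, which is why scanners print the combined open|filtered state.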
Using Port-Scanning Tools

Port-Scanning Tools
• Nmap
• Unicornscan
• NetScanTools Pro 2004
• Nessus

NMAP
• Originally published in Phrack magazine (issue 51, 1997)
• One of the most popular tools
• GUI versions: Xnmap and Ubuntu's NmapFE (both since superseded by Zenmap, which ships with Nmap)
• Open source tool
• Standard tool for security professionals
Unicornscan
• Developed in 2004 for Linux & UNIX only
• Ideal for large networks
• Scans 65,535 ports in three to seven seconds
• Optimizes UDP scanning

NetScanTools Pro
• Robust easy-to-use commercial tool
• Runs on Windows
• Types of tests
• Database vulnerabilities
• DHCP server discovery
• IP packets viewer
• Name server lookup
• OS fingerprinting

Nessus
• First released in 1998
• Originally a free, open source tool; closed-source since Nessus 3 (2005, Tenable), with OpenVAS forked from the last open release
• Uses a client/server technology
• Can conduct tests from different locations
• Can use different OSs for the client and the server
Conducting Ping Sweeps
• Ping sweeps
• Identify which IP addresses belong to active
hosts
• Ping a range of IP addresses
• Problems
• Computers that are shut down cannot respond
• Networks may be configured to block ICMP Echo
Requests
• Firewalls may filter out ICMP traffic

FPing
• Pings multiple IP addresses in parallel
• www.fping.com/download
• Command-line tool
• Input: multiple IP addresses on the command line
• To enter a range of addresses: the -g option (a start/end address pair or a CIDR block)
• To read addresses from a file: the -f option
Hping2 / Hping3
• Command line network scanning and packet crafting tool for the
TCP/IP protocol.
• www.hping.org/download
• It can be used for network security auditing, firewall testing,
manual path MTU discovery, advanced traceroute, remote OS
fingerprinting, remote uptime guessing, TCP/IP stacks auditing,
etc.

Port Scanning Countermeasures
• Firewalls
• IDS/IPS
• Custom rules (block unwanted ports/IPs)
• Block ICMP
• Update firmware/OS/patches
• Test your own network

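The IDS/IPS and custom-rule countermeasures above are only as good as the detection logic behind them. The following is an added example, not part of the lecture: a small detector that reads iptables-style LOG lines (the format with SRC=, PROTO=TCP, DPT= and the flag names) and flags any source that sends SYNs to many distinct ports within a short sliding window. The log lines, addresses, the 60-second window and the ten-port threshold are all constructed for the demo. Note that because the firewall logs the SYN itself, a half-open scan is caught here even though the scanned services never record a connection.

```python
"""Spot port scans in firewall SYN logs (added example, not from the lecture).

Assumes iptables-style LOG lines carrying SRC=, PROTO=TCP, DPT= and the TCP
flag names; the sample lines below are constructed. A source that probes many
distinct ports in a short window is flagged. Because the firewall logs the
SYN itself, a half-open (SYN) scan is caught here even though the scanned
services never record a connection.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_syn(line):
    """Return (timestamp, src, dport) for an inbound TCP SYN line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    tokens = set(line.split())
    if fields.get("PROTO") != "TCP" or "SYN" not in tokens or "ACK" in tokens:
        return None                  # skip non-TCP lines and SYN/ACK replies
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")   # syslog stamps carry no year
    return ts, fields["SRC"], int(fields["DPT"])


def detect_port_scans(lines, window_s=60, min_ports=10):
    """Map src -> most distinct ports hit within any window_s-second sliding
    window, keeping only sources that reach min_ports."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_syn(line)
        if parsed:
            ts, src, dport = parsed
            events[src].append((ts, dport))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()        # port -> SYNs to it inside the current window
        left, best = 0, 0
        for ts, dport in evs:
            in_window[dport] += 1
            while (ts - evs[left][0]).total_seconds() > window_s:
                old = evs[left][1]   # slide the left edge forward, expiring old SYNs
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            alerts[src] = best
    return alerts


def _log_line(hms, src, dport, flags="SYN"):
    """One constructed iptables-style LOG line (not real traffic)."""
    return (f"Jan 12 {hms} fw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"PROTO=TCP SPT=40001 DPT={dport} WINDOW=1024 RES=0x00 {flags} URGP=0")


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_LOG = (
    # a SYN scanner sweeping twelve ports in twelve seconds
    [_log_line(f"10:00:{i:02d}", "203.0.113.5", p) for i, p in enumerate(SCAN_PORTS)]
    # a normal client opening one HTTPS connection a minute for ten minutes
    + [_log_line(f"10:{m:02d}:30", "198.51.100.7", 443) for m in range(10)]
    # the server's own SYN/ACK going out, which must not count as a probe
    + [_log_line("10:00:00", "192.0.2.10", 40001, "ACK SYN")]
)

if __name__ == "__main__":
    for src, n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports within 60 s")
```

Tuning note: the threshold is on distinct destination ports, not packet count, so a busy but legitimate client hammering one service never trips it, while a slow scanner that spreads its probes over longer than the window does slip through; widen the window or keep per-source state across runs to catch that case.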
PEN TESTING- SCANNING

Scanning Pen Testing
• Pen testing a network for scanning vulnerabilities determines the network's security posture by identifying live systems, discovering open ports, associating services and grabbing system banners, to simulate a network hacking attempt.
• The penetration testing report will help system administrators to:
  • Close unused ports
  • Disable unnecessary services
  • Hide or customize banners
  • Troubleshoot service configuration errors
  • Calibrate firewall rules
Summary
• The objective of scanning is to discover live systems, open ports, the operating systems, and the services running on the network.
• An attacker determines the live hosts in a range of IP addresses by sending ICMP ECHO requests to multiple hosts (or TCP ACK/SYN probes where ICMP is blocked).
• Attackers use various scanning techniques to bypass firewall rules and logging mechanisms and to blend in with normal network traffic.

Thank you very much!
