Port Scanning Yiqian Zhang CS 265 Project
What is Port Scanning? Port scanning is the equivalent of knocking on the walls to find all the doors and windows. It determines which systems are listening and reachable from the Internet, analyzes their underlying weaknesses, and records those weaknesses for later use.
Port Numbers. Well-known ports: 0–1023 (e.g. echo: 7/tcp, ftp-data: 20/udp). Non-standard ports: 1023 and above (e.g. 5010: Yahoo! Messenger).
Port Scanning Techniques. Vanilla scan: the simplest form of port scan. It tries each of the 65535 ports on the victim, sending a carefully constructed packet with a chosen port number.
Stealth Scan. Port scanning is easily logged by the services listening on the ports, so a stealth scan is designed to go undetected by auditing tools, for example by scanning at a slow pace. Inverse mapping: relies on the "host unreachable" ICMP messages generated for IPs that do not exist.
TCP Scanner. TCP connect scan: completes a full three-way handshake. TCP SYN scan (half-open scanning): a SYN packet is sent; a listening target responds with a SYN/ACK, a non-listening target responds with a RST. TCP FIN scan: the scanner sends a FIN packet; closed ports reply with a RST, while open ports ignore the packet entirely.
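The SYN-only and FIN-only probe shapes described above are exactly what a defender can look for in traffic. The following is an added example (not from the slides): a small detector that flags a source sending many such probes to distinct ports within a time window, run over constructed sample packets; the packet records, thresholds and host addresses are all assumptions for the demonstration.

```python
from collections import defaultdict, deque
from typing import NamedTuple

class Packet(NamedTuple):
    ts: float     # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags set, e.g. "S", "SA", "F", "R", "PA"

# Probe shapes from the slides: SYN-only = half-open scan, FIN-only = FIN scan.
PROBE_KIND = {"S": "syn-scan", "F": "fin-scan"}

def detect_scans(packets, min_ports=10, window=30.0):
    """Flag sources sending >= min_ports distinct (dst, port) probes of one kind
    within `window` seconds. Returns {src: {kind: distinct_targets_seen}}."""
    recent = defaultdict(deque)        # (src, kind) -> deque of (ts, (dst, dport))
    alerts = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        kind = PROBE_KIND.get(pkt.flags)
        if kind is None:               # handshake completions, data, resets: not probes
            continue
        q = recent[(pkt.src, kind)]
        q.append((pkt.ts, (pkt.dst, pkt.dport)))
        while q and pkt.ts - q[0][0] > window:   # drop probes older than the window
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= min_ports:
            alerts.setdefault(pkt.src, {})[kind] = len(targets)
    return alerts

def sample_traffic():
    """Constructed sample capture (hypothetical hosts, not from the slides)."""
    pkts = []
    # 10.0.0.5 walks ports 20-44 on one host with SYN-only probes, one every 0.2 s
    pkts += [Packet(0.2 * i, "10.0.0.5", "192.168.1.1", 20 + i, "S") for i in range(25)]
    # 10.0.0.9 sends FIN-only probes to 12 ports, one per second
    pkts += [Packet(5.0 + i, "10.0.0.9", "192.168.1.1", 100 + i, "F") for i in range(12)]
    # 10.0.0.7 makes one normal SMTP connection: SYN, then ACK, then data
    pkts += [Packet(1.0, "10.0.0.7", "192.168.1.1", 25, "S"),
             Packet(1.1, "10.0.0.7", "192.168.1.1", 25, "A"),
             Packet(1.2, "10.0.0.7", "192.168.1.1", 25, "PA")]
    return pkts

if __name__ == "__main__":
    print(detect_scans(sample_traffic()))
```

A single SYN from the normal client is ignored because only the count of distinct targets per source and probe kind matters, which is what separates a scan from ordinary connection attempts.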
Bounce Scans. The ability to hide tracks is important to attackers. FTP bounce scan: the attacker forces an FTP server to perform the port scan and send back the results. Bouncing through an FTP server hides where the attacker comes from. The advantage of this approach is that it is harder to trace; the disadvantage is that it is slow.
UDP Scanning. To find UDP ports, the attacker generally sends empty UDP datagrams. If the port is listening, the service should send back an error message or ignore the incoming datagram. If the port is closed, most operating systems send back an "ICMP Port Unreachable" message, which is how the scanner determines which ports are open. Neither the UDP packets nor the ICMP errors are guaranteed to arrive, so UDP scanners must also implement retransmission of packets that appear to be lost.
Port Scanning Tools: Strobe. A TCP port scanning utility, one of the fastest and most reliable TCP scanners available. It looks only for those services the attacker knows how to exploit. CMD: Strobe 192.168.1.10 Output: 192.168.1.10 ssh 22/tcp secure shell
Port Scanning Tools: nmap. A widely known port scanner, a utility for scanning large networks, although it works fine for single hosts. The guiding philosophy for the creation of nmap was TMTOWTDI (There's More Than One Way To Do It). CMD: nmap -sS 192.168.1.1 Output: Port State Protocol Service 21 open tcp ftp
Port Scanning Tools: netcat. The Swiss army knife of the security toolkit; it provides basic TCP and UDP port scanning capabilities. By default netcat uses TCP ports, so for UDP scanning the -u option must be specified. For example, CMD: netcat -v -z -w2 192.168.1.1 1-140 Output: [192.168.1.1] 25 (smtp) open
Conclusion. Port scanning has legitimate uses in managing networks. It can also be malicious in nature if someone is looking for a weakened access point to break into your computer. It is rude to scan someone else's hosts or networks without the explicit permission of the owner, so always ask whether it is okay before scanning outside your own networks.