Port Scanning

Port Scanning is one of the most popular among the reconnaissance techniques attackers use. All machines connected to a LAN or connected to Internet via a modem run many services that listen at certain ports. A service is a program that waits inside a loop for a request message from a client, and acts on the request. By port scanning the attacker finds which ports are available (i.e., being listened to by a service). Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can then be probed further for weakness.

The various techniques in scanning are summarized in the paper by Foydor (NMap author). A full understanding of these depends on understanding IP filtering and other firewall techniques. So re-read this chapter afterwards.

Port Scanning Terms

Port scanning usually, but not always, means scanning for TCP ports, which are connection-oriented and therefore give good feedback to the attacker.

Port Numbers
Both UDP and TCP use source and destination port numbers in their packets, the source and destination IP addresses are provided by the underlying IP. Port numbers are an abstraction manufactured by the network layer of the operating system in accordance with the TCP/IP standards. These are 16-bit unsigned numbers. The port numbers are divided into three ranges: the Well Known Ports (from 0 through 1023), the Registered Ports (from 1024 through 49151), and the Dynamic and/or Private Ports (from 49152 through 65535). The authoritative list ports typically stored as /etc/services is a subset of these. A list of port numbers used by Trojan programs is here.

Sockets
A socket is an abstraction, similar to a file descriptor, constructed by socket(). A socket so constructed is bound to an IP address and port number via the bind() call. A server program then waits for a connection via the listen(), and accept() a connection. A socket can be said to be active after the server has accepted a connection. It is connected to a remote active socket via an open data connection. Closing the connection destroys the active sockets at each endpoint. A passive socket is not connected, but rather awaits an incoming connection in the listen(), which will spawn a new active socket. A socket is not a port, though there is a close relationship between them. Each port can have a single passive socket, awaiting incoming connections, and multiple active sockets, each corresponding to an open connection on the port. Servers use bind(), listen(), and accept(). A client uses connect(). The read(), write() are used by both clients and servers.

Strobe
A strobe is a narrow scan, only looking for those services the attacker knows how to exploit. The name comes from one of the original TCP scanning programs, though now virtually all scanning tools include this feature.

Fragmented packets This stealth approach fragments the IP datagrams within the TCP header. This bypasses some packet filter firewalls acting as "packet filters" because they cannot see a complete TCP header that can match their filter rules.

UDP scan
Finds open UDP ports. The source port of UDP is an optional field. When meaningful, it indicates the port of the sending process. If it is not meaningful, a value of zero is used. UDP responds in a different manner from a TCP scan. In order to find UDP ports, the attacker generally sends empty UDP datagrams at the port. If the port is listening, the service will send back an error message or ignore the incoming datagram. If the port is closed, then the operating system sends back an "ICMP Port Unreachable" message.

Sweep
Connects to one port on a lot of machines.

Bounce scan

The ability to hide their tracks is important to attackers. Therefore, attackers scour the Internet looking for systems they can bounce their attacks through.

FTP bounce scanning takes advantage of a vulnerability in FTP servers, which honors a request that the FTP server open a connection to a third party on a particular port. This makes the FTP server to scan and send back the results. This bouncing through an FTP server hides the attacker's address. This technique is similar to IP spoofing. Here are some examples.

finger: Most finger servers allow commands to be forwarded through them. Finger supports recursive queries. A query such as "rob@foo@bar" will ask "bar" to resolve "rob@foo", causing "bar" to query "foo".
e-mail: Spammers try to relay their spam through SMTP servers.
FTP: When a file is requested from an FTP server, the client specifies the IP address and port number of the recipient of that file. This should be the address of the client, and the port that the client has prepared to receive the file. But, the IP address can be any system on the Internet. It may appear to be a file requested from the perspective of the FTP server, the receiver may believe that these are commands of some other protocol. For example, a spammer can upload a file to the FTP server containing e-mail messages, then cause the FTP server to download them to an SMTP server that then forwards them out to the recipients.
SOCKS: Allows almost any protocol to be tunneled through the intermediate machine.
HTTP proxy: Most web servers support proxies, or relaying requests to other servers. This allows a company to channel all their web traffic through a single server for filtering as well as caching to improve performance. A lot of these servers are mis-configured to allow proxying of any request from the Internet, allowing attackers to relay attacks against web-sites through a third party.
IRC BNC: Attackers hide their IRC (Internet Relay Chat) identities by bouncing their connections through other machines. A particular program called "BNC" is used for this purpose on compromised machines.

Stealth scan

One problem, from the perspective of the attacker, with port scanning is that it is easily logged by services listening at the ports. They see an incoming connection, but no data, so they log an error. Stealth scan techniques avoid this.

The half-open scan only partially opens a connection, but stops halfway through. This is also known as a SYN scan because it only sends the SYN packet. This stops the service from ever being notified of the incoming connection.

Another technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports. The most common of these scans is the FIN scan, which attempts to close a connection that is not open. If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, no response indicates a listening service at the port. However, since packets can be dropped accidentally on the wire or by firewalls, this is not a very effective scan.

Other techniques consist of XMAS scans where all flags in the TCP packet are "lit up" (set), or NULL scans where none of the bits are set. Different operating systems respond differently to these scans, and hence the attacker needs to know what OS the target host is running.

SOCKS port probe

SOCKS is a system targeted at the home PC user that allows multiple machines to share a common Internet connection. The reason that attackers scan for this is because a large percentage of users misconfigure SOCKS.

WinGate is a commercial product that can be installed on a single machine that has the actual Internet connection. All the other machines within the home connect to the Internet through the machine running WinGate. The problem with SOCKS and products like WinGate is that the source and destination addresses are not carefully checked. A misconfigured host will allow external machines to access the internal home network, and also it may allow an attacker access to other Internet machines. This allows the attacker to hide his/her true location.

Many IRC chat servers often scan clients for open SOCKS servers. They will kick off such people with a message indicating how to fix the problem.

Fingerprinting an OS

Fingerprinting is the technique of interpreting the responses of a system in order to figure out what it is. To make this more effective, unexpected but well-chosen combinations of data are sent to the system in order to trigger unique-enough responses. This is because while most systems respond alike with correct data, they rarely respond the same way when sent unusual data.