Examining Port Scan Methods - Analysing Audible Techniques

Examining Port Scan Methods - Analysing Audible Techniques

Abstract

I will attempt to enumerate a variety of ways to discover and map internal/external networks using signature-based packet replies and known protocol responses when scanning. Specifically, this document presents all known techniques used to determine open/closed ports on a host and ways an attacker may identify the network services running on arbitrary servers.

1.1 Introduction

This paper will provide an in-depth analysis of known port scan methods, with exhaustive information for each technique used in the wild today to map and identify open and closed ports on various network servers.

Note: This paper will not describe techniques used to fingerprint operating systems nor identify daemon versions (banner scanning).

With an epidemic of port scan instances occurring each and everyday, it should be recognized the ways an attacker could probe network hosts using a variety of techniques aimed to avoid detection whilst obscuring the sender's true source. Understanding actions to defend against these network oriented scans is first to identify and acknowledge the ways a scan can present appearing as normal inbound traffic.

Port scanning is one of the most popular techniques used in the wild to discover and map services that are listening on a specified port. Using this method an attacker can then create a list of potential weaknesses and vulnerabilities in the proposed open port leading to exploitation and compromise of a remote host.

One of the primary stages in penetrating/auditing a remote host is to firstly compose a list of open ports, using one or more of the techniques described below. Once this has been established, the results will help an attacker identify various services that are running on that port using an RFC-compliant port list, (/etc/services in UNIX, getservbyport() function automatically obtains this) allowing further compromisation of the remote host after this initial discovery.

Port scanning techniques take form in three specific and differentiated ways.

* open scanning

* half-open scanning

* stealth scanning

Each of these techniques allow an attack to locate open/closed ports on a server, but knowing to use the correct scan in a given environment depends completely on the type of network topology, IDS, logging features a remote host has in place. Although open scans log heavily and are easily detectable they produce fairly positive results on open/closed ports.

Alternatively, using a stealth scan, may avoid certain IDS and bypass firewall rulesets but the scanning mechanism, such as packet flags, used in identifying these open/closed ports maybe offset by dropped packets over a network, leading to false positives. Further discussion of this concept takes place in the FIN scan section of this document.

Focusing more directly at each of the above techniques, these methods can be further categorised into individual scan types. Let's look at a basic scan model which includes PING sweeping:

___________

| |

| scan type |

|___________|

__________________________________|___________________________________

/ | | |

/ | | |

_____|_____ _____|_____ _____|_____ ____|___ ____|____

| | | | | | | | | |

| open scan | | half-open | | stealth | | sweeps | | misc. |

|___________| |___________| |___________| |________| |_________|

| | | | |

______|______ _____|____ _____|_____ ____|_____ ____|_____

| | | | | | | | | |

| TCP connect | | SYN flag | | FIN flag | | TCP echo | | UDP/ICMP