Anatomy of an Attack


February 2004


Data Gathering > Ping, Port and Service Scanning:

A hacker will attempt to discover which external IP addresses are currently mapped to responding machines using a ping sweep. A ping sweep sends an ICMP packet to each IP address within a range, asking whether a computer is there to respond. If a computer responds, the reply is logged along with the remote IP address for future reference. A ping sweep gives the attacker a sense of how many externally facing systems a network has, and therefore more targets to attack in order to gain access to the corporate network or target system. Any publicly open port or running service has the potential to be exploited. The more ports and services that are open and running, the greater the likelihood that a hacker will be able to find an exploit on the server. More services from more unique vendors mean more time must be spent patching those services against the latest vulnerabilities, which gives the hacker a greater probability of compromising the server. Hackers love systems with a large attack surface and will use this to look for the systems that are most likely to be exploitable.

Once a system has been discovered, the hacker will attempt to connect to each port of the system, looking for any that reply. A listening port must reply to requests for it to be useful to legitimate clients; however, all ports without a service running on them should be stealthed and firewalled. There are three ways a firewall can reply to a port scan: Open, Closed and Stealthed. Open allows the port to send and receive traffic; a port must be Open for a client to start a connection with the server. If a port is Closed, the firewall responds that there is no service running on that port. Stealthed ports do not reply in any way; this is the most secure option because no information at all is sent back to the hacker. A full port scan attempts to connect over both TCP and UDP. Some port scanners can scan only interesting ports, random ports, or all ports in order; scanning all ports out of order makes it more difficult for Intrusion Detection Systems to detect the port scan.

Intrusion Detection Systems (IDS) attempt to detect unauthorized access to the server before the hacker has compromised it. An IDS uses a number of methods to detect an intrusion, including watching for port scan attempts and password cracking attempts; once a hacker has gained access, the IDS continues to watch the system for odd behavior such as certain applications running from unprivileged accounts, or new applications taking up a large amount of computer resources. If a hacker spoofs the incoming port scanning requests to look as though they come from many different IPs and does not scan the ports in order, it is very difficult for the IDS to identify and terminate the active port scan.
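An added example, not from the original article, of the detection logic an IDS or log-analysis script can apply to the port-scan behaviour described above. It counts distinct destination ports per source within a time window (the classic signature) and also per target regardless of source, so that a scan spread across many spoofed source addresses in random port order still fires. The log format, sample lines and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample firewall log (not from the article). Assumed format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
SAMPLE_LOG = """\
2004-02-10T09:00:01 198.51.100.7 -> 192.0.2.10:3389 tcp drop
2004-02-10T09:00:01 198.51.100.7 -> 192.0.2.10:22 tcp drop
2004-02-10T09:00:02 198.51.100.7 -> 192.0.2.10:80 tcp accept
2004-02-10T09:00:03 198.51.100.7 -> 192.0.2.10:25 tcp drop
2004-02-10T09:00:10 203.0.113.5 -> 192.0.2.10:80 tcp accept
2004-02-10T09:00:11 203.0.113.5 -> 192.0.2.10:80 tcp accept
2004-02-10T09:01:00 203.0.113.21 -> 192.0.2.11:21 tcp drop
2004-02-10T09:01:01 203.0.113.22 -> 192.0.2.11:139 tcp drop
2004-02-10T09:01:02 203.0.113.23 -> 192.0.2.11:1433 tcp drop
2004-02-10T09:01:03 203.0.113.24 -> 192.0.2.11:23 tcp drop
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+) (\w+)$")

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port, proto, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the assumed format are skipped
            ts, src, dst, port, proto, action = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(port), proto, action))
    return events

def _keys_over_threshold(groups, window_sec, threshold):
    """Keys whose (timestamp, port) items reach >= threshold distinct ports in a window."""
    hits = set()
    for key, items in groups.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            ports = {p for t, p in items[i:] if (t - start).total_seconds() <= window_sec}
            if len(ports) >= threshold:
                hits.add(key)
                break
    return hits

def detect_scans(events, window_sec=60, port_threshold=4):
    """Return (per_source, per_target) port-scan alerts. per_source: (src, dst) pairs where
    one source probed many ports of one host. per_target: hosts probed on many ports by ANY
    mix of sources, which still fires when the scan is spread over spoofed addresses."""
    by_source, by_target = defaultdict(list), defaultdict(list)
    for ts, src, dst, port, _proto, _action in events:
        by_source[(src, dst)].append((ts, port))
        by_target[dst].append((ts, port))
    return (_keys_over_threshold(by_source, window_sec, port_threshold),
            _keys_over_threshold(by_target, window_sec, port_threshold))
```

With the sample log, the single scanner 198.51.100.7 is caught by the per-source rule, while the four-address sweep of 192.0.2.11 is caught only by the per-target rule.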

After the hacker has port scanned the remote machine, the attacker will attempt to discover what service is running on each port. In this step the more information the better: the attacker will be looking for the vendor, service name and version number, and any other information that can be gathered by grabbing the header or reply the service returns without authentication. The more information the hacker is able to gather, the more focused the attack can become.

By analyzing the TCP/IP stack, an attacker can guess with a high degree of probability which Operating System the server is running. Once this is known, the attacker can focus their attacks further on that specific OS. This technique relies on the slightly different ways in which different vendors implement the TCP/IP stack.

Techniques:

Technique                        Information Gathered
Ping Sweep                       Discover which machines are alive within a network block
TCP/UDP/Stealth port scanning    Discover which ports are responding to connect requests
OS Detection                     Discover which Operating System the server is running


Tools:

Fping – Fping is a great network pinging utility. Its massively parallel design allows a hacker to ping many hosts simultaneously without waiting for a response from the previous machine.

Nmap – Nmap is a very full-featured application that allows a hacker to attack and scan a server in a number of ways, including pinging, port scanning and other malicious attack requests.

SuperScan – A free and fast Windows TCP port scanner from Foundstone.

Queso – An easy-to-use operating system detection tool. This tool only requires one port to be open.

Provided by: Security Innovation, The Application Security Company