Attackers commonly gain a foothold on a LAN, or reach one across the Internet by modem, and then probe the systems attached to it. Port scanning sends a probe to each port of a target in turn and records which ones answer, so the attacker learns which ports are in use. Targets are probed for many reasons, but the object is always information. The defender's goal is the reverse: to keep open ports available only to authorized users, not to attackers or other unauthorized persons, and to deny access to closed ports altogether.
The more scanners there are, the more attacks become possible. Nmap is the leading example, offering many advanced scanning techniques and functions. A scanner is a program that examines the security of local or remote hosts.
Description
To understand the scanning tools and methods in use, the following questions need answers:
What can a scanner do for us?
What does a scan look like on the wire (its signature)?
What steps does it take to complete its task?
What kind of information is collected?
How serious is the threat?
We have to recognize scanning techniques and intruder behaviour. With an intrusion detection system in place, identifying the pattern of a scanning technique gives us an early indication of a probable attempt at unprivileged access. That requires an understanding of port scan techniques, of which many exist and are automated by popular tools such as Nmap. The following Nmap scan types are the subject of this paper:
The Nmap TCP XMAS Scan
The Nmap TCP ACK Scan
Many other port scanning techniques are available, but our concern is to illustrate these two. Nmap lets an administrator discover which hosts are present on a large network and which services they run, and it supports several probe types: TCP connect(), TCP SYN, ACK sweep, Xmas tree and others.
Nmap also provides advanced features such as remote operating system detection by TCP/IP stack fingerprinting, parallel scanning with dynamic delays and retransmission, host discovery by parallel ping, and detection of filtering. When Nmap is run it prints a list of the scanned host's ports with the following information:
Port number
Service name
State and protocol
Port number and service name are self-explanatory; the state needs clarification. Nmap reports a port as open, closed, filtered or unfiltered (and, for scan types that cannot tell two of these apart, combinations such as open|filtered). Open means the target will accept a connection on that port. Closed means the port is reachable but no application is listening on it. Filtered means a firewall or other filter prevents the probes from reaching the port, so Nmap cannot tell whether it is open. Unfiltered means the port is reachable but the scan type used (the ACK scan) cannot tell whether it is open or closed.
Port scanning sounds simple, but the responding system complicates it: a closed port answers with a RST segment, the TCP equivalent of a "this port is unavailable" message, while ports behind a firewall return nothing at all.
The TCP Xmas scan lets an attacker tell closed ports from ports that are open or filtered. Each probe is sent with the FIN, URG and PSH flags set at once (hence "Christmas tree"), a combination that never occurs in a legitimate connection. RFC 793 specifies that a segment arriving at a listening port with none of SYN, RST or ACK set is silently discarded, whereas the same segment arriving at a closed port must be answered with a RST. The attacker therefore sends these rule-breaking segments and reads every RST reply as a closed port; silence means the port is open or filtered, which Nmap reports as open|filtered. Because no SYN is sent, the probes slip past stateless firewalls and ACLs that match only on connection attempts, and for a time they also went unlogged on the target, since no connection was ever attempted. Speed and stealth made the Xmas scan very useful to attackers, but the stealth was short-lived: IDS/IPS systems now detect the flag combination immediately. The scan is also limited by the target operating system. Windows and a number of other stacks answer RST on every port regardless of its state, so all ports appear closed, and when a firewall drops the probes every port appears open|filtered instead. Resolving these cases needs a second scan type.
SYN scanning illustrates the contrast. The client sends a SYN segment to the target port; the reply indicates whether the port is open or closed without a full connection ever being completed.
Figure 1: SYN scan against a closed port (client sends SYN, server answers RST)
When the port is closed, the SYN sent to the target draws a RST. When the port is listening, the SYN draws a SYN/ACK, and the scanner answers with a RST so the half-open connection is never completed; this is why the SYN scan is also called a half-open or stealth scan. A port that returns nothing is reported as filtered.
Figure 2: client/server exchange when the port is open (SYN answered by SYN/ACK)
The Xmas scan is shown in the following figures. The attacker sends a segment with the FIN, PSH and URG flags set. When nothing comes back, the port is taken to be open (or filtered); when a RST is received, the port is closed.
Figure 3: Xmas probe to an open port (the FIN/PSH/URG segment is dropped and nothing is returned)
Figure 4: Xmas probe to a closed port (the server answers RST/ACK)
The TCP ACK scan is used to learn about firewall and ACL configuration. It reveals the filter configuration rather than port state.
On its own the ACK scan gives limited results; combined with a SYN scan it yields a fuller picture of the firewall. RFC 793 requires a host to answer an unsolicited ACK segment with a RST whether the port is listening or closed, so a RST tells the attacker the probe reached the host: Nmap reports such ports as unfiltered. A stateful firewall drops ACK segments that belong to no tracked connection, so no reply comes back and the port is marked filtered. Reading the SYN and ACK results together for each port maps out the firewall rule set and tells the attacker whether the firewall is stateful or stateless. If the SYN draws a SYN/ACK or RST and the ACK draws a RST, the port is unfiltered and nothing stateful sits in the path. If the SYN draws no reply but the ACK still draws a RST, a stateless filter is blocking connection attempts by flag while letting stray ACKs through. If the SYN is answered but the ACK is dropped, the filter is stateful. If neither probe gets a response, a rule is blocking the port outright, which either kind of firewall can do. The ACK scan is fast compared with other scan types and relatively quiet, but it cannot tell open ports from closed ones: alone it reports only filtered or unfiltered, and the stateful-versus-stateless distinction, like the open/closed state, comes only from combining it with SYN probes.
The two techniques are elaborated with examples. The target is a PC or laptop running Windows XP SP2 with the firewall enabled on the scanned interface. The SYN scan reports that all ports are filtered. The options used are:
-v for increased verbosity, -A for OS and version detection, -p1-65535 to set the range of ports to scan
This scan took about fifty minutes to complete. Reliable OS detection needs at least one open and one closed port, which a fully firewalled host does not provide.
C:\Documents and Settings\Administrator>nmap -v -A -p1-65535 192.168.1.64
Starting NMap 4.20 (http://insecure.org) at 2010-05-23 16:04
Initiating ARP Ping Scan at 16:04
Scanning 192.168.1.64 [1 port]
Completed ARP Ping Scan at 16:04, 0.17s
Initiating Parallel DNS resolution of 1 host. at 16:04
Completed Parallel DNS resolution of 1 host. at 16:04, 0.03s elapsed
Initiating SYN Stealth Scan at 16:04
Scanning 192.168.1.64 [65535 ports]
Completed SYN Stealth Scan at 16:54, 2951.77s elapsed (65535 total ports)
Initiating Service scan at 16:54
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/.
NMap finished: 1 IP address (1 host up) scanned in 2976.652 seconds
Raw packets sent: 131095 (5.770MB) | Rcvd: 1 (42B)
-vv may be used for still more detailed reporting.
To elaborate further, a TCP connect scan of all ports on the same PC or laptop was run from a Windows 2003 Server SP1 machine. This time too all ports are filtered, and the scan took nearly two hours. The command and options used were:
C:\WINDOWS\system32\drivers\etc>nmap -sT -p1-65535 192.168.1.64
Starting NMap 4.20 (http://insecure.org) at 2010-04-24 00:39
All 65535 scanned ports on 192.168.1.124 are filtered
MAC Address: 00:16:41:17:9D: B1 (USI)
NMap finished: 1 IP address (1 host up) scanned in 6925.996 seconds
-sT selects the TCP connect scan and -p1-65535 specifies the full range of TCP ports, 1 to 65535; -v may be added for increased verbosity.
In this paper we have discussed the Nmap technique and the related literature. Nmap can also detect the remote operating system. Why detect it? Discovering the underlying OS and the services a device runs is the obvious reason: OS detection helps reduce false positives, because determining a vulnerability remotely is difficult, and it tells the attacker which exploit applies. Many techniques are used to detect the operating system, and new ones continue to be tried, not all of which have yet proved a good fit; new methods are being developed to work alongside Nmap. Exploit chronology can distinguish versions of the same operating system: some vendors update their systems promptly while others fix bugs only eventually, and those fixes are easy to detect. Send one attack; if the system does not respond, contact it again immediately. If it still does not respond, you have narrowed the OS down to the versions that shipped without the fix.
Simulating the presence of many hosts on a network, as a honeypot does, presents its own problems. Such a system must first accept incoming TCP connections and then simulate the application servers running over TCP. Establishing a connection between client and server takes an exchange of three segments, the three-way handshake.
Rise of Stealth Scanning
When an attacker scans ports, the network administrator usually remains unaware of it. Stealth scanning has grown in popularity with attackers precisely because it leaves the administrator little evidence. The question is how stealth scanning has proved so effective at evading intrusion detection systems. Many techniques have been developed for it. One of the simplest, adopted to improve the stealth of a scan, is the slow scan, in which time is the hiding factor: the attacker who does not want to be noticed probes each port only after a long interval, so the scan of a single port takes a long time and no burst of activity appears. This is a low-tech approach, but it proves that unless a history of all attempts against all ports is kept on record, detection is very difficult.
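The point about history is worth seeing in code, so the following Python detector is added here as an example (it is not code from this paper or from any IDS). It runs two rules over a constructed connection log: a sliding-window rule that flags a source touching several distinct ports within a short window, and a rule that keeps each source's full history of distinct ports. The log lines, addresses and thresholds are made up for the example; the fast scanner is caught by both rules, the slow scanner only by the history.

```python
"""Slow-scan detection over connection-attempt logs: a short sliding window
misses a scan spread over time; a per-source history of distinct ports does
not.  Constructed example with synthetic log lines, not Nmap or IDS code."""
import re
from collections import defaultdict

# Constructed log lines: "<epoch seconds> <src> -> <dst>:<dport> <flags>"
# 10.0.0.7 probes six ports in 17 seconds; 10.0.0.9 probes the same six
# ports five minutes apart; 10.0.0.5 is a normal client hitting port 80.
LOG = """\
1000 10.0.0.7 -> 192.168.1.64:22 S
1005 10.0.0.7 -> 192.168.1.64:23 S
1009 10.0.0.7 -> 192.168.1.64:25 S
1012 10.0.0.7 -> 192.168.1.64:53 S
1014 10.0.0.7 -> 192.168.1.64:80 S
1017 10.0.0.7 -> 192.168.1.64:110 S
1000 10.0.0.9 -> 192.168.1.64:22 S
1300 10.0.0.9 -> 192.168.1.64:23 S
1600 10.0.0.9 -> 192.168.1.64:25 S
1900 10.0.0.9 -> 192.168.1.64:53 S
2200 10.0.0.9 -> 192.168.1.64:80 S
2500 10.0.0.9 -> 192.168.1.64:110 S
1003 10.0.0.5 -> 192.168.1.64:80 S
1400 10.0.0.5 -> 192.168.1.64:80 S
"""

LINE = re.compile(r"^(\d+) (\S+) -> \S+:(\d+) (\S+)$")


def parse(log):
    """Yield (time, src, dport, flags) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield int(m[1]), m[2], int(m[3]), m[4]


def windowed_detect(log, window, threshold):
    """Sliding-window rule: flag a source that touches at least `threshold`
    distinct ports within `window` seconds.  Events are processed in time order."""
    recent = defaultdict(list)          # src -> [(t, port), ...] within the window
    flagged = set()
    for t, src, port, _ in sorted(parse(log)):
        recent[src] = [(t0, p) for t0, p in recent[src] if t - t0 <= window]
        recent[src].append((t, port))
        if len({p for _, p in recent[src]}) >= threshold:
            flagged.add(src)
    return flagged


def history_detect(log, threshold):
    """History rule: keep every distinct port each source has ever probed."""
    seen = defaultdict(set)
    for _, src, port, _ in parse(log):
        seen[src].add(port)
    return {src for src, ports in seen.items() if len(ports) >= threshold}


if __name__ == "__main__":
    print("60 s window:", windowed_detect(LOG, 60, 5))   # fast scanner only
    print("history    :", history_detect(LOG, 5))        # both scanners
```

The history rule costs memory that grows with the number of sources and ports seen, which is exactly the trade-off the slow scan exploits; a real sensor bounds it by expiring entries after days rather than seconds.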
Spoofing
The main technique attackers use to conceal their identity and location is spoofing. It is used to gain unauthorized access: the intruder sends packets whose source IP address belongs to a trusted host, so the recipient treats them as though they came from that host. The attacker's intent in using a spoofed address is to hide who and where they are.
A second form of spoofing works at the Ethernet and IP layers through the Address Resolution Protocol. By spoofing ARP information the attacker appears as a different computer on the local area network. Although a MAC address is nominally fixed, it can be changed on Linux and other operating systems with readily available programs, so port scanning activity then appears to come from a MAC address that does not match the actual computer. Nmap itself supports IP source spoofing, packet fragmentation, decoy scanning and many other useful features, which give an attacker much the same knowledge of a system that its administrator has. We have also discussed remote operating system detection briefly; in the attacker's hands that is done by fingerprinting. TCP/IP is a specification, but each vendor's implementation behaves slightly differently: fed the same ordinary data, the stacks react alike, but fed unusual or malformed data they react a little differently. Operating systems are compared on the basis of these small differences and a fingerprint is created, which is also useful for targeting specific services. The problems attackers face today in concealing their identity and location thus already have solutions.
The legal and ethical issues around Nmap are controversial, and few cases have reached court; it is more an ethical question than a legal one. Ethics gives us the rules and regulations, and we are expected to follow them. In practice, if you port scan a host, its ISP may notice the scan and send a complaint to the network service provider from which the scan originated. The legal authorities become involved when you harm a large company; in the United States the Computer Fraud and Abuse Act, 18 U.S.C. 1030(a)(5)(B), applies to anyone involved in such activity.
Conclusions
In this paper we have discussed Nmap and two of its main scan types, the TCP XMAS scan and the TCP ACK scan, together with their advanced features. The flaws in each and their possible remedies have been considered from the attacker's point of view. The number of port scanning techniques keeps rising, and with it the attempts to gather intelligence on, and eventually break into, local as well as remote networks. Intrusion detection systems stand in the attackers' way, but attackers take up the challenge by devising new probes to get into networks. We have also shown how an attacker detects the operating system of remote computers to get maximum information about the network. Used on the administrator's side, the same tool makes the possible attacks visible, along with the ways to prevent port detection.