According to the SANS Institute, Port Scanning is one of the most popular techniques attackers use to discover services that they can exploit to break into systems. Although Port Scanning isn’t inherently hostile, it is often the first step of reconnaissance used by hackers when trying to infiltrate a network or steal/destroy sensitive data. In this article, we will discuss some best practices you can employ to defend against attackers and prevent potential network breaches.
Where do we start?
To conduct a port scan, one must first have a list of active hosts. A network scan is the process of discovering all of the active hosts on a network and mapping them to their IP addresses. With that list in hand, a port scan can be conducted: packets are sent to specific ports on a host and the responses are analyzed to learn details about its running services or to identify potential vulnerabilities.
More on Network Scanning for Host Discovery
The process for determining what systems are up and running and listening on a network is called Host Discovery. This is often the first step used by hackers in a hostile attack. There are two primary protocols used for host discovery: Address Resolution Protocol (ARP) scans, and various forms of Internet Control Message Protocol (ICMP) scans.
An ARP scan is the process of mapping IP addresses to MAC addresses on a local subnet. ARP requests can be sent out to all of the IP addresses on a Local Area Network (LAN) to determine which hosts are up based on the ones that respond with an ARP reply. Because ARP requests only work within a LAN, this requires the potential attacker to be connected to your internal network.
To conduct a network scan outside of the LAN, there are a number of different ICMP packets that can be used instead, such as echo, timestamp, and address mask requests. Echo or ping requests are used to detect if a host can be reached, while timestamp packets determine the latency between two hosts. You can use address mask requests to find out the subnet mask used on the network.
Discovering hosts on a network via ICMP messages depends entirely on receiving a corresponding reply from the targeted hosts. If no response is received, it could mean that there is no host at the target address or that the ICMP message type isn’t supported by the target host. It could also mean that the original request was blocked by a firewall or packet filter. Generally, ICMP echo (ping) requests that do not originate from inside the network are blocked by firewalls, but timestamp and address mask requests are less likely to be blocked.
Moving On to Port Scanning
Now that the network scan has been completed and a list of available hosts has been compiled, a port scan can be used to identify the services in use on specific ports of the available hosts. Port scanning will typically classify ports into one of three categories:
Open: The target host responds with a packet indicating it is listening on that port. It also indicates that the service that was used for the scan (typically TCP or UDP) is in use as well.
Closed: The target host received the request packet but responds back with a reply indicating that there is no service listening on that port.
Filtered: A port scan will categorize a port as filtered when a request packet is sent but no reply is received. This typically indicates that the request packet has been filtered out and dropped by a firewall.
Port Scan Methods
As previously mentioned, TCP and UDP are the protocols generally used in port scanning, and there are several methods of actually performing a port scan with them.
The most commonly used method of TCP scanning is SYN scans. This involves creating a partial connection to the host on the target port by sending a SYN packet and then evaluating the response from the host. If the request packet is not filtered or blocked by a firewall, then the host will reply by sending a SYN/ACK packet if the port is open or a RST packet if the port is closed.
Another method of TCP scanning is the TCP connect scan. This involves the scanner trying to connect to a port on the target host using the TCP connect system call and completing the full TCP handshake. This process creates a lot of overhead in terms of packets and is much easier to detect, making it a less commonly used method of port scanning.
Other types of TCP port scans include NULL, FIN and Xmas. These three types of scans involve manipulating the TCP header flags. NULL scans send packets with no flags set in their headers, while FIN scans only have the FIN bit set. Xmas scan packets have the FIN, PSH and URG flag bits turned on, making them appear to be “lit up like a Christmas tree”, hence the name Xmas scan.
UDP scans work like TCP scans: a UDP packet is sent to various ports on the target host and the response packets are evaluated to determine the availability of the service on the host. As with TCP scans, receiving a response packet indicates that the port is open.
These days, network intrusion detection systems and firewalls are usually pre-configured to detect malicious network scans. Potential attackers, though, have become smarter and can attempt to avoid common detection rules by altering the frequency of the scans, accessing ports out of order, or spoofing their source address. The best way to protect yourself against malicious network scans that can exploit holes in the network is to make sure the holes don’t exist in the first place.
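As an added example (not code from the original article), here is a small Python detector in the spirit of the detection rules described above, run over constructed firewall log lines. It names NULL, FIN and Xmas probes from their TCP flag bits and flags them outright, reports a SYN sweep once a single source has hit a threshold of distinct ports within a time window, and flags ICMP timestamp and address mask requests that arrive from outside the internal address range. The log line format, the IP addresses, the internal range and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# TCP header flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# ICMP message types used for host discovery
ICMP_ECHO_REQUEST, ICMP_TIMESTAMP_REQUEST, ICMP_ADDRMASK_REQUEST = 8, 13, 17

# Hypothetical firewall log format, constructed for this example:
#   ts=<epoch> src=<ip> dst=<ip> proto=tcp dport=<port> flags=<hex TCP flags>
#   ts=<epoch> src=<ip> dst=<ip> proto=icmp type=<icmp type>
LINE_RE = re.compile(
    r"ts=(?P<ts>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>0x[0-9a-fA-F]+))?"
    r"(?: type=(?P<type>\d+))?"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec["flags"] = int(rec["flags"], 16) if rec["flags"] else None
    rec["type"] = int(rec["type"]) if rec["type"] else None
    return rec

def probe_kind(flags):
    """Name a TCP probe from its flag bits; NULL, FIN-only and Xmas never occur in normal traffic."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "Xmas"
    if flags == SYN:
        return "SYN"
    return "other"

def detect_scans(lines, internal_net, window=60, port_threshold=10):
    """Return (source, reason) alerts for scan activity found in the log lines.

    A SYN sweep is reported once a source has sent SYNs to `port_threshold`
    distinct ports within `window` seconds. A scanner that slows down beyond
    the window evades this rule, which is why the window is a parameter.
    """
    internal = ip_network(internal_net)
    recent = defaultdict(deque)          # src -> deque of (ts, dport) SYN probes
    sweep_reported = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        if rec["proto"] == "tcp":
            kind = probe_kind(rec["flags"])
            if kind in ("NULL", "FIN", "Xmas"):
                alerts.append((src, f"{kind} probe to port {rec['dport']}"))
            elif kind == "SYN":
                q = recent[src]
                q.append((rec["ts"], rec["dport"]))
                while q and rec["ts"] - q[0][0] > window:   # drop probes outside the window
                    q.popleft()
                distinct = {port for _, port in q}
                if len(distinct) >= port_threshold and src not in sweep_reported:
                    sweep_reported.add(src)
                    alerts.append((src, f"SYN sweep: {len(distinct)} distinct ports in {window}s"))
        elif rec["proto"] == "icmp":
            if (rec["type"] in (ICMP_TIMESTAMP_REQUEST, ICMP_ADDRMASK_REQUEST)
                    and ip_address(src) not in internal):
                alerts.append((src, f"external ICMP type {rec['type']} request (host discovery)"))
    return alerts

# Constructed sample log: one outside source sends an ICMP timestamp request and
# then sweeps ten TCP ports, a second outside source sends Xmas and NULL probes,
# and an internal host generates benign traffic.
SWEEP_PORTS = [22, 25, 53, 80, 110, 143, 443, 445, 3306, 3389]
SAMPLE_LOG = (
    ["ts=1000 src=203.0.113.5 dst=10.0.0.7 proto=icmp type=13",
     "ts=1001 src=10.0.0.9 dst=10.0.0.7 proto=icmp type=8"]
    + [f"ts={1002 + i} src=203.0.113.5 dst=10.0.0.7 proto=tcp dport={p} flags=0x02"
       for i, p in enumerate(SWEEP_PORTS)]
    + ["ts=1020 src=198.51.100.8 dst=10.0.0.7 proto=tcp dport=80 flags=0x29",
       "ts=1021 src=198.51.100.8 dst=10.0.0.7 proto=tcp dport=80 flags=0x00",
       "ts=1022 src=10.0.0.9 dst=10.0.0.7 proto=tcp dport=443 flags=0x02"]
)

if __name__ == "__main__":
    for src, reason in detect_scans(SAMPLE_LOG, "10.0.0.0/8"):
        print(f"{src}: {reason}")
```

Running the detector over the sample with the default 60-second window yields four alerts: the external timestamp request, the ten-port SYN sweep, and the Xmas and NULL probes. Shrinking the window to 5 seconds makes the same sweep, spread over ten seconds, fall below the threshold and go unreported, which is the frequency-altering evasion mentioned above; flag-based and ICMP-type rules are unaffected by scan speed, so they remain useful however slowly the probes arrive.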
Understanding host vulnerabilities is a critical component of overall network security. As a network engineer, you are responsible for protecting your infrastructure from malware, worms, hackers, trojans, and viruses – reducing the opportunity for exploits to find their way in is your mission.
As is often the case, the best practice here is to fight fire with fire—scan your own networks for vulnerabilities before the bad guys can find them.
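Scanning your own network from the outside is one half of that audit; the other half is knowing what each host actually exposes, so that a scan result can be compared against an approved baseline. As an added example that is not part of the original article, the Python below parses constructed `ss -ltn` output (the Linux listing of listening TCP sockets), ignores listeners bound only to loopback, and reports every port exposed beyond loopback that is not in a hypothetical approved set. The sample output and the approved port set are assumptions made for the example.

```python
from ipaddress import ip_address

# Constructed sample of `ss -ltn` output (not captured from a real host)
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096     127.0.0.1:631        0.0.0.0:*
LISTEN  0       511      *:80                 *:*
LISTEN  0       70       0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128      [::]:22              [::]:*
LISTEN  0       128      [::1]:5432           [::]:*
"""

# Hypothetical baseline: ports this host is approved to expose beyond loopback
APPROVED_EXPOSED_PORTS = {22, 80, 443}

def parse_listeners(ss_output):
    """Return (bind_address, port) pairs for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # split on the last colon (IPv6 safe)
        listeners.append((addr, int(port)))
    return listeners

def is_loopback_bind(addr):
    """True when the socket is bound only to a loopback address (127.0.0.0/8 or ::1)."""
    addr = addr.strip("[]")
    if addr in ("*", ""):        # wildcard binds are reachable from any interface
        return False
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False

def audit_exposure(ss_output, approved=APPROVED_EXPOSED_PORTS):
    """Return (bind_address, port) for listeners reachable beyond loopback but not approved."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if is_loopback_bind(addr):
            continue
        if port not in approved:
            findings.append((addr, port))
    return findings

if __name__ == "__main__":
    for addr, port in audit_exposure(SAMPLE_SS_OUTPUT):
        print(f"unexpected exposed listener: {addr}:{port}")
```

In the sample, the CUPS listener on 127.0.0.1:631 and the PostgreSQL listener on [::1]:5432 are local-only and pass, SSH and HTTP match the baseline, and the MySQL listener on 0.0.0.0:3306 is reported as an unapproved exposure; it is exactly the kind of port an external SYN scan would find open. Running the same check on every host and diffing it against the baseline turns "scan your own network" into a repeatable control rather than a one-off exercise.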