Chapter 3 The Database as a Networked Server
3.5 Use port scanners—so will the hackers
Shutting down unnecessary communication protocols is a great thing. The next step is to shut down unnecessary networked services and ports. Any database will open and maintain numerous ports on the network, and you should be aware of these. Many people think they understand which services are up and listening on the network, but some only know the half of it; make an effort to track and monitor open ports and services. As an example, most SQL Server database administrators (DBAs) know that 1433 is a port that SQL Server listens on, but before SQL Slammer many were not aware that UDP port 1434 is also active. As another example, Table 3.1 lists the default ports for various Oracle network services that may be active. How many of you Oracle DBAs actually think about all of these?
Another example (from a somewhat different environment) is Table 3.2, which lists the default ports in an Oracle 11i environment (including an Oracle database).
Table 3.1 Oracle Listener Ports

Port Number   Description
1521          Default port for the TNS listener
1522–1540     Commonly used ports for the TNS listener
1575          Default port for the Oracle Names Server
1630          Default port for the Oracle Connection Manager–client connections
1830          Default port for the Oracle Connection Manager–administrative connections
2481          Default port for Oracle JServer/JVM listener
2482          Default port for Oracle JServer/JVM listener using SSL
2483          New officially registered port for the TNS listener
2484          New officially registered port for the TNS listener using SSL

There are two tools you should know about. The first—called netstat—allows you to display current TCP/IP connections. Netstat runs on all operating systems. For example, if I run netstat on my Windows machine (which is at the moment disconnected from the network), I get a listing that includes my SQL Server connection on port 1433 (displayed as ms-sql-s):

Active Connections

  Proto  Local Address            Foreign Address                       State
  TCP    ron-snyhr85g9dj:ms-sql-s localhost:3245                        ESTABLISHED
  TCP    ron-snyhr85g9dj:3241     localhost:ms-sql-s                    TIME_WAIT
  TCP    ron-snyhr85g9dj:3245     localhost:ms-sql-s                    ESTABLISHED
  TCP    ron-snyhr85g9dj:1830     ron-snyhr85g9dj.mshome.net:3203       TIME_WAIT
  TCP    ron-snyhr85g9dj:1830     ron-snyhr85g9dj.mshome.net:3218       TIME_WAIT
  TCP    ron-snyhr85g9dj:1830     ron-snyhr85g9dj.mshome.net:3234       TIME_WAIT
  TCP    ron-snyhr85g9dj:3200     ron-snyhr85g9dj.mshome.net:5500       TIME_WAIT
  TCP    ron-snyhr85g9dj:3215     ron-snyhr85g9dj.mshome.net:5500       TIME_WAIT
  TCP    ron-snyhr85g9dj:3231     ron-snyhr85g9dj.mshome.net:5500       TIME_WAIT
  TCP    ron-snyhr85g9dj:3242     ron-snyhr85g9dj.mshome.net:5500       ESTABLISHED
  TCP    ron-snyhr85g9dj:3244     ron-snyhr85g9dj.mshome.net:5500       ESTABLISHED
  TCP    ron-snyhr85g9dj:3246     ron-snyhr85g9dj.mshome.net:1521       SYN_SENT
  TCP    ron-snyhr85g9dj:3247     ron-snyhr85g9dj.mshome.net:1521       SYN_SENT
  TCP    ron-snyhr85g9dj:5500     ron-snyhr85g9dj.mshome.net:3242       ESTABLISHED
  TCP    ron-snyhr85g9dj:5500     ron-snyhr85g9dj.mshome.net:3244       ESTABLISHED
  TCP    ron-snyhr85g9dj:29839    ron-snyhr85g9dj.mshome.net:2869       TIME_WAIT
Table 3.2 Default Oracle 11i Ports

Component                Default Port
Database                 1521
RPC/FNDFS                1526
Reports Server           7000
Web Server (Apache)      8000
Forms Server             9000
Servlet                  8880
TCF Server               15000
Metrics Server Data      9110
Metrics Server Requests  9120

The second tool you should know about is nmap—one of the most popular port scanners. You need to know about port scanning because it is one of the most popular reconnaissance techniques hackers use to discover services they can break into. Port scanning consists of sending a message to each port and deciding, based on the response, whether a service is running on that port and often what that service is. If you're wondering, port scanning is completely legal and was actually disputed in a federal court in 2000. You would be amazed at the number of port scans any system on the public Internet gets—another reason not to expose your database to the Internet, as discussed in Section 3.1.
Nmap is the most popular free port scanner and is available for UNIX at www.insecure.org. To run nmap, specify a scan type, options, and a host or list of hosts to scan. There are many types of port scans, including connection attempts to the service on the port, sending fragmented packets, sending a SYN packet, sending a FIN packet, and more (SYN and FIN packets are TCP/IP packets used to start and end sessions). There are also numerous nmap options, including ranges of ports to scan and the ability to hide the source IP address. The details are beyond the scope of this chapter, but many of the differences are related to whether the party initiating the port scan can or cannot be easily detected by an administrator on the scanned host, and whether there is an easy way to trace back to the scanner. As an example, if I scan a server running SQL Server and Oracle as well as some additional services like a Web server, I will get the following sample output:
The Connect() Scan took 63 seconds to scan 51000 ports.
Interesting ports on falcon.guardium.com (192.168.2.21):
(The 50970 ports scanned but not shown below are in state: closed)
3339/tcp open unknown
3372/tcp open msdtc
4443/tcp open unknown
5800/tcp open vnc-http
5900/tcp open vnc
7778/tcp open unknown
8228/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 63 seconds
You should perform this scan on your machines. For example, I was actually surprised I had a Web server running on this particular machine and managed to find a security vulnerability in the course of writing this example!
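As an added example (not from the book), here is a small Python audit that applies the approach of this section to both tools: it pulls listening sockets out of netstat output in the Windows layout shown above and open ports out of nmap's connect() scan output, then reports anything not on a baseline built from Tables 3.1 and 3.2. It assumes netstat was run with the -a flag so LISTENING sockets appear, and the sample listings and the baseline set are constructed for the example.

```python
import re

# Baseline of ports this database host is allowed to expose, built from the
# chapter's Tables 3.1/3.2 plus SQL Server's TCP 1433 (constructed baseline).
# UDP 1434 is deliberately absent: it is the port Slammer abused, so it must show up.
EXPECTED_PORTS = {("tcp", p) for p in (1433, 1521, 1526, 1575, 1630, 1830, 2481, 2482, 2483, 2484)}
# Windows netstat prints some well-known ports by name, as in the chapter's listing.
SERVICE_NAMES = {"ms-sql-s": 1433}

# Constructed sample in the layout of Windows "netstat -a" output (-a assumed so
# LISTENING sockets appear next to established connections).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:ms-sql-s       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.2.21:ms-sql-s  192.168.2.30:3245      ESTABLISHED
  TCP    192.168.2.21:3246      192.168.2.40:1521      SYN_SENT
  UDP    0.0.0.0:1434           *:*
"""
# Constructed sample in the layout of the chapter's nmap connect() scan output.
NMAP_SAMPLE = "1433/tcp open ms-sql-s\n1521/tcp open oracle\n3372/tcp open msdtc\n5900/tcp open vnc\n"

def _port(local_address):
    """Port from 'host:port'; service names are mapped back to numbers (None if unknown)."""
    port = local_address.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else SERVICE_NAMES.get(port)

def bound_ports_from_netstat(text):
    """(proto, port) pairs the host is serving: TCP sockets in LISTENING state plus
    every bound UDP socket (UDP rows have no state column, which is how 1434 hides)."""
    found = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            found.add(("tcp", _port(f[1])))
        elif len(f) == 3 and f[0] == "UDP":
            found.add(("udp", _port(f[1])))
    return {fp for fp in found if fp[1] is not None}

def open_ports_from_nmap(text):
    """(proto, port) pairs nmap reported open, from lines like '5900/tcp open vnc'."""
    return {(m.group(2), int(m.group(1)))
            for m in re.finditer(r"^(\d+)/(tcp|udp)\s+open\b", text, re.M)}

def unexpected_ports(found, expected=EXPECTED_PORTS):
    """Open ports missing from the baseline; each one needs an owner or a firewall rule."""
    return sorted(found - expected)
```

Running both parsers against the same host and diffing the results is also useful: a port nmap sees that netstat does not is a sign the scan hit a different machine, or that the listing was taken without -a.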