
Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology


Academic year: 2021



Port Scanning and

Vulnerability Assessment

ECE4893 – Internetwork Security

Georgia Institute of Technology



• Reconnaissance

• Scanning

• Network Mapping

• OS detection



• Internet Network Information Center (InterNIC) whois database: www.internic.net/whois.html

• Registrar’s database i.e.


• American Registry for Internet Numbers (ARIN)



Scanning: Network Mapping

Ping and traceroute



Cheops-ng

Created by Mark Spencer for Linux systems, available at


Purpose: “To provide system administrators and users with a simple interface to managing and accessing their networks. Cheops aims to do for the network what the file manager did for the filesystem.” This tool automates ping and traceroute.


Cheops-ng: What does it do?

• Finds active hosts in a network

• Determines the names of active hosts

• Discovers host operating systems

• Detects open ports

• Maps the complete network in a graphical format

• Monitors hosts


Cheops-ng: How does it work?

• Utilizes ICMP “ping” packets to search a network for live hosts

• DNS zone transfers (via nslookup) are used to list hosts

• Invalid flags on TCP packets (queso) are used to detect the OS

• Half-open TCP connections are used to detect open ports

• UDP packets with small TTL values are used to map the network (the traceroute technique)
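The last bullet is the whole of the mapping step: every router that answers a small-TTL probe with ICMP Time Exceeded is one hop on the path, and merging the paths to many destinations gives the network graph. The following example is added here and is not code from the lecture or from Cheops-ng; the hop lists are constructed sample data and the node names (including the `scanner` root) are hypothetical.

```python
"""Merge traceroute-style hop lists into a network map.

Added example, not from the lecture or from Cheops-ng itself. Cheops maps a
network from the routers that answer probes sent with small TTL values (what
traceroute does). The hop lists below are constructed sample data; the code
merges them into one tree of routers and end hosts, i.e. the structure a
graphical mapper draws. All addresses and node names are hypothetical.
"""
from collections import defaultdict

# Constructed sample: destination host -> ordered hop addresses as traceroute
# would report them. "*" is a hop that sent no ICMP Time Exceeded reply.
SAMPLE_TRACES = {
    "10.0.2.10": ["10.0.0.1", "10.0.2.1", "10.0.2.10"],
    "10.0.2.11": ["10.0.0.1", "10.0.2.1", "10.0.2.11"],
    "10.0.3.10": ["10.0.0.1", "10.0.3.1", "10.0.3.10"],
    "10.0.4.7":  ["10.0.0.1", "*", "10.0.4.1", "10.0.4.7"],
}

ROOT = "scanner"  # the probing host itself, the root of the map


def build_topology(traces):
    """Return (edges, routers, hosts).

    edges   : node -> set of next-hop nodes reached from it
    routers : intermediate hops (answered with ICMP Time Exceeded)
    hosts   : final destinations
    A silent hop ("*") becomes a placeholder node named after the hop before
    it, so silent hops on different paths are not merged into one node.
    """
    edges = defaultdict(set)
    routers, hosts = set(), set()
    for dest, hops in traces.items():
        prev = ROOT
        for hop in hops:
            node = hop if hop != "*" else f"unknown-after-{prev}"
            edges[prev].add(node)
            (hosts if hop == dest else routers).add(node)
            prev = node
    return dict(edges), routers, hosts


def render(edges, node=ROOT, depth=0, hosts=frozenset()):
    """Return the map as indented text lines, end hosts tagged '[host]'."""
    tag = " [host]" if node in hosts else ""
    lines = ["  " * depth + node + tag]
    for child in sorted(edges.get(node, ())):
        lines.extend(render(edges, child, depth + 1, hosts))
    return lines


if __name__ == "__main__":
    edges, routers, hosts = build_topology(SAMPLE_TRACES)
    print("\n".join(render(edges, hosts=hosts)))
```

Silent hops are kept as placeholder nodes rather than dropped, because dropping them would make the router after the silent hop look directly attached to the router before it and the map would understate the path length.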


Scanning: Port scanning (1)

Why: To find open ports in order to exploit them.

How:

• TCP Connect -- attempts to complete the 3-way handshake; look for SYN-ACK; easy to detect, since the target records the completed connection

• TCP SYN Scan -- “half-open” scan; look for SYN-ACK, then send RESET; the target system will not record the connection; also faster than a TCP Connect scan

• TCP FIN, Xmas Tree, Null Scans -- scans that violate the protocol; closed ports send RESET, open ports send nothing (Windows does not respond to these scans)


Port scanning (2)

How (cont.):

• TCP ACK Scan -- may be useful for getting past packet filters (the filter takes the ACK for a response to a request from inside the firewall); if a RESET is received, the port is known to be reachable through the firewall

• FTP Bounce Scan -- ask the FTP server to send a file to a victim machine inside its network, so the connection attempt originates from the server rather than from the scanner (most servers have disabled this feature)

• UDP Scan -- unreliable; if an ICMP Port Unreachable message is received, assume closed, otherwise assume open


Port scanning (3)

Additional Info:

• Decoys -- insert false source IP addresses in scan packets

• Ping Sweeps -- identify active hosts on a target network

• Find RPCs -- connect to each open port looking for common RPC services (send NULL RPC commands)


OS detection

Why: To determine what Operating System is in use in order to exploit known vulnerabilities.

• Also known as TCP stack fingerprinting.

• Takes advantage of the ambiguity in the RFCs about how illegal combinations of TCP code bits should be handled.

• Each OS responds to illegal combinations in a different way.
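The scan types on the three port-scanning slides and the illegal flag combinations used for OS detection all leave a recognisable trace in the traffic a target sees. The example below is added here and is not code from the lecture or from any tool it names: it is a sensor-side detector that reads a constructed packet log (documentation-range addresses, invented ports and timings) and reports, per source, half-open SYN probes, SYN sweeps across many ports, and packets whose flag combination matches a FIN, Xmas Tree, Null or SYN+FIN probe. The sweep threshold is an assumption chosen for the sample.

```python
"""Detect port-scan traffic in a packet log (added example, defender side).

Not from the lecture or any tool it cites. Each record is a constructed
(time, src, sport, dst, dport, flags) tuple; flags use sniffer letters
S=SYN A=ACK F=FIN R=RST P=PSH U=URG, and "" means no flags set.
"""
from collections import defaultdict

SAMPLE = [
    (1.00, "192.0.2.5", 40001, "198.51.100.7", 22, "S"),
    (1.01, "198.51.100.7", 22, "192.0.2.5", 40001, "SA"),
    (1.01, "192.0.2.5", 40001, "198.51.100.7", 22, "R"),    # RST instead of ACK: half-open
    (1.02, "192.0.2.5", 40002, "198.51.100.7", 25, "S"),
    (1.02, "198.51.100.7", 25, "192.0.2.5", 40002, "RA"),   # closed port answers RST
    (1.03, "192.0.2.5", 40003, "198.51.100.7", 80, "S"),
    (1.03, "198.51.100.7", 80, "192.0.2.5", 40003, "SA"),
    (1.03, "192.0.2.5", 40003, "198.51.100.7", 80, "R"),
    (1.04, "192.0.2.5", 40004, "198.51.100.7", 443, "S"),
    (1.04, "198.51.100.7", 443, "192.0.2.5", 40004, "RA"),
    (1.05, "192.0.2.5", 40005, "198.51.100.7", 8080, "S"),
    (1.05, "198.51.100.7", 8080, "192.0.2.5", 40005, "RA"),
    (1.10, "192.0.2.5", 40006, "198.51.100.7", 21, "FPU"),  # Xmas Tree probe
    (1.11, "192.0.2.5", 40007, "198.51.100.7", 23, ""),     # Null probe
    (1.12, "192.0.2.5", 40008, "198.51.100.7", 22, "SF"),   # SYN+FIN: illegal combination
    # An ordinary client: full handshake, then data.
    (2.00, "192.0.2.9", 51000, "198.51.100.7", 80, "S"),
    (2.01, "198.51.100.7", 80, "192.0.2.9", 51000, "SA"),
    (2.01, "192.0.2.9", 51000, "198.51.100.7", 80, "A"),
    (2.02, "192.0.2.9", 51000, "198.51.100.7", 80, "PA"),
]

# Flag sets that a conforming client never sends on its own.
ILLEGAL_FLAGS = {
    frozenset(): "Null scan (no flags set)",
    frozenset("F"): "FIN scan",
    frozenset("FPU"): "Xmas Tree scan",
    frozenset("SF"): "SYN+FIN (illegal combination, typical of OS fingerprinting)",
}

SWEEP_THRESHOLD = 4  # assumed: distinct (host, port) targets SYN-probed by one source


def analyse(packets, threshold=SWEEP_THRESHOLD):
    """Return {source_ip: [finding, ...]} for sources that look like scanners.

    1. illegal flag combinations (FIN / Xmas / Null / SYN+FIN)
    2. half-open probes: SYN, SYN-ACK from the target, then RST from the
       initiator without the ACK that would complete the handshake
    3. SYN sweeps: one source sending SYN to many distinct targets
    """
    findings = defaultdict(list)
    syn_targets = defaultdict(set)     # src -> {(dst, dport)}
    conns = {}                         # (client, sport, server, dport) -> state

    # Stable sort by time keeps same-timestamp records in capture order.
    for _, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        fl = frozenset(flags)
        if fl in ILLEGAL_FLAGS:
            findings[src].append(f"{ILLEGAL_FLAGS[fl]} to {dst}:{dport}")
            continue
        if fl == {"S"}:
            syn_targets[src].add((dst, dport))
            conns[(src, sport, dst, dport)] = "syn"
        elif fl == {"S", "A"}:
            key = (dst, dport, src, sport)          # reply: swap endpoints
            if conns.get(key) == "syn":
                conns[key] = "synack"
        elif fl == {"R"}:
            key = (src, sport, dst, dport)
            if conns.get(key) == "synack":
                conns[key] = "half-open"
                findings[src].append(f"half-open SYN scan of {dst}:{dport} (port open)")
        elif "A" in fl:
            key = (src, sport, dst, dport)
            if conns.get(key) == "synack":
                conns[key] = "established"        # a real client finished the handshake

    for src, targets in syn_targets.items():
        if len(targets) >= threshold:
            ports = sorted(p for _, p in targets)
            findings[src].append(f"SYN sweep of {len(targets)} targets, ports {ports}")
    return dict(findings)


if __name__ == "__main__":
    for src, items in analyse(SAMPLE).items():
        print(src)
        for item in items:
            print("  " + item)
```

The half-open check is the interesting one for detection: the lecture notes that the target "will not record" a SYN scan because no connection is ever established, so the evidence has to come from a sensor that sees the SYN, SYN-ACK, RST sequence rather than from the application log.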



Nmap

Purpose: “To allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.” Available at: http://www.insecure.org/nmap/


Nmap: What does it do?

• Port scanning

• OS detection

• Ping sweeps


Nmap: How does it work?

• Null Scan

• IP Protocol

• SYN sweep

• Xmas Tree

• ACK sweep

• ICMP (ping sweep)

• Reverse-Identification

• ftp proxy (bounce attack)

• TCP SYN (half open)

• TCP connect()



Nmap: How does it work? (2)

• Uses the following OS detection techniques

• TCP/IP fingerprinting

• stealth scanning

• dynamic delay and retransmission calculations

• parallel scanning

• detection of down hosts via parallel pings

• decoy scanning

• port filtering detection

• direct (non-portmapper) RPC scanning

• fragmentation scanning


Vulnerability Assessment (1)

Vulnerabilities come from:

• Default configuration weakness

• Configuration errors

• Security holes in applications and protocols

• Failure to implement patches!


Vulnerability Assessment (2)

Vulnerability checkers use:

• Database of known vulnerabilities

• Configuration tool

• Scanning engine

• Knowledge base of current scan

• Report generation tool



Nessus

Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.”

Security Scanner: “A software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way.”

Available platforms: UNIX (client and server); Windows (client only)


Nessus: What does it do?

• Iteratively tests a target system (or systems) for known, exploitable vulnerabilities

• Uses a separate plug-in (written in C or in the Nessus Attack Scripting Language, NASL) for each security test

• Can test multiple hosts concurrently

• Produces a thorough vulnerability assessment report at the conclusion of the vulnerability scan
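The components listed under Vulnerability Assessment (2) and the plug-in-per-test design described for Nessus fit together as one small program, shown below as an added example; it is not code from the lecture or from Nessus. The vulnerability database entries (the `EXAMPLE-` identifiers, product names and version thresholds), the host banners and the port-to-service table are all constructed for the example and do not describe real advisories.

```python
"""A minimal vulnerability checker with the lecture's components (added example).

Not from the lecture or from Nessus. Components, in the lecture's order:
  1. database of known vulnerabilities   (VULN_DB, constructed placeholders)
  2. scanning engine                     (scan)
  3. knowledge base of the current scan  (the per-host `kb` dict)
  4. one plug-in per security test       (plugin_* functions, as Nessus does)
  5. report generation                   (report)
"""
import re

VULN_DB = [  # constructed entries; IDs and thresholds are invented for this example
    {"id": "EXAMPLE-0001", "service": "ssh", "fixed_in": (2, 4, 0),
     "severity": "high", "title": "ExampleSSH before 2.4.0 (placeholder advisory)"},
    {"id": "EXAMPLE-0002", "service": "ftp", "check": "anonymous",
     "severity": "medium", "title": "anonymous FTP login permitted"},
    {"id": "EXAMPLE-0003", "service": "finger", "check": "useless",
     "severity": "low", "title": "finger daemon exposed (useless service)"},
]
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
PORT_NAMES = {21: "ftp", 22: "ssh", 79: "finger", 80: "http"}  # constructed, sample only

# Constructed scan input: open port -> banner the engine's banner grab returned.
SAMPLE_HOSTS = {
    "198.51.100.7": {21: "220 ExampleFTP 1.0.2 ready (anonymous login allowed)",
                     22: "SSH-2.0-ExampleSSH_2.3.1",
                     80: "Server: ExampleHTTP/1.0"},
    "198.51.100.8": {22: "SSH-2.0-ExampleSSH_2.5.0",
                     79: "finger"},
}


def parse_version(banner):
    """Extract the first x.y.z version from a banner as an int tuple, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def _finding(entry, port):
    return {"id": entry["id"], "port": port,
            "severity": entry["severity"], "title": entry["title"]}


def plugin_outdated_version(kb):
    """Flag services whose banner version is below the database's fixed_in."""
    return [_finding(e, port)
            for port, svc in kb["services"].items() for e in VULN_DB
            if "fixed_in" in e and e["service"] == svc["name"]
            and svc["version"] is not None and svc["version"] < e["fixed_in"]]


def plugin_anonymous_ftp(kb):
    """Flag FTP banners that advertise anonymous login (banner keyword check)."""
    return [_finding(e, port)
            for port, svc in kb["services"].items() for e in VULN_DB
            if e.get("check") == "anonymous" and e["service"] == svc["name"]
            and "anonymous" in svc["banner"].lower()]


def plugin_useless_services(kb):
    """Flag services that should simply not be exposed."""
    return [_finding(e, port)
            for port, svc in kb["services"].items() for e in VULN_DB
            if e.get("check") == "useless" and e["service"] == svc["name"]]


PLUGINS = [plugin_outdated_version, plugin_anonymous_ftp, plugin_useless_services]


def scan(hosts, plugins=PLUGINS):
    """Scanning engine: build each host's knowledge base, run every plug-in."""
    results = {}
    for host, banners in hosts.items():
        kb = {"services": {p: {"name": PORT_NAMES.get(p, f"tcp/{p}"), "banner": b,
                               "version": parse_version(b)} for p, b in banners.items()},
              "findings": []}
        for plugin in plugins:
            kb["findings"].extend(plugin(kb))
        kb["findings"].sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["port"]))
        results[host] = kb
    return results


def report(results):
    """Report generation: one summary line per host, then its findings by severity."""
    lines = []
    for host in sorted(results):
        kb = results[host]
        lines.append(f"Host {host}: {len(kb['services'])} services, {len(kb['findings'])} findings")
        for f in kb["findings"]:
            lines.append(f"  [{f['severity'].upper()}] {f['id']} port {f['port']}: {f['title']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(scan(SAMPLE_HOSTS))))
```

Keeping each test as its own function with one shared knowledge base is what lets the checker grow by adding plug-ins rather than by editing the engine; the version plug-in also shows the usual caveat of banner-based checks, a banner without a parseable version (the HTTP server above) produces no finding rather than a guess.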


What does Nessus check for?

• Backdoors

• CGI abuses

• Denial of Service

• Finger abuses

• FTP

• Gain a shell remotely

• Gain root remotely

• Port scanners

• Remote file access

• RPC

• SMTP problems

• Useless services

• Windows





Network Mapping

OS detection

Vulnerability assessment

Cheops, Nmap, Nessus

