Port Scanning and
ECE4893 – Internetwork Security
Georgia Institute of Technology
• Network Mapping
• OS detection
• Internet Network Information Center who-is
• Registrar’s database i.e.
• American Registry for Internet Numbers (ARIN)
Scanning: Network Mapping
Ping and traceroute
Created by Mark Spencer for Linux systems, available at
Purpose: “To provide system administrators and users with a simple interface to managing and accessing their networks. Cheops aims to do for the network what the file manager did for the filesystem.” This tool automates ping and traceroute.
Cheops-ng: What does it do?
• Finds active hosts in a network
• Determines the names of active hosts
• Discovers host operating systems
• Detects open ports
• Maps the complete network in a graphical format
• Monitors hosts
Cheops-ng: How does it work?
• Utilizes ICMP “ping” packets to search a network for alive hosts
• Domain Name Transfers (nslookup) are used to list hosts
• Invalid flags on TCP packets (queso) are used to detect the OS
• Half-open TCP connections are used to detect ports
• UDP packets with small TTL values are used to map the network
Scanning: Port scanning (1)
Why: To find open ports in order to exploit them.
• TCP Connect -- attempt to complete 3-way handshake, look for SYN-ACK, easy to detect this scan
• TCP SYN Scan -- “half-open” scan, look for SYN-ACK, then send RESET, target system will not record connection, also faster than TCP connect scan
• TCP FIN, Xmas Tree, Null Scans -- scans that violate the protocol, closed ports send RESET, open ports send nothing (Windows does not respond to these scans)
Port scanning (2)
• TCP ACK Scan -- may be useful to get past packet filters (the filter believes the packet is a response to a request from inside the firewall); if a RESET is received, you know this port is reachable through the firewall
• FTP Bounce Scan -- request that an FTP server send a file to a victim machine inside its network (most servers have disabled this feature)
• UDP Scan -- unreliable: if an ICMP Port Unreachable is received, assume the port is closed; otherwise assume it is open
Port scanning (3): Additional Info
• Decoys -- insert false IP addresses in scan packets
• Ping Sweeps -- identify active hosts on a target network
• Find RPCs -- connect to each open port looking for common RPC services (send NULL RPC commands)
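As an added illustration (not part of the lecture slides), the following Python script looks at the scan types above from the defender's side: run over a constructed packet log, it separates completed connect() handshakes from half-open SYN probes (SYN, SYN-ACK, then RESET instead of ACK) and counts FIN, Xmas Tree and Null packets per source host. The packet tuples, addresses and the reporting threshold are constructed assumptions.

```python
from collections import defaultdict

# Flag combinations that violate the protocol, as used by the FIN / Xmas Tree / Null scans
ILLEGAL = {frozenset(): "null", frozenset("F"): "fin", frozenset("FPU"): "xmas"}

# Constructed sample packet log: (src, dst, dst_port, flags). Flag letters:
# S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG; "" means no flags set at all.
SAMPLE_LOG = [
    ("10.0.0.5", "10.0.0.9", 22, "S"), ("10.0.0.9", "10.0.0.5", 22, "SA"),
    ("10.0.0.5", "10.0.0.9", 22, "R"),     # RESET instead of ACK: half-open probe
    ("10.0.0.5", "10.0.0.9", 23, "S"), ("10.0.0.9", "10.0.0.5", 23, "RA"),  # closed port
    ("10.0.0.5", "10.0.0.9", 443, "S"), ("10.0.0.9", "10.0.0.5", 443, "SA"),
    ("10.0.0.5", "10.0.0.9", 443, "A"),    # third packet: full connect() handshake
    ("10.0.0.5", "10.0.0.9", 25, "FPU"),   # Xmas Tree probe
    ("10.0.0.5", "10.0.0.9", 110, ""),     # Null probe
    ("10.0.0.5", "10.0.0.9", 143, "F"),    # FIN probe
    ("10.0.0.7", "10.0.0.9", 443, "S"), ("10.0.0.9", "10.0.0.7", 443, "SA"),
    ("10.0.0.7", "10.0.0.9", 443, "A"),    # ordinary client connection, not a scan
]

def analyse(log):
    """Count, per source host, completed connects, half-open SYN probes and
    protocol-violating (FIN / Xmas / Null) probes seen in the packet log."""
    counts = defaultdict(lambda: defaultdict(int))
    state = {}  # (client, server, port) -> "syn" | "synack"
    for src, dst, port, flags in log:
        fs = frozenset(flags)
        client_key, reply_key = (src, dst, port), (dst, src, port)
        if fs in ILLEGAL:
            counts[src][ILLEGAL[fs]] += 1                # illegal flag combination
        elif fs == {"S"}:
            state[client_key] = "syn"                    # client sent SYN
        elif fs == {"S", "A"} and state.get(reply_key) == "syn":
            state[reply_key] = "synack"                  # server answered SYN-ACK
        elif fs == {"R", "A"} and state.get(reply_key) == "syn":
            state.pop(reply_key)                         # closed port, nothing to infer
        elif state.get(client_key) == "synack":
            if fs == {"A"}:
                counts[src]["connect"] += 1              # 3-way handshake completed
            elif "R" in fs:
                counts[src]["half_open"] += 1            # RESET instead of final ACK
            state.pop(client_key)
    return counts

def suspects(counts, threshold=3):
    """Hosts whose half-open or illegal-flag probes reach the (constructed) threshold."""
    return sorted(s for s, c in counts.items()
                  if c["half_open"] + c["fin"] + c["xmas"] + c["null"] >= threshold)
# suspects(analyse(SAMPLE_LOG)) returns ['10.0.0.5']
```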
Scanning: OS detection
Why: To determine what Operating System is in use in order to exploit known vulnerabilities.
• Also known as TCP stack fingerprinting.
• Takes advantage of the ambiguity in the RFCs about how to handle illegal combinations of TCP code bits.
• Each OS responds to illegal combinations in different ways.
Purpose: “To allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.” Available at: http://www.insecure.org/nmap/
Nmap: What does it do?
• Port scanning
• OS detection
• Ping sweeps
Nmap: How does it work?
• Null Scan
• IP Protocol
• SYN sweep
• Xmas Tree
• ACK sweep
• FIN
• ICMP (ping sweep)
• Reverse-Identification
• ftp proxy (bounce attack)
• TCP SYN (half open)
• TCP connect()
• UDP
Nmap: How does it work? (2)
• Uses the following OS detection techniques
• TCP/IP fingerprinting
• stealth scanning
• dynamic delay and retransmission calculations
• parallel scanning
• detection of down hosts via parallel pings
• decoy scanning
• port filtering detection
• direct (non-portmapper) RPC scanning
• fragmentation scanning
Vulnerability Assessment (1)
Vulnerabilities come from:
• Default configuration weakness
• Configuration errors
• Security holes in applications and protocols
• Failure to implement patches!
Vulnerability Assessment (2)
Vulnerability checkers use:
• Database of known vulnerabilities
• Configuration tool
• Scanning engine
• Knowledge base of current scan
• Report generation tool
Purpose: “To provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.”
Security Scanner: “A software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way.”
Available platforms: UNIX for client and server; Windows for client only
Nessus: What does it do?
• Iteratively tests a target system (or systems) for known exploitation vulnerabilities
• Uses a separate plug-in (written in C or in the Nessus Attack Scripting Language) for each security test
• Can test multiple hosts concurrently
• Produces a thorough vulnerability assessment report at the conclusion of the vulnerability scan
What does Nessus check for?
• Backdoors
• CGI abuses
• Denial of Service
• Finger abuses
• FTP
• Gain a shell remotely
• Gain root remotely
• Port scanners
• Remote file access
• RPC
• SMTP problems
• Useless services
• Windows