Friday, January 4, 2008

Multipart PortScanning Tutorial part 1

This is not so much a "How To" but rather a "What Is". The tutorials come later.

Today we will be talking about Port Scanning and what it is.

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box, don't come kicking and screaming on the forums!

Port scanning is like a car thief walking around a busy parking lot trying to find cars that are unlocked, except that it happens on our computer or network. This can be bad if we leave the "doors" (ports) "unlocked" (open). When we leave ports open on the Internet it is not a question of "if" someone will find them but "when". Port scanning software like Nmap (http://insecure.org/nmap/) allows anyone to scan computers connected to a network. It works by having the program send out requests to connect to a target computer, then waiting to see which port(s) respond or appear to be open so that they can be studied in more depth later. Sometimes a computer doesn't respond at all, and that information can be useful too. We will cover that in more depth later.

When a scanner is looking for ports on a target computer it has two choices of port type. First is TCP, the Transmission Control Protocol. This is simply the "rule set" by which data is exchanged over a network. The data is exchanged in chunks of bytes called packets. These packets normally consist of a "header" and a "body". The header carries the "address" of where the packet is going; routers on a network use it to send the data along its way. The "body" is the information that is being sent. Think of it as a letter to grandma: first you have the envelope, which is the packet; then you have the address to grandma, which is the header; and finally you have the letter itself, which is the body of the packet. It doesn't really matter in which order the packets arrive at their destination, because the computer on the receiving end can put them back together in the right order.

UDP, on the other hand, does not guarantee reliability or ordering the way TCP does. This means packets can arrive out of order, be duplicated, or go missing without notice. This sometimes makes UDP faster than TCP. We will talk more about UDP later on.

Back to port scanning. When we scan ports we have up to 65,535 to choose from, and this is the same for TCP and UDP. That's a lot of doors for us to lock and make sure they stay locked.

The first 1024 TCP ports are called the Well-Known Ports and are associated with standard services such as FTP, HTTP, SMTP or DNS.
The Registered Ports are those in the range 1024–49151.
The Dynamic and/or Private Ports are those in the range 49152–65535. Randomly chosen port numbers out of this range are called ephemeral ports. These ports are not permanently assigned to any publicly defined application.

If a port scan is being done with malicious intent, an attacker normally wants to go undetected. Network security applications can be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. To get around this, an attacker can do the port scan in strobe or stealth mode. Strobing limits the scan to a smaller set of target ports rather than blanket scanning all 65535 ports. Stealth scanning uses techniques such as slowing the scan down: by spreading the port probes over a much longer period of time, the scan can better evade an IDS. Although this is not always the case!
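As an added illustration of the detection idea in this paragraph (this is example code, not from the original post), here is a small Python detector run over constructed log lines of the form "timestamp source-IP destination-port": it alerts when one source touches many distinct ports inside a sliding time window, and the two window sizes show why a scan spread over a longer period slips past a short window.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed connection-log lines: 'ISO-timestamp src_ip dst_port'."""
    t0 = datetime(2008, 1, 4, 10, 0, 0)
    lines = []
    for i in range(50):  # blanket scan: 50 ports in 50 seconds
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 {i + 1}")
    for k, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389]):
        # slow strobe scan: 10 common ports, one every ten minutes
        lines.append(f"{(t0 + timedelta(minutes=10 * k)).isoformat()} 10.0.0.7 {port}")
    for m, port in enumerate([80, 443, 80, 53, 443]):  # ordinary client
        lines.append(f"{(t0 + timedelta(minutes=m)).isoformat()} 10.0.0.9 {port}")
    return lines


def detect_scans(lines, window_seconds, threshold):
    """Flag any source that touches >= threshold distinct destination ports
    within a sliding window of window_seconds. Returns {src: alert time}."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        ts, src, port = line.split()
        by_src[src].append((datetime.fromisoformat(ts), int(port)))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window = Counter()  # port -> number of hits still inside the window
        start = 0
        for ts, port in hits:
            in_window[port] += 1
            while ts - hits[start][0] > window:  # slide the window forward
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = ts.isoformat()
                break
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window:", detect_scans(log, 60, 10))    # only the blanket scan
    print("2 h window: ", detect_scans(log, 7200, 10))  # the slow scan is caught too
```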

By setting different TCP flags or sending different types of packets, a port scan can generate different results or locate open ports in different ways. A SYN scan tells the port scanner which ports are listening and which are not, depending on the type of response generated. This is normally accomplished through the three-way handshake.
First, a SYN packet is sent from the computer wishing to connect, saying "let's connect". Then the computer we wish to connect to replies with a SYN-ACK, "ok, let's connect". Then we send an ACK back, saying "ok". At this point the two computers are "connected". If the port was closed, however, we normally wouldn't get any response back.

In the next few segments we will look at the output of various scans on our target machine. We will be using nmap to do this.
So until then, go and read up on nmap so that you have a basic understanding of the tool.
