Sunday, January 6, 2008

Multipart PortScanning Tutorial Part 4

In part four of our "scanning journey" we are looking at FIN scans against our target box.
I am going to show you various combinations of the FIN scan and the resulting output.
If you have not done so you may need to brush up on the other lessons.

Part1
Part2
Part3

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP addresses, MAC addresses, etc. have been munged!

This is our standard FIN scan. Again, this is a TCP scan, NOT UDP. I am using the Insane timing (-T5) because it is a local network with the firewall and IDS turned off, so there is no need to worry about that.
Remember, if you are doing this on a network that is not yours, legality issues aside, the faster you go the more likely you are to be discovered by an IDS/IPS (Intrusion Detection System/Intrusion Prevention System). If a firewall were turned on we probably would not get much in the way of information; we will see that a little later on in this lesson.
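From the defender's side, this is the kind of check an IDS runs to notice the FIN scan this lesson demonstrates. It is an added example, not code from the original post or from Nmap; the segment records, addresses and the 5-second/10-port threshold are constructed assumptions.

```python
from collections import defaultdict

def fin_scan_alerts(segments, window_s=5.0, min_ports=10):
    """segments: iterable of (time_s, src, dst, dport, flags); flags is a
    string such as "S", "A", "F" or "FA". A FIN-only segment on a
    connection the same client never opened with a SYN is an orphan FIN;
    orphan FINs to min_ports distinct ports of one host inside window_s
    seconds are reported as a FIN scan."""
    handshaken = set()            # (src, dst, dport) that saw a SYN
    orphans = defaultdict(list)   # (src, dst) -> [(time, dport), ...]
    for t, src, dst, dport, flags in sorted(segments):
        if "S" in flags:
            handshaken.add((src, dst, dport))
        elif flags == "F" and (src, dst, dport) not in handshaken:
            orphans[(src, dst)].append((t, dport))
    alerts = []
    for (src, dst), hits in orphans.items():
        start = 0                 # sliding window over the orphan FINs
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": len(ports),
                               "first_seen": hits[start][0]})
                break
    return alerts

# Constructed traffic aimed at 10.0.0.20: one real connection from 10.0.0.9
# closing normally, an Insane-speed (-T5 style) sweep of 30 ports from
# 10.0.0.5 inside 30 ms, and the same sweep from 10.0.0.7 at one probe
# every 10 seconds, which slips under the 5 s window.
NORMAL = [(0.00, "10.0.0.9", "10.0.0.20", 80, "S"),
          (0.01, "10.0.0.9", "10.0.0.20", 80, "A"),
          (0.50, "10.0.0.9", "10.0.0.20", 80, "FA")]
FAST = [(1.0 + i / 1000, "10.0.0.5", "10.0.0.20", 20 + i, "F") for i in range(30)]
SLOW = [(2.0 + i * 10.0, "10.0.0.7", "10.0.0.20", 20 + i, "F") for i in range(30)]

if __name__ == "__main__":
    for a in fin_scan_alerts(NORMAL + FAST + SLOW):
        print(f"FIN scan: {a['src']} -> {a['dst']}, {a['ports']} ports "
              f"hit with orphan FINs starting at t={a['first_seen']:.3f}s")
```

The slow sweep only shows up once the window is widened (for example window_s=300.0), which is the speed-versus-stealth trade-off described above.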


OK, on a FIN scan we are only sending FIN ("finished") packets to our target. A FIN belongs at the end of a conversation, but we never actually "talked" to the target before the scan, so in essence we are finishing a connection that never took place. This normally nets us some weird results: a closed port is supposed to answer a stray FIN with a RST, while an open port is supposed to ignore it, so Nmap reports the ports that stay silent as open|filtered. Sometimes the target gets confused and tells us more than it should! Sometimes it will not say anything, and that is what a good hardened target box should do!
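To make the "weird results" concrete, here is the response-to-state logic a FIN scan relies on, as an added example (not code from the post or from Nmap). The response encoding and the two constructed samples are assumptions, chosen to mirror the all-closed and all-open|filtered summaries shown further down.

```python
from collections import Counter

# Responses a FIN probe can get, following RFC 793 and Nmap's FIN-scan rules:
#   "rst"          -> closed (the stack answered a stray FIN with RST)
#   None           -> no answer at all, so open or silently filtered
#   ("icmp", 3, c) -> ICMP type 3 unreachable; Nmap reports codes
#                     1, 2, 3, 9, 10 and 13 as "filtered"
FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}

def classify_fin_response(resp):
    """Map one port's response to a FIN probe to an Nmap-style port state."""
    if resp == "rst":
        return "closed"
    if (isinstance(resp, tuple) and resp[0] == "icmp" and resp[1] == 3
            and resp[2] in FILTERED_UNREACH_CODES):
        return "filtered"
    return "open|filtered"  # silence, or an error Nmap does not act on

def summarize_scan(responses):
    """responses: {port: resp}. Returns (state counts, verdict) and reads
    the two all-or-nothing summaries seen in this lesson's outputs."""
    states = Counter(classify_fin_response(r) for r in responses.values())
    total = len(responses)
    if states["closed"] == total:
        # Nmap's docs note that Windows and many Cisco devices RST every
        # FIN regardless of port state, so "all closed" says little about
        # which ports are really open
        verdict = "all closed: every FIN drew a RST, so nothing is dropping probes"
    elif states["open|filtered"] == total:
        verdict = "all open|filtered: nothing came back, probes are being dropped"
    else:
        verdict = "mixed: closed ports RST, the rest stay silent"
    return dict(states), verdict

# Constructed samples matching the two scans in the post: the unfirewalled
# Windows 2003 box answered RST on all 1697 ports, the firewalled one was silent.
PORTS = range(1, 1698)
UNFIREWALLED = {p: "rst" for p in PORTS}
FIREWALLED = {p: None for p in PORTS}

if __name__ == "__main__":
    for name, sample in (("no firewall", UNFIREWALLED), ("firewall", FIREWALLED)):
        counts, verdict = summarize_scan(sample)
        print(f"{name}: {counts} -> {verdict}")
```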

These probes only use the default port list, not the entire range of ports. All scans listed use "-vv" (very verbose) and "-T5" (Insane timing).

Code:
bt~# nmap -sF -sV -T5 -vv 192.168.1.102
Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
All 1697 scanned ports on 192.168.1.102 are open|filtered
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)

Nmap finished: 1 IP address (1 host up) scanned in 36.649 seconds
We didn't get much in the way of info with just the basic scan, so we are moving on, this time using the version probe and OS detection together.
Our command looks like this:
Code:
nmap -sF -sV -O -T5 -vv 192.168.1.102
And our output is as follows.

Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
Initiating ARP Ping Scan at 11:43
Scanning 192.168.1.102 [1 port]
Completed ARP Ping Scan at 11:43, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:43
Completed Parallel DNS resolution of 1 host. at 11:43, 0.05s elapsed
Initiating FIN Scan at 11:43
Scanning 192.168.1.102 [1697 ports]
Completed FIN Scan at 11:44, 2.31s elapsed (1697 total ports)
Initiating Service scan at 11:44
Warning: OS detection for 192.168.1.102 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.1.102
Host 192.168.1.102 appears to be up ... good.
All 1697 scanned ports on 192.168.1.102 are closed
MAC Address:00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows 2003 Server SP1, Microsoft Windows Server 2003 Enterprise Edition 64-Bit SP1 (firewall disabled)
OS Fingerprint:
OS:SCAN THIS PART WAS INTENTIONALLY REMOVED BY ME!!

Network Distance: 5 hops

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 2.880 seconds
Raw packets sent: 1839 (74.156KB) | Rcvd: 1704 (78.744KB)

And now the same scan with a firewall in place.

Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
Initiating ARP Ping Scan at 12:05
Scanning 192.168.1.102 [1 port]
Completed ARP Ping Scan at 12:05, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:05
Completed Parallel DNS resolution of 1 host. at 12:05, 0.05s elapsed
Initiating FIN Scan at 12:05
Scanning 192.168.1.102 [1697 ports]
Completed FIN Scan at 12:05, 18.93s elapsed (1697 total ports)
Initiating Service scan at 12:05
Scanning 1689 services on 192.168.1.102
Service scan Timing: About 6.42% done; ETC: 12:13 (0:07:17 remaining)
Completed Service scan at 12:12, 425.24s elapsed (1697 services on 1 host)
Warning: OS detection for 192.168.1.102 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.1.102
Host 192.168.1.102 appears to be up ... good.
All 1697 scanned ports on 192.168.1.102 are open|filtered
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint by osscan system #2:
SCAN(P=i686-pc-linux-gnu)
U1(R=N)
IE(R=N)
Network Distance: 5 hops

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 445.304 seconds
Raw packets sent: 3419 (139.138KB) | Rcvd: 1 (42B)
Notice that this time we went from a possible Windows 2003 Server type box to a possible Linux box. The only difference was the addition of a firewall thrown into the mix. This can make a HUGE difference when we are looking for attack vectors!

This lesson shows you what FIN Scans look like. Remember that you can change some of the other options in Nmap to help evade and spoof IDS/IPS etc.
However right now we are only concerned with the basics.
In the next lesson we will be looking at a FIN|ACK scan.
