Sunday, May 25, 2008

Multipart PortScanning Tutorial Part 6

Because there has been some interest I will try to do a couple more tutorials on [URL="http://nmap.org/"]nmap[/URL]. I am using the latest version available.

[B]In this edition we will be looking at the results of some "ACK" Scans[/B].

Disclaimer: This information is for educational purposes only and not to commit a crime! If you do something that causes you to hose your box don't cry to me. All IP addresses, MAC addresses, etc. have been munged!
[B]OK, so first things first: if you are not up to speed, here are the other tutorials I have done on nmap.[/B]
[url="http://forums.remote-exploit.org/showthread.php?t=11001"]Part1[/url]
[URL="http://forums.remote-exploit.org/showthread.php?t=11003"]Part2[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11010"]Part3[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11025"]Part4[/URL]
[url="http://forums.remote-exploit.org/showthread.php?t=11216"]Part5[/url]

[B]Next let's talk a minute about what an "ACK" scan is.[/B]
[quote]-sA (TCP ACK scan)
This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 1, 2, 3, 9, 10, or 13), are labeled filtered.
[URL="http://nmap.org/docs.html"]From the nmap online documentation[/URL]. [/quote]

So what does this mean to us? First, when dealing with TCP/IP we all know how the connections work, so when a connection is finished one would normally see an ACK, or acknowledgment, meaning that the connection was made and a transfer of some sort took place. So when we scan for hosts by sending out ACK packets, what we are doing is telling the target machine that we have "received the transmission". But since this is our first real communication with the target, it will not know how to respond, and this in turn will generate RST (reset) packets. Now if we look above we see that nmap labels them as unfiltered, meaning they are reachable. This second part is really the only part we care about. By sending out ACK packets we can determine whether a host is alive and possibly not set off IDS alarms. There is a caveat to this: if there are a lot of ACK packets hitting a target, an IDS will most likely see this and of course set off the alarm.
There are several ways we can mitigate this with nmap, which I will show more of in a later tutorial.
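To make the RST/unfiltered and no-answer/filtered rule from the quoted documentation concrete, here is a small model, added for this tutorial and not taken from nmap or the original post. It sends one ACK-only probe per port through three toy packet filters (a stateless filter with an "established" rule that passes anything carrying the ACK bit, a stateless filter that decides on port alone, and a stateful filter that drops anything outside its connection table) and labels each port the way -sA would. Every port, rule and response in it is constructed; the ICMP codes are the ones listed in the quoted documentation.

```python
# Added example (not from the original tutorial or from nmap): a small model of
# how -sA labels ports and why those labels say something about the packet
# filter in front of a host. Every host, port, rule and response is constructed.

RST = "rst"            # target's TCP stack answered the probe with a RST
NO_RESPONSE = "none"   # nothing came back before the probe timed out
ICMP = "icmp"          # an ICMP error came back, given as (ICMP, type, code)

# ICMP destination-unreachable (type 3) codes that nmap treats as "filtered"
# (from the nmap documentation quoted above).
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


def classify_ack_response(response):
    """Apply the ACK-scan labelling rule to one probe response.

    A RST means the probe reached a TCP stack, so the port is 'unfiltered'
    (open and closed are indistinguishable). Silence, or a filtering-type
    ICMP error, means something dropped the probe: 'filtered'.
    """
    if response == RST:
        return "unfiltered"
    if response == NO_RESPONSE:
        return "filtered"
    if isinstance(response, tuple) and response[0] == ICMP:
        _, icmp_type, icmp_code = response
        if icmp_type == 3 and icmp_code in FILTERED_ICMP_CODES:
            return "filtered"
    return "unknown"   # any other reply is not covered by the -sA rule


# Three toy packet filters. Each takes (dport, flags) and returns True when
# the segment is passed through to the host behind it.

def stateless_established_filter(dport, flags, allowed_ports):
    """Stateless filter with a classic 'established' rule: any segment that
    carries the ACK bit is assumed to belong to an existing connection and
    is passed regardless of port; new connections only to allowed ports."""
    return "ACK" in flags or dport in allowed_ports


def stateless_port_filter(dport, flags, allowed_ports):
    """Stateless filter that decides purely on the destination port."""
    return dport in allowed_ports


def stateful_filter(dport, flags, allowed_ports, tracked_connections):
    """Stateful filter: a segment passes only if it opens a new connection
    to an allowed port or belongs to a connection already in the state
    table. An unsolicited ACK matches neither and is dropped."""
    if flags == {"ACK"} and dport not in tracked_connections:
        return False
    return dport in allowed_ports or dport in tracked_connections


def simulate_ack_scan(ports, passes_filter):
    """Send one ACK-only probe per port through a filter model and label each
    port as nmap would. The host behind the filter is an ordinary TCP stack,
    which answers an unsolicited ACK on any port (open or closed) with a RST."""
    labels = {}
    for port in ports:
        reply = RST if passes_filter(port, {"ACK"}) else NO_RESPONSE
        labels[port] = classify_ack_response(reply)
    return labels


def summarize(labels):
    """Count labels, the way nmap's summary line does ('All N ... unfiltered')."""
    counts = {}
    for label in labels.values():
        counts[label] = counts.get(label, 0) + 1
    return counts


PROBE_PORTS = [22, 80, 443, 8080]   # constructed probe set
ALLOWED = {80, 443}                 # constructed firewall policy


def run_models():
    """Run the same ACK probes against the three filter models."""
    return {
        "stateless+established": simulate_ack_scan(
            PROBE_PORTS, lambda p, f: stateless_established_filter(p, f, ALLOWED)),
        "stateless+ports": simulate_ack_scan(
            PROBE_PORTS, lambda p, f: stateless_port_filter(p, f, ALLOWED)),
        "stateful": simulate_ack_scan(
            PROBE_PORTS, lambda p, f: stateful_filter(p, f, ALLOWED, set())),
    }


if __name__ == "__main__":
    for name, labels in run_models().items():
        print(f"{name:24s} {summarize(labels)}")
```

The first model gives "all ports unfiltered", which is exactly what the scans later in this tutorial report; the stateful model gives "all ports filtered" even for the ports the policy allows, because the probe never opened a connection. That difference is the "stateful or not" information the documentation talks about, and it is all an ACK scan can tell you about a port.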
[b]So our first default scan should look something like this.[/b]
[code]#nmap -v -v -sA 192.168.1.5 [/code]
Now I included the -v -v for verbosity level two just to get all of the information out of this basic scan that we can.
[b]Now let's look at the results.[/b]
[code]
Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-00 12:26 EDT
Initiating ARP Ping Scan at 12:26
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 12:26, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:26
Completed Parallel DNS resolution of 1 host. at 12:26, 0.05s elapsed
Initiating ACK Scan at 12:26
Scanning 192.168.1.5 [1715 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 40 out of 133 dropped probes since last increase.
Completed ACK Scan at 12:26, 15.39s elapsed (1715 total ports)
Host 192.168.1.5 appears to be up ... good.
All 1715 scanned ports on 192.168.1.5 are unfiltered
MAC Address: 00:12:34:45:AA:FF (Cisco-Linksys)
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.828 seconds
Raw packets sent: 1836 (73.442KB) | Rcvd: 1716 (78.932KB)[/code]

Now the only thing that we learned is that the target is there, which we should already have known before we started scanning it. Blindly scanning a target is how we set off alarms!
OK, now let's look at it again, only this time we will be trying to find out some info on the OS and what services are running.
But remember we do not want to trip the alarm, so we are going to be a little sneaky with our throttling. Note that this may or may not hide us; that is not the real point here.
[code]
#nmap -sV -v -v -F -T Paranoid -sA -O -PN 192.168.1.5
[/code]
This time we have several flags set:
-sV for service versions.
-v -v again, verbosity level 2.
-F so we scan only a reduced list of ports rather than every possible port; there is no sense scanning all of them, as this could trigger alarms.
-T Paranoid again to help mask what we are doing.
-sA is for the ACK scan itself.
-O for OS detection.
-PN so that we do not ping the target before scanning, again to mask what we are doing from the target itself.
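The other side of the "lots of ACK packets set off the alarm" remark, and of the -T Paranoid throttling above, is what a detector on the target's network actually keys on. The following is an added example, not part of the original tutorial and not any real IDS's code: it runs over constructed packet records and flags a source whose ACK-only segments, with no SYN from that source first, touch several distinct ports. Source addresses, timestamps and the five-minute probe spacing are all made up for the illustration.

```python
# Added example (not part of the original tutorial): the defender's side of the
# "lots of ACK packets will set off the alarm" remark, run over constructed
# packet records. It also shows what slow -T Paranoid style throttling does to
# a detector that only looks inside a short time window.
from collections import defaultdict

# Constructed packet records (timestamp_s, src, dst, dport, tcp_flags), client
# to server direction only. Flags use tcpdump letters: S=SYN, A=ACK, P=PSH.
PACKETS = [
    (1.00, "10.0.0.9",  "192.168.1.5", 80,  "S"),   # normal handshake ...
    (1.01, "10.0.0.9",  "192.168.1.5", 80,  "A"),   # ... so this ACK is expected
    (1.02, "10.0.0.9",  "192.168.1.5", 80,  "PA"),
    (3.00, "10.0.0.9",  "192.168.1.5", 443, "A"),   # one stray ACK (stale connection)
    # fast ACK sweep: six ports in a fraction of a second, no SYN first
    (2.00, "10.0.0.77", "192.168.1.5", 21,  "A"),
    (2.01, "10.0.0.77", "192.168.1.5", 22,  "A"),
    (2.02, "10.0.0.77", "192.168.1.5", 23,  "A"),
    (2.03, "10.0.0.77", "192.168.1.5", 25,  "A"),
    (2.04, "10.0.0.77", "192.168.1.5", 80,  "A"),
    (2.05, "10.0.0.77", "192.168.1.5", 443, "A"),
    # slow ACK sweep in the style of -T Paranoid: one probe every five minutes
    (100.0,  "10.0.0.78", "192.168.1.5", 21, "A"),
    (400.0,  "10.0.0.78", "192.168.1.5", 22, "A"),
    (700.0,  "10.0.0.78", "192.168.1.5", 23, "A"),
    (1000.0, "10.0.0.78", "192.168.1.5", 25, "A"),
    (1300.0, "10.0.0.78", "192.168.1.5", 80, "A"),
]


def unsolicited_acks(packets):
    """Group ACK-only segments that no SYN from the same source to the same
    destination port preceded: {src: [(timestamp, dport), ...]}."""
    seen_syn = set()
    hits = defaultdict(list)
    for ts, src, dst, dport, flags in sorted(packets):   # time order
        key = (src, dst, dport)
        if "S" in flags:
            seen_syn.add(key)
        elif flags == "A" and key not in seen_syn:
            hits[src].append((ts, dport))
    return hits


def detect_ack_sweeps(packets, min_ports=5, window=None):
    """Flag sources whose unsolicited ACKs touch at least min_ports distinct
    ports, counted over the whole capture (window=None) or within some span
    of `window` seconds. Returns {src: sorted list of all ports it touched}."""
    alerts = {}
    for src, events in unsolicited_acks(packets).items():
        all_ports = sorted({p for _, p in events})
        if window is None:
            if len(all_ports) >= min_ports:
                alerts[src] = all_ports
            continue
        start = 0
        for end in range(len(events)):            # events are time-ordered
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                alerts[src] = all_ports
                break
    return alerts


if __name__ == "__main__":
    print("60 s window:   ", detect_ack_sweeps(PACKETS, window=60))
    print("whole capture: ", detect_ack_sweeps(PACKETS))
```

With a 60-second window only the fast sweep is reported; the slow one is only caught when the detector keeps per-source state across the whole capture. That is why throttling the scan, as the tutorial does next, slows things down without guaranteeing anything, which is the author's own point above.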
[b]And of course the output[/b]
[code]
Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-00 13:04 EDT
Initiating ARP Ping Scan at 13:04
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 13:04, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:04
Completed Parallel DNS resolution of 1 host. at 13:04, 0.05s elapsed
Initiating ACK Scan at 13:04
Scanning 192.168.1.5 [1276 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 45 out of 150 dropped probes since last increase.
Completed ACK Scan at 13:04, 11.45s elapsed (1276 total ports)
Initiating Service scan at 13:04
Initiating OS detection (try #1) against 192.168.1.5
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.1.5 appears to be up ... good.
All 1276 scanned ports on 192.168.1.5 are unfiltered
MAC Address: 00:12:34:45:AA:FF(Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: storage-misc|printer
Running: Hotway embedded, IBM embedded, Packard Bell embedded
OS details: Hotway HDC-U2LA NAS device, IBM 6400 Printer (software version 7.0.9.6), Packard Bell NetStore 3500
OS Fingerprint:
Purposely Removed
Network Distance: 1 hop
Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.866 seconds
Raw packets sent: 1343 (55.504KB) | Rcvd: 1283 (59.160KB) [/code]

So this time we picked up a bit more detail. I will say that what was reported in the scan's OS details is incorrect, but the device type is correct. Also note that the MAC address is listed as Cisco-Linksys. This, along with the device type, is the most relevant info we have gained. In order for us to actually penetrate the target we need more information, which I will leave up to you to learn about.
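When you run this kind of scan against more than one host, the few lines that matter (host up, how many ports and in what state, MAC vendor, the OS-detection warning, and the "dropped probes" line that made nmap slow itself down) are easier to compare if pulled out automatically. The parser below is an added example, not part of the original tutorial and not nmap's own code; the text it parses is the output of the second scan above, embedded so it runs offline. The reading it produces at the end is this tutorial's own interpretation (all ports unfiltered means the ACK probes reached the TCP stack; an ACK scan gives OS detection nothing to work with), not an nmap feature.

```python
# Added example (not part of the original tutorial and not nmap's own code):
# a small parser that pulls the lines a reviewer actually looks at out of the
# verbose -sA output shown above. The embedded text is the tutorial's second
# scan; the host address and MAC in it are the munged values from the post.
import re

SCAN_OUTPUT = """Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-00 13:04 EDT
Initiating ACK Scan at 13:04
Scanning 192.168.1.5 [1276 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 45 out of 150 dropped probes since last increase.
Completed ACK Scan at 13:04, 11.45s elapsed (1276 total ports)
Host 192.168.1.5 appears to be up ... good.
All 1276 scanned ports on 192.168.1.5 are unfiltered
MAC Address: 00:12:34:45:AA:FF(Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: storage-misc|printer
Network Distance: 1 hop
Nmap done: 1 IP address (1 host up) scanned in 12.866 seconds
"""

LINE_PATTERNS = {
    "host_up": re.compile(r"^Host (\S+) appears to be up"),
    "all_ports": re.compile(r"^All (\d+) scanned ports on (\S+) are (\w+)"),
    "mac": re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})\s*\((.+)\)"),
    "send_delay": re.compile(
        r"^Increasing send delay for \S+ from (\d+) to (\d+) "
        r"due to (\d+) out of (\d+) dropped probes"),
    "osscan_warning": re.compile(r"^Warning: OSScan results may be unreliable"),
    "device_type": re.compile(r"^Device type: (.+)"),
    "distance": re.compile(r"^Network Distance: (\d+) hops?"),
}


def parse_ack_scan(text):
    """Reduce verbose nmap -sA output to a dict of the facts worth keeping."""
    info = {"osscan_unreliable": False, "send_delay_events": [], "device_types": []}
    for line in text.splitlines():
        for name, pattern in LINE_PATTERNS.items():
            m = pattern.match(line)
            if not m:
                continue
            if name == "host_up":
                info["host"] = m.group(1)
            elif name == "all_ports":
                info["scanned_ports"] = int(m.group(1))
                info["port_state"] = m.group(3)
            elif name == "mac":
                info["mac"], info["mac_vendor"] = m.group(1), m.group(2)
            elif name == "send_delay":
                # (old delay, new delay, dropped probes, probes sent)
                info["send_delay_events"].append(tuple(int(g) for g in m.groups()))
            elif name == "osscan_warning":
                info["osscan_unreliable"] = True
            elif name == "device_type":
                info["device_types"] = m.group(1).split("|")
            elif name == "distance":
                info["network_distance"] = int(m.group(1))
    # Share of probes nmap saw dropped before it last slowed down: a high
    # value means probes were being lost in transit, which is a separate
    # matter from ports being labelled filtered.
    dropped = sum(e[2] for e in info["send_delay_events"])
    total = sum(e[3] for e in info["send_delay_events"])
    info["drop_ratio"] = dropped / total if total else 0.0
    return info


def read_out(info):
    """One-line reading of the result, in the terms this tutorial uses."""
    notes = []
    if info.get("port_state") == "unfiltered":
        notes.append("ACK probes reached the TCP stack on every scanned port "
                     "(nothing in the path dropped unsolicited ACKs)")
    if info["osscan_unreliable"]:
        notes.append("OS guess is unreliable: an ACK scan finds no open/closed ports")
    if info["drop_ratio"] > 0.2:
        notes.append(f"{info['drop_ratio']:.0%} of probes dropped; nmap slowed itself down")
    return "; ".join(notes)


if __name__ == "__main__":
    parsed = parse_ack_scan(SCAN_OUTPUT)
    for key, value in parsed.items():
        print(f"{key:20s} {value}")
    print(read_out(parsed))
```

The OSScan warning is the part to remember: OS detection wants at least one open and one closed port to fingerprint against, and an ACK scan by design never produces either, so the "OS details" line this scan printed was always going to be a guess. That matches the author's note that the OS details came back wrong while the device type was right.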

So again we have covered using an ACK scan with nmap. There are more options, reasons, and ways of using this type of scan; I have shown you only the basics.
When I get the chance I will be showing more options for IDS spoofing and evasion techniques. I have purposely left this info out of this tutorial!

If this has helped or hindered you say something. :)
