Port Scanning

Week 1 Day 3 - Lecture 2


Port Scanning

Identify services on a single target

  • Having found target machines, we now want to determine which ports are open and which are closed, i.e. which services are running
  • How: scan the targets for open TCP and UDP ports

Port Numbers: used to identify the client/server application on communicating systems

  • TCP and UDP port numbers are 16-bit (0-65535; TCP and UDP each have their own range of 65536 ports)
  • A server application binds to a well-known port number, and the client connects to it using the TCP or UDP transport protocol

TCP & UDP Services

  • Provide the transport between TCP/IP applications
  • TCP: connection-oriented transport protocol. Reliable, ordered packet delivery using sequence numbers. Retransmits lost packets.
  • UDP: connectionless transport service, no reliable delivery

TCP Header

  • Source and Destination Port (16 bits each) - identify the communicating applications
  • Sequence Number / Acknowledgement Number - track packet arrival and order
  • Control Bits (flags) - used to track the state of the connection

A port scanner can manipulate (misuse) these values and interpret the responses to identify services

TCP Control Bits / Flags

  • SYN: Synchronise sequence numbers - SYN packets are used in the TCP connection handshake to open a new connection
  • RST: Connection should be reset, due to a problem/error
  • FIN: Data transfer finished, gracefully tear down the connection
  • PSH: Data should be sent on the network / passed to the application immediately, without waiting until the buffer is full
  • URG: Check the urgent pointer field of the TCP header
  • ACK: Acknowledgement - ACK packets acknowledge an earlier packet

TCP 3-Way Handshake

  • The handshake is performed before data is transferred - it synchronises sequence numbers so that packet ordering (needed for reliability) can be tracked
  • A SYN packet is sent by the client to a server port
  • A SYN-ACK must be sent back by the server if the port is open (otherwise a RST packet is returned)
  • The client then sends an ACK and data can be transferred

Basic TCP Rules

When a SYN packet is sent to a TCP port, one of the following will happen:

1. The listener responds with a SYN-ACK - PORT IS OPEN (regardless of the payload or anything else in the packet)
  • Thus we can tell whether a TCP service is listening on a port by simply sending it a SYN packet

Other possible responses:

2. Responds with a RST-ACK packet - PORT IS CLOSED (or a firewall is blocking the port - the firewall could have sent the RST-ACK packet itself)
  • nmap reports the port as Closed

3. Responds with an 'ICMP Port Unreachable'
  • Port is 'inaccessible', typically a firewall is blocking it (network or host firewall)
  • nmap marks it as Filtered

4. Does not respond
  • Port is 'inaccessible', typically a firewall/IPS is blocking it
  • Have to wait for a timeout - slows down scanning!
  • nmap marks it as Filtered (--reason displays the reasoning)
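The TCP header fields and the four response rules above, as an added example (not part of the lecture notes): it decodes the 20-byte TCP header into ports, sequence/acknowledgement numbers and control bits, then maps the reply seen for one SYN probe to the open/closed/filtered state the same way nmap's --reason output describes it. The helper names and the hand-built test segments are my own constructions; no checksum or IP header is modelled.

```python
import struct
from typing import Optional

# TCP control bits live in the low byte of the 16-bit data-offset/flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header: ports, seq/ack numbers and flags."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    flags = off_flags & 0x003F          # the six classic control bits
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": {name for bit, name in FLAG_NAMES.items() if flags & bit},
    }


def classify_port(reply: Optional[bytes], icmp_port_unreachable: bool = False) -> str:
    """Apply the 'Basic TCP Rules' to what came back for a single SYN probe."""
    if icmp_port_unreachable:
        return "filtered"               # rule 3: ICMP Port Unreachable
    if reply is None:
        return "filtered"               # rule 4: no answer before the timeout
    flags = parse_tcp_header(reply)["flags"]
    if flags >= {"SYN", "ACK"}:
        return "open"                   # rule 1: SYN-ACK, service is listening
    if "RST" in flags:
        return "closed"                 # rule 2: RST-ACK (host or firewall)
    return "unknown"                    # anything else is not covered by the rules


def build_segment(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Constructed test data: a minimal 20-byte TCP header (data offset 5, no checksum)."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0)


if __name__ == "__main__":
    for label, reply in (("SYN-ACK", build_segment(80, 40000, 1000, 1, SYN | ACK)),
                         ("RST-ACK", build_segment(81, 40000, 0, 1, RST | ACK)),
                         ("timeout", None)):
        print(label, "->", classify_port(reply))
```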