2007
A HACKING ODYSSEY PART 2:
NETWORK SCANNING & NMAP CONTINUED...
11) Maimon scan -sM
Lastly, for those who want to scan BSD boxes, the Maimon scan may come in
useful.
Uriel Maimon discovered that sending a FIN/ACK probe to a BSD box
resulted in the probe being dropped if the port was open, and a RST
being returned by a closed port, whereas non-BSD boxes would return a
RST regardless of the port state.
The syntax for this scan is: nmap -sM ip address
nmap -sM 80.80.80.80
That covers all the scan types available to Nmap users when scanning
TCP ports. There are a lot of options to use in conjunction with these
scan types, which I will cover shortly after I have explained UDP
scanning.
12) UDP Scanning
Due to the nature of the User Datagram Protocol (UDP) and its
connectionless method of data transmission, it is very hard to reliably
scan the range of UDP ports.
We already know that a TCP session requires a three-way handshake, so
if we send a SYN packet we will get a SYN|ACK back from an open port.
UDP has nothing in its rules to say it has to send a single thing back
in response to a packet arriving at an open port.
If we send a packet to a closed port we may get an ICMP type 3 code 3
reply (port unreachable). If this happens Nmap will inform us that the
port is closed.
If any other ICMP type 3 message is returned, such as host unreachable
(code 1) or protocol unreachable (code 2), then Nmap will mark the port
as filtered, meaning something is receiving the probes but it may not
be the intended target, i.e. it may be a packet filter of some kind,
hence Nmap can’t say if the port is open or closed.
If no reply is received from the probe then the port is displayed as
open|filtered, which means that Nmap was unable to confirm the port was
definitely closed, so it could be open or could be behind a packet
filter of some kind.
As you can see, because of the nature of UDP, port scanning with empty
UDP datagrams is a fairly unreliable method to use.
It is usually the service that replies on a UDP port. Take port 53 for
example, which is the DNS port. If you send an empty UDP probe to it
(which is what Nmap will do with the default UDP scan) then the DNS
server is never going to reply to it; why should it, as there are no
rules such as those in TCP to say it has to.
However, if you conduct a ‘version scan’, which I will cover next, then
Nmap will try to talk to the service that listens on the port by
default.
So take our DNS service on port 53 for example: Nmap knows DNS uses
UDP:53, so by carrying out a version scan Nmap will consult its
database, find a DNS lookup query and send it to the target on
port 53. If a reply comes back to this DNS query then Nmap will inform
you that the port is open.
As you can see, for UDP ports it is the actual service that will reply
to Nmap, but to get it to reply we need to give it information it can
understand, not just a blank UDP packet. For this reason a version
scan is usually conducted in conjunction with the UDP scan.
Timing is another issue with UDP scanning, as most operating systems
(especially Linux) limit the rate at which ICMP type 3 messages are
sent out. Most set it to one per second, but this can be changed
manually by the user of the machine. If Nmap has to wait one second
for every probe on every port and you are scanning all 65,536 ports
then you are going to be in for a long wait...
The syntax for a UDP scan is: nmap -sU ip address
nmap -sU 80.80.80.80
It is possible to conduct a TCP scan and a UDP scan at the same time:
nmap -sT -sU 80.80.80.80
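To make the UDP state rules above concrete, here is an added example (not code from the tutorial or from Nmap) that classifies replies already captured for a UDP probe exactly the way the text describes: it sends nothing. The set of ICMP type 3 codes treated as filtered (1, 2, 9, 10 and 13) is Nmap's documented behaviour and goes slightly beyond the two codes named above; the sample replies are constructed.

```python
# Added example: Nmap's UDP port-state logic applied to captured probe replies.
from dataclasses import dataclass
from typing import Dict, Optional

ICMP_DEST_UNREACH = 3              # ICMP type 3, Destination Unreachable
PORT_UNREACH = 3                   # code 3: port unreachable -> closed
FILTERED_CODES = {1, 2, 9, 10, 13} # host/proto/net-admin/host-admin/admin prohibited

@dataclass
class Reply:
    """What came back for one UDP probe; use None when nothing did."""
    kind: str                      # "udp" = datagram from the target, "icmp" = ICMP error
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def udp_port_state(reply: Optional[Reply]) -> str:
    """Map one probe reply to the state Nmap would report for the port."""
    if reply is None:
        # Silence: the service may have ignored an empty datagram, or a
        # packet filter may have dropped the probe. Nmap cannot tell which.
        return "open|filtered"
    if reply.kind == "udp":
        # Only a listening service answers with UDP data, so this is definite.
        return "open"
    if reply.kind == "icmp" and reply.icmp_type == ICMP_DEST_UNREACH:
        if reply.icmp_code == PORT_UNREACH:
            return "closed"        # the host itself says nothing listens there
        if reply.icmp_code in FILTERED_CODES:
            return "filtered"      # something (often a filter) objected to the probe
    # Any other reply is not evidence either way; treat it like silence.
    return "open|filtered"

def scan_summary(results: Dict[int, Optional[Reply]]) -> Dict[str, int]:
    """Count states over {port: reply} results, e.g. parsed from a capture."""
    counts: Dict[str, int] = {}
    for reply in results.values():
        state = udp_port_state(reply)
        counts[state] = counts.get(state, 0) + 1
    return counts

# Constructed sample replies for four ports (not a real capture).
SAMPLE = {
    53: Reply("udp"),              # DNS answered a real query (version-scan style probe)
    137: None,                     # silence
    161: Reply("icmp", 3, 3),      # port unreachable
    500: Reply("icmp", 3, 13),     # communication administratively prohibited
}

if __name__ == "__main__":
    for port, reply in sorted(SAMPLE.items()):
        print(f"{port}/udp {udp_port_state(reply)}")
    print(scan_summary(SAMPLE))
```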
Version Scanning
All of the above is great providing that the services are using the
port numbers they are meant to, i.e. the mail server is listening on
port 25, the FTP server is listening on port 21, etc.
There is, however, nothing illegal about setting your FTP server to use
port 54321 and setting your mail server to use port 60000. In fact some
companies do this to certain services and PAT/port forward them on to
the correct port internally.
Code:
  +-----------------+                                  +--------------------------+
  |       Us        |   FTP logon request, port 54321  |         Firewall         |
  |   81.81.81.81   | -------------------------------> |  someftpserver.com:54321 |
  +-----------------+                                  +------------+-------------+
                                                                    |
                                                          FTP request, port 21
                                                                    |
                                                                    V
                                                           +----------------+
                                                           |   FTP Server   |
                                                           +----------------+
The firewall will take the FTP traffic destined for port 54321 and will
be configured to port forward the request to the FTP server on port 21.
To our knowledge the FTP server is listening at
‘someftpserver.com:54321’. A basic port scan will only tell us that
port 54321 is open; it won’t say what is listening behind it, which is
where the version scan comes in handy, as we will then know there is an
FTP service there.
So the old security-by-obscurity technique, whereby you reconfigure the
default ports your services listen on to confuse would-be attackers,
does not really help any more.
But how does Nmap know it is an FTP server listening on port 54321?
To accomplish this it does something called banner grabbing. To
demonstrate banner grabbing it is best to show it first hand, so open
up a command prompt (go to Start > Run > type cmd > press Enter, if
you don’t know how to do this). You will now have a black command
window open.
Type: ftp wu-ftpd.org
Code:
C:\Documents and Settings\Nokia>ftp wu-ftpd.org
Once you have successfully connected, you will be greeted with some
information:
Code:
Connected to wu-ftpd.org.
220 ftp.wu-ftpd.org FTP server ready.
User (wu-ftpd.org:(none)):
530 Please login with USER and PASS.
This information is known as the banner and is what Nmap will grab.
Once it has this banner it will compare it to an internal database and
look for a match; it will also continue to probe the service to solicit
as many responses as possible, to enable it to get an accurate result.
If you really want to continue logging in to the FTP server with
anonymous credentials, you can do so like this:
Code:
ftp> user anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome to the FTP server for the WU-FTPD Development Group
230-
230-This server is the primary distribution site for the WU-FTPD daemon.
230-
230-The pub directory contains the distribution and supporting files.
230-
230-If you are uploading contributions; please place them in the incoming
230-directory and email wuftpd-members@wu-ftpd.org announcing your upload.
230-
230 Guest login ok, access restrictions apply.
ftp>
OK, well this is all well and good, but what has it got to do with
version scanning? Although we were able to identify this as an FTP
server by connecting to it via FTP on the default port, what version
of FTP server is it running? If we wanted to try and exploit it we
would need to know the version to know what vulnerabilities it has.
It may also be of interest to know if there is anything else listening
on it, so let’s give it a quick SYN scan:
Code:
C:\Documents and Settings\Nokia>nmap wu-ftpd.org
Starting Nmap 4.20 ( http://insecure.org ) at 2007-02-24 18:39 GMT Standard Time
Interesting ports on 67.66.8.211:
Not shown: 1692 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
26/tcp open unknown
80/tcp open http
Nmap finished: 1 IP address (1 host up) scanned in 334.140 seconds
We can see there are FTP, SSH, mail and web servers available to
connect to. However, Nmap only makes this determination by listing what
should be using those ports; if the mail server was listening on port
80, Nmap would still list it as HTTP. We could telnet and SSH to all
the different ports and see if any banners are displayed, however an
Nmap version scan will be much more productive for us and tell us
exactly what services are using these open ports, which is informative
if we want to try and exploit these services.
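As an added illustration of the banner-matching step (this is my own example, not the tutorial's code and not Nmap's real probe database or format), the function below matches captured banners against a small, constructed signature table and, in the spirit of the FTP-on-54321 case above, flags services found on a port other than their conventional one. All banners and version strings are constructed samples.

```python
# Added example: simplified banner matching with a constructed signature table.
import re
from typing import Dict, Optional, Tuple

# (compiled regex, service, version template); "$1" is replaced by group 1.
SIGNATURES = [
    (re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)"), "ssh", "OpenSSH $1"),
    (re.compile(r"^220[ -].*FTP server \(Version ([\w.-]+)\)"), "ftp", "$1"),
    (re.compile(r"^220[ -].*FTP server ready"), "ftp", "unknown version"),
    (re.compile(r"^220[ -].*ESMTP Postfix"), "smtp", "Postfix"),
    (re.compile(r"^HTTP/1\.[01] \d{3}.*?\r?\nServer: ([^\r\n]+)", re.S), "http", "$1"),
]

# Ports a basic scan would label by convention alone (the point made above).
CONVENTIONAL = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http"}

def identify_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Return (service, version) for the first matching signature, else None."""
    for pattern, service, template in SIGNATURES:
        m = pattern.search(banner)
        if m:
            version = template.replace("$1", m.group(1)) if m.groups() else template
            return service, version
    return None

def audit(port_banners: Dict[int, str]) -> Dict[int, str]:
    """Label each {port: banner}; note services living on a non-standard port."""
    report: Dict[int, str] = {}
    for port, banner in port_banners.items():
        hit = identify_banner(banner)
        if hit is None:
            report[port] = "unidentified"
            continue
        service, version = hit
        note = "" if CONVENTIONAL.get(port) == service else " (non-standard port)"
        report[port] = f"{service} {version}{note}"
    return report

# Constructed banners; hostnames and versions are illustrative only.
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_4.3\r\n",
    25: "220 mail.example.test ESMTP Postfix\r\n",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n\r\n",
    54321: "220 ftp.example.test FTP server (Version wu-2.6.2) ready.\r\n",
    60000: "220 smtp.example.test ESMTP Postfix\r\n",
}

if __name__ == "__main__":
    for port, label in sorted(audit(SAMPLE_BANNERS).items()):
        print(f"{port}/tcp {label}")
```

Real Nmap keeps sending further probes after the first banner, as the text notes; this example only looks at the first reply.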
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on March 2nd, 2007 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.