Identifying Active Machines

Once a valid network range has been determined, the next step is to identify active machines on the network. There are several ways that this task can be accomplished, including the following:

  • Wardialing (legacy technique that is rarely used)

  • Wardriving and related activities

  • Pinging

  • Port scanning

Each of these methods offers different capabilities useful in detecting active systems and as such will need to be explored individually. To use each of these techniques, the attacker must clearly understand where each technique is useful as well as where it is weak.

Wardialing

A technique used by many hackers in the first few decades of widespread personal computer use is wardialing. Wardialing is a technique that was popular in the 1980s and 1990s as a footprinting tool, which explains why the process involves the use of modems. Wardialing is very simple: It uses a modem to dial phone numbers to locate modems. An attacker who picked a town at random and dialed up a range of phone numbers in that town would likely turn up several computers with modems attached. Wardialing using modems is a legacy technique with extremely limited utility value today, but it does give rise to many similar techniques that essentially search for open communication ports.

Wardriving and Related Activities

Wardriving is another technique for uncovering access points into a network. Wardriving is the process of locating wireless access points and gaining information about the configuration of each. This “sniffing” was initially performed with a laptop computer, a car, and software designed to record the access points detected. Additionally, a Global Positioning System (GPS) was optionally included to go to the next step of mapping the physical location of the access points. It wasn’t long before mobile devices became smaller, more functional, and better suited to finding wireless access points. The ease of carrying around a small device with a wireless adapter, GPS receiver, and software to collect information gave rise to warwalking, warjogging, warbiking, and even warflying. If an attacker is able to locate even a single unsecured access point, the dangers can be enormous because it can give that same attacker quick and easy access to the internal network of a company. An attacker connecting to an unsecured access point is more than likely bypassing protective measures, such as the corporate firewall.

Although there are a multitude of tools used to perform wardriving, other tools, including the following, are useful in defending against these attacks:

  • AirSnort—Wireless cracking tool

  • AirSnare—An intrusion detection system to help you monitor your wireless networks. It can notify you as soon as an unapproved machine connects to your wireless network.

  • Kismet—Wireless network detector, sniffer, and intrusion detection system commonly found on Linux

  • NetStumbler—Wireless network detector; also available for Mac and handheld devices

So why is wardriving successful? One of the most common reasons is that in spite of increasingly aggressive security measures, personnel sometimes install their own access points on the company network without company permission (known as a rogue access point). An individual who installs an access point in such a way will more than likely have no knowledge of, or possibly not care about, good security practices and may well leave the access point completely unsecured. Another reason is that sometimes when an access point has been installed, those performing the installation have actively decided not to configure any security features. Wardriving generally preys upon situations in which security is not considered or is poorly planned. Make sure you stay out of situations like that.

Pinging

A technique that is useful for determining whether a system is present and active is a ping sweep of an IP address range. By default, a computer will respond to a ping request with a ping reply or echo. A ping is a network utility that sends an Internet Control Message Protocol (ICMP) message. With the use of a ping, it is possible to identify active machines and measure the speed at which packets are moved from one host to another as well as obtain details, such as the time to live (TTL).

A key advantage of ICMP scanning is that it can be performed rapidly because it runs scanning and analysis processes in parallel. In other words, it means multiple systems can be scanned simultaneously. In fact, it is possible to scan an entire network rapidly. The ping utility is available as a command-line utility in all common operating systems and is often available as a feature in larger network management software packages.

Of course, for every pro there is a con, and pinging in this manner is not without issue. First, it is not uncommon for network administrators to specifically block ping ICMP messages at the firewall or even turn off ping messages completely on host devices. Second, it is a safe bet that any intrusion detection system (IDS) or intrusion prevention system (IPS) that is in place will detect and alert network managers in the event a ping sweep occurs. Finally, ping sweeps have no capability to detect systems that are attached to the network but powered down.
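The IDS detection mentioned above rests on a simple pattern: one source sending ICMP echo requests to many distinct hosts in a short time. The following is an added example (not from the original text) that applies that logic to a small set of constructed firewall log lines in a hypothetical format; the log format, addresses, window and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not from any real product).
# ICMP type 8 = echo request, type 0 = echo reply. One host probes a range
# of addresses within two seconds; another host pings a single server twice.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z icmp type=8 src=10.0.0.5 dst=10.0.1.1
2024-05-01T10:00:00Z icmp type=8 src=10.0.0.5 dst=10.0.1.2
2024-05-01T10:00:01Z icmp type=8 src=10.0.0.5 dst=10.0.1.3
2024-05-01T10:00:01Z icmp type=8 src=10.0.0.5 dst=10.0.1.4
2024-05-01T10:00:02Z icmp type=8 src=10.0.0.5 dst=10.0.1.5
2024-05-01T10:00:02Z icmp type=0 src=10.0.1.1 dst=10.0.0.5
2024-05-01T10:00:03Z icmp type=8 src=10.0.0.9 dst=10.0.1.20
2024-05-01T10:05:00Z icmp type=8 src=10.0.0.9 dst=10.0.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) icmp type=(?P<type>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)


def parse_echo_requests(log_text):
    """Yield (timestamp, src, dst) for ICMP echo requests (type 8) only;
    replies and malformed lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("type") == "8":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group("src"), m.group("dst")


def detect_ping_sweeps(log_text, window=timedelta(seconds=10), min_targets=5):
    """Return {src: distinct_targets} for every source that sent echo requests
    to at least min_targets distinct hosts inside any sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_echo_requests(log_text):
        by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so events[i:] are at or after events[i]
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    print(detect_ping_sweeps(SAMPLE_LOG))  # the /24 prober is reported, the single-host pinger is not
```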

Port Scanning

The next step to take after discovering active systems is to find out what services are available on the systems. The most straightforward technique is to scan ports for active services. Port scanning is designed to probe each port on a system in an effort to determine which ports are open. It is effective for gaining information about a host because the probes sent to a system have the capability to reveal more information than a ping sweep can. A successful port scan will return results that will give a clear picture of what services are running on a system. This is because ports are bound to services.

Before discussing how to scan ports, it is important to cover some of the fundamentals of ports. In all, there are 65,535 TCP and 65,535 UDP ports on any given system. Each of these port numbers identifies a specific process that is either sending or receiving information at any time. At first glance, it might seem that you would need to memorize all 65,000-plus ports to be adequately prepared, but this is not the case. In reality, only a few ports should ever be committed to memory, and if a port scan returns any ports that are not immediately recognizable, those port numbers should be further scrutinized. Some common port numbers are shown in TABLE 6-1.

TABLE 6-1 Common port numbers

PORT        SERVICE   PROTOCOL
20/21       FTP       TCP
22          SSH       TCP
23          Telnet    TCP
25          SMTP      TCP
53          DNS       TCP/UDP
80          HTTP      TCP
110         POP3      TCP
135         RPC       TCP
161/162     SNMP      UDP
1433/1434   MSSQL     TCP

Look closely at the last column of Table 6-1. In this column, the protocol in use is listed as either TCP or UDP. In practice, applications that access the network can do so using either TCP or UDP, based on how the service is designed. An effective port scan will be designed to consider both TCP and UDP as part of the scanning process. These two transport layer protocols work in different ways. TCP acknowledges each connection attempt. UDP does not, so it tends to produce less reliable results.

A Closer Look at TCP Port Scanning Techniques

TCP is a protocol that was designed to enable reliable communication, fault tolerance, and reliable delivery. All of these attributes allow for a better communication mechanism, but at the same time, these features allow an attacker to craft TCP packets designed to gain information about running applications or services.

To better understand these attacks, a quick overview of flags is needed. Flags are bits that are set in the header of a packet, each describing a specific behavior as shown in TABLE 6-2. A penetration tester or attacker with a good knowledge of these flags can use this knowledge to craft packets and tune scans to get the best results every time.

TABLE 6-2 TCP flag types

FLAG   PURPOSE
SYN    Synchronize sequence number
ACK    Acknowledge sequence number
FIN    Final data flag used during the four-step shutdown
RST    Reset bit used to close an abnormal connection
PSH    Push data bit used to signal that data in this packet should be pushed to the beginning of the queue
URG    Urgent data bit used to signify that there are urgent control characters in this packet that should have priority
CWR    Congestion Window Reduced flag is a response to a host receiving a TCP message with the ECE flag set
ECE    ECN-Echo flag indicates the sender is Explicit Congestion Notification (ECN) capable

TCP offers tremendous capability and flexibility because of flags that can be set as needed. However, UDP does not offer the same capabilities, largely because of the mechanics of the protocol itself. UDP can be thought of as a fire-and-forget or best-effort protocol and, as such, uses none of the flags and offers none of the feedback that is provided with TCP. UDP is therefore harder to use successfully for port scans. The reason UDP is more difficult to use in port scanning is that as data is transmitted, there are no mechanisms designed to return feedback to the sender. A failed delivery of a packet from a client to a server offers only an ICMP message as an indicator of events that have transpired.

One of the mechanisms that port scanning relies on is the use of flags. Flags are used in the TCP protocol to describe the status of a packet and the communication that goes with it. For example, a packet flagged with the FIN flag signals the end or clearing of a connection. The ACK flag is a signal used to indicate that a connection has been acknowledged. An XMAS scan is a packet that has the FIN, PSH, and URG flags active at once, in effect lighting it up “like a Christmas tree,” as the saying goes.

Some of the more popular scans designed for TCP port scanning include:

  • TCP connect scan—This type of scan is the most reliable but also the easiest to detect. This attack can be easily logged and detected because a full connection is established. Open ports reply with a SYN/ACK, whereas closed ports respond with an RST/ACK.

  • TCP SYN scan—This type of scan is commonly referred to as half open because a full TCP connection is not established. This type of scan was originally developed to be stealthy and evade IDS systems, although most modern systems have adapted to detect it. Open ports reply with a SYN/ACK, whereas closed ports respond with an RST/ACK.

  • TCP FIN scan—This scan attempts to detect a port by sending a request to close a nonexistent connection. This type of attack is enacted by sending a FIN packet to a target port; if the port responds with an RST, it signals a closed port. This technique is usually effective only on UNIX devices.

  • TCP NULL scan—This attack is designed to send packets with no flags set. The goal is to elicit a response from a system to see how it responds and then use the results to determine the ports that are open and closed.

  • TCP ACK scan—This scan attempts to determine access control list (ACL) rule sets or identify whether stateless inspection is being used. If an ICMP destination unreachable message is returned, the port is considered to be filtered.

  • TCP XMAS tree scan—This scan functions by sending packets to a target port with flags set in combinations that are illegal or illogical (e.g., FIN, PSH, and URG). The results are then monitored to see how a system responds. Closed ports should return an RST.
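The flag combinations in Table 6-2 and the scan list above are also what a defender looks for in inbound segments. The following added example (not from the original text) parses the flag byte out of a raw 20-byte TCP header and labels the segment by the scan signature it matches; the header builder exists only to construct sample input, and the port numbers and labels are assumptions.

```python
import struct

# Bit positions of the flags in byte 13 of the TCP header (Table 6-2 names).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
                 "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def build_tcp_header(src_port, dst_port, flags):
    """Construct a minimal 20-byte TCP header (no options) with the named flags
    set. Sample-input helper only: seq/ack numbers and checksum are zero."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAG_BITS[name]
    data_offset = 5 << 4  # header length of 5 x 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flag_byte, 8192, 0, 0)


def parse_tcp_flags(header):
    """Return (destination port, set of flag names) from a raw TCP header."""
    dst_port = struct.unpack("!H", header[2:4])[0]
    flag_byte = header[13]
    return dst_port, {name for name, bit in TCP_FLAG_BITS.items() if flag_byte & bit}


def classify_probe(flags):
    """Label an inbound segment by the scan signatures described in the text.
    ECE/CWR are ignored: they are legitimate ECN negotiation, not scan markers."""
    core = set(flags) - {"ECE", "CWR"}
    if not core:
        return "NULL scan"
    if core == {"FIN"}:
        return "FIN scan"
    if core == {"FIN", "PSH", "URG"}:
        return "XMAS scan"
    if core == {"SYN"}:
        return "SYN (connect or half-open attempt)"
    if core == {"ACK"}:
        return "ACK probe (possible ACL mapping)"
    return "other"


def classify_headers(headers):
    """Return [(dst_port, label), ...] for a list of raw TCP headers."""
    return [(port, classify_probe(flags)) for port, flags in map(parse_tcp_flags, headers)]


if __name__ == "__main__":
    sample = [build_tcp_header(40000, 22, []), build_tcp_header(40000, 80, ["FIN", "PSH", "URG"]),
              build_tcp_header(40000, 443, ["SYN", "ECE", "CWR"]), build_tcp_header(40000, 25, ["SYN", "ACK"])]
    for port, label in classify_headers(sample):
        print(port, label)
```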

Port Scanning Countermeasures

Port scanning is an effective tool for an ethical hacker or attacker, and proper countermeasures should be deployed to limit results to authorized individuals. These countermeasures include the range of techniques utilized by an organization’s IT security group to detect and prevent port scanning from returning useful information. Because there are several techniques that can be used to thwart port scanning, it is impossible to cover them all, but listed here are some countermeasures that can prevent an attacker from acquiring information from a port scan:

  • Deny all—An approach to access control designed to block all traffic to all ports unless such traffic has been explicitly approved

  • Proper design—An aspect of a carefully planned network, including security measures such as IDSs and firewalls

  • Firewall testing—A way to verify a firewall’s capability to detect and block undesirable traffic

  • Port scanning—A technique that utilizes the same tools that an attacker will use to attack a system with the goal of gaining a better understanding of the methods involved

  • Security awareness training—Something every organization should strive to provide. Effective security awareness teaches personnel to know how to look for certain behaviors and maintain security. Security awareness should also be used to encourage that security policies and practices are being followed and help administrators determine whether adjustments need to be made.
