Network Scanning Over the World - Case Study Example

1- Introduction Network scanning probably is the most faster growing over the world wide. And there are huge valuable tools useful for the network security. Some of them help in identifying active hosts on a network from attacking or security purposes. Nmap(Network Mapper) is one intelligent tool that is used by thousands and thousands of network professionals to ensure their networks security and systems safety. It is a freely available open source for network exploration or security auditing and it is available to download free from the internet. Nmap uses IP packets to determine whether a port is open or closed. Nmap has been written and is maintained by “Fyodor” as the greatest security utility and an extremely powerful tool. This papers objective is to report about Nmap (network mapper) and covers in essence, information about scanning techniques. It starts of the discussion by describing the meaning of the network scanning as a process to establish active hosts on a network, and follows on to cover port scanning which is a technique for attackers to discover exploitable communication channels that they can use to break into systems. Thereon, the report moves on to providing a description of Nmap, an intelligent device for checking the accuracy of the scanned data. The Port Scanning Basics are then divided to six states and discussed.Thereon the Each technique is focused upon to solve a specific problem. The Nmap TCP Maimon scan and the Nmap TCP ACK scan have the main emphasis in this report and are described in significant detail. What is network scanning? The concept of the network scanning is that it is a process to establish active hosts on a network for the objectives of network security assessment or attacking them. Scanning processes such as port scans and ping sweeps return details which the respective IP addresses map to the live host that is active on the internet and what use this address offers . Another scanning tactic is the Inverse Mapping which returns information to show which IP addresses do not map to live host thereby allowing to an attacker to make assumptions about viable addresses. Scanning is one of three constituents of intelligence gathering for an attacker, and it provides him/her with the information necessary to enable him/her to apply the very large spectrum of attack techniques. The attacker can make a profile of the goal organization with some information such as domain name system and an E-mail server, and its IP address scope. Usually the information is available online and consequently the attacker can find details about the IP address which it decides to access over the internet through its operating system, the system architecture, and the services running on the computer. The attacker in the enumeration phase gathers information such as group names and network user routing tables and Simple Network Management Protocol (SNMP) data. 3- Port scanning Port scanning is the most popular technique for attackers to discover exploitable communication channels that they can use to break into systems. The main idea for the attackers is to probe the network port and find information about targeted systems that are useful for an attacker. Certainly the port scanning is an accomplished technique since from the kind of response received from each port to sent messages indicates the extent of weakness of the port thereby in turn letting the attacker know how vulnerable the port under consideration is. Therefore network security techniques care about port scanners because they can expose important security vulnerabilities on the system. At this time there are various port scanning techniques available have been made by port scan tools such as Nessus and Nmap. 4- What is Nmap ? Network Mapper is a brilliant device for checking the accuracy of the scan data. NMAP is a freely distributed port scanner developed and preserved by Fyodor. It is an open source tool for network exploration and for security auditing. It allows the network administrator to observe what is running on the servers and it can be used in multiple operating systems such as Debian linux, Hat linux, etc. The main purpose of the Nmap is to help to make the Internet more secure and to provide administrators, auditors, and hackers with a sophisticated tool for exploring their network. Furthermore many network administrators find it useful for routine tasks such as network inventory, managing service upgrade programme, and monitoring host or service uptime as well. Nmap supports dozens of scanning techniques. For instance, TCP connect(), UDP , TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, SYN sweep, Xmas Tree, IP Protocol, Null scan and so on. In addition, Nmap can provide further information on goals, including reverse DNS names, operating system guesses, device types, and MAC addresses. (See figure 1 for general view of Mind Nmap) 4-1 Port Scanning Basics Though over the years the scope of Nmap has grown it began as an efficient port scan tool this still is its core function. The Nmap target scan has command of more than 1660 TCP ports on the host target. Nmap is much more granular compared to many other port scanners since while these have traditionally lumped all ports into the close or opened states, Nmap divides ports into six states (open, closed, filtered, unfiltered, open filtered, or closed filtered). Open Simply the concept of the open port is that an active application that accepts TCP connection or UDP packets on this port. Discovering these is the main goal of port scanning. Every open port is an avenue for attack and the security people realize that. They attempt to close or protect the open ports with firewalls. Closed The close ports are easy to reach as they receive and respond to Nmap probe packets, though there is no application listing on it. They can show which host is up on an IP address ( finding host or ping scanning). Because a closed port is so accessible it is worth scanning for an attacker as it may be for some cases opened up later. Thus it is important for security to block such ports as well with firewalls. Filtered In the filtered port Nmap cannot establish if the port is open or not because filtering packets stop the probe from reaching the port. Filtering ports can be from firewall device or router rules. These ports do not provide much information which is depressing for attackers. Unfiltered In this state the port is accessible but Nmap cannot determine if the port is closed or open. The ACK scan is the only scan that can classify such ports into this state which is used to map firewall rulesets. Furthermore, unfiltered ports with other scan techniques such as (SYN scan, FIN scan, or window scan) may be able to secured if the port is open. Open filtered Nmap is unable to determine if the port is open or closed. Such problems exist in cases of scans where open ports do not respond back and the case of receiving few responses might mean that a packet filter dropped the probe thereby not allowing Nmap to figure out whether the port is open or has been filtered. Closed filtered Closed filtered is used when Nmap is not able to establish if the port is closed or filtered. It is used only for the IPID Idle scan. 4-2 Port Scanning Techniques: NMAP supports various methods of port scanning. These types of methods are simply known as scanning techniques. Each technology is designed to solve a specific problem. In many cases, several scans have to be run based on different techniques in order to obtain a more complete picture of the host. TCP Maimon scan (-sM ) – Uriel Maimon was the discoverer of the Maimon scan and he described in November the technique in Phrack Magazine.This technique is Similar to the TCP Null, Fin and Xmas scans but exploits a slightly different TCP stack implementation detail particular to many BSD systems. TCP ACK scan (sA) – Used to map out firewall rulesets and it sends an ACK packet to specific ports to evaluate if the port is filtered or unfiltered. TCP connect scan (-sT) – Uses a normal TCP connection to determine if a port is available. This scan method uses the same three handshake connection that other TCP application used on the network but is comparatively slower and has more overhead than a SYN scan. A TCP connect scan is the default when a SYN scan (RAW sockets) is not an option. TCP SYN scan (-sS) – Is the most popular option because it can be performed on many thousands of hosts very quickly on a fast network with no firewalls. SYN scan opens connections by sending SYN packet to allow nmap to collect information about open ports but it never completes the TCP handshake process. UDP scan (-sU) – Sends an empty data UDP header to every specified port. The packet from this header is used to determine the whether the UDP port is open without warning. Custom TCP scan (--scanflags) - this option is great for advance users who prefer to create their own scan type by specifying arbitrary TCP flags for some particular requirements is helpful to create scans that are less likely be detected by intrusion detection systems. IP protocol scan (-sO) – this technique is a bit different than the rest of nmap scans, the target machines support the IP protocols (TCP, ICMP, IGMP, etc.) by sending raw IP packets without further protocol headers. If a ICMP receives a message it assumes that the port is closed and if does not it is identified as being open. TCP Null, FIN and Xmas scans – These scans gather in one group because they do similar individual work. TCP Null, FIN and Xmas scans send a single frame to TCP port without the three handshakes. These are known as "stealth" scans precisely for this reason. FTP bounce scan – The FTP is a type of scan which is not very popular in the network security world. It uses a third workstation to work as proxy between the nmap host and the destination station that encourages the attacker to do the port scan and receive the result back. TCP Window scan – The windows scan and the ACK scan are similar in that both map firewall rulesets except that windows scan can determine if the port scan is opened or closed. Idle scan – Idle scan gathers port information by using another station on the network by nmap and. the scan will appear to originate another host instead of the nmap station. The Nmap TCP Maimon Scan: This is a general description to feature in detail the function of the Maimon scan on the network. The Maimon is a stealth scanning technique called by Uriel Maimon who profiled stealth scanning techniques in a Phrack Magazine, the same as FIN scan. The Maimon scan, the FIN scan and also NULL, Xmas scan are exactly similar in their operational mechanisms on the network world but the Maimon scan enables both the ACK flag and the FIN flag in the frame sent to the remote gadget. FIN scan was only the scan which is selected to be like the Maimon scan because the FIN scan always returns a RST frame response to the FIN packet when the TCP port not listing the same of what the maimon scan does. Both of the Maimon scan and FIN scan are designed to identify RST responses from the remote device if the TCP port received a RST response from the remote station, it means that the port is closed while if the TCP port is open, there are no responses that are received back The function trend of the Maimon scan works and receives the same result of the FIN scan, for greater clarification of the work trend of the Maimon scan and FIN scan see the diagrams below. 4- The Nmap TCP ACK Scan The ACK scan is a unique technique in Nmap . The ACK scan is used for mapping out firewall rulesets. This a progress scan that works to determine if a firewall is stateful or not. ACK scan sends an ACK packet for a specific port and if no response received it is filtered, if an RST response comes back the port is unfiltered. But this scan never shows an application to affirm an open state, although the ACK scan does an effective job of identifying port that is filtered through a firewall. The ACK process operations to indicate if the port is open or close by sending a TCP ACK frame to a port and waiting for response. If there is no any response or if there is an ICMP destination unreachable message the port is filtered. Please check diagrams for further details. 6-1 Advantages of the ACK Scan The ACK scan is always invisible when mixed with other network traffic and it doesnt open any application, also the connection is slightly simpler between the Nmap and the remote device. 6-2 Disadvantages of the ACK Scan The ACK scan is unable to identify open or closed port it never attempt to make connection with a remote device this the most significant disadvantage for the ACK scan. Conclusion Nmap is a brilliant utility for evaluating security. It is therefore useful for security providers who are interested to protect hosts as well as attackers who are interested to evade firewall restrictions. Nmap provides stealthy scanning options such as the maimon scan which designed to identify RST responses from the remote deviceas closed port, and the ACK scan which is efficiently identifies ports filtered through a firewall. Read More