
Port Scanning Techniques and the Defense Against Them

Introduction

Port scanning is one of the most popular techniques attackers use to discover services that they can
exploit to break into systems. All systems connected to a LAN or to the Internet via a modem run
services that listen on well-known and not-so-well-known ports. By port scanning, the attacker can find
the following information about the targeted systems: what services are running, what users own those
services, whether anonymous logins are supported, and whether certain network services require
authentication.
Port scanning is accomplished by sending a message to each port, one at a time. The kind of response
received indicates whether the port is used and can be probed for further weaknesses. Port scanners are
important to network security technicians because they can reveal possible security vulnerabilities on the
targeted system.

Just as port scans can be run against your systems, port scans can be detected, and the amount of
information exposed about open services can be limited by using the proper tools. Every publicly
available system has ports that are open and available for use. The objective is to limit the exposure of
open ports to authorized users and to deny access to the closed ports.
Port Scan Techniques
To defend against port scans, you have to understand how they are performed. There are various port
scanning techniques available, and port scanning has been automated by popular tools such as Nmap and
Nessus. The following scan types are standard in Nmap and Nessus.
1. Address Resolution Protocol (ARP) scans discover active devices on the local network segment by
sending a series of ARP broadcasts and incrementing the value for the target IP address field in each
broadcast packet. This type of scan will have every IP device
2.2 Free Port Scanning Tools
2.2.1 nmap
The command-line driven nmap utility is a port scanner designed to scan large networks
and determine which hosts are up and which TCP and UDP network services they
offer. nmap supports a large number of popular ICMP, TCP, and UDP scanning techniques,
also offering a number of advanced features such as service protocol fingerprinting, IP
fingerprinting, stealth scanning and low-level filter analysis.
nmap is available from http://www.insecure.org/nmap/. Currently nmap can be run under
Windows 2000 and Unix operating systems, including Linux and MacOS X.
2.2.2 Nessus
Nessus is a vulnerability assessment package that can perform many automated tests
against a target network, including:
ICMP sweeping
TCP and UDP port scanning
Banner grabbing and network service assessment
Brute force against common network services
IP fingerprinting and other peripheral functions
I know of auditing teams within the big five accounting firms who use Nessus to undertake
much of their network scanning and assessment work. Nessus has two components
(daemon and client) and deploys in a distributed fashion that permits effective network
coverage and management.
Nessus has a good reporting engine that can present comprehensive results along with
relevant CVE entries. CVE is a detailed list of common vulnerabilities maintained by the
MITRE Corporation (accessible at http://cve.mitre.org).
Nessus is available for download from http://www.nessus.org. At the time of writing, the
daemon component is available only for Unix-based systems such as Linux, Solaris, and
FreeBSD. The Unix Nessus client software is bundled with the daemon component in a
single package; Windows clients are also available.
2.2.3 NSAT
Mixter's Network Security Analysis Tool (NSAT) is a fast bulk network scanner with decent
functionality. Although the NSAT checklist of vulnerabilities isn't as comprehensive as that
found in Nessus, the utility is very fast and can perform a high-level sweep of a target
network space in order to identify potentially interesting components.
In particular, NSAT performs ICMP, TCP, and UDP scanning along with good assessment of
common services including Telnet, FTP, SMTP, DNS, POP3, RPC, NetBIOS, SNMP, and HTTP.
With NSAT, you can also define virtual network interfaces to scan through, so that in a
situation in which an IDS-protected network is being assessed, you can assess the space
from IP addresses in your network block that aren't being used.
NSAT can be run under Linux, FreeBSD, and Solaris at the time of writing. The tool is
available from the NSAT project page at http://sourceforge.net/projects/nsat/.
2.2.4 Foundstone SuperScan
A Windows GUI-based ICMP, TCP, and UDP network scanning utility, SuperScan is
extremely fast and efficient. When it locates plaintext network services (such as FTP, Telnet,
SMTP, or HTTP), the tool performs banner grabbing to extract additional service information
(which usually includes version numbers and details of enabled options).
SuperScan is available from http://www.foundstone.com/knowledge/scanning.html along
with a selection of other freely downloadable network scanning utilities.

2.3 Commercial Network Scanning Tools
Commercial scanning packages are used by many network administrators and those
responsible for the security of large networks. Although not cheap (software licenses
often cost tens of thousands of dollars), commercial systems are supported and
maintained by the respective vendor, so vulnerability databases are kept up to date.
With this level of professional support, a network administrator can assure the security of
his network to a certain level.
Here's a selection of popular commercial packages:
Core IMPACT (http://www.corest.com/products/coreimpact/)
ISS Internet Scanner (http://www.iss.net)
Cisco Secure Scanner (http://www.cisco.com/warp/public/cc/pd/sqsw/nesn/)
A problem with such one-stop automated vulnerability assessment packages is that they
increasingly report false positives. When professionally scanning large networks, it is often
advisable to use a commercial system such as ISS Internet Scanner to perform an initial bulk
scan and network service assessment, then fully qualify vulnerabilities and investigate network
components by hand to produce accurate results.
Here is a checklist of countermeasures to use when considering technical modifications to
networks and filtering devices to reduce the effectiveness of network scanning and probing
undertaken by attackers:
Filter inbound ICMP message types at border routers and firewalls. This forces attackers
to use full-blown TCP port scans against all of your IP addresses to map your network
correctly.
Filter all outbound ICMP type 3 unreachable messages at border routers and firewalls to
prevent UDP port scanning and firewalking from being effective.
Consider configuring Internet firewalls so that they can identify port scans and throttle
the connections accordingly. You can configure commercial firewall appliances (such as
those from Check Point, NetScreen, and WatchGuard) to prevent fast port scans and
SYN floods being launched against your networks. On the open source side, there are
many tools such as portsentry that can identify port scans and drop all packets from the
source IP address for a given period of time.
Assess the way that your network firewall and IDS devices handle fragmented IP
packets by using fragtest and fragroute when performing scanning and probing
exercises. Some devices crash or fail under conditions in which high volumes of
fragmented packets are being processed.
Ensure that your routing and filtering mechanisms (both firewalls and routers) can't be
bypassed using specific source ports or source-routing techniques.
If you house publicly accessible FTP services, ensure that your firewalls aren't vulnerable
to stateful circumvention attacks relating to malformed PORT and PASV commands.
If a commercial firewall is in use, ensure the following:
o The latest service pack is installed.
o Antispoofing rules have been correctly defined, so that the device doesn't accept
packets with private spoofed source addresses on its external interfaces.
o Fastmode services aren't used in Check Point Firewall-1 environments.
Investigate using inbound proxy servers in your environment if you require a high level
of security. A proxy server will not forward fragmented or malformed packets, so it isn't
possible to launch FIN scanning or other stealth methods.
Be aware of your own network configuration and its publicly accessible ports by
launching TCP and UDP port scans along with ICMP probes against your own IP address
space. It is surprising how many large companies still don't properly undertake even
simple port-scanning exercises.



Different types of port scanning techniques:
1. Open Scan: Also known as a vanilla scan. In this type of scan the attacker tries to connect to all the
ports of the target. This scan uses a normal TCP connection to determine port availability and relies on
the TCP three-way handshake that every other TCP application on the network uses. The drawback of
this technique is that it is easily detected and blocked.
How an open scan works
When the port is open, the client sends a SYN, the server replies with SYN+ACK, and the client
acknowledges with an ACK. Once the handshake is complete, the client terminates the connection. This
confirms an open port. When the port is closed ("not listening"), the server responds with RST+ACK,
which the client acknowledges with an RST, and the connection is closed.
The disadvantage of this scan technique is that the attacker cannot spoof his identity, because spoofing
would require sending the correct sequence number as well as setting the appropriate return flags to
set up the data connection. Moreover, most stateful IDSs and firewalls detect and log this scan, exposing
both the attempt and the attacker's IP address. The advantage is a fast, accurate scan that requires no
additional privileges.

2. Half Open Scan: A half-open scan is similar to an open or vanilla scan. The only difference is that it
does not establish a complete connection with the host, so it is a little harder for the target's firewall
to detect; it is still detectable, however, since receiving the ICMP echoes requires a connection to be
established between your PC and the target.
How a half-open scan works
In a half-open scan, a complete TCP connection is not established. Instead, as soon as the server
acknowledges with a SYN+ACK response, the client tears down the connection by sending an RST.
This way the attacker detects an open port without establishing a full connection.
However, some good IDSs and firewalls such as ZoneAlarm can detect a SYN packet "from the void" and
prevent half-open scans. Besides, this scan requires the attacker to build a custom IP packet, which in
turn requires access to SOCK_RAW (getprotobyname('raw') on most systems), /dev/bpf (Berkeley packet
filter) or /dev/nit (Sun network interface tap). This requires administrator privileges.

3. Strobe Scan: In a strobe scan, the attacker scans only a selected number of ports (usually under 20);
the rest of the procedure is the same as an open scan. The difference is that it is a lightweight scan in
which the attacker probes specific ports on the host and analyzes the results. A strobe does a narrower
scan, looking only for those services the attacker knows how to exploit. Almost 90% of crackers use this
technique because it is fast and accurate.
Drawback: a limited scan may not produce the expected results, but it is very fast. Free Port Scanner
works with the strobe scan technique only; it scans only the Internet and web application service ports.

4. Stealth Scan: In this type of scanning technique, scanning is done in a stealthy manner that aims to
prevent the connection request from being logged.
Initially, half-open scans were considered stealthy; however, as IDS software evolved, these scans were
easily logged. Now "stealth scan" refers to scans in which packets carry a particular set of flags other
than SYN, a combination of flags, no flags at all, or all flags set, so that they appear as normal traffic,
or which use fragmented packets or avoid filtering devices by any other means. All of these techniques
rely on inverse mapping to determine open ports.
Different type of Stealth scans:
SYN|ACK Scan
The client sends a packet with SYN+ACK set to the target. For a closed port, the server replies with an
RST, while an open port does not reply. This is because the TCP protocol requires a SYN flag to initiate
a connection. This scan may generate a certain number of false positives: packets dropped by filtering
devices, network congestion, timeouts and so on can lead to the wrong inference that a port is open
when it may or may not be. However, it is a fast scan that avoids the three-way handshake.
FIN Scan
Similar to the SYN|ACK scan, except that a FIN flag is sent to the target. Closed ports are required to
reply to the probe packet with an RST, while open ports must ignore the packet. This scan attempts to
exploit a weakness in BSD networking code. Since many operating systems are based on or derived from
BSD, this scan could return good results. Most operating systems have applied patches to correct the
problem, but there remains a possibility that the attacker may come across a system where these patches
have not been applied.
ACK Scan
This scan takes advantage of IP routing to deduce the state of a port from the TTL value of the reply.
It relies on the fact that IP is a routing function, so the TTL value is decremented by one at each
interface the packet passes through.
NULL Scan
In a NULL scan, the packet is sent without any flags set. This takes advantage of RFC 793, which does not
specify how a system should respond. Most UNIX and UNIX-related systems respond with an RST (if the
port is open) to close the connection. However, Microsoft's implementation does not abide by this
standard and reacts differently to such a scan. An attacker can use this to distinguish a Windows machine
from others by correlating it with other scan results. For example, if an -sF, -sX or -sN scan shows all
ports closed but a SYN (-sS) scan shows open ports, the attacker can infer that he is scanning a Windows
machine. This is not an exclusive property, though, as the same behavior is shown by Cisco, BSDI, HP/UX,
MVS and IRIX. Also note that the reserved bits (RES1, RES2) do not affect the result of any scan.
Therefore this scan works only with UNIX and related systems.
Xmas Scan
In an Xmas scan, all the available flags in the TCP header are set (ACK, FIN, RST, SYN, URG, PSH), giving
the packet an ornamental "lit up" look. This scan works on UNIX and related systems and causes the
kernel to drop the packet if the receiving port is open.
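The open, half-open and stealth probes described above each leave a distinct flag pattern at the target. As an added example that is not part of the original text, the following Python classifier labels each (source, port) flow from the flags the client sent and reports any source whose distinct-port count for one technique reaches a threshold; the packet records, addresses and threshold are constructed for illustration.

```python
from collections import defaultdict

# Minimum number of distinct destination ports one source must probe with the
# same technique before it is reported as a scan (constructed threshold).
PORT_THRESHOLD = 5

# Flags use tcpdump letters: S=SYN A=ACK F=FIN R=RST P=PSH U=URG.
# Single-packet probe signatures from the stealth-scan section, keyed by the
# sorted flag letters so that "PFU" and "FPU" hit the same entry.
PROBE_SIGNATURES = {
    "": "NULL",
    "F": "FIN",
    "FPU": "Xmas",        # common Xmas probe: FIN+PSH+URG
    "AFPRSU": "Xmas",     # all-flags variant described in the text
    "AS": "SYN|ACK",
    "A": "ACK",
}

def classify_flow(flags_seq):
    """Label one (src, dport) flow from the flags the client sent, in order."""
    norm = ["".join(sorted(f)) for f in flags_seq]
    if norm[0] == "S":
        # Open (connect) scan: the client completes the handshake with an ACK.
        # Half-open scan: the client answers SYN+ACK with RST and never ACKs.
        if "A" in norm[1:]:
            return "connect"
        if "R" in norm[1:]:
            return "half-open"
        return "SYN-only"   # lone SYN: closed/filtered port or lost reply
    if len(norm) == 1:
        return PROBE_SIGNATURES.get(norm[0], "other")
    return "other"

def detect_scans(packets, threshold=PORT_THRESHOLD):
    """packets: iterable of (src_ip, dst_port, flags) seen by the target.
    Returns {src: {technique: [ports]}} for sources over the threshold."""
    flows = defaultdict(list)                 # (src, dport) -> [flags, ...]
    for src, dport, flags in packets:
        flows[(src, dport)].append(flags)
    by_src = defaultdict(lambda: defaultdict(set))
    for (src, dport), seq in flows.items():
        by_src[src][classify_flow(seq)].add(dport)
    report = {}
    for src, techniques in by_src.items():
        hits = {t: sorted(p) for t, p in techniques.items() if len(p) >= threshold}
        if hits:
            report[src] = hits
    return report

# Constructed sample traffic (client-to-target packets only; no real hosts).
SAMPLE = []
for port in (21, 22, 25, 80, 443, 8080):          # half-open: SYN, then RST
    SAMPLE += [("198.51.100.7", port, "S"), ("198.51.100.7", port, "R")]
for port in (22, 23, 25, 53, 80, 110):            # NULL: no flags at all
    SAMPLE.append(("203.0.113.9", port, ""))
for port in (21, 22, 25, 80, 443):                # Xmas: FIN+PSH+URG
    SAMPLE.append(("192.0.2.44", port, "FPU"))
for port in (80, 443, 3306, 5432, 8080, 8443):    # connect scan: SYN, ACK, RST
    SAMPLE += [("203.0.113.50", port, f) for f in ("S", "A", "R")]
for port in (80, 443):                            # a legitimate client session
    SAMPLE += [("10.0.0.12", port, f) for f in ("S", "A", "PA", "FA")]

REPORT = detect_scans(SAMPLE)   # {src: {technique: [ports]}} for the scanners only
```

The legitimate client is not reported because it completes handshakes on only two ports; a lone SYN is labelled "SYN-only" rather than guessed, since a closed port gives the same client-side trace for both connect and half-open scans.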

5. FTP Bounce Scan: The ability to hide their tracks is an important task for attackers, and in port
scanning this is achieved with the FTP bounce scan technique.
FTP bounce scanning takes advantage of a vulnerability in the FTP protocol itself, exploiting FTP servers
that grant read/write access. The advantage of this scan can be both anonymity and accessibility. Suppose
the target network allows FTP data transfers only from its recognized partners. An attacker might discover
a business partner that runs an FTP service with a world-writable directory into which any anonymous user
can drop files and read them back. It could even be the ISP hosting services on its FTP server. The
attacker, who has an FTP server and is able to run it in passive mode, logs in anonymously to the
legitimate server and issues instructions for scanning or accessing the target server through a series
of FTP commands. He may choose to put these into a batch file and execute it from the legitimate server
to avoid detection.
If a connection is established as the active data transfer process (DTP), the client knows the port is
open, as the server issues 150 and 226 responses. If the transfer fails, a 425 error is generated with a
message that the data connection was refused. The PASV listener connection can be opened on any
machine that grants the attacker file write access and used to bounce the scan for anonymity. It does
not even have to be an FTP server: any utility that listens on a known TCP port and reads raw data from
it into a file will do.

Often these scans are executed as batch files padded with junk so that the TCP window is full and the
connection stays alive long enough for the attacker to execute the commands. Fingerprinting the target's
OS helps determine the TCP window size and allows the attacker to pad the commands accordingly.

This scan is hard to trace, permits access to the local network and evades firewalls. However, most FTP
servers have patched this vulnerability by adopting countermeasures such as refusing third-party
connections and disallowing restricted ports. Another measure has been to restrict write access.
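As an added example of the server-side countermeasures just listed (not code from the original text or from any FTP server), the following Python checks each PORT command against the control connection's peer address, refusing third-party and restricted-port data connections, and audits a constructed session log for bounce attempts; the addresses, reply texts and log lines are assumptions.

```python
import re

# An FTP PORT command: "PORT h1,h2,h3,h4,p1,p2" (RFC 959), data port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)

def parse_port_command(line):
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]

def check_port_command(line, control_peer_ip, min_port=1024):
    """Server-side decision for a PORT command received from control_peer_ip.
    Returns (accepted, reply_code, reason). The two refusals mirror the
    countermeasures named above: no third-party data connections, and no
    data connections to restricted (privileged) ports. Reply texts are assumed."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False, 501, "syntax error in PORT parameters"
    ip, port = parsed
    if ip != control_peer_ip:
        return False, 500, f"third-party data connection to {ip}:{port} refused"
    if port < min_port:
        return False, 500, f"data port {port} is a restricted port"
    return True, 200, "PORT command successful"

def bounce_targets(session):
    """Audit a control-channel log of (client_ip, command) entries and return
    the third-party hosts and ports each client tried to reach through PORT.
    One client naming many ports on a single foreign host is a bounce scan."""
    targets = {}
    for client_ip, cmd in session:
        parsed = parse_port_command(cmd)
        if parsed is None or parsed[0] == client_ip:
            continue
        targets.setdefault(client_ip, {}).setdefault(parsed[0], set()).add(parsed[1])
    return {c: {h: sorted(p) for h, p in hosts.items()} for c, hosts in targets.items()}

# Constructed control-channel log: (client_ip, command). No real hosts.
SESSION = [
    ("203.0.113.7", "PORT 203,0,113,7,200,10"),   # normal active transfer, accepted
    ("203.0.113.7", "PORT 10,0,0,5,0,22"),        # bounce probe aimed at 10.0.0.5:22
    ("203.0.113.7", "PORT 10,0,0,5,0,25"),        # bounce probe aimed at 10.0.0.5:25
    ("203.0.113.7", "PORT 10,0,0,5,4,1"),         # bounce probe aimed at 10.0.0.5:1025
    ("203.0.113.7", "PORT 203,0,113,7,0,80"),     # own address, but restricted port 80
    ("203.0.113.7", "PORT 999,0,113,7,0,80"),     # malformed octet, rejected with 501
]
```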


6. Fragmented Packet Scans: FPS is an attempt to bypass rules in some routers. This approach evolved
from the need to avoid the false positives that other scans produce because of packet-filtering devices.
For any transmission, the minimum allowable fragment of a TCP header must contain the source and
destination ports in the first fragment (8 octets, 64 bits) and the initialized flags in the next; the
remote host reassembles the packet on receipt through an IP module that identifies the fragments of
one packet by matching values in the source, destination, protocol and identification fields.

The scan works by splitting the TCP header into small fragments and transmitting them over the network.
However, IP reassembly on the server side may produce unpredictable and abnormal results, such as
fragmentation of the data in the IP header. Some hosts may be incapable of parsing and reassembling
the fragments, which can cause crashes, reboots or even network device monitoring dumps.

Some firewalls may have rulesets that block IP fragmentation queues in the kernel (like the
CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), though this is not widely implemented because of
the adverse effect on performance. Since several intrusion detection systems use signature-based
mechanisms to identify scanning attempts from the IP and/or TCP header, fragmentation is often able to
evade this type of packet filtering and detection. There is a high probability of causing network
problems on the target network.

7. UDP Scan: As the name suggests, this is a one-way scan, since UDP is a fire-and-forget protocol. Port
scanning usually means scanning for TCP ports, which are connection-oriented and therefore give good
feedback to the attacker. UDP responds in a different manner. In order to find UDP ports, the attacker
generally sends empty UDP datagrams. If the port is listening, the service should send back an error
message or ignore the incoming datagram. If the port is closed, most operating systems send back an
ICMP Port Unreachable message. Thus you can find out if a port is NOT open, and by exclusion determine
which ports are open. Neither UDP packets nor the ICMP errors are guaranteed to arrive, so UDP scanners
of this sort must also implement retransmission of packets that appear to be lost (or you will get a
bunch of false positives).


Also, this scanning technique is slow because it has to compensate for machines that implement the
suggestions of RFC 1812 and limit the ICMP error message rate. For example, a kernel may limit
destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is
exceeded.

Some people think UDP scanning is pointless; not so. For example, rpcbind can sometimes be found hiding
on an undocumented UDP port somewhere above 32770, so it doesn't matter that port 111 is blocked by
the firewall. But can you find which of the more than 30,000 high ports it is listening on? With a UDP
scanner you can.
The disadvantage to the attacker is that UDP is a connectionless protocol and, unlike TCP, does not
retransmit packets if they are lost or dropped on the network. Moreover, it is easily detected and
unreliable (false positives). The Linux kernel limits ICMP destination unreachable messages to 80 per 4
seconds, thereafter imposing a 1/4 second penalty if the count is exceeded. This makes the scan slow,
and the scan also requires root access. However, it avoids TCP-based IDSs and can scan non-TCP ports.


Some more advanced techniques:
1. SCTP INIT Scan: SCTP is a relatively new alternative to the TCP and UDP protocols, combining most
characteristics of TCP and UDP and adding new features such as multi-homing and multi-streaming. It is
mostly used for SS7/SIGTRAN-related services but has the potential to be used for other applications as
well. SCTP INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed quickly, scanning
thousands of ports per second on a fast network not hampered by restrictive firewalls. Like SYN scan,
INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also
allows clear, reliable differentiation between the open, closed, and filtered states.

2. SCTP COOKIE ECHO Scan: This is a more advanced SCTP scan. It takes advantage of the fact that SCTP
implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send
an ABORT if the port is closed. The advantage of this scan type is that it is not as obvious a port scan
as an INIT scan. Also, there may be non-stateful firewall rulesets blocking INIT chunks but not COOKIE
ECHO chunks. Don't be fooled into thinking that this makes a port scan invisible; a good IDS will be able
to detect SCTP COOKIE ECHO scans too. The downside is that SCTP COOKIE ECHO scans cannot differentiate
between open and filtered ports, leaving you with the state open|filtered in both cases.
