Download Port Scanning Techniques and the Defense Against Them PDF

TitlePort Scanning Techniques and the Defense Against Them
File Size222.7 KB
Total Pages9
Document Text Contents
Page 1

Port Scanning Techniques and the Defense Against Them
Introduction



Port Scanning is one of the most popular techniques attackers use to discover services that they can

exploit to break into systems. All systems that are connected to a LAN or the Internet via a modem run

services that listen to well-known and not so well-known ports. By port scanning, the attacker can find the

following information about the targeted systems: what services are running, what users own those

services, whether anonymous logins are supported, and whether certain network services require

authentication.

Port scanning is accomplished by sending a message to each port, one at a time. The kind of response

received indicates whether the port is used and can be probed for further weaknesses. Port scanners are

important to network security technicians because they can reveal possible security vulnerabilities on the

targeted system.



Just as port scans can be ran against your systems, port scans can be detected and the amount of

information about open services can be limited utilizing the proper tools. Every publicly available system

has ports that are open and available for use. The object is to limit the exposure of open ports to

authorized users and to deny access to the closed ports.

Port Scan Techniques

To defend against port scans, you have to understand how port scans are performed. There are various

port scanning techniques available. Port scans have been made automated by popular port scanning tools

such as Nmap and Nessus.

The following scans are available for standard for Nmap and Nessus.

1. Address Resolution Protocol (ARP) scans discover active devices on the local network segment by

sending a series of ARP broadcasts and incrementing the value for the target IP address field in each

broadcast packet. This type of scan will have every IP device

Free Port Scanning Tools

2.2.1 nmap

The command-line driven nmap utility is a port scanner designed to scan large networks

and determine which hosts are up and which TCP and UDP network services they

offer.nmap supports a large number of popular ICMP, TCP, and UDP scanning techniques,

also offering a number of advanced features such as service protocol fingerprinting, IP

fingerprinting, stealth scanning and low-level filter analysis.

Page 2

nmap is available from http://www.insecure.org/nmap/. Currently nmap can be run under

Windows 2000 and Unix operating systems, including Linux and MacOS X.

2.2.2 Nessus

Nessus is a vulnerability assessment package that can perform many automated tests

against a target network, including:

 ICMP sweeping

 TCP and UDP port scanning

 Banner grabbing and network service assessment

 Brute force against common network services

 IP fingerprinting and other peripheral functions

I know of auditing teams within the big five accounting firms who use Nessus to undertake

much of their network scanning and assessment work. Nessus has two components

(daemon and client) and deploys in a distributed fashion that permits effective network

coverage and management.

Nessus has a good reporting engine that can present comprehensive results along with

relevant CVE entries. CVE is a detailed list of common vulnerabilities maintained by the

MITRE Corporation (accessible at http://cve.mitre.org).

Nessus is available for download from http://www.nessus.org. At the time of writing, the

daemon component is available only for Unix-based systems such as Linux, Solaris, and

FreeBSD. The Unix Nessus client software is bundled with the daemon component in a

single package; Windows clients are also available.

2.2.3 NSAT

Mixter's Network Security Analysis Tool (NSAT) is a fast bulk network scanner with decent

functionality. Although the NSAT checklist of vulnerabilities isn't as comprehensive as that

found in Nessus, the utility is very fast and can perform a high-level sweep of a target

network space in order to identify potentially interesting components.

In particular, NSAT performs ICMP, TCP, and UDP scanning along with good assessment of

common services including Telnet, FTP SMTP, DNS, POP3, RPC, NetBIOS, SNMP, and HTTP.

With NSAT, you can also define virtual network interfaces to scan through, so that in a

Page 4

2.3 Commercial Network Scanning Tools

Commercial scanning packages are used by many network administrators and those

responsible for the security of large networks. Although not cheap (with software licenses

often in the magnitude of tens of thousands of dollars), commercial systems are supported

and maintained by the respective vendor, so vulnerability databases are kept up-to-date.

With this level of professional support, a network administrator can assure the security of

his network to a certain level.

Here's a selection of popular commercial packages:

 Core IMPACT (http://www.corest.com/products/coreimpact/)

 ISS Internet Scanner (http://www.iss.net)

 Cisco Secure Scanner (http://www.cisco.com/warp/public/cc/pd/sqsw/nesn/)

A problem with such one-stop automated vulnerability assessment packages is that

increasingly, they record false positive results. When professionally scanning large

networks, it is often advisable to use a commercial system such as ISS Internet Scanner to

perform an initial bulk scanning and network service assessment of a network, then fully

qualify vulnerabilities and investigate network components by hand to produce accurate

results.

ere is a checklist of countermeasures to use when considering technical modifications to

networks and filtering devices to reduce the effectiveness of network scanning and probing

undertaken by attackers:

 Filter inbound ICMP message types at border routers and firewalls. This forces attackers

to use full-blown TCP port scans against all of your IP addresses to map your network

correctly.

 Filter all outbound ICMP type 3 unreachable messages at border routers and firewalls to

prevent UDP port scanning and firewalking from being effective.

 Consider configuring Internet firewalls so that they can identify port scans and throttle

the connections accordingly. You can configure commercial firewall appliances (such as

those from Check Point, NetScreen, and WatchGuard) to prevent fast port scans and

SYN floods being launched against your networks. On the open source side, there are

many tools such as portsentry that can identify port scans and drop all packets from the

source IP address for a given period of time.

Similer Documents