Port Scan attacks and their detection methodologies

Theory:

Port Scans:

A port scan is an attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of the service behind it. Scanning, as a method for discovering exploitable communication channels, has been around for ages. The idea is to probe as many listeners as possible and keep track of the ones that are receptive or useful to the scanner's particular need.

Portsweep:

A portsweep differs from a portscan: in a portsweep, multiple hosts are scanned for one specific listening port. For example, if the attacker wants to find all the web servers running in the target network, a portsweep is run against ports 80 and 443 on every host in the network.
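The two patterns above are what a detector looks for in connection records: one source touching many ports on one host (portscan), or one source touching the same port on many hosts (portsweep). The following Python is an added example written for this page, not the lab's own code; the log format, the addresses in the constructed sample log, the thresholds and the 60-second sliding window are assumptions chosen for the illustration.

```python
"""Portscan / portsweep detector over a constructed connection log.

Added example for this lab page (not the lab's own code). The log format,
the IP addresses and the thresholds are assumptions made for the example.
"""
from collections import defaultdict

# Constructed sample log, one connection attempt per line:
#   <epoch seconds> <source ip> <destination ip> <destination port> <protocol>
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.168.1.10 22 tcp
1700000001 10.0.0.5 192.168.1.10 23 tcp
1700000001 10.0.0.5 192.168.1.10 25 tcp
1700000002 10.0.0.5 192.168.1.10 80 tcp
1700000002 10.0.0.5 192.168.1.10 110 tcp
1700000003 10.0.0.5 192.168.1.10 143 tcp
1700000003 10.0.0.5 192.168.1.10 443 tcp
1700000010 10.0.0.9 192.168.1.1 80 tcp
1700000010 10.0.0.9 192.168.1.2 80 tcp
1700000011 10.0.0.9 192.168.1.3 80 tcp
1700000011 10.0.0.9 192.168.1.4 80 tcp
1700000012 10.0.0.9 192.168.1.5 80 tcp
1700000012 10.0.0.9 192.168.1.6 80 tcp
1700000020 10.0.0.7 192.168.1.10 443 tcp
1700000021 10.0.0.7 192.168.1.10 443 tcp
1700000022 10.0.0.7 192.168.1.20 22 tcp
"""

PORTSCAN_THRESHOLD = 5    # distinct ports on one host from one source
PORTSWEEP_THRESHOLD = 5   # distinct hosts on one port from one source
WINDOW_SECONDS = 60       # sliding window inside which those counts must occur


def parse_log(text):
    """Turn the text log into (ts, src, dst, dport, proto) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        events.append((int(ts), src, dst, int(dport), proto))
    return events


def detect_scans(events, window=WINDOW_SECONDS,
                 scan_threshold=PORTSCAN_THRESHOLD,
                 sweep_threshold=PORTSWEEP_THRESHOLD):
    """Return alerts as (kind, src, key, count).

    kind == "portscan":  one source, one target host, many distinct ports
                         (key is the target host)
    kind == "portsweep": one source, one target port, many distinct hosts
                         (key is the target port)
    Each (kind, src, key) combination alerts at most once.
    """
    ports_per_host = defaultdict(dict)   # (src, dst)   -> {dport: last_seen}
    hosts_per_port = defaultdict(dict)   # (src, dport) -> {dst: last_seen}
    alerted = set()
    alerts = []

    def touch(table, key, member, ts):
        seen = table[key]
        seen[member] = ts
        # Forget members older than the window, so a slow trickle of
        # legitimate connections spread over hours never adds up to an alert.
        for stale in [m for m, t in seen.items() if ts - t > window]:
            del seen[stale]
        return len(seen)

    for ts, src, dst, dport, _proto in sorted(events):
        n_ports = touch(ports_per_host, (src, dst), dport, ts)
        if n_ports >= scan_threshold and ("portscan", src, dst) not in alerted:
            alerted.add(("portscan", src, dst))
            alerts.append(("portscan", src, dst, n_ports))

        n_hosts = touch(hosts_per_port, (src, dport), dst, ts)
        if n_hosts >= sweep_threshold and ("portsweep", src, dport) not in alerted:
            alerted.add(("portsweep", src, dport))
            alerts.append(("portsweep", src, dport, n_hosts))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log, 10.0.0.5 raises a portscan alert against 192.168.1.10 and 10.0.0.9 raises a portsweep alert on port 80, while 10.0.0.7 (two connections to one service plus one SSH connection) stays below both thresholds. The window matters as much as the threshold: shrinking it to one second makes the same log produce no alerts, which is the trade-off an analyst tunes between catching slow scans and tolerating normal traffic.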

There are 65536 distinct and usable port numbers. Most of the popular services use a limited range of them.

The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.

  • The Well Known Ports are those from 0 through 1023.
  • The Registered Ports are those from 1024 through 49151.
  • The Dynamic and/or Private Ports are those from 49152 through 65535.

Below are some of the popular ports and applications in each category.

Popular ports and applications in the "Well known ports" category (from port 0 to 1023):

  • 20 FTP data (File Transfer Protocol).
  • 21 FTP (File Transfer Protocol).
  • 22 SSH (Secure Shell).
  • 23 Telnet.
  • 25 SMTP (Simple Mail Transfer Protocol).
  • 43 whois.
  • 53 DNS (Domain Name Service).
  • 68 DHCP (Dynamic Host Configuration Protocol).
  • 79 Finger.
  • 80 HTTP (HyperText Transfer Protocol).
  • 110 POP3 (Post Office Protocol, version 3).
  • 115 SFTP (Secure File Transfer Protocol).
  • 119 NNTP (Network News Transfer Protocol).
  • 123 NTP (Network Time Protocol).
  • 137 NetBIOS-ns.
  • 138 NetBIOS-dgm.
  • 139 NetBIOS.
  • 143 IMAP (Internet Message Access Protocol).
  • 161 SNMP (Simple Network Management Protocol).
  • 194 IRC (Internet Relay Chat).
  • 220 IMAP3 (Internet Message Access Protocol 3).
  • 389 LDAP (Lightweight Directory Access Protocol).
  • 443 SSL (Secure Socket Layer).
  • 445 SMB (NetBIOS over TCP).

Popular ports and applications in the "Registered ports" category (from port 1024 to 49151):

  • 1243 SubSeven.
  • 1352 Lotus Notes.
  • 1433 Microsoft SQL Server.
  • 1494 Citrix ICA Protocol.
  • 1521 Oracle SQL.
  • 1604 Citrix ICA / Microsoft Terminal Server.
  • 2049 NFS (Network File System).
  • 3306 mySQL.
  • 4000 ICQ.
  • 5010 Yahoo! Messenger.
  • 5190 AOL Instant Messenger.
  • 5632 PCAnywhere.
  • 5800 VNC.
  • 5900 VNC.
  • 6000 X Windowing System.
  • 6699 Napster.
  • 6776 SubSeven.
  • 7070 RealServer / QuickTime.
  • 7778 Unreal.
  • 8080 HTTP.
  • 26000 Quake.
  • 27010 Half-Life.
  • 27960 Quake III.
  • 31337 BackOrifice.

Types of Scanning:

The following are some of the common types of scanning used for network, host and port detection.

TCP connect scanning: TCP connect scanning is the most basic form of TCP scanning. The connect() system call provided by the operating system is used to open a connection to any port on the target machine. If the port is listening, connect() succeeds; otherwise the connection attempt fails and the port is not reachable.

Advantages:

  • The user / attacker does not require any special privileges to scan.
  • Scanning can be performed quickly.

Disadvantages:

  • Easily detectable by IDS and IPS systems, and many operating systems can detect this type of connection attempt.

TCP SYN scanning: TCP SYN scanning is also known as "half-open" scanning, as the originator / attacker does not open a full TCP connection. The attacker sends a SYN packet and waits for a response. A SYN|ACK response from the target indicates that the port is listening, and as soon as the SYN|ACK is received the originator / attacker sends a RST, so the connection is never completed.

Advantages:

  • Most target hosts do not log this attempt.

Disadvantages:

  • None.

TCP FIN scanning: Most firewalls and IPS devices monitor, detect and filter SYN-based scanning, but many of them allow FIN packets through. When FIN packets are sent by the attacker to the target, closed ports reply with a RST packet, whereas open ports ignore the FIN packets. While this method works on Unix-based systems, Microsoft Windows operating systems send RST responses to the attacker in both conditions, whether the port is closed or open. Hence it can also be used to distinguish between Windows and Unix hosts.

Advantages:

  • Can be used to evade many firewall and IPS systems.

Disadvantages:

  • None.

Fragmentation scanning: Fragmentation scanning is performed to evade firewalls and other packet filtering devices by sending the TCP header in tiny fragments, which may confuse the firewalls and other devices when processing the packets. While many firewalls can queue the fragments for reassembly, this type of scanning can consume the processing power of the victim host or of the devices in front of the victim IP addresses.

Advantages:

  • Can be used to evade many firewall and IPS systems.

Disadvantages:

  • Scanning can have a negative impact on the target devices and on other devices on the path.
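Each scan type described above leaves a different footprint on the wire, and that footprint is what an IDS uses to tell them apart: a completed three-way handshake (connect scan or a genuine session), a SYN answered by SYN|ACK and then torn down with RST before any ACK (half-open), a FIN arriving on a flow that never saw a SYN (FIN probe), or an IP fragment too small to carry the whole TCP header (fragmentation). The following Python is an added example for this page, not the lab's own code; the `Pkt` record, its `frag` field (a constructed abstraction meaning "fragment shorter than a full TCP header"), the addresses and every packet in the sample are constructed for the illustration, and in practice the records would come from a packet capture.

```python
"""Classify the probing technique used on each TCP flow from packet flags.

Added example for this lab page (not the lab's own code). Packet records
are constructed below; `frag` is an abstraction meaning "IP fragment too
short to carry the full TCP header".

Flow labels:
  full_connect   client SYN, server SYN|ACK, client ACK (connect() scan or a
                 real session; an IDS separates these by volume, not by flags)
  syn_half_open  client SYN, server SYN|ACK, client RST with no ACK ever sent
  fin_probe      client FIN on a flow that never carried a client SYN
  fragmented     a fragment too small to hold the TCP header
  closed_port    client SYN answered by a server RST
  no_response    client SYN and nothing came back (filtered or dropped)
"""
from collections import defaultdict, namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport flags frag")


def flows(packets):
    """Group packets by (client, cport, server, sport).

    The client is whichever side sent the first packet seen on the flow, so
    every later packet is tagged as coming from the client or the server."""
    table = {}
    for p in sorted(packets, key=lambda p: p.ts):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if rev in table:
            table[rev].append(("server", p))
        else:
            table.setdefault(fwd, []).append(("client", p))
    return table


def classify_flow(events):
    """Map one flow's (who, packet) list to a label from the module docstring."""
    if any(p.frag for _, p in events):
        return "fragmented"
    client = [p.flags for who, p in events if who == "client"]
    server = [p.flags for who, p in events if who == "server"]
    client_syn = any("SYN" in f and "ACK" not in f for f in client)
    if not client_syn:
        # No connection was ever requested: a bare FIN is the FIN probe from
        # the text. Note a Windows target answers RST for open and closed
        # ports alike, so the label says "probe", not "open" or "closed".
        return "fin_probe" if any("FIN" in f for f in client) else "other"
    if any("RST" in f for f in server):
        return "closed_port"
    if not any({"SYN", "ACK"} <= f for f in server):
        return "no_response"
    if any("ACK" in f and "SYN" not in f for f in client):
        return "full_connect"          # handshake completed by the client
    if any("RST" in f for f in client):
        return "syn_half_open"         # torn down before the final ACK
    return "other"


def summarize(packets):
    """Count flow labels per source address: {src: {label: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for key, evs in flows(packets).items():
        counts[key[0]][classify_flow(evs)] += 1
    return {src: dict(c) for src, c in counts.items()}


S, A, F, R = "SYN", "ACK", "FIN", "RST"
SAMPLE = [  # constructed packets; ts are just ordering numbers
    # 10.0.0.5 -> :22  full connect, then a normal RST|ACK teardown
    Pkt(1, "10.0.0.5", 40001, "192.168.1.10", 22, frozenset({S}), False),
    Pkt(2, "192.168.1.10", 22, "10.0.0.5", 40001, frozenset({S, A}), False),
    Pkt(3, "10.0.0.5", 40001, "192.168.1.10", 22, frozenset({A}), False),
    Pkt(4, "10.0.0.5", 40001, "192.168.1.10", 22, frozenset({R, A}), False),
    # 10.0.0.6 -> :80  half-open: SYN, SYN|ACK, RST and no ACK
    Pkt(5, "10.0.0.6", 40002, "192.168.1.10", 80, frozenset({S}), False),
    Pkt(6, "192.168.1.10", 80, "10.0.0.6", 40002, frozenset({S, A}), False),
    Pkt(7, "10.0.0.6", 40002, "192.168.1.10", 80, frozenset({R}), False),
    # 10.0.0.6 -> :81  closed port answers RST|ACK
    Pkt(8, "10.0.0.6", 40003, "192.168.1.10", 81, frozenset({S}), False),
    Pkt(9, "192.168.1.10", 81, "10.0.0.6", 40003, frozenset({R, A}), False),
    # 10.0.0.7 -> :443 FIN probe, open port stays silent
    Pkt(10, "10.0.0.7", 40004, "192.168.1.10", 443, frozenset({F}), False),
    # 10.0.0.7 -> :444 FIN probe, closed port answers RST
    Pkt(11, "10.0.0.7", 40005, "192.168.1.10", 444, frozenset({F}), False),
    Pkt(12, "192.168.1.10", 444, "10.0.0.7", 40005, frozenset({R, A}), False),
    # 10.0.0.8 -> :25  fragment too short for the TCP header
    Pkt(13, "10.0.0.8", 40006, "192.168.1.10", 25, frozenset({S}), True),
    # 10.0.0.8 -> :26  SYN never answered (filtered)
    Pkt(14, "10.0.0.8", 40007, "192.168.1.10", 26, frozenset({S}), False),
]

if __name__ == "__main__":
    for src, labels in summarize(SAMPLE).items():
        print(src, labels)
```

The per-source summary is the input a detector would feed into thresholds like those of a portscan counter: a source with dozens of `syn_half_open` or `closed_port` flows in a short window is scanning, whatever its intent, and a single `fragmented` or `fin_probe` flow is already unusual enough to log, since ordinary clients never send those packets.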

Virtual Lab Experiment Objective:

Understanding portscan and portsweep based scanning of networks and hosts, and detecting the scanning activity, provides the following benefits to the students:

  1. Understand portscan and portsweep and their purpose.
  2. Understand the basics of scanning and its use in network reconnaissance and security.
  3. Perform various types of scanning of hosts and networks.
  4. Using intrusion detection systems and techniques, detect the various types of scans performed.


Copyright @ 2024 Under the NME ICT initiative of MHRD

Powered by Amrita Virtual Lab Collaborative Platform [Ver 00.13]