Tuesday, June 4, 2019

Looking At Port Scanning Techniques Information Technology Essay

This article gives an in-depth view of some of the commonly used TCP port scanning techniques, along with the pros and cons associated with each technique. Apart from TCP-based port scanning, it also briefly explains the different port scanning techniques available for scanning non-TCP ports.

Index Terms: three-way handshake, open port scanning, stealth scanning, half-open port scanning, Ident scanning, FTP bounce scanning, Decoy scanning, UDP scanning.

In this paper we first give an overview of port scanning: what it is, why it is used, how it can be used and what its effects are.

The second section explains the various port scanning methods in detail. It covers each of the TCP-based port scanning methods and some of the other port scanning methods, including the advantages and disadvantages of each. It also describes TCP connection establishment, which helps in understanding the various port scanning techniques.

Overview on Port Scanning

Before discussing port scanning itself, let us first see what a port is, how it is used and what its functions are. The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) are used for communication over the Internet. Each of these protocols has 65536 ports (from 0 to 65535). Each port has an associated service running. The first 1024 ports are the reserved/privileged ports, which run the dedicated services defined by IANA (Internet Assigned Numbers Authority) (for example, port 80 is reserved for the HTTP service, port 21 for FTP, port 23 for telnet access, and so on), and these ports are known as well-known ports.
The remaining ports are called registered ports (from 1024 to 49151) and dynamic and/or private ports (from 49152 to 65535). So the applications in a computer use their specific ports to communicate with a server or with another computer.

Now let us discuss port scanning. Port scanning is a technique used to discover the port details of a computer. By scanning the ports one can learn details such as whether a port is open/listening or not and, if it is open/listening, which service is running on it. Port scanning is mainly used to find out whether a computer carries any security risk and to check for its weaknesses. Port scanning is done by sending messages to all the ports of the computer, and based on the response from each port we can check whether the computer is prone to attacks. Network administrators use this technique to check for vulnerabilities in the network: if a port is unused and it is open, it should be closed immediately, because open ports will listen to incoming messages, which could be malicious. This is a useful technique for network administrators to secure their network. It is also good practice to port scan our own computers periodically, so that we can find out which unwanted processes and malware are running on our own systems. Having said this, we should also be aware that the port scanning methods are known to hackers too, who will try to break into the network/computer to steal vital information. Using this technique the hackers will try to get a list of unused open/available ports. They will then study these ports for additional information and weaknesses, and using these results the hacker will try to exploit them and gain access to the computer.
The operating system on the target computer is capable of logging the requests used for port scanning activity, so the hacker will use an effective method to carry out the port scan; otherwise the hacker can be easily identified.

Port Scanning Methods

Port scanning techniques can be classified into three main types:

Open scanning: This type of scan opens a full TCP connection with the targeted server.
Half-open scanning: In this type of scan the client terminates the connection on receiving a response from the targeted host.
Stealth scanning: This type of scan prevents the connection request to the targeted host from being logged.

All the above scanning types are used by a hacker to get the list of open or closed ports in the server. Among the three, the open scanning technique gives accurate information about the state of the port, but it is easily detectable. The stealth scan technique can fool some basic intrusion detection systems and some basic firewall rule sets.

Before explaining each port scanning technique in detail, let us look at the steps involved in establishing a full TCP connection and the usage of each of the flags in the TCP message [Marco, Eddy, Germinal, Gabriela, 1999].
This is because most port scanning methods are based on the TCP connection and on the function of each of the flag bits in the TCP message.

The following are the flags used in the TCP message and their functions.

SYN: This flag is used to initiate a TCP connection.
FIN: This flag specifies that the sender has finished sending the entire data.
RST: This flag is set to reset the connection.
ACK: This flag is set to acknowledge the request.
URG: This flag is set to indicate that the urgent pointer is valid.
PSH: This flag is set to indicate that all the data should be pushed to the receiver immediately without waiting for additional data.

The TCP connection establishment consists of three steps, hence it is called the three-way handshake. First, the client sends a TCP message with the SYN flag set and an initial sequence number to the target host. Second, if the respective port on the target host is open, the target host acknowledges the client's SYN by incrementing the client's initial sequence number by 1 and sending it back to the client, along with its own initial sequence number, in a message with the SYN flag set. Third, on receiving the target host's TCP message with the SYN flag set, the client sends an ACK message carrying the target host's initial sequence number incremented by 1 to the target host. This is how a TCP connection is established between two hosts. Shown below is the pictorial representation of the three-way handshake.

Client  ---- SYN, Client's ISN (initial seq. num) ----------------------->  Target host
Client  <--- SYN, Target host's ISN (initial seq. num); Client's ISN + 1 --  Target host
Client  ---- ACK, Target host's ISN + 1 --------------------------------->  Target host

Having this basic knowledge of the TCP connection and of the function of each flag in the TCP message, we will now discuss each of the port scanning techniques in detail.

Open Scanning Technique

The open scanning technique tries to establish a full TCP connection with the target host.
Based on the response from the target, the client decides whether the port on the target host is open or closed. This technique is slower compared to the other two techniques, since it involves establishing a three-way connection with the target. It is also easily detectable and can be filtered easily. Described below is one of the open scanning methods.

TCP connect scan method

The TCP connect scan method uses the connect() call of the operating system to establish a three-way connection with the target host [Dethy, 2001].

Client sends SYN
Server responds with SYN, ACK
Client responds with ACK

In the above three-way handshake the server responds with the SYN message, which means that the listening port on the targeted host is in the open state.

Client sends SYN
Server responds with RST, ACK
Client responds with RST

In this case the server responds to the request with an RST message. This shows that the listening port on the targeted host is in the closed state. In this way a list of open or closed ports on the targeted host can be obtained. The advantages of this scanning method are that it is fast, accurate and does not require extra user privileges. The disadvantages are that this method is easily detectable and can be logged.

Half Open Scanning Technique

In the half-open scanning technique the client terminates the connection even before the three-way handshake is completed. Two types of scanning methods come under the half-open scanning technique: 1) SYN scanning and 2) IP ID header or dumb scanning.

SYN scan method

This method is similar to the full connection/TCP connect scan method. The difference is that when the client receives a SYN message from the target host it closes the connection by sending an RST message to the target machine. This is because the SYN message from the target host is enough to know that its listening port is in the open state.
If an RST message is received from the target host, it means that the listening port on the target host is in the closed state. Thus the three-way handshake is never completed in this type of scan. The pictorial representation is shown below [Dethy, 2001].

Pictorial representation if the port is in the open state:
Client sends SYN
Target responds with SYN, ACK
Client responds with RST

Pictorial representation if the port is in the closed state:
Client sends SYN
Target responds with RST, ACK

The advantages of this method are that it is fast, accurate and less frequently logged than the open scan method. The main disadvantage is that for this type of scanning the sender or client needs to craft the IP packet itself, which requires special user privileges, and this is the case on almost all operating systems.

IP ID header or dumb scanning method

The basis of this scan method is similar to the SYN scan method, but the difference is that the IP ID header or dumb scanning method uses a third host to scan the target host, and based on the id value in the IP header field this scan method decides whether the listening port on the targeted host is in the open or closed state. The third host should be chosen such that it sends very little traffic, or preferably no traffic; hence this type of host is called a silent or dumb host. It requires a lot of effort to identify such a host.

In this scenario there are three different hosts: the attacker host (A), the silent host (S) and the target host (T). First, A sends consecutive ping packets to S in order to observe the id value in the IP header field. Each time, the silent host increments the id value by 1 in its response.
An example is shown below:

60 bytes from AAA.BBB.CCC.DDD seq=1 ttl=64 id=+1 win=0 time=96 ms
60 bytes from AAA.BBB.CCC.DDD seq=2 ttl=64 id=+1 win=0 time=88 ms
60 bytes from AAA.BBB.CCC.DDD seq=2 ttl=64 id=+1 win=0 time=88 ms

Now, using the source address of host S, host A sends a spoofed SYN message to host T. Host T responds to host S with either a SYN message or an RST message, depending on the listening port's state. Host A then examines the ping responses from host S to check the id value in the IP header. If the id value is more than 1, the respective port on host T is open, because host S increments the id value only when it responds to host T; that is, host T must have responded to host S with a SYN message in reply to the spoofed SYN message from host A. If the id value is 1, the respective listening port on host T is in the closed state.

Stealth scanning technique

The stealth scanning technique is used to avoid the logging of port scan activity on a host and to get past the basic filters and firewalls in place. This technique slows the scan down, so that the ports are scanned over a long time period, which keeps the target host from triggering an alert. In this section we discuss four types of stealth scanning techniques.

FIN scan method

As the name implies, this method uses the FIN flag in the TCP message to identify the open or closed ports on the target host. That is, the attacker sends a TCP message with the FIN flag set to the target host. Based on the response from the target, the attacker determines whether the listening port on the target is open or closed. If the listening port on the target is closed, it replies with an RST message. The negotiation is shown below:

Attacker sends FIN
Target responds with RST

If the listening port is open, the target does not send any response.
The negotiation is shown below:

Attacker sends FIN
Target response: none

The advantages of this method are that it can bypass many intrusion detection systems and these scans are not logged. The disadvantage is that at times it can produce false results.

NULL scanning method

The null scanning method sends a TCP message to the target without setting any of the six flags in the TCP message. Based on the response from the target, the attacker generates a list of open ports. If the response from the target is RST, the listening port on the target host is said to be in the closed state; if there is no response from the target, the port is open. The advantages of this method are that it can bypass many intrusion detection systems and these scans are not logged. The disadvantages are that at times it can produce false results and that it can be used only against UNIX systems.

XMAS scanning method

The implementation of the XMAS method is exactly the opposite of the NULL scanning method. That is, the Xmas scanning method sends a TCP message with all six flags set. If the response from the target is RST, the listening port on the target host is said to be in the closed state; if there is no response from the target, the port is open. The advantages and disadvantages of this method are the same as those of the NULL scanning method.

TCP fragmenting method

TCP fragmenting is not itself a port scanning method; instead it is used to improve the other stealth port scanning methods such as FIN, NULL and XMAS [Marco, Eddy, Germinal, Gabriela, 1999]. This method splits the TCP header into smaller fragments so that it is not easily detected by the firewalls and other intrusion detection systems in place.

All the port scanning techniques discussed above are specific to TCP ports.
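As a defender's counterpart to the SYN, FIN, NULL and XMAS scan descriptions above, here is an added Python example (not part of the original essay) that classifies the TCP flag byte of each packet in a constructed set of records and reports the scan patterns per source/destination pair. The record layout, the addresses and the five-port threshold for a SYN sweep are assumptions of this example.

```python
from collections import defaultdict

# TCP flag bits as they sit in the header flag byte (the six flags listed above)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG


def classify_probe(flags):
    """Name the scan probe type implied by one packet's flag byte."""
    if flags == 0:
        return "null"   # NULL scan: no flag set
    if flags == ALL_SIX:
        return "xmas"   # XMAS scan: all six flags set
    if flags == FIN:
        return "fin"    # FIN scan: FIN without ACK
    if flags == SYN:
        return "syn"    # plain connection attempt (connect or SYN scan)
    return "other"      # SYN/ACK, ACK, RST, PSH/ACK ... ordinary session traffic


def detect_scans(packets, syn_port_threshold=5):
    """Map (src, dst) -> {probe type: sorted ports} for suspicious traffic.

    NULL, XMAS and FIN-only segments never occur in a legitimate session, so a
    single one is reported. Lone SYNs are normal; a SYN sweep is reported only
    when one source touches at least syn_port_threshold distinct ports.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind != "other":
            seen[(src, dst)][kind].add(dport)
    findings = {}
    for pair, by_kind in seen.items():
        hits = {kind: sorted(ports) for kind, ports in by_kind.items()
                if kind != "syn" or len(ports) >= syn_port_threshold}
        if hits:
            findings[pair] = hits
    return findings


# Constructed sample "log" (src, dst, dport, flags): one scanner sweeping SYNs
# over six ports and also sending FIN, NULL and XMAS probes; one ordinary
# client completing a normal session on port 443.
SAMPLE = [("198.51.100.7", "192.0.2.10", p, SYN) for p in (21, 22, 23, 25, 80, 443)] + [
    ("198.51.100.7", "192.0.2.10", 80, FIN),
    ("198.51.100.7", "192.0.2.10", 22, 0),
    ("198.51.100.7", "192.0.2.10", 23, ALL_SIX),
    ("203.0.113.5", "192.0.2.10", 443, SYN),
    ("203.0.113.5", "192.0.2.10", 443, ACK),
    ("203.0.113.5", "192.0.2.10", 443, PSH | ACK),
]

if __name__ == "__main__":
    for (src, dst), hits in detect_scans(SAMPLE).items():
        print(f"{src} -> {dst}: {hits}")
```

The ordinary client is not reported at all, while the scanner is reported once with every probe type it used and the ports each type touched.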
There are other port scanning techniques available for scanning non-TCP ports, some of which are explained below.

UDP scanning technique

The UDP scanning technique is used to get a list of available/open UDP ports on a target host. The method sends a UDP message to the target, and based on the response from the target the attacker determines whether the port is open or closed. If the response from the target host is a UDP message, the port is open. If the response from the target is an ICMP port unreachable message [Dethy, 2001], the port is closed. If the response is some other ICMP unreachable message, the port is filtered. If there is no response from the target host, the listening port is either open or filtered. The advantages are that it can scan non-TCP ports and is not restricted by TCP intrusion detection systems. Its disadvantages are that it is easily detectable and requires root access.

Ident scanning technique

The scanning methods discussed so far are used to get a list of open/available ports, but the Ident scanning technique is used to get information about the owner of the process running on those available/open ports. This method uses a weakness in the Identification protocol to uncover the owner details of the process running on the listening ports. This technique can be employed only when the target host is running the identd service on port 113.

FTP bounce scanning technique

This technique uses an option in the FTP protocol to perform port scanning. That is, this method uses proxy FTP servers to communicate with the target host and to scan each of its ports. For this, the proxy functionality in the FTP server must be enabled. In this method, the attacker first establishes an FTP connection with the proxy FTP server. Then, using the PORT and LIST commands, it tries to scan each of the ports on the target host.
If the listening port is open, the server sends the 150 and 226 response codes to the attacker; if the port is closed, the server responds with the 425 reply code.

Decoy scanning technique

The decoy scanning technique sends several packets to the same port on the target host. All of these IP packets carry spoofed IP addresses except one; that is, one packet in the set holds the actual attacker's IP address. Thus this method ensures that at least one response from the target host is sent to the attacker. The advantages of this method are that it is extremely hard for the administrator to identify the exact scanner/attacker, and the result obtained is accurate. The disadvantage of this technique is that, since it sends several packets to the same port, the volume of traffic will be high.

Conclusion

The different types of port scanning techniques have been explained in detail along with their advantages and disadvantages. We have seen that most port scanning techniques are based on the TCP protocol, but other port scanning techniques are available to scan non-TCP ports. At present numerous software tools are available to perform effective port scanning of the local host or a remote host to check for existing vulnerabilities and ways to fix them. Some of the popular tools are daimon and N-Map. Port scanning techniques are not used only by attackers to break into a computer/network; they can also be used to check our own computers for vulnerabilities and to take preventive action against them.
