Port Scanning with nmap

port scanningThe list of potential targets from the footprinting phase of penetration testing can be expansive. To streamline the port scanning process, it makes sense to first determine if the systems are up and responsive. Several methods can be used to test a TCP/IP-connected system’s availability, but the most common technique uses Internet Control Message Protocol (ICMP) packets.

Of course, if you’ve done any type of network troubleshooting and/or are a reader of this blog, you probably recognize this as the protocol that ping uses. The ICMP echo request packet is a basic one that, according to RFC 1122, every host needs to implement and respond to. In reality, many networks, internally and externally, block ICMP echo requests to defend against one of the earliest DoS attacks, the ping flood. They may also block it to prevent scanning from the outside.

If ICMP packets are blocked, TCP ACK packets can also be used for port scanning. This is often referred to as a TCP ping. RFC 1122 states that unsolicited ACK packets should return a TCP RST. Therefore, sending this type of packet to a port that is allowed through a firewall (e.g. port 80), the target should respond with an RST indicating that the target is active. When you combine either ICMP or TCP ping methods to check for active targets in a range, you are performing a “ping sweep”. Such a sweep should be done and captured to a log file that specifies active machines that you can later input into a scanner. Most scanner tools will accept a cariage return delimited file of IP addresses.


Although there are many different port scanners, they all operate in pretty much the same way. Port scanning software, in its most basic state, simply sends out a request to connect to the target computer on each port sequentially and makes a note of which ports responded or seem open to more in-depth probing. There are a few basic types of TCP port scans, the most common of which is a SYN scan (also called a SYN stealth scan), named for the TCP SYN flag, which appears in the TCP connection sequence (the handshake). This type of scan begins by sending a SYN packet, responding with a SYN/ACK response if the port is open, or an RST if the port is closed. This is what happens with most scans: a packet is sent, the return is analyzed, and a determination is made about the state of the system or port. SYN scans are relatively fast, and relatively stealthy, since a full handshake does not occur. Since the TCP handshake did not complete, the service on the target does not see a connection, and does not get a chance to log.

Port Scanning Methods

Other types of port scans that may be used for specific situations include port scanning with various TCP flags set, such as FIN, PUSH, and URG. Different systems respond differently to these packets, so there is an element of OS detection when using these flags, but the primary purpose is to bypass access controls that specifically key on connections initiated with specific TCP flags set.

One of the more interesting port scanning options for nmap is the FTP bounce scan. RFC 959 specifies that FTP servers should support “proxy” FTP connections. In other words, you should be able to connect to an FTP server’s protocol interpreter (PI) to establish the control communication connection. Then you should be able to request that the server-PI initiate an active server data transfer process (DTP) to send a file anywhere on the Internet. This protocol flaw can be used to post virtually untraceable mail and news, hammer on servers at various sites, fill up disks, and try to hop firewalls. The FTP bounce scan can be done with nmap using the -b flag.


Here is a summary of a few nmap options:

nmap Switch Type of Packet Sent Response if Open Response if Open Response if Closed
-sT OS-based connect() Connection Made Connection Refused or Timeout Basic nonprivileged scan type
-sS TCP SYN packet SYN/ACK RST Default scan type with root privileges
-sN Bare TCP packet (no flags) Connection Timeout RST Designed to bypass non-stateful firewalls
-sW TCP packet with ACK flag RST RST Uses value of TCP Window (positive or zero) in header to determine if filtered port is open or close
-b OS-based connect() Connection Made Connection Refused or Timeout FTP bounce scan used to hide originating scan source

External Links:

RFC 1122 at tools.ietf.org

The Art of Port Scanning at nmap.org

nmap documentation (in 16 different languages) at nmap.org

Ping Utility in pfSense

The Ping Utility Explained

Ping

Using the Ping utility in pfSense.

Ping is a computer network administration utility used to test the reachability of a host on an IP network and to measure the round-trip time for messages sent from the originating host to a destination host. It operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP response. In the process it measures the time from transmission to reception and records any packet loss.


RFC 1122, which defines communication layer requirements for Internet hosts, says the following about Echo Requests and Replies:

Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. A host SHOULD also implement an application-layer interface for sending an Echo Request and receiving an Echo Reply, for diagnostic purposes.

An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.

DISCUSSION:

This neutral provision results from a passionate debate between those who feel that ICMP Echo to a broadcast address provides a valuable diagnostic capability and those who feel that misuse of this feature can too easily create packet storms.

The echo request (“ping”) is an ICMP message whose data is to be received back in an echo reply (“pong”). The host must respond to all echo requests with an echo reply containing the exact data received in the request message. The echo reply is an ICMP message generated in response to an echo request, and is mandatory for all hosts and routers.


Using the Ping Utility in pfSense

To use the pfSense ping utility, first navigate to Diagnostics -> Ping. Then at “Host”, set the host to the IP address or hostname of the host we are trying to ping. At “Interface”, choose the interface from which to initiate the ping (WAN for remote hosts, LAN for local hosts). At “Count”, use the dropdown set the number of ping requests (anywhere from 1 to 10; the default of 3 is usually sufficient). Then press the “Ping” button to invoke the utility. Sending out ICMP echo requests is often a useful diagnostic tool; however, multi-WAN is not supported with this utility.

External Links:

Ping at Wikipedia

RFC 1122 (which mandates that Internet hosts reply to ICMP echo requests)

© 2013 David Zientara. All rights reserved. Privacy Policy