PORT SCANNING

While some computers allow access through a telephone line, more computers allow access over the Internet. Instead of having a unique telephone number that identifies a computer over the phone network, Internet-connected computers have a unique Internet Protocol (IP) address that identifies them over the Internet. Instead of using a war-dialer to find computers on the Internet, hackers use a hacking tool called a scanner (also called a port or network scanner). See Figure 11-2.

Figure 11-2: A port scanner can search for a range of IP addresses for a computer to attack.

Some popular scanners include NetScanTools (http://www.nwpsw.com), Nessus (http://www.nessus.org), iNetTools (http://www.wildpackets.com), SAINT (http://www.wwdsi.com/products/saint_engine.html), SARA (http://www-arc.com/sara ), SATAN (http://www.fish.com/satan), and Nmap (http://www.insecure.org/nmap).

Scanning works much like war-dialing, but instead of dialing multiple phone numbers to find a way into a computer, scanners probe a range of IP addresses. When the scanner finds a computer at a particular IP address, it then examines the ports on that computer to see which ones could be exploited.

A port isn't a physical cable or opening in your computer. Instead, a port represents a specific way for a computer to communicate over the Internet. When a computer connects to the Internet, it needs to know when it's receiving email and when it's accessing a web page. Since information from the Internet flows into the computer through the same physical connection (a telephone line or cable modem), computers create separate channels or ports that only accept certain data. That way, whenever information flows into a computer through a specific port, the computer knows how to handle that data.

To identify different ports, computers give each port a number. So if a computer wants to access a web page stored on another computer, it asks for this information through port 80. Computers that display web pages (also known as web hosting computers) simply keep port 80 open and wait for another computer to ask for a web page through port 80.

Every computer connected to the Internet uses ports, which means that ports open up a door that hackers can use to access a computer. Table 11-1 lists the more common ports, but keep in mind that a computer may have several hundred ports that could be open at any given time.

When a computer wants to communicate with another computer through a port, it sends a SYN (synchronize) message to that computer, which essentially tells the other computer, "I'm ready to connect to your port." When the target computer receives this message, it sends back a SYN/ACK (synchronize/acknowledgment) message, which says to the first computer, "Okay, I'm ready." When the first computer receives this SYN/ACK message, it sends back a return ACK (acknowledgment) message to the target computer so the first computer knows the port is open and the other computer is ready to send data through the port.

Port scanners use this basic sequence of events to find open ports and probe them for vulnerabilities.

Ping sweeping

Ping sweeping checks for computers at a specific IP address by sending a message to that computer. If the computer responds by returning the data, this tells the ping sweeper that the target computer is up and running. If the scanner doesn't receive a return ping, it concludes that there is either no computer at that IP address or that the computer normally connected to that IP address is temporarily offline.

An ordinary ping uses a protocol called Internet Control Message Protocol (ICMP), which defines the way two computers transfer messages to one another. ICMP pings are harmless and not necessarily considered an attack, although some firewalls may block ICMP pings to certain ports to guard against ping flooding (one of the earliest and most primitive denial of service attacks, also called the "Ping of Death," where the attacking computer simply sends more pings than the receiving computer can handle).

If an ICMP ping can't get through to a computer that a hacker knows should be up and running, they often try using a port scanner, such as Nmap (see Figure 11-3), to send an ACK message (ping) to the target computer. ACK pings sometimes fool firewalls because they trick the target computer into thinking that it's receiving an acknowledgment message from another computer that the target computer already contacted. Because the firewall assumes that the target computer initiated the communication, the firewall lets the ACK ping through, which tells a scanner like Nmap that the target computer is available even though an ordinary ICMP ping couldn't find that same computer.

Figure 11-3: Nmap can probe the Internet for vulnerable computers.

Pinging a range of IP addresses can be slow and time-consuming, because your computer needs to send a ping and then wait for a reply. To speed up this process, some scanners send a flood of pings without waiting for replies; each acknowledged ping reveals a computer that is a potential target.

To attack a computer, you need your target's IP address, which you can get either through ping sweeping or by looking up a domain name on the Network Solutions website (at http://www.networksolutions.com/cgi-bin/whois/whois and shown in Figure 11-4). Once you know a computer's IP address, the next step is to find which ports are open so you know which ones you may be able to use to access the target computer.

Figure 11-4: The Whols command can help you identify the IP address of any website.

Some common port-scanning techniques include:

TCP connect scanning Connects to a port by sending a synchronize (SYN) packet, waits for a return acknowledgment packet (SYN/ACK), and then sends another acknowledgment packet (ACK) to connect. This type of scanning is easily recognized and often logged by target computers to alert them of a possible hacker attack.

TCP SYN scanning Connects to a port by sending a SYN packet and waits for a return acknowledgment packet (SYN/ACK), which indicates that the port is listening. Known as half-scanning, this technique is less likely to be logged and detected by the target than ordinary TCP connect scanning because the scanning computer never sends back an acknowledgment packet (ACK).

TCP FIN scanning Connects to a port by sending a "No more data from sender" (FIN) packet to a port. A closed port responds with a Reset (RST) message, while an open port simply ignores the FIN packet, thereby revealing its existence.

Fragmentation scanning Breaks up the initial SYN packet into smaller pieces in order to mask your actions from a packet filter or firewall. This is used in conjunction with other scanning techniques, such as TCP connect, TCP SYN, or TCP FIN scanning.

FTP bounce attack Requests a file from an FTP server. Because the request contains the IP address and port number of a target computer, an FTP bounce attack masks the source of the attack and can bypass any firewalls or other security measures aimed at keeping outsiders (but not other computers on the same network) from accessing the target computer. A successful file transfer indicates an open port.

UDP (User Datagram Protocol) scanning Uses UDP instead of TCP. When a port receives a probe, its closed ports send an ICMP_PORT_UNREACH error. Ports that don't send back an ICMP_PORT_UNREACH error are open.

Fingerprinting the operating system

Finding a computer and an open port can get you into a computer, but finding an open port is not enough. Hackers must find out which operating system the computer uses so they can know which commands to use and how to take advantage of any known vulnerabilities in the software that could save them from having to guess the computer's password.

Most webservers use a variation of Unix (such as Linux, Digital UNIX, or Solaris), but many run a version of Microsoft Windows. A handful of webservers may even use OS/2 or the Mac OS.

Operating system probing works by sending data to different ports. Since different operating systems respond differently depending on the data they receive at a specific port, hackers can deduce the type of operating system used on a target computer. These are some common probing techniques:

• FIN probing: Sends a FIN ("No more data from sender") packet to a port and waits for a response. Windows responds to FIN packets with RST (Reset) messages, so if a RST message returns from your FIN probe, you know the computer is running Windows.

• FIN/SYN probing: Sends a FIN/SYN packet to a port and waits for a response. Linux systems respond with a FIN/SYN/ACK packet.

• TCP initial window checking: Checks the window size on packets returned from the target computer. The window size from the AIX operating system is 0x3F25 and the window size from OpenBSD or FreeBSD is 0x402E.

• ICMP message quoting: Sends data to a closed port and waits to receive an error message. All computers should send back the initial IP header of the data with an additional eight bytes tacked on. Solaris and Linux systems, however, return more than eight bytes.

By using a program like Nmap, hackers can also scan a target computer and narrow down (or pinpoint) the operating system name and possibly even the version number as well.

Probing can be difficult to block, since it's difficult to tell the difference between a probing hacker and a legitimate connection with another computer. These hacker probes can often go unnoticed by firewalls or system administrators since their probing actions may appear completely harmless. Once a hacker knows the IP address, the open ports available, and the type of operating system for a target computer, the hacker can plan his strategy for breaking into the computer much like a burglar might study a house before trying to break into it.