Once you have accumulated a list of active IP addresses through the host discovery techniques outlined in the previous section, you can start to investigate each address further for its listening services. The technique of probing TCP and UDP ports on a target to find active services is called port scanning. Port scanning is an essential step in an attacker's modus operandi, because the set of listening services largely determines what vulnerabilities may be present on the target host or device. At the very least, by identifying an active service on the target, an attacker can interact with the associated application (WWW, SIP, FTP, and so on) to enumerate sensitive details about your deployment. Enumeration is discussed in more detail in the next chapter.
There are a variety of methods for port scanning UDP and TCP ports on a target host. TCP and UDP are the two primary transport protocols that carry VoIP services. For instance, the popular SIP protocol is typically implemented as a service on most phones and PBXs that listens on UDP and/or TCP port 5060. A more comprehensive list of assigned ports, not restricted to VoIP, can be found at http://www.iana.org/assignments/port-numbers. WWW, FTP, and SMTP (TCP ports 80, 20/21, and 25) are fairly common TCP services, while DNS, SNMP, and DHCP (UDP ports 53, 161/162, and 67/68) are some of the more popular UDP services.
This section is not meant to be an exhaustive treatment of port scanning; for that, we recommend the original Hacking Exposed, Fifth Edition by Stuart McClure, Joel Scambray, and George Kurtz (McGraw-Hill, 2005) and Nmap Network Scanning by Fyodor. We will, however, detail the port-scanning techniques that are likely to yield the most valuable information.
The Nmap tool, as we mentioned earlier, is a robust port scanner that is capable of performing a multitude of different types of scans. The command-line version is full of features, flags, and options that can be mind-boggling, but also extremely powerful. The two most effective scan types are TCP SYN scanning and UDP scanning. Let's take a page directly from the Nmap manual that describes each:
TCP SYN scan A TCP SYN packet is sent to a specific port as if to set up a TCP connection with the target host. A returned SYN/ACK-flagged TCP packet indicates the port is open, while an RST indicates a closed port. Nmap reports the port as "filtered" when no response is received after several retransmissions, or when an ICMP unreachable error comes back instead of a TCP reply. Because the handshake is never completed (Nmap answers the SYN/ACK with an RST), the connection never reaches the application and is less likely to be logged.
UDP scan A UDP scan sends an empty UDP datagram to each UDP port on the target. If a port responds with a UDP packet, an active service is listening and the port is open. An ICMP port unreachable error (type 3, code 3) means the port is closed; other ICMP unreachable errors (for example, "administratively prohibited") mean it is filtered. If nothing at all comes back, Nmap cannot tell whether the service simply ignored the empty probe or a firewall dropped it, and reports the port as open|filtered. This last case is very common for VoIP services, since a SIP stack will not answer a datagram that is not a SIP message.
As an example, let's focus on one of the actual Internet-exposed Cisco CallManager systems we identified in Chapter 1 through Google hacking. Here is what a simple TCP SYN scan looks like (this is the default scan type for Nmap):
% nmap [X.X.X.X]

Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-24 09:12 CST
Interesting ports on [X.X.X.X]:
(The 1662 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   closed ssh
23/tcp   closed telnet
80/tcp   open   http
443/tcp  open   https
1720/tcp open   H.323/Q.931
2000/tcp open   callbook
2001/tcp open   dc
2002/tcp open   globe
A Cisco CallManager system that employs Cisco's proprietary SCCP (Skinny) protocol will typically respond on TCP ports 2000-2002; the service names Nmap prints here (callbook, dc, globe) come from its port-to-name table and say nothing about what is actually listening. By using the -sV option for service detection in Nmap, we can find out more about the target services and confirm our guess that this is a Windows host running Cisco CallManager:
% nmap -sV [X.X.X.X]

Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-30 15:13 CST
Interesting ports on [X.X.X.X]:
(The 1662 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE    VERSION
22/tcp   closed ssh
23/tcp   closed telnet
80/tcp   open   http       Microsoft IIS webserver 5.0
443/tcp  open   ssl/http   Microsoft IIS webserver 5.0
1720/tcp open   tcpwrapped
2000/tcp open   callbook?
2001/tcp open   dc?
2002/tcp open   globe?
Service Info: OS: Windows

Nmap finished: 1 IP address (1 host up) scanned in 112.869 seconds
Note the trailing question marks on the SCCP ports: -sV completed the connection but received nothing it could match against its fingerprint database, so the service names are still only guesses. The definitions of the reported port states below are excerpted from Nmap's man page:
Open An application is actively accepting TCP connections or UDP packets on this port.
Closed A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it.
Filtered Nmap cannot determine whether or not the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software.
Unfiltered The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed.
open|filtered Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response, such as UDP scans.
closed|filtered This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IPID Idle scan.
tcpwrapped This is not a port state but a service name. Nmap reports tcpwrapped when the full TCP handshake completes but the server immediately closes the connection without sending any data. That is the behavior of TCP Wrappers (tcpd/libwrap), a host-based access control facility for UNIX network daemons: when a client connects, the daemon consults /etc/hosts.allow and /etc/hosts.deny and drops the connection if the client address is not authorized. In practice it means the port is open but access-controlled by source address, so the same scan from a different (trusted) address may produce a different result.
Let's go back to our internal SIP test bed and scan our SIP Asterisk server (192.168.1.103). Using Nmap with just the default options (a TCP SYN scan) can leave vital VoIP services untouched, as we can see from these results, which show nothing VoIP-related at all:
[root@attacker]# nmap -P0 -sV 192.168.1.103

Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-19 21:49 CST
Interesting ports on 192.168.1.103:
(The 1666 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 1.2.1
22/tcp   open  ssh     OpenSSH 3.6.1p2 (protocol 1.99)
80/tcp   open  http    Apache httpd 2.0.46 ((CentOS))
111/tcp  open  rpcbind 2 (rpc #100000)
113/tcp  open  ident   authd
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:09:7A:44:15:DB (Louis Design Labs.)
Service Info: OS: Unix

Nmap finished: 1 IP address (1 host up) scanned in 6.437 seconds
Now let's try a UDP scan (Nmap's -sU scan type) to see what other ports we can find:
Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-20 05:26 EST
Interesting ports on asterisk1 (192.168.1.103):
(The 1473 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
67/udp    open|filtered dhcpserver
69/udp    open|filtered tftp
111/udp   open|filtered rpcbind
123/udp   open|filtered ntp
784/udp   open|filtered unknown
5060/udp  open|filtered sip
32768/udp open|filtered omad

Nmap finished: 1 IP address (1 host up) scanned in 1.491 seconds
Notice that with our UDP scan we have just found that this server appears to offer both DHCP and TFTP services (UDP ports 67 and 69, respectively); this will come in handy in the next chapter once we start to enumerate these types of critical VoIP support services. Keep in mind what open|filtered means here: none of these ports answered the empty probe, so each one is either a listening service that ignored it or a port a firewall silently dropped. Only a protocol-specific probe (for example, -sV with -sU, which sends real application payloads, or a hand-crafted SIP request) can tell the two apart.
Even though we also see a probable UDP 5060 (SIP) port, there really is not enough information in these scans to determine the exact type of VoIP device. Now you can start to see the need for further investigation, otherwise known as enumeration, which is covered in the next chapter. In a nutshell, enumeration entails probing the service at the application level to glean various bits of information about the target device.
As an interesting aside, several vendors for some reason don't use the standard IANA-assigned SIP ports (UDP/TCP 5060, and 5061 for SIP over TLS, as specified in RFC 3261). The SIP service on Snom phones, for example, listens on UDP port 2051 by default. As security through obscurity this might be considered a nice "feature," but so much for interoperability. It also means that a SIP service can hide behind an "unknown" entry in your scan results, which is one more reason to follow up every unidentified open port with a version probe.
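To make the follow-up work systematic, here is an added example (our own code, not Nmap's and not from this book) that parses Nmap's screen output as shown above, records the default state of the ports Nmap did not list, and flags the ports worth enumerating: the VoIP ports this chapter discusses, every open|filtered UDP port that still needs an application-layer probe, and any open port Nmap could not name, which is where a SIP stack on a vendor-specific port would surface. The VoIP port table, the follow-up notes, and the sample text (the Asterisk UDP scan above, re-typed line by line) are ours.

```python
"""Parse Nmap's normal (-oN / screen) port table and flag VoIP-relevant
findings. Added example: not Nmap code and not from the book. The VoIP
port table and the follow-up notes are our own."""
import re
from dataclasses import dataclass

# One port line: "5060/udp  open|filtered sip" or "80/tcp open http Apache httpd 2.0.46"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Summary line giving the state of every port Nmap did not list
HIDDEN_RE = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")

VOIP_PORTS = {
    ("udp", 5060): "SIP signaling", ("tcp", 5060): "SIP signaling",
    ("tcp", 5061): "SIP over TLS",
    ("tcp", 1720): "H.323/Q.931 call setup",
    ("tcp", 2000): "Cisco SCCP (Skinny)", ("tcp", 2001): "Cisco CallManager",
    ("tcp", 2002): "Cisco CallManager",
    ("udp", 69): "TFTP (phone configuration/firmware)",
    ("udp", 67): "DHCP (phone provisioning)",
}


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_output(text):
    """Return (hidden_state, [PortRecord, ...]) from Nmap's screen output."""
    hidden_state = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HIDDEN_RE.search(line)
        if m:
            hidden_state = m.group(2)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service, version or ""))
    return hidden_state, records


def voip_findings(records):
    """Return (port, proto, note) for every port worth enumerating further."""
    findings = []
    for r in records:
        if r.state not in ("open", "open|filtered"):
            continue
        label = VOIP_PORTS.get((r.proto, r.port))
        if label is None and (r.service == "unknown" or r.service.endswith("?")):
            # Nmap could not name the service: a SIP stack on a vendor-specific
            # port looks exactly like this, so it deserves a version probe (-sV).
            label = "unidentified service; candidate for a SIP/SCCP probe"
        if label is None:
            continue
        if r.state == "open|filtered":
            label += " [no reply to the empty UDP probe; confirm at the application layer]"
        findings.append((r.port, r.proto, label))
    return findings


# Constructed sample: the Asterisk UDP scan from this chapter, re-typed.
SAMPLE_UDP = """\
Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-20 05:26 EST
Interesting ports on asterisk1 (192.168.1.103):
(The 1473 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
67/udp    open|filtered dhcpserver
69/udp    open|filtered tftp
111/udp   open|filtered rpcbind
123/udp   open|filtered ntp
784/udp   open|filtered unknown
5060/udp  open|filtered sip
32768/udp open|filtered omad

Nmap finished: 1 IP address (1 host up) scanned in 1.491 seconds
"""

if __name__ == "__main__":
    hidden, recs = parse_nmap_output(SAMPLE_UDP)
    print(f"ports not listed are: {hidden}")
    for port, proto, note in voip_findings(recs):
        print(f"{port}/{proto}: {note}")
```

The hidden-state line is worth keeping: "filtered" for the unlisted ports (as on the Internet-exposed CallManager) tells you a firewall is in the path and that closed ports may be hidden from you, while "closed" (as on the lab Asterisk box) means you are seeing the host's real port table.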
Using a non-Internet-addressable IP address scheme (a la RFC 1918, Address Allocation for Private Internets) will prevent many types of incoming Internet probes; however, as we stressed in the first chapter, obtaining internal access to your network is often a trivial task for the attacker.
From a network perspective, the first step in preventing internal scanning of your infrastructure is to apply appropriate firewall rules according to your security policy. Logically separating your network through VLANs can, for example, help prevent contractors from being able to scan your core VoIP servers and infrastructure (TFTP servers, DHCP servers, and so on). Many intrusion prevention systems and stateful firewalls can also detect certain port scans and blacklist or quarantine the offending IP address. Automatically blocking the source of UDP or SYN scans is often not a good idea, because neither requires a completed handshake and the source address can be easily spoofed; an attacker can use such a rule to get a legitimate address blocked.
From a host-based perspective, fine-tuning firewall access control rules and disabling unnecessary services is the best defense against scanning, as well as enumeration, which we'll talk about in the next chapter.