Introduction
The scanning phase of an attack is interesting, but it can also be difficult to carry out well. From the defensive side, the less you reveal the better, yet every service a business needs to expose is something a scanner can find, so accessibility and exposure have to be balanced against each other.
Scanning involves taking the information discovered during reconnaissance and using it to examine the network. There
are various tools at the hacker's disposal that they can use for this phase. These tools include:
- Dialers
- Port Scanners
- Network Mappers
- Sweepers
- Vulnerability Scanners
The attacker wants to know just how vulnerable the internal network is before going through the steps to gain access to
it. This is one reason the previous steps, footprinting and reconnaissance, are so important.
If this method proves unsuccessful, another method can be used: deploying a botnet by distributing malicious code to
hosts inside the network. If that succeeds, the attacker no longer has to get probes through the Stateful Packet
Inspection (SPI) of the perimeter firewall, because the scanning is done from the inside, and may end up with a position
on every subnet of the network.
The Scanning Methodology
After the attacker has determined the network segments, the next step is to pinpoint the live hosts with a
discovery scan. This may require several techniques, but once it is complete, a port scan is run to find the open
ports that serve as access points. The service listening on each discovered port is then verified. This gives the
attacker information about the services and the operating system, and from there a vulnerability scan can be
customized for each host.
The attacker now faces two basic challenges: obtaining the best position on the network to scan from, and avoiding
excessive noise that might trigger intrusion alarms.
The attacker repeats these procedures, and with each probe the picture gets more accurate and the attacker proceeds
deeper into the network. The attacker must also maintain access, which is accomplished with backdoors that allow the
attacker back onto the network.
Local Segment Scanning
Once the attacker has gained an internal position, they will be able to see who shares the local network segment. This
segment is also a Broadcast Domain, so it is only necessary to send a broadcast request for each address in the
segment and wait to see who responds. This is accomplished with the Address Resolution Protocol (ARP).
Address Resolution Protocol (ARP) is the method hosts use to determine the hardware address a frame must be addressed
to. Knowing the logical (IP) address of a host only tells the sender who the packet is intended for. To actually
deliver it on the local segment, the logical address has to be resolved into a physical address, the Media Access
Control (MAC) address. The easiest way to find this information is simply to ask. For example, if you were in a room
of people and wanted to know who owns a ring you found, you could ask the room, "Who owns this ring?" By human nature,
some people might claim a ring that is not theirs. ARP has no protection against this either: a request is a broadcast
and any host can answer it, which is the basis of ARP spoofing. On a well-behaved segment the exchange goes like this.
"Hello network! Who owns the address 172.16.10.44? Please tell 172.16.8.5." The owner of 172.16.10.44 responds,
"Hello 172.16.8.5! I own 172.16.10.44. My hardware address is 12:42:50:68:75:18." All other hosts, which do not own
172.16.10.44, simply ignore the request.
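The ARP exchange above, as an added example that is not part of the original text. It builds and parses the 28-byte Ethernet/IPv4 ARP body with the addresses from the text, models a segment of constructed hosts that answer only for addresses they claim, and turns the request-and-wait idea into a small ARP scan. The third host is constructed to also claim 172.16.10.44, to show that nothing in the protocol stops a host from answering for an address it does not own. The Host class, the segment and the scanner's own addresses are assumptions made for the example.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"   # target MAC in a request: "I do not know it yet"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """28-byte ARP body for Ethernet (htype 1) over IPv4 (ptype 0x0800).
    The Ethernet frame carrying a request is sent to ff:ff:ff:ff:ff:ff, so
    every host in the broadcast domain receives it."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(pkt: bytes) -> dict:
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        "!HHBBH6s4s6s4s", pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op,
            "sender_mac": mac_str(smac), "sender_ip": str(IPv4Address(sip)),
            "target_mac": mac_str(tmac), "target_ip": str(IPv4Address(tip))}


class Host:
    """Constructed model of a host on the segment. `claims` is the set of IP
    addresses it answers for: a well-behaved host claims only its own, while a
    spoofing host can claim anything, because ARP has no authentication."""

    def __init__(self, ip: str, mac: str, claims: Optional[set] = None):
        self.ip, self.mac = ip, mac
        self.claims = claims if claims is not None else {ip}

    def on_arp(self, pkt: bytes) -> Optional[bytes]:
        req = parse_arp(pkt)
        if req["op"] != ARP_REQUEST or req["target_ip"] not in self.claims:
            return None                        # not for me: ignore silently
        return build_arp(ARP_REPLY, self.mac, req["target_ip"],
                         req["sender_mac"], req["sender_ip"])


def arp_resolve(segment: List[Host], my_ip: str, my_mac: str,
                target_ip: str) -> List[str]:
    """Broadcast one request and collect every MAC that answers for target_ip.
    More than one answer means two hosts claim the address (conflict or spoof)."""
    req = build_arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, target_ip)
    answers = []
    for host in segment:
        reply = host.on_arp(req)
        if reply is not None:
            rep = parse_arp(reply)
            if rep["op"] == ARP_REPLY and rep["sender_ip"] == target_ip:
                answers.append(rep["sender_mac"])
    return answers


def arp_sweep(segment: List[Host], my_ip: str, my_mac: str,
              candidates: List[str]) -> Dict[str, List[str]]:
    """ARP scan: ask for every candidate address, keep those that answered."""
    found = {}
    for ip in candidates:
        macs = arp_resolve(segment, my_ip, my_mac, ip)
        if macs:
            found[ip] = macs
    return found


# Constructed segment using the addresses from the text; the last host is a
# constructed spoofer that claims 172.16.10.44 in addition to its own address.
SEGMENT = [
    Host("172.16.10.44", "12:42:50:68:75:18"),
    Host("172.16.10.7", "00:11:22:33:44:55"),
    Host("172.16.10.200", "de:ad:be:ef:00:01",
         claims={"172.16.10.200", "172.16.10.44"}),
]

if __name__ == "__main__":
    print(arp_sweep(SEGMENT, "172.16.8.5", "aa:bb:cc:dd:ee:01",
                    ["172.16.10.44", "172.16.10.7", "172.16.10.99"]))
```

A resolver that receives two different MACs for one address has found either a misconfiguration or an active spoofer; a real scanner should report the conflict rather than silently take the first answer.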
Scanning Remote Segments
When the target is not located on the local segment, there are other options for discovery. Here the attacker
is only looking for a response of any kind, regardless of what the response says. There are three methods to accomplish this.
- ICMP Scans
- Normal Scans
- Inverse Scans
ICMP Scans
ICMP (Internet Control Message Protocol) is the protocol used by the ping tool. (Ping was named after the sound of
sonar; "Packet INternet Groper" is a backronym attached to it later.) This is the most common way to test
connectivity to a host. It works by sending ICMP type 8 code 0 messages, which are Echo Requests. The payload is
determined by the local OS. If the target is accessible, it responds with an ICMP type 0 code 0 Echo Reply that
returns the same payload it received.
The attacker can run a ping sweep, in which an entire block of addresses is sent the type 8 message and the scanner
waits to see which ones respond. Of course, it is not uncommon for ICMP Echo Requests to be blocked at the
firewall.
This is a short list of common ICMP Types and Codes and their meanings.
- Type 0 Code 0 - Echo Reply
- Type 3 - Destination Unreachable
- Type 3 Code 13 - Administratively Prohibited
- Type 5 - Redirect
- Type 8 Code 0 - Echo Request
- Type 11 - Time Exceeded
- Type 13 - Timestamp Request
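The Echo Request / Echo Reply exchange and the ping sweep described above, as an added example that is not part of the original text. It computes the RFC 1071 checksum, builds the type 8 code 0 message, models what a reachable host sends back (type 0 code 0 with the same identifier, sequence and payload), and sorts a block of addresses by what came back, including the type 3 code 13 case from the list above. The network itself is a constructed function standing in for a raw socket; the addresses, identifier and payload are assumptions made for the example.

```python
import struct
from typing import Callable, Dict, List, Optional

ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO_REQUEST = 0, 3, 8
CODE_ADMIN_PROHIBITED = 13
PROBE_ID = 0x1234                      # constructed identifier for this sweep
PROBE_PAYLOAD = b"icmp-sweep-probe"    # constructed payload; real OSes use their own


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8/0 message: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_unreachable(code: int) -> bytes:
    """Minimal type 3 message (a real one also quotes the offending IP header)."""
    body = struct.pack("!BBHI", ICMP_UNREACHABLE, code, 0, 0)
    return struct.pack("!BBHI", ICMP_UNREACHABLE, code, internet_checksum(body), 0)


def parse_icmp(pkt: bytes) -> dict:
    if len(pkt) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    # Summing a message whose checksum field is correct yields 0.
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": internet_checksum(pkt) == 0}


def answer_echo(request: bytes) -> Optional[bytes]:
    """What a reachable host does with an Echo Request: same id, seq and
    payload back as a type 0 code 0 Echo Reply; anything else is dropped."""
    msg = parse_icmp(request)
    if msg["type"] != ICMP_ECHO_REQUEST or msg["code"] != 0 or not msg["checksum_ok"]:
        return None
    return build_echo(ICMP_ECHO_REPLY, msg["id"], msg["seq"], msg["payload"])


def ping_sweep(addresses: List[str],
               send: Callable[[str, bytes], Optional[bytes]]) -> Dict[str, List[str]]:
    """Send one Echo Request per address and sort the targets by the answer.
    `send` stands in for the network; a real tool would use a raw socket."""
    result = {"alive": [], "admin_prohibited": [], "no_response": []}
    for seq, addr in enumerate(addresses, start=1):
        reply = send(addr, build_echo(ICMP_ECHO_REQUEST, PROBE_ID, seq, PROBE_PAYLOAD))
        if reply is None:
            result["no_response"].append(addr)
            continue
        msg = parse_icmp(reply)
        is_our_reply = ((msg["type"], msg["code"]) == (ICMP_ECHO_REPLY, 0)
                        and msg["checksum_ok"]
                        and (msg["id"], msg["seq"], msg["payload"]) == (PROBE_ID, seq, PROBE_PAYLOAD))
        if is_our_reply:
            result["alive"].append(addr)       # only a reply matching our probe counts
        elif (msg["type"], msg["code"]) == (ICMP_UNREACHABLE, CODE_ADMIN_PROHIBITED):
            result["admin_prohibited"].append(addr)   # a filter admitted it blocked us
        else:
            result["no_response"].append(addr)
    return result


def fake_network(addr: str, request: bytes) -> Optional[bytes]:
    """Constructed wire: two live hosts, one address behind a filter that
    answers with type 3 code 13, and everything else silent."""
    if addr in ("192.0.2.10", "192.0.2.11"):
        return answer_echo(request)
    if addr == "192.0.2.20":
        return build_unreachable(CODE_ADMIN_PROHIBITED)
    return None


if __name__ == "__main__":
    print(ping_sweep(["192.0.2.10", "192.0.2.11", "192.0.2.20", "192.0.2.30"], fake_network))
```

The sweep only counts a reply that matches the identifier, sequence and payload of its own probe, which is how a scanner avoids being fooled by stray ICMP traffic; a silent address tells it nothing, since a dropped request and a dead host look identical.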
Normal Scans
Normal scans simply look for open ports. The two basic scan types are connect and stealth (SYN) scans.
Connect scans do not modify the behavior of TCP. A segment with the SYN flag set is sent from the scanner to
the target's destination port. If the port is open, a SYN/ACK (Synchronize Acknowledgment) is returned to the source
port, the scanner completes the handshake with an ACK, and then issues a RST (Reset) to drop the session. Because the
handshake completed, the listening application sees the connection and will usually write a log entry.
Stealth scans modify the behavior of TCP. The scanner issues a RST (Reset) on the third step of the handshake
instead of sending an ACK if the port is open. This prevents the target port from entering the established state, so
the application never sees the connection and records no log entry (a firewall or intrusion detection system watching
the wire can still see the SYN). This type of scan requires root privilege, since the scanner has to craft raw packets
rather than use the operating system's normal TCP stack.
Inverse Scans
When the scanner cannot send a SYN to the target because of filters placed between the scanner and the target, an
Inverse scan must be used. The objective of the scan is to confirm closed ports, because open ports do not produce a
response at all. Filters drop packets without informing the scanner. A segment without the SYN flag makes no sense to
a listening (open) port, so it does not reply, and a filter drops it silently, which is why an open port and a filtered
port look the same. The only ports that will inform the scanner of their unavailability are the closed ports, which
answer with a RST.
X-Mas scans set all six flags, or just the URG, PSH and FIN flags. Newer versions avoid setting the SYN, ACK or RST
flags, because including them in these scans makes the results less accurate.
FIN and NULL scans act the same way as the other inverse scans. A segment carrying only a FIN flag, or no flags at all
(NULL), makes no sense to an open port, so it will not elicit any response. Note that some TCP stacks (Microsoft Windows
and many Cisco devices among them) reply with a RST to such segments regardless of port state, so inverse scans report
every port on those hosts as closed.
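The normal and inverse scans described in the two sections above, as an added example that is not part of the original text. It packs and unpacks the 20-byte TCP header, models an unfiltered port's RFC 793 replies (SYN/ACK or silence from a listener, RST from a closed port), classifies each scan type from what came back, and shows the segments on the wire for a connect scan versus a SYN scan, where only the third step differs. The filter is modelled as a stateless rule that drops every inbound SYN, which is the situation the inverse-scan section describes. Port numbers and sequence values are assumptions made for the example; the TCP checksum is left zero because it covers an IP pseudo-header that this segment-level model does not include.

```python
import struct
from typing import List, Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]

# Flags each scan type puts in its probe.
PROBES = {"connect": SYN, "syn": SYN, "fin": FIN, "null": 0,
          "xmas": FIN | PSH | URG, "ack": ACK}


def flag_names(flags: int) -> str:
    return "|".join(name for bit, name in FLAG_NAMES if flags & bit) or "NULL"


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int, window: int = 1024) -> bytes:
    """20-byte TCP header, no options. Data offset 5 words; checksum left 0 (see lead-in)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


def parse_tcp(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "hdr_len": (off_flags >> 12) * 4}


def listener_reply(probe_flags: int, port_open: bool) -> Optional[int]:
    """RFC 793 behaviour of an unfiltered port, returned as reply flags (None = silence).
    CLOSED answers anything except a RST with RST. LISTEN answers SYN with SYN/ACK,
    a bare ACK with RST, and drops FIN/NULL/Xmas without a word."""
    if probe_flags & RST:
        return None
    if not port_open:
        return RST | ACK
    if probe_flags & ACK:
        return RST
    if probe_flags & SYN:
        return SYN | ACK
    return None


def classify(scan: str, reply: Optional[int]) -> str:
    """Turn what came back (or did not) into the port state for that scan type."""
    if scan in ("connect", "syn"):
        if reply is None:
            return "filtered"
        return "open" if (reply & SYN and reply & ACK) else "closed"
    if scan in ("fin", "null", "xmas"):
        # Inverse scans can only prove "closed"; silence is open or filtered.
        return "closed" if (reply is not None and reply & RST) else "open|filtered"
    if scan == "ack":
        return "unfiltered" if (reply is not None and reply & RST) else "filtered"
    raise ValueError(f"unknown scan type {scan}")


def scan_port(scan: str, port_open: bool, syn_filter: bool = False) -> str:
    """One probe against one port. `syn_filter` models a stateless filter that
    drops every inbound segment carrying SYN (constructed for the example)."""
    probe = parse_tcp(build_tcp(40000, 80, 1000, 0, PROBES[scan]))
    if syn_filter and probe["flags"] & SYN:
        return classify(scan, None)          # dropped: the scanner hears nothing
    return classify(scan, listener_reply(probe["flags"], port_open))


def exchange(scan: str, port_open: bool) -> List[str]:
    """Segments on the wire for a connect scan versus a SYN (stealth) scan.
    Only the connect scan completes the handshake, which is what the application logs."""
    reply = listener_reply(SYN, port_open)
    trace = ["SYN", flag_names(reply)]
    if reply == SYN | ACK:
        trace += ["ACK", "RST"] if scan == "connect" else ["RST"]
    return trace


if __name__ == "__main__":
    for kind in ("syn", "fin", "xmas", "null", "ack"):
        print(kind, "open port behind SYN filter ->", scan_port(kind, True, syn_filter=True))
    print("connect:", exchange("connect", True), " syn:", exchange("syn", True))
```

Run it and the SYN scan reports the open port as "filtered" while the FIN, NULL and Xmas probes get through and report "open|filtered"; the same probes against a closed port draw a RST and report "closed", which is the only state an inverse scan can prove.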
Vulnerability Scanning
This was not listed with the others because it is a highly specialized scan. The products that exist to perform it
are usually proprietary and competitive. The scan sends a Specially Crafted Packet (SCP) toward the target host and
analyzes the response. At times more than one packet is involved.
Vulnerability scanners are prone to false positives, however, since they do not actually run an exploit. The best
they can do is indicate the possibility of an exposed weakness. They also create extra traffic and well-known
signatures. Using these tools, the attacker takes a great risk of getting caught unless they are run during peak
traffic time or a maintenance window.
Vulnerability scanners also do not perform vulnerability linkage, nor do they verify that an exploit is available for
the exposed weakness. Some weaknesses can only be discovered through a multi-staged attack, because they depend on
other exposed vulnerabilities being exploited first. There are other "Automated Penetration Testing" tools available
for this, such as Canvas, Core Impact or Metasploit. However, these may not be allowed, or necessary, for White Box
testing.
Other Scan Types
Scanning can take weeks to complete, especially if the attacker does not wish to get caught. There are other scan
types that can be utilized.
ARP Scan - This involves sending a broadcast request for each logical address within a local segment.
If the host exists, it will respond with its MAC address.
Protocol Scan - This scan uses the protocol field of the IP header. It looks for the transport protocols (TCP,
UDP, ICMP, GRE, ESP and so on) that a host supports, which is different from port scanning. Protocol scans happen at
layer three and can be useful in finding VPN gateways or routers.
Idle Scan - This scan assumes two things: 1) the IPID field in the IP header increments by one every time the
zombie sends a packet, and 2) the zombie is actually idle.
The idle scan involves three hosts: the scanner, the target and the zombie. The scanner first probes the zombie and
notes the IPID value in its reply. It then sends a SYN to the target while spoofing the zombie as the source of the
packet. If the port on the target is open, the target sends a SYN/ACK to the zombie, which answers with a RST because
it never sent a SYN and is "confused." That RST consumes one more IPID.
If the port is closed, the target sends a RST to the zombie, which the zombie simply ignores without sending anything.
When the scanner probes the zombie again, its IPID will have advanced by two for an open port and by only one for a
closed (or filtered) port. This is mostly a clever method to exploit the way IPID fields work, and many operating
systems have since moved to a pseudo-random or per-destination value for this field. The scan also fails if the
zombie is not truly idle: if it is sending traffic to other hosts during the scan, the IPID will advance by more than
one or two and the scanner cannot tell what that means.
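The three-party idle scan described above, as an added example that is not part of the original text. The zombie is a constructed host with one global IPID counter that goes up by one per packet sent; the target answers the spoofed SYN with SYN/ACK or RST to the zombie's address; the scanner reads the counter before and after and interprets the difference. The zombie's `chatter` setting is an assumption for the example that models the "not truly idle" failure mode. The scanner's probe is modelled as the unsolicited SYN/ACK that draws a RST, rather than the ping the text mentions; any reply that carries a fresh IPID works the same way.

```python
from typing import Set

SYN, RST, ACK = 0x02, 0x04, 0x10


class Zombie:
    """Constructed host with a single global IPID counter, incremented by one
    on every packet it sends. `chatter` is the number of packets it sends on
    its own between the scanner's two probes; 0 means it is truly idle."""

    def __init__(self, ipid: int = 1000, chatter: int = 0):
        self.ipid = ipid
        self.chatter = chatter

    def _emit(self) -> int:
        self.ipid += 1                  # one packet out, one IPID consumed
        return self.ipid

    def probe(self) -> int:
        """Scanner sends an unsolicited SYN/ACK; the zombie answers with a RST
        whose IP header carries the IPID the scanner reads."""
        return self._emit()

    def receive(self, flags: int) -> None:
        """Traffic from the target, which believes the zombie sent the SYN."""
        if flags == SYN | ACK:
            self._emit()                # "I never sent a SYN" -> RST, consumes an IPID
        # A bare RST (closed port) is dropped without any reply.

    def do_other_work(self) -> None:
        for _ in range(self.chatter):
            self._emit()                # background traffic the scanner cannot see


class Target:
    def __init__(self, open_ports: Set[int]):
        self.open_ports = open_ports

    def receive_syn(self, port: int, spoofed_source: Zombie) -> None:
        """The SYN carries the zombie's address, so the reply goes to the zombie."""
        spoofed_source.receive(SYN | ACK if port in self.open_ports else RST)


def idle_scan(zombie: Zombie, target: Target, port: int) -> str:
    before = zombie.probe()
    zombie.do_other_work()
    target.receive_syn(port, zombie)    # spoofed SYN; the scanner sees no reply itself
    zombie.do_other_work()
    after = zombie.probe()
    delta = after - before
    if delta == 1:
        return "closed|filtered"        # only the scanner's second probe moved the counter
    if delta == 2:
        return "open"                   # the zombie's RST to the target is the extra step
    return f"unreliable (ipid advanced by {delta})"   # zombie was not idle


if __name__ == "__main__":
    target = Target({22, 443})
    print({p: idle_scan(Zombie(), target, p) for p in (22, 80, 443)})
    print(idle_scan(Zombie(chatter=3), target, 80))
```

Nothing in the scan is ever sent from the scanner's own address to the target, which is the whole point: the target logs the zombie. The same accounting shows why a busy zombie, or one with random IPIDs, gives the scanner nothing to interpret.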
FTP Bounce Scan - This scan requires an FTP server that accepts PORT commands naming arbitrary addresses.
The PORT command can then be used to perform a port scan from the FTP server, which may have a better position
on the network than the attacker otherwise has.
Window Scan - This scan looks for a non-zero value in the window size field of the response from open ports on
certain versions of BSD. An ACK is sent to the port and a RST comes back because the two sides are not in sync, but
the window field of that RST reports a size. If the port is closed, a RST is still returned but its window size
is 0.
ACK Scan - This scan only provides meaningful open/closed results as a port scan against certain versions of
Solaris. Outside of that, it can still be used as a discovery scan or to determine the rules of a filter: a RST in
reply means the port is unfiltered, while silence or an ICMP unreachable means a filter is in the way.
Firewalk Scan - This scan determines the Access Control Lists (ACLs) of a router or firewall. The attacker sets the
Time To Live (TTL) so that it expires one hop past the target filter. If the packet gets through the filter, the host
at that hop sends back an ICMP Time Exceeded, telling the scanner that the packet made it through. Packets the filter
drops produce no response.
UDP Scan - UDP has no flags. When a UDP datagram is delivered, no response is required from the higher layer
service. Some services reply while others do not; that is entirely up to the application developer.
These scans are at best Inverse Scans, because closed ports are supposed to respond with an ICMP port unreachable
(type 3 code 3). If that message is filtered, the scanner still gets no response, so an open port and a filtered
port look the same.
The TCP 3-Way Handshake
The TCP 3-Way Handshake is the procedure that takes place between two TCP/IP nodes to establish a connection. It is
also known as the SYN, SYN-ACK, ACK handshake: one computer transmits a synchronize packet to another computer, that
computer returns a synchronize-acknowledge to the first, and the first computer completes the exchange with an
acknowledge.
TCP Flags
TCP Flags are important to understand for sniffing and scanning purposes. These flags are:
- URG - Do not hold this packet for processing; the urgent pointer marks the data to handle first.
- ACK - The acknowledgment number is valid; everything before it has arrived, send me some more data please.
- PSH - Packet not buffered and sent as is.
- RST - Unknown how to proceed. Leaving conversation.
- SYN - Hello, I wish to synchronize with you.
- FIN - I am finished. Goodbye.
TCP Sessions
A TCP Session is established when two hosts complete their handshake. To keep the session organized, two other
fields are involved: the Sequence Number and the Acknowledgment Number.
The TCP handshake between two hosts is a three step process. Here is an example using hosts A and B, where A picks
the initial sequence number 1 and B picks 500.
- A sends to B > Flag: SYN > SEQ = 1
- B sends to A > Flags: SYN, ACK > SEQ = 500, ACK = 2
- A sends to B > Flag: ACK > SEQ = 2, ACK = 501
This process exchanges a SYN and an ACK in each direction. Synchronization is established and full-duplex
communication begins between the client and the service listening on the target port.
At this point, every byte of data sent between the two hosts is counted. This is done to keep track of what needs
to be sent next, and TCP does it with positive acknowledgment: the receiving host asks for the next byte it expects,
and it is implied that everything before that byte has been received.
The sequence number field establishes the beginning of this byte count. For example, if host A sends host B 100 bytes
of data starting at sequence number 1, then host B acknowledges 101 to ask for the next segment. There is a formula
for this.
The TCP Session Formula
SEQ + payload size = ACK for the next segment, plus 1 when the segment carries a SYN or a FIN flag, because each of
those occupies one sequence number even though it carries no data. During the handshake the payload size is 0, which
is why a SYN with SEQ = 1 is answered with ACK = 2.
The hosts establish a session by agreeing where they will each start counting the bytes they send. The target port
number is the number on which a higher layer service is listening, or not, and the sending host selects a random
ephemeral port above 1023 to receive the responses.
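The handshake and the session formula above, carried through as an added example that is not part of the original text. Each endpoint keeps the next sequence number it will send and the next one it expects; the formula is applied on both sides for every segment, including the SYN and FIN cases where one sequence number is consumed without data. Using the text's initial sequence numbers (1 for A, 500 for B) reproduces the three handshake segments, and a 100-byte transfer then shows where the 101 in the text comes from when counting starts at 1. The endpoint class and the in-sync check are assumptions made for the example; a real stack also handles windows, retransmission and out-of-order data, which this model leaves out.

```python
from typing import List

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def expected_ack(seq: int, payload_len: int, flags: int) -> int:
    """The ACK the receiver sends for a segment: the sequence number of the
    next byte it expects. SYN and FIN each occupy one sequence number even
    though they carry no data; ordinary data segments add only their length."""
    return seq + payload_len + (1 if flags & SYN else 0) + (1 if flags & FIN else 0)


class Endpoint:
    """One side of a TCP session, tracking snd_nxt (next byte it will send)
    and rcv_nxt (next byte it expects from the peer)."""

    def __init__(self, name: str, isn: int):
        self.name = name
        self.snd_nxt = isn       # initial sequence number chosen by this side
        self.rcv_nxt = None      # unknown until the peer's first segment arrives

    def send(self, flags: int, payload: bytes = b"") -> dict:
        seg = {"src": self.name, "flags": flags, "seq": self.snd_nxt,
               "ack": self.rcv_nxt if flags & ACK else 0, "payload": payload}
        # What the peer must acknowledge is also where we continue from.
        self.snd_nxt = expected_ack(self.snd_nxt, len(payload), flags)
        return seg

    def accepts(self, seg: dict) -> bool:
        """In sync means: the SEQ is the byte we expect next and, if the segment
        carries an ACK, that ACK is exactly the byte we are about to send next."""
        seq_ok = self.rcv_nxt is None or seg["seq"] == self.rcv_nxt
        ack_ok = not (seg["flags"] & ACK) or seg["ack"] == self.snd_nxt
        return seq_ok and ack_ok

    def receive(self, seg: dict) -> None:
        if not self.accepts(seg):
            raise ValueError(f"{self.name}: segment out of sync: {seg}")
        self.rcv_nxt = expected_ack(seg["seq"], len(seg["payload"]), seg["flags"])


def handshake(a: Endpoint, b: Endpoint) -> List[dict]:
    """SYN, SYN/ACK, ACK; returns the three segments as sent."""
    trace = []
    for sender, receiver, flags in ((a, b, SYN), (b, a, SYN | ACK), (a, b, ACK)):
        seg = sender.send(flags)
        receiver.receive(seg)
        trace.append(seg)
    return trace


def transfer(sender: Endpoint, receiver: Endpoint, payload: bytes) -> int:
    """Send one data segment and return the ACK number that comes back."""
    receiver.receive(sender.send(PSH | ACK, payload))
    reply = receiver.send(ACK)
    sender.receive(reply)
    return reply["ack"]


def summary(trace: List[dict]) -> List[tuple]:
    return [(seg["src"], seg["seq"], seg["ack"]) for seg in trace]


if __name__ == "__main__":
    a, b = Endpoint("A", 1), Endpoint("B", 500)
    print(summary(handshake(a, b)))                # [('A', 1, 0), ('B', 500, 2), ('A', 2, 501)]
    print(transfer(a, b, b"x" * 100))              # 102: data occupied sequence numbers 2..101
```

With A's counting started at 1, the SYN consumes sequence number 1 and the data occupies 2 through 101, so B acknowledges 102; start A at 0 instead and the same 100 bytes occupy 1 through 100, giving the 101 quoted in the text. The `accepts` check is also why an unsolicited segment with a stray sequence number draws a RST from a real stack: it is not in sync with either counter.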