Introduction

Though the scanning phase of an attack is interesting, it can be very difficult as well. From the defensive side, the less you reveal the better. There must be a balance in the business driver when it comes to accessibility.

Scanning involves taking the information discovered during reconnaissance and using it to examine the network. There are various tools at the hacker's disposal that they can use for this phase. These tools include:

  • Dialers
  • Port Scanners
  • Network Mappers
  • Sweepers
  • Vulnerability Scanners

The attacker want to know just how vulnerable the internal network is before going through the steps to gain access to the network. This is one reason the previous steps, footprinting and reconnaissance is so important.

If this method proves to be unsuccessful, another method can be used and that is to deploy a botnet using techniques of distributing malicious code. If this method is successful, the attacker will be able to overcome the Stateful Packet Inspection (SPI) in firewalls and my possibly as well have a position on every subnet on the network.

The Scanning Methodology

After the attacker has determined the network segments, the next step is to pinpoint the live hosts with a discovery scan. This may require several techniques to conduct, but once completed, a port scan is conducted to determine access points. Services are then verified on each discovered port. This knowledge will give the attacker information about the services and operating system. From there, a vulnerability scan can be customized for each host.

The attacker now faces two basic challenges and that is to have the best position on the network to scan from and to avoid excessive noise that might trigger intrusion alarms.

The attacker will repeat these procedures and with each probe they will get more accurate and proceed deeper into the network. The attacker must maintain access and this is accomplished by backdoors that will allow the attacker access to the network.

Local Segment Scanning

Once the attacker has gained an internal position, they will be able to see who shares the local network segment. This segment is also known as a Broadcast Domain, so it is only necessary to send broadcast messages to each address on the domain and wait to see who responds. This is accomplished by the Address Resolution Protocol (ARP).

Address Resolution Protocol (ARP) is the method that hosts determine the hardware address a frame needs to be marked for. However, knowing the logical address of the host only gives the attacker an idea of who the packet is intended for. To accomplish the actual delivery of the packet, the logical address needs to be resolved into a physical address. This address is known as the Media Access Control (MAC) address. The easiest way to find this information is to simply ask. For example, say you were in a room of people and you wanted to know who owns, let's say, a ring you found, you could ask the people, "Who owns this ring." Of course by human nature, some people may try to claim they own the ring when they don't. In the world of ARP, this doesn't happen. The ARP request goes like this.

"Hello network! Who owns the address 172.16.10.44?" Please tell 172.16.8.5." Then the response would be from the owner of 172.16.10.44, "Hello 172.16.8.5! I own 172.16.10.44. My hardware address is 12:42:50:68:75:18." All others who don't own 172.16.10.44 would simply ignore the request for information.

Scanning Remote Segments

When the target is not located on the local segment, there are other options for discovery. This is where the attacker is only looking for a response, regardless of what the response might be. There are three methods to accomplish this.

  • ICMP Scans
  • Normal Scans
  • Inverse Scans

ICMP Scans

ICMP (Internet Control Message Protocol) is a pinging tool. Ping is short for Packet INternet Groper. This is the most common way to test the connectivity to a host. It works by sending ICMP type 8 code 0 messages which are Echo Requests. The payload is determined by the local OS. If the target is accessible, it will respond with an ICMP type 0 code 0 Echo Reply and return the same payload it receives.

The attacker could send a ping sweep where an entire block of addresses are sent the type 8 message and waits to see if there are any responses received. Of course it is not uncommon to have ICMP requests block at the firewall level.

This is a short list of common ICMP Types, Codes and their meanings.

  • Type 0 Code 0 - Echo Reply
  • Type 3 - Destination Unreachable
  • Type 3 Code 13 - Administratively Prohibited
  • Type 5 - Redirect
  • Type 8 Code 0 - Echo Request
  • Type 11 - Time Exceeded
  • Type 13 - Timestamp Request

Normal Scans

Normal scans simply look for open ports. The two basic scan types are connect and stealth.

Connect scans do not modify the behavior of TCP. A flag known as SYN is sent from the scanner to the target's destination port. If the port is open, a SYN ACK (Sync Acknowledgment) is returned to the source port. If this is done, the handshake is completed and a RST (Reset) is issued to drop the session. Since the handshake is completed, a log entry will result.

Stealth scans modifies the behavior of TCP. This is done by issuing a RST (Reset) on the third step of the handshake instead of sending an ACK (Acknowledgment) if the port is open. By doing so, this prevents the target port from entering the established state and no log entry is recorded. This type of scan requires root privilege since this type of scan is non-standard behavior.

Inverse Scans

When the scanner cannot send a SYN flag to the target due to filters that are placed between the scanner and the target, an Inverse scan must be used. The objection to the scan is to confirm closed ports as the open ports do not produce a response at all. Filters will drop packets and not inform the scanner. It also does not make any sense to using flag combinations that avoid using the SYN flag as this will not produce a reply. The only ports that will inform the scanner of their unavailability are the closed ports.

X-Mas Scans will trigger all six flags or just the URG, PSH and FIN flags. Newer versions avoid using the SYN, ACK or RST flags because if used in these scans would make for less accurate results.

FIN and NULL act in the same way as other inverse scans. Sending only a FIN flag or sending no flags at all (NULL) make no sense to an open port so they will not licit any response.

Vulnerability Scanning

This was not listed with the others as it is a highly specialized scan. The products that exist to perform this scan are usually proprietary and competitive. This scan sends out a Specially Crafted Packet (SCP) toward the target host and analyzes the response. At times, more than one packet can be involved in this scan.

Vulnerability scanners are prone to false positive, however, since they do not actually perform an actual exploit. The best they can do is indicate the possibility of an exposed weakness. They also create extra traffic and well-known signatures. Using these tools, the attacker takes great risk in getting caught unless run during peak traffic time or a maintenance window.

Vulnerability scanners also do not perform vulnerability linkage or do they verify the exploit availability of the exposed weakness. Only though a multi-staged attack can some weaknesses be discovered as they depend on other exposed vulnerabilities being exploited first. There are other "Automated Penetration Testing" tools available such as Canvas, Impact or Metasploit. However these may not be allowed, or necessary for White Box testing.

Other Scan Types

Scanning can take weeks to complete, especially if the attacker does not wish to get caught. There are other scan types that can be utilized.

ARP Scan - This involves sending broadcast requests to each logical address withing a local segment. If the host exists it will respond with its MAC address.

Protocol Scan - This scan uses the protocol field of the IP header. The protocol looks for the transport services offered on a host. This is different than port scanning. Protocol scans happen a the layer three level and can be useful in finding VPN gateways or routers.

Idle Scan - This scan assumes two things. 1) the IPID field in the IP header increments by one every time a packet is sent, and 2) the zombie is actually idle.

The idle scan involves three hosts: the scanner, the target and the zombie. The scanner first sends a ping to the zombie checking its IPID field value. It then sends a SYN to the target while spoofing the zombie as the source of the packet. If the port on the target is open, it will send a SYN / ACK to the zombie, who then will send a RST since it didn't actually send the SYN and is "confused."

If the port is closed of course nothing would happen. When the scanner sends the ping to the zombie, its IPID field would only have incremented by one. This is mostly a clever method to exploit the way IPID fields work and many operating systems have since gone to a pseudo random number for this field. This scan may not also work if the zombie is not truly idle. If it is sending traffic to other hosts while being used in the scan, the IPID field will increment by more than one or two and the scanner cannot know what this means.

FTP Bounce Scan - This scan requires an FTP server that will accept Port commands. This command can be used to perform a port scan from the compromised FTP server that may have had a better position on the network than the attack otherwise had.

Windows Scan - This scan is looking for a non-zero value in the window size field as a response from open ports on certain versions of BSD machines. The ACK is sent to the port and the RST returns because they are not in sync, but the window field will report a size. If the port is closed, the window size will be 0 and still a RST will be returned.

ACK Scan - This scan will only provide meaningful results as a port scan from target versions of Solaris. Outside of this, it can still be used as a discovery scan or possibly to determine the rules of a filter.

Firewalk Scan - This scan is determining the Access Control Lists (ACLs) of a router. The attacker aims the scan to one hop past the target filter. If the Time To Live (TTL) expires on the receiving host it will send back a time exceeded indicating to the scanner that the packet made it through the firewall. All other packets are dropped and no response is expected.

UDP Scan - This scan does not have any flags. When a UDP datagram is delivered in a packet, there is no response expected from a higher layer service. Some may respond while others will not. It is all on the decision of the application developer.

These scans are at best Inverse Scans because closed ports are supposed to respond with ICMP port unreachable, (type 3 code 3). If this type is filtered, the scanner will still get no response.

The TCP 3-Way Handshake

The TCP 3-Way Handshake is a procedure that takes place between two TCP/IP nodes to establish a connection. This is also known as the SYN, SYN-ACK, SYN handshake where one computer transmits a synchronize packet to another computer and that computer in turn returns a synchronize - acknowledge back to the first transmitting computer.

TCP Flags

TCP Flags are important to understand for sniffing and scanning purposes. These flags are:

  • URG - Do not hold this packet for processing.
  • ACK - Send me some more data please.
  • PSH - Packet not buffered and sent as is.
  • RST - Unknown how to proceed. Leaving conversation.
  • SYN - Hello, I wish to synchronize with your
  • FIN - I am finished. Goodbye.

TCP Sessions

A TCP Session is established when two hosts complete their handshake. To help keep the session organized, two other fields are involved. Those fields are the Acknowledgment Number and the Sequence Number.

The TCP handshake between two hosts is a three step process. Here is an example using hosts A and B.

  1. A sends to B > Flag: SYN > SEQ = 1
  2. B sends to A > Flag: ACK > ACK = 2
  3. A sends to B > Flag: ACK > ACK = 501

This process causes a pair of SYN / ACK responses, one in each direction. Synchronization is established and full duplex communications between the two services listening on the same target port.

At this point, every byte of data sent between the two hosts will be counted. This is done to keep track of what needs to be sent next. To keep track of what needs to be sent next, TCP uses positive acknowledgment. In other words, the host asks for more data and it is implied that everything previously sent as been received.

The sequence number field establishes the beginning of this byte count. For example, if host A sends host B 100 bytes of data, then host B would acknowledge 101 to ask for the next segment. There is a formula for this.

The TCP Session Formula

SEQ + payload size + 1 = ACK for the next segment. During the handshake, the payload size is 0.

The hosts establish a session starting at where they are going to start counting the bytes they each send. The target port number is that number where a higher layer service is listening, or not, and the sending host selects a random port above 1023 to receive the responses.