Monday, June 24, 2013

M-2 Network Scanning Part 3

We have seen the TCP port scanning methods. If you have any doubt, ask me frankly. Now we move on to the UDP port scanning section, but before that you should know something about UDP.
UDP (User Datagram Protocol) is a simple OSI transport-layer protocol for client/server network applications based on the Internet Protocol (IP).

UDP network traffic is organized in the form of datagrams. A datagram comprises one message unit. The first eight (8) bytes of a datagram contain header information and the remaining bytes contain message data.
A UDP datagram header consists of four (4) fields of two bytes each:

1) source port number
2) destination port number
3) datagram size
4) checksum

--> In UDP there is no three-way handshake.
--> The system does not respond with a message when the port is open.
--> When a probe is sent to a closed port, the system responds with an ICMP port unreachable message.
--> Spyware, viruses, Trojan horses and other malicious applications also use UDP ports.
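As an added illustration (my code, not part of the original post), here is Python that splits a UDP header into the four fields listed above, recovers the probed port from the ICMP port unreachable message a closed port sends back, and maps the reply (or silence) onto the port state a scanner would report. The addresses and datagrams are constructed samples.

```python
import struct
from typing import Optional

UDP_HDR_FMT = "!HHHH"   # four 2-byte fields: source port, destination port, length, checksum
ICMP_DEST_UNREACH = 3   # ICMP type 3
ICMP_PORT_UNREACH = 3   # code 3 of type 3: what a closed UDP port sends back
PROTO_UDP = 17

def parse_udp_header(segment: bytes) -> dict:
    """Split the 8-byte UDP header into its four fields."""
    if len(segment) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src, dst, length, csum = struct.unpack(UDP_HDR_FMT, segment[:8])
    return {"src_port": src, "dst_port": dst, "length": length, "checksum": csum}

def quoted_udp_dst_port(icmp: bytes) -> Optional[int]:
    """Recover the UDP port a probe targeted from the ICMP destination-unreachable it triggered.
    ICMP type 3 quotes the original IP header plus the first 8 payload bytes, i.e. the whole UDP header."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]                    # quoted IP header begins after the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4         # IP header length in bytes (IHL counts 32-bit words)
    if inner[9] != PROTO_UDP or len(inner) < ihl + 8:
        return None
    return parse_udp_header(inner[ihl:ihl + 8])["dst_port"]

def classify_udp_probe(icmp_reply: Optional[bytes], got_udp_reply: bool = False) -> str:
    """Port state a UDP scanner infers from what (if anything) came back."""
    if got_udp_reply:
        return "open"                   # the service answered with a datagram of its own
    if icmp_reply is None:
        return "open|filtered"          # silence: an open but quiet service, or a firewall dropped it
    if icmp_reply[0] == ICMP_DEST_UNREACH:
        return "closed" if icmp_reply[1] == ICMP_PORT_UNREACH else "filtered"
    return "open|filtered"

# Constructed sample: a probe to UDP/161 and the ICMP port unreachable a closed port returns.
SRC_IP, DST_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
PROBE = struct.pack(UDP_HDR_FMT, 54321, 161, 8, 0)                       # no payload, length 8
INNER_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, PROTO_UDP, 0, SRC_IP, DST_IP)
ICMP_REPLY = bytes([ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0, 0, 0, 0, 0]) + INNER_IP + PROBE

if __name__ == "__main__":
    print(parse_udp_header(PROBE))
    print(quoted_udp_dst_port(ICMP_REPLY), classify_udp_probe(ICMP_REPLY))   # 161 closed
    print(classify_udp_probe(None))                                            # open|filtered
```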

The attacker sends TCP probe packets with various TCP flags (FIN, URG, PSH) set, or with no flags at all. No response means the port is open; an RST/ACK means the port is closed.
This is also called inverse flag scanning.

Now we will look at ACK flag scanning, in which the firewall plays the main role. When the attacker sends an ACK probe packet with a random sequence number and gets no response, the port is filtered (i.e. a firewall is present). But when the target host replies with an RST, the port is not filtered, because no firewall is present on that target host.
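To show what the inverse-flag and ACK probes described above look like from the defender's side, here is an added example (my code, not from the original post) that classifies TCP segments by their flag byte and reports any source touching many ports of one host with such probes. The traffic records are constructed, and it assumes they have already been reduced to segments that belong to no established connection.

```python
from collections import defaultdict
from typing import Iterable, Optional

# TCP flag bits as they sit in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def probe_kind(flags: int) -> Optional[str]:
    """Classify a segment that matched no established connection (assumption of this example).
    Inverse-flag probes carry any mix of FIN/PSH/URG (or nothing) but never SYN, ACK or RST;
    an ACK probe is a bare ACK. Everything else is left to normal SYN-scan/flow logic."""
    if flags & (SYN | ACK | RST) == 0:
        return "inverse-flag"
    if flags == ACK:
        return "ack"
    return None

def detect_scans(records: Iterable[tuple], min_ports: int = 10) -> dict:
    """Group probes by (src, dst, kind) and report pairs touching at least min_ports distinct ports.
    Each record is (src_ip, dst_ip, dst_port, flags)."""
    ports = defaultdict(set)
    for src, dst, dport, flags in records:
        kind = probe_kind(flags)
        if kind:
            ports[(src, dst, kind)].add(dport)
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}

def _constructed_records() -> list:
    """Constructed sample traffic: one FIN sweep, one ACK sweep, one stray NULL probe, one normal client."""
    recs = [("198.51.100.7", "192.0.2.20", p, FIN) for p in range(20, 35)]   # FIN scan of 15 ports
    recs += [("198.51.100.7", "192.0.2.21", p, ACK)
             for p in (22, 25, 80, 443, 8080, 8443, 3306, 5432, 6379, 9200, 27017)]  # ACK probes, 11 ports
    recs += [("203.0.113.5", "192.0.2.20", 53, 0)]                             # single NULL probe, below threshold
    recs += [("192.0.2.50", "192.0.2.20", 443, SYN), ("192.0.2.50", "192.0.2.20", 443, ACK | PSH)]  # ordinary client
    return recs

if __name__ == "__main__":
    for (src, dst, kind), hit in detect_scans(_constructed_records()).items():
        print(f"{src} -> {dst}: {kind} probes against {len(hit)} ports, first {hit[:5]}")
```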

How can we perform IDS evasion techniques while scanning?
Rules to remember:
1) Use fragmented IP packets
2) Spoof your IP address when launching attacks and sniff the response from the server
3) Use source routing (if possible)
4) Connect through proxy servers or compromised trojaned machines to launch attacks

There is one thing I left out: tools for IP fragmentation. There is no need to list them, because you can search for them on Google. You have to practice the art of googling as well. :) :p :-D

Now we can proceed to the next part, i.e. scanning tools.
1) Nmap

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. 

It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. 

In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping). For more info and to download the software, see http://nmap.org/.

Now I will also list some other software for scanning purposes.
1) Advanced Port Scanner 
2) AWSPS UDP Scanner
3) Netifera
4) Nscan
5) AWPTA

Now it's time to discuss scanning countermeasures.

A company wants to scan its own networks, but at the same time the company should take countermeasures to protect itself from being scanned by hackers. Here is a checklist of countermeasures to use when you're considering technical modifications to networks and filtering devices to reduce the effectiveness of network scanning and probing undertaken by attackers:

1) Filter inbound Internet Control Message Protocol (ICMP) message types at border routers and firewalls. This forces attackers to use full-blown TCP port scans against all your IP addresses to map your network correctly.

2) Filter all outbound ICMP type 3 unreachable messages at border routers and firewalls to prevent UDP port scanning and firewalking from being effective.

3) Consider configuring Internet firewalls so that they can identify port scans and throttle the connections accordingly. You can configure commercial firewall appliances (such as those from Check Point, NetScreen, and WatchGuard) to prevent fast port scans and SYN floods being launched against your networks. On the open-source side, many tools such as PortSentry can identify port scans and drop all packets from the source IP address for a given period of time.

4) Assess the way that your network firewall and IDS devices handle fragmented IP packets by using fragtest and fragroute when performing scanning and probing exercises. Some devices crash or fail under conditions in which high volumes of fragmented packets are being processed.

5) Ensure that your routing and filtering mechanisms (both firewalls and routers) can't be bypassed using specific source ports or source-routing techniques.

6) If you house publicly accessible FTP services, ensure that your firewalls aren't vulnerable to stateful circumvention attacks relating to malformed PORT and PASV commands.

7) If a commercial firewall is in use, ensure the following:

a) The latest service pack is installed.

b) Antispoofing rules have been correctly defined so that the device doesn't accept packets with private spoofed source addresses on its external interfaces.

c) Fastmode services aren't used in Check Point Firewall-1 environments.

8) Investigate using inbound proxy servers in your environment if you require a high level of security. A proxy server will not forward fragmented or malformed packets, so it isn't possible to launch FIN scanning or other stealth methods.

9) Be aware of your own network configuration and its publicly accessible ports by launching TCP and UDP port scans along with ICMP probes against your own IP address space. It is surprising how many large companies still don't properly undertake even simple port-scanning exercises.

So, see you later guys. Enough for today, I'm getting tired now. :p :-D

If you have any doubt email me at dineshine@hotmail.com.