An example is scanning behind a firewall: connect to an FTP server behind the firewall, and then try to scan ports that the firewall blocks. If a directory is writable for the account you are using on the FTP server, you can also send data to the ports you find open [15].

Nmap supports this kind of scan and uses the PORT FTP command to declare that our passive user data transfer process is listening on the target box at a certain port number. We then use the LIST FTP command to try to list the current directory. The result is sent over the server data transfer process channel.

If the transfer is successful (150 and 226 responses), the target host is listening on the port specified. Otherwise, a “425 Can’t build data connection: Connection refused” message will be received.

By using this method we can scan all of the target’s ports simply by issuing PORT commands one after another. This scan is rather slow. Some FTP servers disable the “Proxy” feature, but there are still many that do not, so this kind of scanning remains available.

3.1.5 TCP Reverse Ident Scanning

The ident protocol (RFC 1413 [16]) is used to determine the owner username of a particular TCP connection by communicating with port 113. This involves opening a full TCP connection to the target machine’s port. The scanning method gives the attacker information that helps determine which server to attack. If a certain server is running as “root” and one of its services is compromised, the attacker gains instant root access. So it is common that, in a group of services that can be attacked, the services running at the highest privilege will be attacked first.

3.2 Port Scanning Techniques

3.2.1 “Random” Port Scan

Many commercial intrusion detection systems and firewalls look for sequential connection attempts. When the pattern is matched, a port scan is reported. Randomizing the sequence of ports probed may prevent detection.
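The FTP bounce exchange described above, seen from the server side, as an added example that is not from the original paper or from Nmap: a parser for the six-octet PORT argument, the standard mitigation of refusing a PORT that does not point back at the control connection's own address, and a detector that runs over a constructed control-channel log to flag a client that keeps directing data connections at third parties. The log lines, addresses and function names are constructed for this illustration.

```python
import re
from collections import defaultdict

# RFC 959 PORT syntax: six decimal octets h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(command):
    """Return the (ip, port) named by a PORT command, or None if it is malformed."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def port_is_acceptable(control_peer_ip, command):
    """Server-side mitigation: accept a PORT only if it points back at the client's
    own control-connection address, on a non-privileged port."""
    parsed = parse_port_command(command)
    if parsed is None:
        return False
    ip, port = parsed
    return ip == control_peer_ip and port >= 1024


def find_third_party_ports(log_text):
    """Map each client to the (ip, port) pairs it asked the server to open data
    connections to other than itself; a run of these is the bounce-scan signature."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        peer, _, command = line.partition(" ")
        parsed = parse_port_command(command)
        if parsed and parsed[0] != peer:
            hits[peer].append(parsed)
    return dict(hits)


# Constructed control-channel log, one "<client ip> <command>" per line (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 PORT 198,51,100,7,4,1
198.51.100.7 LIST
198.51.100.7 PORT 10,0,0,5,0,22
198.51.100.7 LIST
198.51.100.7 PORT 10,0,0,5,0,25
198.51.100.7 PORT 10,0,0,5,0,80
203.0.113.9 PORT 203,0,113,9,8,0
"""

if __name__ == "__main__":
    for client, targets in find_third_party_ports(SAMPLE_LOG).items():
        print(f"{client}: {len(targets)} PORT commands aimed at third parties: {targets}")
```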
3.2.2 Slow Scan

Intrusion detection systems can determine whether a specific IP address is trying to port scan the network they are defending. This is done by analyzing the network traffic over a certain amount of time. That amount of time is called the site detection threshold.

Some hackers are very patient and can use network scanners that spread the scan out over a long period of time. The scan rate can be, for example, as low as 2 packets per day per target site.

[15] Fyodor, The Art of Port Scanning, Phrack 51
[16] www.ietf.org/rfc/rfc1413.txt