An example is scanning from behind a firewall: connect to an FTP server behind the firewall,
and then try to scan ports that the firewall blocks. If a directory is writable for the account you
are using on the FTP server, you can also send data to the ports you find open.[15]
Nmap supports this kind of scan and uses the PORT FTP command to declare that our
passive user data transfer process is listening on the target box at a certain port number. We
then use the LIST FTP command to try to list the current directory. The result is sent over the
server data transfer process channel.
If the transfer is successful (150 and 226 responses), the target host is listening on the
scanned port. Otherwise, a "425 Can't build data connection: Connection refused"
message will be received.
By using this method we can scan all of the target's ports simply by issuing PORT commands
one after another.
This scan is rather slow. Some FTP servers disable the proxy feature, but there are still
many that do not, so this kind of scanning remains available.
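As an added illustration from the server side (not code from the paper), the policy check that closes this hole: an FTP server refuses a PORT command naming any address other than the control connection's peer, or a privileged port. The transcript and the 203.0.113.10 / 192.0.2.25 addresses are constructed.

```python
import re
from typing import List, Optional, Tuple

# FTP PORT argument is h1,h2,h3,h4,p1,p2 (RFC 959); port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE)

def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Decode a PORT command into (ip, port); None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]

def check_port_command(line: str, control_peer_ip: str) -> str:
    """Server-side policy: a data connection may only go back to the client
    that issued the command, and only to an unprivileged port."""
    parsed = parse_port_command(line)
    if parsed is None:
        return "REJECT: malformed PORT"
    ip, port = parsed
    if ip != control_peer_ip:
        return f"REJECT: third-party address {ip}"   # bounce-scan signature
    if port < 1024:
        return f"REJECT: privileged port {port}"
    return "ACCEPT"

def audit_session(lines: List[str], control_peer_ip: str) -> List[Tuple[str, str]]:
    """Apply the policy to every PORT command in a command transcript."""
    return [(l, check_port_command(l, control_peer_ip))
            for l in lines if l.upper().startswith("PORT")]

if __name__ == "__main__":
    # Constructed transcript; 203.0.113.10 is the hypothetical FTP client
    SESSION = [
        "USER anonymous",
        "PORT 203,0,113,10,4,1",   # back to the client, port 1025: fine
        "LIST",
        "PORT 192,0,2,25,0,80",    # aimed at another host's port 80
        "PORT 203,0,113,10,0,22",  # own host, but privileged port 22
    ]
    for cmd, verdict in audit_session(SESSION, "203.0.113.10"):
        print(f"{cmd:<26} {verdict}")
```

Logging the rejected third-party PORT commands gives the defender the same signal the scanner relies on, with the source of the control connection attached.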
3.1.5 TCP Reverse Ident Scanning
The ident protocol (RFC 1413)[16] is used to determine the owner username of a particular TCP
connection by communicating with port 113.
This involves opening a full TCP connection to the target machine port.
The scanning method gives the attacker information that helps determine which server to
attack.
If a certain server is running as root, and one of its services is compromised, attackers
can gain instant root access. So, among a group of services that can be attacked, the
services running at the highest privilege are usually attacked first.
3.2 Port Scanning Techniques
3.2.1 Random Port Scan
Many commercial intrusion detection systems and firewalls are looking for sequential
connection attempts. When the pattern is matched a port scan is reported.
Randomizing the sequence of ports probed may prevent detection.
3.2.2 Slow Scan
Intrusion detection systems can determine if a specific IP tries to port scan the network they
are defending. It is done by analyzing the network traffic over a certain amount of time.
The amount of time is called the site detection threshold.
Some hackers are very patient and can use network scanners that spread out the scan over a
long period of time.
The scan rate can be, for example, as low as 2 packets per day per target site.
[15] Fyodor, The Art of Port Scanning, Phrack 51
[16] www.ietf.org/rfc/rfc1413.txt