Nmap and Hping[6] are tools that support TCP sweeps; both run on the Unix platform. Hping additionally
offers an option to fragment the packets, which allows the TCP probe to pass through certain access
control devices that filter on a per-fragment basis without reassembling the datagram first.
An example with nmap:
[root@mia /root] ./nmap -sP -PT80 192.168.2.0/24
TCP probe port is 80
Starting nmap V. 2.2-BETA4 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Host host1.MyDomain.com (192.168.2.0) appears to be up.
Host host2.MyDomain.com (192.168.2.1) appears to be up.
Host host3.MyDomain.com (192.168.2.2) appears to be up.
Host host4.MyDomain.com (192.168.2.3) appears to be up.
Host host5.MyDomain.com (192.168.2.4) appears to be up.
Host host6.MyDomain.com (192.168.2.5) appears to be up.
Host host254.MyDomain.com (192.168.2.254) appears to be up.
Nmap run completed -- 32 IP addresses (13 hosts up) scanned in 12 seconds
2.5 UDP Sweeps (Also known as UDP Scans)
This method relies on the ICMP Port Unreachable message (ICMP type 3, code 3), which a host
generates when a UDP datagram arrives at a closed UDP port. If no ICMP Port Unreachable message
is received after sending a UDP datagram to the port we wish to examine on the targeted system,
we may assume the port is open. Because silence can equally mean that the probe or the reply was
dropped on the way, that result is better read as "open or filtered" than as "open".
UDP scanning is unreliable for a number of reasons[7]:
· Routers can drop UDP packets as they cross the Internet.
· Many UDP services do not respond when correctly probed, so an open port and a filtered one look the same to the scanner.
· Firewalls are usually configured to drop UDP packets (except for DNS).
· A UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP Port Unreachable message; many hosts rate-limit the ICMP errors they generate, so under a fast sweep a closed port can stay silent and be misreported as open.
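The sweep logic described above, as an added Python example (it is not part of the original paper and not code from any tool it cites): an empty datagram is sent to each port and a raw ICMP socket is watched for a type 3 / code 3 error whose quoted inner IP and UDP header match the probe that was sent, which is how a scanner ties an error back to one specific port rather than to stray ICMP traffic. Silence after retries is reported as "open|filtered", not "open", for the reasons listed above. The live sweep needs root (raw socket); the addresses and ports in the constructed test reply are made up.

```python
# Added example (not the original paper's code): a UDP sweep built on the
# ICMP Port Unreachable behaviour described above. Needs root/CAP_NET_RAW
# for the raw ICMP socket when run live; the classifier itself is pure.
import socket
import struct
import sys
import time

ICMP_DEST_UNREACH = 3   # ICMP type 3: Destination Unreachable
ICMP_PORT_UNREACH = 3   # code 3: Port Unreachable


def classify_icmp_reply(packet, target_ip, probe_port, src_port):
    """Return "closed" if `packet` (IPv4 datagram as read from a raw ICMP socket)
    is an ICMP Port Unreachable that quotes our UDP probe, else None.

    The error carries the original IP header plus the first 8 bytes of the
    UDP header, so the (src, dst, sport, dport) tuple can be matched back to
    the probe that triggered it; unrelated ICMP traffic is ignored."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP or len(packet) < ihl + 8 + 20 + 8:
        return None
    if (packet[ihl], packet[ihl + 1]) != (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
        return None
    inner = packet[ihl + 8:]                # quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != socket.IPPROTO_UDP or len(inner) < inner_ihl + 8:
        return None
    inner_dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    if inner_dst == target_ip and (sport, dport) == (src_port, probe_port):
        return "closed"
    return None


def build_port_unreachable(target_ip, scanner_ip, src_port, probe_port):
    """Construct the reply a closed port would provoke (offline test data only)."""
    ip_fmt = "!BBHHHBBH4s4s"
    inner_ip = struct.pack(ip_fmt, 0x45, 0, 28, 0, 0, 64, socket.IPPROTO_UDP, 0,
                           socket.inet_aton(scanner_ip), socket.inet_aton(target_ip))
    inner_udp = struct.pack("!HHHH", src_port, probe_port, 8, 0)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + inner_ip + inner_udp
    outer_ip = struct.pack(ip_fmt, 0x45, 0, 20 + len(icmp), 0, 0, 64, socket.IPPROTO_ICMP, 0,
                           socket.inet_aton(target_ip), socket.inet_aton(scanner_ip))
    return outer_ip + icmp


def udp_sweep(target_ip, ports, timeout=2.0, retries=2):
    """Probe each port with an empty datagram. "closed" on a matching ICMP
    Port Unreachable; otherwise "open|filtered", because silence may mean an
    open service that does not answer, a firewall drop, or a rate-limited host."""
    icmp_sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.bind(("", 0))
    src_port = udp_sock.getsockname()[1]
    results = {}
    for port in ports:
        verdict = "open|filtered"
        for _ in range(retries):            # retries absorb loss and ICMP rate limiting
            udp_sock.sendto(b"", (target_ip, port))
            deadline = time.monotonic() + timeout
            while verdict != "closed" and time.monotonic() < deadline:
                icmp_sock.settimeout(max(0.01, deadline - time.monotonic()))
                try:
                    pkt, _ = icmp_sock.recvfrom(1500)
                except socket.timeout:
                    break
                verdict = classify_icmp_reply(pkt, target_ip, port, src_port) or verdict
            if verdict == "closed":
                break
            time.sleep(0.2)                 # pace probes so a rate-limited host can answer
        results[port] = verdict
    return results


if __name__ == "__main__":   # e.g.  sudo python3 udp_sweep.py 192.168.2.1 53 123 161
    target = sys.argv[1]
    for port, state in sorted(udp_sweep(target, [int(p) for p in sys.argv[2:]]).items()):
        print(f"{target}:{port}/udp  {state}")
```

The matching step is the part worth keeping: a scanner that treats any ICMP error as "port closed" will be confused by errors from routers or from other hosts, while one that ignores the quoted header cannot tell which of several outstanding probes was answered. The retry loop with a short pause is the only practical defence against the rate limiting noted above; it makes UDP sweeps slow, which is why they are rarely run against full port ranges.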
3.0 Port Scanning
Ping sweeps help us identify which systems are alive. The next step is to determine which services
(if any) are running, i.e. in a LISTENING state, on the targeted system, by connecting to the TCP
and UDP ports of that system. This is called port scanning.
For the attacker it is critical to identify listening ports, because they help identify the
operating system and the applications in use.
The services detected as listening may be vulnerable for two reasons:
· Misconfiguration of the service
· The version of the software is known to have security flaws
If identified, these vulnerabilities can give the attacker unauthorized access to the system.
We will further discuss port scanning types, techniques, and tools.
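A minimal TCP connect() scan, added here as an illustration of the step just described (it is not the paper's code and not any of the tools it goes on to discuss): it completes the three-way handshake to each port, distinguishes a refused connection (port closed, host answered with RST) from a silently dropped one (filtered), and reads whatever banner an open service sends first, which is the earliest hint toward the application and version the text mentions. The local fake service and its "220 demo-ftp ready" banner are constructed so the scan can be exercised offline.

```python
# Added example (not from the paper or the tools it discusses): a minimal
# TCP connect() scan that reports LISTENING ports and grabs service banners.
import socket
import sys
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_tcp_port(host, port, timeout=1.0):
    """Complete the TCP handshake to host:port.
    ("open", banner)   - connect() succeeded; banner is what the service sent first
    ("closed", "")     - the host answered with RST (connection refused)
    ("filtered", "")   - nothing came back before the timeout (typical firewall drop)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(0.5)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except OSError:             # includes socket.timeout: silent service
                banner = ""
            return "open", banner
    except ConnectionRefusedError:
        return "closed", ""
    except OSError:                     # timeout, host unreachable, etc.
        return "filtered", ""


def connect_scan(host, ports, workers=64):
    """Probe all `ports` in parallel; returns {port: (state, banner)}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_tcp_port(host, p), ports))
    return dict(zip(ports, states))


def listening_ports(results):
    """Ports in a LISTENING state, i.e. those that accepted the connection."""
    return sorted(p for p, (state, _) in results.items() if state == "open")


# --- constructed local fixtures so the scan can be exercised offline ---------

def start_fake_service(banner=b"220 demo-ftp ready\r\n"):
    """Listen on an ephemeral loopback port and greet each client with `banner`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """An ephemeral loopback port that nothing is listening on (connect => RST)."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":   # e.g.  python3 connect_scan.py 192.168.2.1 21-25 80 443
    host = sys.argv[1]
    ports = []
    for arg in sys.argv[2:]:
        lo, _, hi = arg.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    for port, (state, banner) in sorted(connect_scan(host, ports).items()):
        if state != "closed":
            print(f"{port:5}/tcp  {state:9} {banner}")
```

A connect() scan is the noisiest technique available: every probe completes a full handshake, so it appears in the target's connection logs and needs no special privileges. The three-way split of the result (open / closed / filtered) is the information the later sections build on; the half-open and stealth variants discussed there exist to obtain the same answer with less of a footprint.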
[6] http://www.kyuzz.org/antirez
[7] Ron Gula, How to Handle and Identify Network Probes, Network Defense Consulting.