Study of Network Port Scanning Attacks Brady Clarke <clarkeb@onid.orst.edu> Oregon State University Network Security - ECE 478
Port definition
• Port: There are two types of ports relating to computers
  • 1) Connections to peripherals such as USB devices, serial cables, mice, etc.
  • 2) Virtual ports found in TCP/IP communications
Expanded definition
• For information relating to network security we are more concerned with virtual ports
• Ports are like channels that carry information into, out of, and internal to a computer
• There are 65,536 standard ports on a computer
• Each port is assigned to a certain type of communication “traffic”
Example of port assignments
• Port #21: FTP
• Port #35: Private printer server
• Port #80: HTTP traffic
• Port #110: POP3 e-mail
• Port #515: Printer spooler
• Port #5002: Radio free Ethernet
What is port scanning?
• Ports to a computer are like windows or doors to a house
• Port scanning attacks are much like a burglar searching all the windows and doors of a house to look for unlocked entry ways
• If a window is left unlocked (like a port being “open” or not in use), it may be easy for the intruder to enter the house
Shortcomings of port scanning
• Adversaries can only attack the type of communication which is carried on the specific port that they are accessing
• Adversaries cannot gain direct access to your computer’s file system through port scanning
Different types of port scanning
• Simple port scanning
• Strobe port scanning
• Stealth port scanning
• SYN scanning
• FIN scanning
Simple port scanning
• An attacker searches all ports looking for, and noting, all open ports
• Pros
  • Attacker will see ALL available ports
• Cons
  • Takes a long time to scan all 65,000+ ports
  • Can be detected fairly easily, due to the large number of ports being scanned
  • Specific ports that are found to be open may not be useful to attack
Strobe port scanning
• An attacker selects a certain range of ports to check for open ports
• Pros
  • Quicker than a full scan
  • Already knows that all searched ports can lead to vulnerable access points
• Cons
  • Does not give the entire vulnerability profile of the target
  • Is somewhat easy for the target to detect
Stealth port scanning
• An attacker searches only a few random ports at once over a long period of time (usually a day or more), often jumping between different computers on a network
• Pros
  • Hard to detect because the individual port scans, from the network’s point of view, appear to be accidental communication attempts
• Cons
  • Takes a long time (usually a day or more)
SYN scanning
• Also known as: half-open scanning
• The attacker does not complete all the formal steps necessary to make a TCP connection, but the state of the port can still be identified
• Pros
  • The attack is not detected, because the computer doesn’t think that a communication has been made
FIN scanning
• Attackers send erroneous packets to ports and listen for a response. If a port is closed, the attacker will receive an error message. However, TCP requires that an open port ignore the erroneous packet. Based on the response, the attacker can determine the state of the port.
• Pros
  • It is difficult for the target’s computer to recognize this as an attack since the packets being sent are random data
• Cons
  • If the target sends an error message response, it could get dropped or blocked by a firewall. This will lead the attacker to believe that a closed port is really open, since it did not receive a response.
Example of a port scanning attack
• E-mail attack example
  • The adversary first accesses your IMAP port (#143) when it is open (not in use by you)
  • The adversary will then attempt to discover the e-mail program being used and exploit its weaknesses
  • A virus can be planted in the e-mail program
  • The adversary may be able to give themselves “administrator privileges” and then be able to access the account through various other means to plant malicious files
Laws regarding port scanning
• Port scanning is NOT illegal
• Port scanning is analogous to ringing someone’s doorbell to see if they’re home
• Port scanning is considered illegal only if a crime is committed
• Rarely, a company may be able to press charges if they’re being scanned so frequently that it is affecting their network’s performance
Port scanning software
• Port scanning software is easily available. Free versions are readily available for download on the internet, or more complex versions can be purchased.
• Nmap – the most widely used software
• SuperScan – similar to Nmap but with fewer features
Nmap software details
• Nmap gives adversaries a number of important pieces of information
  • Provides a list of all available open ports
  • Gives the target’s operating system
  • Most importantly: can search for all open ports on a range of IP addresses
    • Meaning multiple computers on a network can be searched at once
Protecting against port scanning
• Users can configure their system to use non-standard, unregistered ports to communicate on
• Port scanning sniffing software can be implemented on a network
Using non-standard ports
• Technique used to “hide” communications
• This allows users to transmit sensitive data on ports that are normally unassigned. For example: instead of using the standard port #21 for FTP, the user can transmit FTP files over the normally unregistered port #49152.
• Therefore an attacker will not generally look for vulnerabilities on this normally unused port #49152, but rather will look on port #21
Port scanning sniffing
• Programs such as iNetTools can be used to watch for port scanning attacks
• These programs do not prevent the scanning, but log the attacker’s attempts for later investigation
• Depending on the security needed, the number of attempted scans that trigger an alert can be adjusted
• For larger networks, more “accidental” scans would likely be allowed without a security concern
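The half-open (SYN) and FIN probes described earlier, and the adjustable alert threshold described on this slide, can be illustrated with a small detector. This is an added example, not code from the presentation or from any of the tools it names; the packet records are constructed, and the threshold and window values are assumptions chosen to show the trade-off.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since start of capture
    src: str
    dst: str
    dport: int
    flags: str  # TCP flags set: "S" SYN, "A" ACK, "F" FIN, "R" RST

def detect_scanners(packets, threshold=8, window=60.0):
    """Return {src: set of (dst, port)} for every source that sent bare-SYN or
    bare-FIN probes to at least `threshold` distinct (dst, port) pairs within
    `window` seconds without ever completing the handshake to them (no later
    ACK from that src to the same pair)."""
    completed = defaultdict(set)            # src -> targets it did finish connecting to
    for p in packets:
        if "A" in p.flags:
            completed[p.src].add((p.dst, p.dport))
    recent = defaultdict(deque)             # src -> (ts, target) still inside the window
    alerts = {}
    for p in sorted(packets, key=lambda q: q.ts):
        target = (p.dst, p.dport)
        # A bare SYN is a half-open probe, a bare FIN is a FIN probe; a pair the
        # source later ACKed was a real connection, not a probe.
        if p.flags not in ("S", "F") or target in completed[p.src]:
            continue
        q = recent[p.src]
        q.append((p.ts, target))
        while q and p.ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold:
            alerts.setdefault(p.src, set()).update(distinct)
    return alerts

def sample_traffic():
    """Constructed packets (not a real capture): one normal client that finishes
    its handshakes, one fast half-open scanner, one slow 'stealth' scanner."""
    pkts = [Packet(0.0, "10.0.0.5", "192.0.2.10", 80, "S"),
            Packet(0.1, "10.0.0.5", "192.0.2.10", 80, "A"),
            Packet(5.0, "10.0.0.5", "192.0.2.10", 443, "S"),
            Packet(5.1, "10.0.0.5", "192.0.2.10", 443, "A")]
    pkts += [Packet(10.0 + i, "203.0.113.7", "192.0.2.10", port, "S")   # 10 SYNs in 10 s
             for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 515, 8080])]
    pkts += [Packet(3600.0 * i, "198.51.100.9", "192.0.2.10", port, "F")  # 3 FINs over 2 h
             for i, port in enumerate([21, 80, 143])]
    return pkts
```

With the default threshold of 8 probes in 60 seconds only the fast scanner is reported; lowering the threshold to 3 and widening the window to two hours also catches the slow scanner, at the cost of more alerts on ordinary traffic, which is the tuning decision the slide refers to.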
Summary – attacks
• Port scanning
  • Shows an attacker which ports are vulnerable and may allow access
  • The attacker can use the type of communication that is meant for that channel to exploit a program (i.e. plant a virus via FTP)
  • There are multiple types of port scanning attacks for different types of targets, so the attacker can try to go undetected
Summary – prevention
• Using non-standard port assignments for data transfer
  • This port is still unprotected and vulnerable, however it is more difficult for the adversary to locate
• Networks can implement port scanning sniffing programs
  • Choosing the amount of acceptable “accidental” scans is crucial
  • Balancing the amount of security required and the amount of resources necessary to implement the security is usually the main concern with this type of protection