SCANNING

A number of utilities are freely available on the Internet for performing scans; some of the more common ones are listed below. Once you have used VisualRoute, or perhaps simply used the traceroute utility and manually looked up information on www.internic.net, you are ready to move to the next phase in gathering information about a target system. This phase is completed by scanning.

The process of scanning can involve many tools and a variety of techniques. The basic goal of scanning is to identify security weaknesses in a host or network. Scanning is partly a science, but it is considered an art by many, because a skilled attacker is patient and has a knack for knowing (usually based on experience) precisely where and how to scan target devices.

Some of these tools are as follows:

1. Nmap (a powerful tool available for Unix or Windows that finds ports and services available via IP)

2. Hping2 (a powerful Unix-based tool used to gain important information about a network)

3. Netcat (others have quoted this application as the "Swiss Army knife" of network utilities)

4. Ping (available for testing IP connectivity on almost every platform and operating system)

5. Traceroute (maps out the hops of the network to the target device or system)

Of these, Nmap ("Network Mapper") is probably the best known and most flexible scanning tool available today. It uses raw IP packets in novel ways to determine which hosts are available on the network, what operating systems they are running, and what firewalls are in use. It also provides options for fragmentation, the use of decoy IP addresses, spoofing, stealth scans, and a number of other features. Nmap is the tool most widely used by both crackers and security professionals for port scanning and operating system identification. Formerly, this was only a Unix-based utility; however, it has since been extended for use with Windows systems. If you have access to or will be working on a UNIX system, or care to obtain the newer Windows-based Nmap, this is a utility with which you should certainly become familiar.

Network mapping is a process in which you discover information about the topology of the network. This can include gateways, routers, and servers. The first step is to sweep for live systems. To find live hosts, hackers ping them by sending ICMP packets; if a system is live, it will send an ICMP echo reply. ICMP messages can be blocked, so an alternative is to send a TCP or UDP packet to a port, such as 80 (HTTP), that is frequently open; a live machine with that port open will respond (for TCP, with a SYN-ACK acknowledgment packet). Once the live systems are known, utilities such as traceroute or the others already discussed can provide additional information about the network by discovering the paths taken by packets to each host. This provides information about the routers and gateways in the network and the general layout of the network.

In the following sections, we will examine some methods for performing port scans. Fortunately, there are a number of utilities freely available on the Internet for doing port scanning. We will also discuss network mapping and vulnerability scanning.

FYI: Scanning Utilities

You can find a list of additional URLs for port scanning software in Appendix B of this book. You can also search the Internet using the keywords "port scanning."


Port Scanning

Once the IP address of a target system is known, the next step is port scanning. Such scanning is the process of sending packets to each port on a target system to see which ports it has open (in the LISTEN state). A system has 65,535 port numbers, with one TCP port and one UDP port for each number. Each port has an associated service that may be exploitable or vulnerable. Thus, viewing the ports tells you what sort of software is running. If someone has port 80 open, then he or she is probably running a Web server. If you see that all the default ports are open, the discovery probably indicates a network administrator who is not particularly security conscious and may have left all the default settings on all of his or her systems. This deduction gives you valuable clues as to the kind of target you are examining. In the following section, we will experiment with a few port scanning utilities.

Now that you have a tool to find out which ports are open on the target machine, what can you do with this information? As we already mentioned, an open port can tell you a great deal about a system. We briefly reviewed a number of well-known ports. That list was not exhaustive, but it should give you an idea. The following sites list well-known ports:

·         www.networkssorcery.com/protocol/ip/ports00000.html

·         www.iana.org/assignments/port-numbers

·         www.techadvice.com/tech/T/TCP_well_known_ports.htm

Using this information about well-known ports, you should be able to tell whether a system is using NetBIOS, because such a system will have ports 137, 138, and 139 open. If a system is running an SQL server, then it may have port 118 open. This information can then be used by a hacker to begin to explore possible flaws or vulnerabilities in the service running on a given port number. Therefore, this information is quite important from a security perspective. If you are scanning your own machine and see ports that are open (ones that you do not use), then close them. All firewalls give you the option of blocking ports; that function is the essential purpose of any firewall. A basic rule of thumb in security is that any port that you are not actively using should be blocked.
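The port scanning and well-known-port reasoning described above, as an added example that is not from this book or any of the tools it names. It performs a TCP connect scan, classifies each port as open (LISTEN state), closed (connection refused) or filtered (no answer before the timeout, which is how a silently dropping firewall looks), maps results to a constructed subset of the well-known port table, and lists the open ports an administrator should review. A constructed local listener stands in for the target so it runs offline; the 0.5 s timeout is an assumption.

```python
"""TCP connect scanner with defender's review of open ports (added example)."""
import socket

# Constructed subset of well-known ports mentioned in the text and what
# their presence suggests; the full table is at the IANA URL above.
WELL_KNOWN = {
    80: "http (Web server)",
    118: "sqlserv (SQL server)",
    137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn (NetBIOS)",
}


def probe_port(host, port, timeout=0.5):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)  # assumption: half a second is enough on a LAN
        try:
            s.connect((host, port))  # full three-way handshake completes
            return "open"            # something is in the LISTEN state
        except ConnectionRefusedError:
            return "closed"          # an RST came back: nothing listening
        except (socket.timeout, OSError):
            return "filtered"        # dropped silently or host unreachable


def scan(host, ports, timeout=0.5):
    """Scan the given ports; returns {port: (state, service_hint)}."""
    return {p: (probe_port(host, p, timeout), WELL_KNOWN.get(p, "unknown"))
            for p in ports}


def needs_review(results):
    """Defender's rule of thumb: every open port must be one you intend to run."""
    return sorted(p for p, (state, _) in results.items() if state == "open")


def start_listener():
    """Constructed target: a loopback socket in LISTEN state on a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    srv.listen(5)                # backlog lets connects complete without accept()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    res = scan("127.0.0.1", [open_port, 80, 139])
    for port, (state, hint) in sorted(res.items()):
        print(f"{port:5d}/tcp {state:8s} {hint}")
    print("open ports to review:", needs_review(res))
    srv.close()
```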

FYI: SQL Server

Generically, an SQL server is any database management system (DBMS) that can respond to queries from client machines formatted in the SQL language.

NetBrute

Some port scanners do more than just scan for open ports; some even give you extra information. One such product is NetBrute from RawLogic, located at www.rawlogic.com/netbrute/. This one is quite popular with both the security and hacker communities. No computer security professional should be without this item in his or her tool chest. This utility will give you open ports as well as other vital information. Once you install and launch NetBrute, you will see a screen such as the one depicted.

We will concentrate on the NetBrute tab first. You can elect to scan a range of IP addresses (perfect for network administrators assessing the vulnerability of their own systems), or you can choose to target an individual IP. When the scan is done, it will show you all the shared drives on the computer.

With the PortScan tab, you can find open ports. It works exactly like the first tab except that, instead of giving you a list of shared folders/drives, it gives you a list of open ports. That way, with NetBrute, you get both a port scanner and a shared folder scanner. The WebBrute tab lets you scan a target Web site and obtain information similar to what you would get from Netcraft. This scan gives you information such as the target system's operating system and Web server software. Shared folders and drives are important for security because they provide a possible way for hackers to gain access to the system. If a hacker can gain access to a shared folder, he or she can use this area to upload Trojan horses, viruses, key loggers, or other devices.

Cerberus Internet Scanner

Perhaps one of the most popular scanning utilities is the Cerberus Internet Scanner (a number of download locations are listed in Appendix B). This tool is very simple to use as well as informative.

From this screen, you can click the button on the far left that has an icon of a house, or you can go to "File" and select "Host". Then key in the URL or IP address of the machine you want to scan. Click the "S" button or go to "File" and select "Start Scan". Cerberus will then scan that machine and give you back a wealth of information. You can see all the various categories of information that you receive.

To review the report, click the third button. A Hypertext Markup Language (HTML) report will launch (thus the document is easy to save for future reference) with links to each category.

One of the most interesting parts to review, especially for the security administrator, is the NT Registry Report. This report will examine the Windows Registry and inform you of any security flaws found there and how to correct them.

This list shows specific Windows registry settings, why those settings aren't particularly secure, and what you can do to keep them safe. For obvious reasons, this tool is very popular with hackers. Cerberus can provide a comprehensive map of all potential vulnerabilities of the system, including, but not limited to, shared drives, insecure registry settings, running services, and known bugs in the operating system.

All of these tools (and others we have not examined) have one thing in common: they provide information to anyone who wants it. Information is a powerful weapon, but it is also a double-edged sword. Any information a network administrator can use to secure his network, a cracker can also use to break into it. It is imperative that all network administrators be comfortable with the various scanning tools that are available. It is a good idea to make a routine habit of scanning your own systems to search for vulnerabilities, and then to close those vulnerabilities.

Port Scanner for UNIX: SATAN

A tool used by UNIX administrators for years (as well as by hackers) is SATAN. This tool is not some evil supernatural being, but an acronym for Security Administrator Tool for Analyzing Networks. It can be downloaded for free from any number of Web sites; many of those sites are listed at www.fish.com/satan/mirrors.html. This tool is strictly for Unix and will not work in Windows. For that reason, we will not be discussing it here, but it is important that you be aware of it. If you intend to work with Unix or Linux, you should definitely get this utility.

Vulnerability Scanning

In addition to the utilities and scanners we have already discussed, another essential type of tool for any attacker or defender is the vulnerability scanner. A vulnerability scanner, or security scanner, will remotely audit a network and determine whether someone (or something, such as a worm) may break into it or misuse it in some way. These tools allow the attacker to connect to a target system and check for such vulnerabilities as configuration errors, default configuration settings that allow attackers access, and the most recently reported system vulnerabilities. As with port scanners, there are both commercial and free open-source versions of vulnerability scanners. We will discuss two vulnerability scanners here, but there are many others available.

SAINT

SAINT is a network vulnerability assessment scanner that takes a preventive approach to securing computer networks. It scans a system and finds security weaknesses. It prioritizes critical vulnerabilities in the network and recommends safeguards for your data. SAINT gives you benefits in several ways:

·         Prioritized vulnerabilities let you focus your resources on the most critical security issues.

·         Fast assessment results help you identify problems quickly.

·         Highly configurable scans increase the efficiency of your network security program.

Nessus

Nessus, or the "Nessus Project" as it is also known, is another extremely powerful network scanner. It is one of the most up-to-date and easy-to-use remote security scanners currently available. It has a fast, reliable, and modular architecture that allows you to customize it to your needs. Nessus works on Unix-like systems (Mac OS X, FreeBSD, Linux, Solaris, and more) and also has a Windows version called NeWT.

Additionally, Nessus includes a variety of plug-ins that can be enabled depending on the type of security checks you want to perform. These plug-ins work cooperatively, with each test specifying what is needed to proceed with the test. For example, if a specific test requires a remote FTP server and a previous test shows that none exists, that test will not be run. Not performing futile tests speeds up the scanning process. These plug-ins are updated daily and are available from the Nessus Web site.

The output from a Nessus scan of a system is incredibly detailed, and there are multiple formats available for the reports. These reports give information about security holes, warnings, and notes. Nessus does not attempt to fix any security holes that it finds. It simply reports them and gives suggestions on how to make the vulnerable system more secure.
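The dependency-driven plug-in behaviour described above (a test that needs an FTP server is skipped when an earlier test showed none exists), as an added example that is not Nessus code and does not use its plug-in format. Checks declare the fact they establish and the facts they require; the scheduler runs them against a constructed host profile, records each finding with a severity the way a scanner report does, and skips checks whose prerequisites are absent. All check names, severities and the host profile are assumptions.

```python
"""Prerequisite-aware check scheduler in the style of scanner plug-ins (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Facts = Dict[str, bool]


@dataclass
class Check:
    name: str
    run: Callable[[dict, Facts], bool]      # returns True when the finding applies
    provides: Optional[str] = None          # fact this check establishes
    requires: Tuple[str, ...] = ()          # facts that must already be True
    severity: str = "note"                  # "hole", "warning" or "note"


def run_checks(checks: List[Check], host: dict, facts: Optional[Facts] = None):
    """Run checks in order (providers listed before dependents); returns
    (report, skipped, facts) where report is [(name, severity, finding)]."""
    facts = dict(facts or {})
    report, skipped = [], []
    for c in checks:
        missing = [r for r in c.requires if not facts.get(r, False)]
        if missing:
            skipped.append((c.name, missing))   # futile test: prerequisite absent
            continue
        result = c.run(host, facts)
        report.append((c.name, c.severity, result))
        if c.provides:
            facts[c.provides] = result
    return report, skipped, facts


# Constructed host profile: open ports and service details a scan would learn.
SAMPLE_HOST = {"open_ports": {80, 139}, "http_default_page": True}

# Hypothetical checks; names and severities are assumptions, not Nessus IDs.
CHECKS = [
    Check("ftp_detect", lambda h, f: 21 in h["open_ports"], provides="ftp_present"),
    Check("ftp_anonymous_login", lambda h, f: True, requires=("ftp_present",),
          severity="hole"),
    Check("http_detect", lambda h, f: 80 in h["open_ports"], provides="http_present"),
    Check("http_default_page", lambda h, f: h.get("http_default_page", False),
          requires=("http_present",), severity="warning"),
    Check("netbios_detect", lambda h, f: 139 in h["open_ports"],
          provides="netbios_present", severity="note"),
]


def findings(report):
    """Only the checks whose finding applied, as (name, severity) pairs."""
    return [(n, s) for n, s, hit in report if hit]
```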

