Wednesday, April 3, 2019
Looking At Port Scanning Techniques Information Technology Essay
This article gives an in-depth introduction to most of the commonly used TCP port scanning techniques, along with the pros and cons of each of them. Apart from the TCP based port scans, it also briefly explains the other port scanning techniques available for scanning non-TCP ports.

Index Terms: three-way handshake, open port scan, stealth scan, half open port scan, Ident scan, FTP bounce scan, Decoy scan, UDP scan.

In this paper we first give an overview of port scanning, which covers what it is, why it is used, how it can be used and what its effects are. The second section explains the various port scanning methods in detail. It includes a detailed description of each of the TCP based port scanning methods and some of the other port scanning methods, including the advantages and disadvantages of each. This section also contains information on TCP connection establishment, which is helpful for getting a better understanding of the various port scanning techniques.

Overview on Port Scanning

Before discussing the actual topic, port scanning, let us first see what a port is, how it is used and what its functions are. The Transmission Control Protocol and the User Datagram Protocol are used for communication over the internet. Each of these protocols has 65536 ports (from 0 to 65535). Each port has an associated service running. The first 1024 ports are the reserved/privileged ports which run the dedicated services defined by IANA (Internet Assigned Numbers Authority) (for example port 80 is reserved for the HTTP service, port 21 for FTP, port 23 for telnet login, etc.), and these ports are known as well-known ports. The rest are called registered ports (from 1024 to 49151) and dynamic and/or private ports (from 49152 to 65535). So, each application on the computer uses its specific port for communication with the server or with another computer.

Now let us discuss port scanning. Port scanning is a technique used to uncover the port details of a computer. Details such as whether a port is open/listening or not and, if it is open/listening, which service is running on that port can be obtained by scanning the ports. Port scanning is mainly used to find out whether there is any security risk involved in the computer and to check for its weaknesses. Port scanning is done by sending messages to all the ports of the computer, and based on the response from each of the ports we can check whether the computer is prone to attacks. This technique is used by network administrators to check for vulnerabilities in the network; for example, if a port is unused and it is open, then it should be closed immediately, because open ports will listen to incoming messages, which could be malicious. This can be a useful technique for network administrators to secure their network. It is also good to port scan our own computers periodically, so that we are able to find the unwanted processes and any malware running on our own computer systems. Having said this, we should also be aware of the fact that the port scanning methods are known to the hackers too, who will try to break into the network/computer to steal vital information. Using this technique the hackers try to get a list of unused open/available ports. The hackers then try to probe these ports for additional information and weaknesses. Using these results the hacker tries to exploit the host and gain access to the computer.
The operating system of the target computer is capable of logging the requests that are used for port scanning activities. So the hacker will use an effective method to perform port scanning, otherwise the hacker can be easily identified.

Port Scanning Methods

The port scanning techniques can be classified into three main types:

Open scanning: This type of scan opens a full TCP connection with the targeted host.
Half-open scanning: In this type of scan the client terminates the connection on receiving a response from the targeted host.
Stealth scanning: This type of scan prevents the connection request to the targeted host from being logged.

All the above mentioned scanning types are used by a hacker to get the list of open or closed ports on the host. Among the three, the open scanning technique gives accurate information about the state of the port, but it is easily detectable. The stealth scanning technique can bypass some of the basic intrusion detection systems and some of the basic firewall rule sets.

Before explaining each of the port scanning techniques in detail, let us look into the steps involved in establishing a full TCP connection and the usage of each of the flags in the TCP message (Marco, Eddy, Germinal, Gabriela, 1999).
This is because most of the port scanning methods are based on the TCP connection and on the functionality of each of the flag bits in the TCP message.

Following is the list of flags used in the TCP message and their functionality:

SYN: This flag is used to initiate a TCP connection.
FIN: This flag specifies that the sender has finished sending all of its data.
RST: This flag is set to reset the connection.
ACK: This flag is set to acknowledge the request.
URG: This flag is set to indicate that the urgent pointer is valid.
PSH: This flag is set to indicate that all the data should be pushed to the receiver immediately, without waiting for additional data.

TCP connection establishment consists of three steps, hence it is called the three-way handshake. First, the client sends a TCP message with the SYN flag set and an initial sequence number to the targeted host. Second, if the respective port on the target host is open, the target host acknowledges the client's SYN by incrementing the client's initial sequence number by 1 and sending it back to the client, along with its own initial sequence number, in a message with the SYN flag set. Third, on receiving the target host's TCP message with the SYN flag set, the client sends an ACK message carrying the target host's initial sequence number incremented by 1 to the target host. This is how a TCP connection is established between two hosts. Shown below is a representation of the three-way handshake TCP connection.

Client -> Target host: SYN, Client's ISN (initial seq. num)
Target host -> Client: SYN, Target host's ISN (initial seq. num), ACK Client's ISN + 1
Client -> Target host: ACK, Target host's ISN + 1

Having the basic knowledge of the TCP connection and the functionality of each of the flags in the TCP message, we will now discuss each of the port scanning techniques in detail.

Open Scanning Technique

The open scanning technique tries to establish a full TCP connection with the target host.
Based on the response from the target, the client decides whether the port on the target host is open or closed. This technique is slower compared to the other two techniques, since it involves establishing a three-way connection with the target. This technique is also easily detectable and can be filtered easily. Described below is one of the open scanning methods.

TCP connect scan method

The TCP connect scan method uses the connect() call of the operating system to establish a three-way connection with the target host (Dethy, 2001).

Client will send SYN
Server will respond with SYN, ACK
Client will respond with ACK

In the above three-way handshake the server responds with the SYN message, which means that the listening port on the targeted host is in the open state.

Client will send SYN
Server will respond with RST, ACK
Client will respond with RST

In this case, the server responds to the request with the RST message. This shows that the listening port on the targeted host is in the closed state. In this way a list of open or closed ports on the targeted host can be obtained. The advantages of this scanning method are that it is fast, accurate and does not require extra user privileges. The disadvantages are that this method is easily detectable and could be logged.

Half Open Scanning Technique

In the half open scanning technique the client terminates the connection even before the three-way handshake is completed. Two types of scanning methods come under the half open scanning technique. They are 1) SYN scanning and 2) IP ID header or dumb scanning.

SYN scan method

This method is similar to the full connection/TCP connect scan method. The difference is that when the client receives a SYN message from the target host it closes the connection by sending a RST message to the target machine. This is because the SYN message from the target host is enough to know that its listening port is in the open state.
If a RST message is received from the target host then it means that the listening port on the target host is in the closed state. Thus the three-way handshake is never completed in this type of scan method. The representation of this is shown below (Dethy, 2001).

Representation if the port is in the open state:

Client will send SYN
Target will respond with SYN, ACK
Client will respond with RST

Representation if the port is in the closed state:

Client will send SYN
Target will respond with RST, ACK

The advantages of this method are that it is fast, accurate and less frequently logged compared to the open scan method. The main disadvantage is that for this type of scanning the sender or client needs to customise the IP packet, which requires special user privileges, and this is the case for almost all operating systems.

IP ID header or dumb scanning method

The basis of this scan method is similar to the SYN scan method, but the difference is that the IP ID header or dumb scanning method uses a third host to scan the target host, and based on the id value in the IP header field this scan method decides whether the listening port on the targeted host is in the open or closed state. The third host should be chosen such that it sends very little traffic, or preferably no traffic at all; hence this type of host is said to be a silent or dumb host. It requires a lot of effort to find this type of host.

In this scenario there are three different hosts. One is the attacker host (A), the second is the silent host (S) and the third is the target host (T). First A sends continuous ping packets to S; this is to analyse the id value in the IP header field. Each time, the silent host increments the id value by 1 in its response.
An example of this is shown below:

60 bytes from AAA.BBB.CCC.DDD seq=1 ttl=64 id=+1 win=0 time=96 ms
60 bytes from AAA.BBB.CCC.DDD seq=2 ttl=64 id=+1 win=0 time=88 ms
60 bytes from AAA.BBB.CCC.DDD seq=2 ttl=64 id=+1 win=0 time=88 ms

Now, using the source address of host S, host A sends a spoofed SYN message to host T. Host T responds to host S with either a SYN message or a RST message, depending on the listening port's state. Host A then examines the ping responses from host S to check the id value in the IP header. If the id value has increased by more than 1, it shows that the respective port on host T is open, because the id value only increments further when host S responds back to host T. That is, host T would have responded to host S with a SYN message in reply to the spoofed SYN message from host A. If the id value has increased by only 1, it indicates that the respective listening port on host T is in the closed state.

Stealth scanning technique

The stealth scanning technique is used to avoid the logging of port scans performed against a host and to get past the basic filters and firewalls in place. This technique slows down the scan, so that the ports are scanned over a long time period. Thus it keeps the target host from triggering an alert. In this section we discuss four types of stealth scanning techniques.

FIN scan method

As the name implies, this method uses the FIN flag in the TCP message to identify the list of open or closed ports on the target host. That is, the attacker sends a TCP message with the FIN flag set to the target host. Based on the response from the target, the attacker determines whether the listening port on the target is open or closed. If the listening port on the target is closed then it replies with a RST message. The negotiation is shown below:

Attacker will send FIN
Target will respond with RST

If the listening port is open then the target does not send any response back.
The negotiation is shown below:

Attacker will send FIN
Target response: none

The advantages of this method are that it can bypass many intrusion detection systems and these scans are not logged. The disadvantage is that at times it can produce false results.

NULL scanning method

The null scanning method sends a TCP message to the target without setting any of the six flags in the TCP message. Based on the response from the target, the attacker generates a list of open ports. If the response from the target is RST then the listening port on the target host is said to be in the closed state; if there is no response from the target then the port is open. The advantages of this method are that it can bypass many intrusion detection systems and these scans are not logged. The disadvantages are that at times it can produce false results and it can be used only against UNIX systems.

XMAS scanning method

The implementation of the XMAS method is exactly the opposite of the NULL scanning method. That is, the Xmas scanning method sends a TCP message with all six flags set. If the response from the target is RST then the listening port on the target host is said to be in the closed state; if there is no response from the target then the port is open. The advantages and disadvantages of this method are the same as those of the NULL scanning method.

TCP fragmenting method

TCP fragmenting itself is not a port scanning method; rather it is used to improve the other stealth port scanning methods such as FIN, NULL and XMAS (Marco, Eddy, Germinal, Gabriela, 1999). This method splits the TCP header into smaller fragments so that it is not easily detected by the firewalls and other intrusion detection systems in place.

All the port scanning techniques discussed above are specific to TCP ports.
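The three-way handshake, the connect and SYN scans, and the FIN, NULL and XMAS probes described above all come down to which TCP flag bits a segment carries, which is also what a host-based detector can key on. The following Python is an added example, not the essay's or any tool's code: it classifies constructed segment records by their flag byte and reports sources that send stealth probes or SYNs to many distinct ports (the IP addresses, the record format and the port threshold are assumptions).

```python
"""Constructed example, not from the essay: classify inbound TCP segments
by their flag byte and report sources that behave like port scanners.
Records are constructed tuples; nothing is read from a live interface."""
from collections import defaultdict

# TCP flag bits as laid out in the header's flag byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG

def classify_flags(flags: int) -> str:
    """Name the probe type implied by a bare flag byte. A lone SYN starts a
    handshake and ACK-bearing segments belong to a session; the remaining
    patterns are the stealth probes described in the essay."""
    if flags == 0:
        return "null-scan"      # no flags at all: never part of a real session
    if (flags & ALL_SIX) == ALL_SIX:
        return "xmas-scan"      # every flag lit
    if flags == FIN:
        return "fin-scan"       # FIN without ACK cannot close a real connection
    if flags == SYN:
        return "syn"            # first step of a three-way handshake
    if flags & ACK:
        return "established"    # ACK set: mid-session traffic
    return "other"

def detect_scans(packets, port_threshold=5):
    """packets: iterable of (src_ip, dst_port, flag_byte) seen by one host.
    A source is reported if it sent any stealth probe, or SYNs to more than
    port_threshold distinct ports (a connect or SYN sweep)."""
    ports = defaultdict(set)
    stealth = defaultdict(int)
    syns = defaultdict(int)
    for src, dport, flags in packets:
        kind = classify_flags(flags)
        ports[src].add(dport)
        if kind.endswith("-scan"):
            stealth[src] += 1
        elif kind == "syn":
            syns[src] += 1
    report = {}
    for src, seen in ports.items():
        if stealth[src] or (syns[src] and len(seen) > port_threshold):
            report[src] = {"probes": stealth[src], "ports": len(seen), "syns": syns[src]}
    return report

# Constructed sample: one normal HTTPS client, one SYN sweep, a few stealth probes.
SAMPLE = ([("10.0.0.5", 443, SYN), ("10.0.0.5", 443, ACK), ("10.0.0.5", 443, PSH | ACK)]
          + [("10.0.0.9", p, SYN) for p in range(20, 30)]
          + [("10.0.0.7", 22, 0), ("10.0.0.7", 22, ALL_SIX), ("10.0.0.7", 80, FIN)])

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE).items():
        print(src, info)
```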
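The IP ID header (dumb) scan described earlier depends entirely on the silent host stamping its replies with a sequential IP ID. The following Python simulation is an added example, not part of the essay: it models hosts A, S and T in-process to show the id delta of 1 versus 2 that the attacker reads, and why a silent host that randomises its IP IDs (the usual mitigation) gives nothing usable; the port numbers, counter start value and trial count are constructed.

```python
"""Constructed simulation, not from the essay, of the IP ID (dumb) scan
inference between attacker A, silent host S and target T. No packets are sent."""
import random

class SilentHost:
    """Models S. Sequential IP IDs (counter +1 per reply) are the precondition
    the scan needs; per-packet random IDs are the mitigation modern stacks use."""
    def __init__(self, sequential=True, seed=1):
        self.sequential = sequential
        self.counter = 1000
        self.rng = random.Random(seed)

    def reply(self) -> int:
        """IP ID stamped on the reply S emits for one incoming packet."""
        if self.sequential:
            self.counter += 1
            return self.counter
        return self.rng.randrange(0, 65536)

def target_reacts(open_ports, port, silent):
    """Models T receiving a SYN whose source address is spoofed as S.
    Open port: T sends SYN/ACK to S, and S answers it (one reply, ID advances).
    Closed port: T sends RST to S, which S ignores (no reply, ID unchanged)."""
    if port in open_ports:
        silent.reply()

def idle_scan_infer(open_ports, port, silent) -> str:
    """What A can conclude about `port` on T from S's IP ID values.
    A pings S once before and once after the spoofed SYN; the two pings
    account for a delta of 1, so 1 means 'S answered only A' (closed) and
    2 means 'S also answered T' (open). Anything else is unreadable."""
    before = silent.reply()     # A's first ping of S
    target_reacts(open_ports, port, silent)
    after = silent.reply()      # A's second ping of S
    delta = (after - before) % 65536
    if delta == 1:
        return "closed"
    if delta == 2:
        return "open"
    return "unknown"            # S busy with other traffic, or IDs not sequential

def random_id_success_rate(trials=50):
    """Fraction of trials in which A reads an open port correctly when S
    randomises its IP IDs; expected to be at or near zero."""
    hits = 0
    for seed in range(trials):
        s = SilentHost(sequential=False, seed=seed)
        hits += idle_scan_infer({22, 80}, 80, s) == "open"
    return hits / trials

if __name__ == "__main__":
    s = SilentHost()
    print(idle_scan_infer({22, 80}, 80, s), idle_scan_infer({22, 80}, 25, s))
    print("random IDs, correct reads:", random_id_success_rate())
```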
There are other port scanning techniques available for scanning non-TCP ports, some of which are explained below.

UDP scanning technique

The UDP scanning technique is used to get a list of available/open UDP ports on a target host. The method sends a UDP message to the target, and based on the response from the target the attacker determines whether the port is open or closed. If the response from the target host is a UDP message then the port is open. If the response from the target is an ICMP port unreachable message (Dethy, 2001) then the port is closed. If the response is some other ICMP unreachable message then the port is filtered. If there is no response from the target host then the listening port is either open or filtered. The advantages are that it can scan non-TCP ports and it is not restricted by TCP intrusion detection systems. Its disadvantages are that it is easily detectable and requires root access.

Ident scanning technique

The scanning methods discussed so far are used to get a list of open/available ports, but the Ident scanning technique is used to get information about the owner of the process running on those available/open ports. This method uses a weakness in the Identification protocol to uncover the owner details of the process running on the listening ports. This technique can be employed only when the target host is running the identd service on port 113.

FTP bounce scanning technique

This technique uses an option of the FTP protocol to perform port scanning. That is, this method uses proxy ftp servers to communicate with the target host and to perform port scanning on each of its ports. For this, the proxy functionality of the ftp server must be enabled. In this method, the attacker first establishes an ftp connection with the proxy FTP server. Then, using the PORT and LIST commands, it tries to scan each of the ports on the target host.
If the listening port is open then the server sends the 150 and 226 response codes to the attacker; if the port is closed the server responds with the 425 reply code to the attacker.

Decoy scanning technique

The decoy scanning technique sends several packets to the same port on the target host. All of these IP packets contain spoofed IP addresses except one of them. That is, one of the several packets holds the actual attacker's IP address. Thus this method makes sure that at least one response from the target host is sent to the attacker. The advantages of this method are that it is extremely difficult for the administrator to identify the actual scanner/attacker, and the result obtained from this method is accurate. The disadvantage of this technique is that, since it sends several packets to the same port, the volume of traffic is high.

Conclusion

The different types of port scanning techniques have been explained in detail along with their advantages and disadvantages. We have seen that most of the port scanning techniques are based on the TCP protocol, but other port scanning techniques are available to scan the non-TCP ports. At present numerous software tools are available to perform effective port scanning of the local host or a remote host to check for existing vulnerabilities and ways to fix them. Some of the popular tools are SATAN and N-Map. Port scanning techniques are not only used by attackers to break into a computer/network; they can also be used to check our own computers for vulnerabilities and to take preventive action against those vulnerabilities.