SYN Stealth/Half-Open Scan Since a TCP connect() scan can be detected by an IDS, hackers started evading the detection by using a technique called half-open scanning—shown in Figure 3-3. It is called this because the attacker does not open a full TCP connection. The attacker sends a SYN packet, pretending to open a real connection, and waits for a response. A SYN/ACK indicates the port is listening. An RST is indicative of a nonlistener. If a SYN/ACK is received, the attacker immediately sends an RST to tear down the connection (actually, the kernel does this for the attacker). The main advantage of this scanning technique is that fewer sites will log it.
However, the attacker needs root privileges to build this custom TCP packet sequence. Sophisticated IDS and firewall systems are now capable of detecting a SYN packet from the void and preventing such scans from taking place. This is because, like a TCP connect() system call, the half-open scan initiates with a SYN flag, which can be easily monitored. Another disadvantage is that the attacker has to make a custom IP packet to do this scan. Making a custom IP packet requires access to SOCK_RAW (getprotobyname("raw") under most systems), /dev/bpf (Berkeley packet filter), or /dev/nit (Sun “Network Interface Tap”). This generally requires privileged user access.
Even SYN scanning is not stealthy enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs such as Synlogger and Courtney are available to detect these scans. Some advanced scans, on the other hand, may be able to pass through undetected. The term stealth refers to a category of scans where the packets, appearing as normal traffic, are flagged with a particular set of flags other than SYN, or a combination of flags, no flags set, or all flags set; fragmented packets are used; or filtering devices are avoided by other means. All these techniques resort to inverse mapping to determine open ports.
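The detection side of the half-open pattern just described, as an added example that is not part of the original text: a small detector run over constructed packet records (the addresses, ports and record layout are assumptions for the example) that flags a source sending SYNs to many ports without ever completing the handshake, and also flags flag combinations that no legitimate connection attempt uses.

```python
from collections import defaultdict

def build_sample():
    """Constructed traffic toward 10.0.0.9: a half-open probe of six ports from
    10.0.0.5, a normal completed handshake from 10.0.0.7, and one flagless
    segment from 10.0.0.8. Records are (time, src, dst, dport, tcpdump flags)."""
    pkts, t = [], 0.0
    for port in (21, 22, 23, 25, 80, 443):
        pkts.append((t, "10.0.0.5", "10.0.0.9", port, "S"))
        reply = "SA" if port in (22, 80) else "R"        # 22 and 80 are listening
        pkts.append((t + 0.001, "10.0.0.9", "10.0.0.5", port, reply))
        if reply == "SA":                                 # scanner's kernel RSTs the SYN/ACK
            pkts.append((t + 0.002, "10.0.0.5", "10.0.0.9", port, "R"))
        t += 0.01
    pkts += [(1.00, "10.0.0.7", "10.0.0.9", 80, "S"), (1.01, "10.0.0.9", "10.0.0.7", 80, "SA"),
             (1.01, "10.0.0.7", "10.0.0.9", 80, "A"), (1.02, "10.0.0.7", "10.0.0.9", 80, "PA"),
             (1.50, "10.0.0.8", "10.0.0.9", 135, "")]    # no flags set at all
    return pkts

# Flag combinations that never occur in a legitimate connection attempt (flags sorted).
ODD_FLAGS = {"": "null", "FPU": "xmas", "F": "fin-only", "FS": "syn/fin"}

def detect(packets, target, threshold=5):
    """Return {src: [alerts]} for traffic aimed at `target`. A source that sends
    SYNs to `threshold` or more ports without ever sending the handshake's third
    ACK matches the half-open pattern; odd flag sets are reported per packet."""
    syn_ports = defaultdict(set)      # src -> ports that received a lone SYN
    completed = defaultdict(set)      # src -> ports where a bare ACK followed the SYN
    alerts = defaultdict(list)
    for _, src, dst, dport, flags in packets:
        if dst != target:
            continue
        key = "".join(sorted(flags))
        if key in ODD_FLAGS:
            alerts[src].append(f"{ODD_FLAGS[key]} probe to port {dport}")
        if flags == "S":
            syn_ports[src].add(dport)
        elif flags == "A" and dport in syn_ports[src]:
            completed[src].add(dport)
    for src, ports in syn_ports.items():
        half_open = ports - completed[src]
        if len(half_open) >= threshold:
            alerts[src].append(f"half-open scan of {len(half_open)} ports (SYN, no handshake ACK)")
    return dict(alerts)
```

The legitimate client is not reported because its SYN is followed by the third-leg ACK; the threshold keeps a single failed connection attempt from raising an alert.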
Figure 3-3 Attackers send SYN packets to initiate a stealth scan.
Copyright © by
All rights reserved. Reproduction is strictly prohibited
Figure 3-2 The three-way handshake establishes a connection between protocols.
Figure 3-4 SYN/ACK scans will receive an RST response if the port is closed.
SYN/ACK Scan It is known that a SYN/ACK flagged packet sent to a closed port elicits an RST response, while an open port will not reply (Figure 3-4). This is because the TCP protocol requires a SYN flag to initiate the connection.
This scan has a tendency to register a fairly large quantity of false positives. For instance, packets dropped by filtering devices, network traffic, and timeouts can give a wrong indication of an open port. However, this is a fast scan that avoids a three-way handshake.
Stealth Scan Three-way handshake methodology is also implemented by the stealth scan. The difference is that in the last stage (Figure 3-5), remote ports are identified by examining the packets entering the interface and terminating the connection before a new initialization is triggered.
A stealth scan is done by performing the following steps:
1. To start initialization, the client forwards a single SYN packet to the destination server on the corresponding port.
2. The server actually initiates the stealth scanning process, depending on the response sent.
3. If the server forwards a SYN/ACK response packet, then the port is supposed to be in an open state.
4. The client responds with a RST packet, closing the connection before it is fully opened.
Xmas Scan The Xmas scan is a method that is used to scan large networks and find out which host is up and what services it is offering. This method is based on BSD networking code and works only for UNIX hosts. It does not support Windows NT. The Xmas scan gets its name from setting every TCP flag in the probe. It sends a TCP frame to a remote device with the ACK, RST, SYN, URG, PSH, and FIN flags set. When a message is sent to a closed port, the closed port replies to the Xmas scan with an RST flag, which indicates that the port is closed.
A port that does not respond is reported as open or filtered, since no response comes back from the host.
Figure 3-5 Stealth scans can determine if a port is open or closed from the type of returned packet.
Scanning Methodology 3-7
It initializes all the flags while transmitting this packet to a remote host. The kernel drops the packet if the port is open and the port receives it. If the port is closed, it returns the RST flag, which indicates it is a closed or nonlistening port.
The RST flag is sent to the client, and the server marks that the client has a connection on that port without any condition.
Advantage:
It avoids the IDS and TCP three-way handshake.
Disadvantage:
It works for the UNIX platform only.
FIN Scan The FIN scan is similar to the SYN/ACK scan, with inverse mapping to determine open or closed ports. The difference is that closed ports are required to reply to the probe packet with an RST, while open ports must ignore the packets in question (Figure 3-6). The scan attempts to exploit vulnerabilities in BSD code.
Since many operating systems are based on or derived from BSD, this is a scan that returns fairly good results.
However, most operating systems have applied patches to correct the problem. Nevertheless, there remains a possibility that an attacker may come across a system where these patches have not been applied.
ACK Scan In this type of scanning, the IP routing function is used to deduce the state of the port from the TTL value (Figure 3-7). This is because the IP function is a routing function. Therefore, an interface will reduce the TTL value by one when the IP packet passes through it. This scan works on most UNIX-related operating systems.
Packet 1: server IP port 78: F: RST -> TTL: 68 win: 0 > unfiltered
Packet 2: server IP port 79: F: RST -> TTL: 68 win: 0 > unfiltered
Figure 3-6 FIN scans attempt to exploit BSD vulnerabilities.
Figure 3-7 ACK scans use the IP routing function to deduce the state of a port.
The third sequential packet returns a window field with a nonzero value, indicating a filtered port. Also, the TTL value remains 64 and does not give away the filtered port. While this scan is fast and avoids most detection systems, it is not compatible with all operating systems and relies more on the bug in the BSD code, which has been patched by most vendors.
Systems vulnerable to this include at least some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, Mac OS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, and VxWorks.
Using this scan, attackers can map out firewall rule sets and determine whether the perimeter of the system is guarded by a stateful firewall or a simple packet-filtering device that blocks incoming ICMP and SYN packets.
Null Scan A null scan is a method in which the attacker sends TCP packets with all flags switched off. In this scanning method, it is assumed that every closed port sends back an RST packet to the attacker. Packets received for open ports are ignored and dropped by the destination.
Null scans set all flags of TCP headers, such as ACK, FIN, RST, SYN, URG, and PSH, to NULL or unassigned. When a packet arrives at the server, BSD networking code informs the kernel to drop the incoming packet if a port is open, or returns an RST flag if a port is closed. It works in reverse fashion from an Xmas scan, but gives the same output as FIN and Xmas scans. This method does not work for Microsoft operating systems.
Advantage: It avoids IDS and TCP three-way handshake.
Disadvantage: It works only for UNIX.
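The behaviour the Xmas, FIN, ACK and null scan sections above rely on, as an added example that is not part of the original text: a model of how a BSD-style stack (dropping FIN/null/Xmas probes on open ports, as the text describes) and a Windows-style stack (assumed here to answer those probes with an RST regardless of port state) reply to each probe, with the inverse-mapping rule layered on top. The probe flag sets and the three-state port model are assumptions for the example.

```python
PROBES = {                      # flag set each scan sends, as described in the text
    "syn": {"SYN"}, "fin": {"FIN"}, "null": set(),
    "xmas": {"FIN", "PSH", "URG"}, "ack": {"ACK"},
}

def stack_reply(flags, state, stack="bsd"):
    """Reply a host sends to a segment with `flags` arriving at a port in `state`
    ('open', 'closed' or 'filtered') with no existing connection.
    Returns 'SYN/ACK', 'RST' or None (nothing comes back)."""
    if state == "filtered":
        return None                 # a filtering device dropped the probe
    if state == "closed":
        return "RST"                # closed port: RST to anything
    if flags == {"SYN"}:
        return "SYN/ACK"            # open port: a lone SYN starts a handshake
    if "ACK" in flags:
        return "RST"                # stray ACK on an open port: RST
    # FIN / null / Xmas on an open port: BSD code drops it; Windows-style answers RST
    return "RST" if stack == "windows" else None

def infer(scan, reply):
    """Scanner-side inverse mapping from the observed reply to a port state."""
    if scan == "syn":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan == "ack":
        return "unfiltered" if reply == "RST" else "filtered"
    return "closed" if reply == "RST" else "open|filtered"   # only an RST proves anything

def scan_matrix(stack="bsd"):
    """{(scan, true_state): inferred_state} for every scan type and port state."""
    return {(scan, state): infer(scan, stack_reply(flags, state, stack))
            for scan, flags in PROBES.items()
            for state in ("open", "closed", "filtered")}
```

The matrix makes two of the text's claims concrete: FIN, null and Xmas produce identical results on a BSD-style stack and cannot separate open from filtered, and against the Windows-style stack every port looks closed to them.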
Idle Scan Idle scanning, also called zombie scanning, offers complete blind scanning of a remote host. Port scans are performed by sending packets with a spoofed source address to the computer that an attacker wants scanned, and a response is then sent to the spoofed source address. No packets with the attacker’s IP address will ever reach the victim system.
In most systems, the IP identification (IPID) field is incremented by one after every transmission made. This makes it easy for an attacker to predict the transmissions made between the remote host and any other system it comes in contact with. Attackers can scan a target system by using a side-channel attack that allows for the scan to be bounced off a dumb zombie host instead of sending a single packet to the target from his or her own IP address.
Intrusion detection systems (IDS) detect the zombie as the attacker. This scan type permits the mapping out of IP-based trust relationships between machines.
ICMP Echo Scanning ICMP echo scanning is an investigation method that maps a subnetted network’s broadcast address. Irrespective of the attack, the ICMP probes are addressed only to broadcast IP addresses. The network address of the subnet is mapped when a packet is sent to it, because BSD-based stacks treat the network address as a broadcast address. The scan sends the ICMP echo request to a destination IP address, using the default combination of ICMP echo request and TCP ACK pings.
The ping program transmits ICMP echo request packets to a single host, specified on the command line. A scanning program transmits multiple echo request packets together and notes which machines return an echo reply. The probe’s ICMP header carries type 8 (echo) with an invalid code of 19. In a valid ICMP echo request, the type number must be 8, and the code must be 0.
By investigating the response to an invalid ICMP echo request, the attacker can conclude whether the target system has examined the ICMP echo request’s code field. A response from the target with the ICMP echo reply packet shows that the target has not checked the invalid code field. This way, the scanning provides a hint about which OS is running on the target.
List Scan A list scan simply generates and prints a list of IPs/names without actually pinging or port scanning them. DNS name resolution is carried out.
TCP Connect() Scan A TCP connect()/full-open scan is one of the most reliable forms of TCP scanning.
The connect() system call, provided by the attacker’s operating system, is used to open a connection to every port of the attacker’s choice on the target machine. The connect() succeeds if the state of the port is listening, and fails if the port is unreachable. No special privileges are needed to conduct this type of scan, but it is also easy to detect.
SYN/FIN Scanning Using IP Fragments The need to avoid false positives arising from other scans, due to a packet-filtering device present on the target machine, gave rise to this method of scanning. In order to evade the packet filters, the TCP header is split into several packets. Every TCP header should include the source and destination port for the first packet during any transmission, and the initialized flags in the next. These allow the remote host to reassemble the packet upon receipt through an Internet protocol module that recognizes the fragmented data packets with the help of field-equivalent values of protocol, source, destination, and identification.
The TCP header is split into small fragments and transmitted over the network. However, there is a possibility that IP reassembly on the server side may result in unpredictable results, such as fragmentation of the data in the IP header. Some hosts may be incapable of parsing and reassembling the fragmented packets, and thus may cause crashes, reboots, or even network device monitoring dumps.
Some firewalls may have rule sets that block IP fragmentation queues in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), although this is not widely implemented due to the adverse effect on performance. Since several intrusion-detection systems employ signature-based methods to indicate scanning attempts based on IP and/or TCP headers, fragmentation is often able to evade this type of packet filtering and detection. There is a high probability of causing network problems on the target network.
UDP Scanning This scanning method uses the UDP protocol instead of TCP. Though the protocol is simpler, the actual scanning process is more difficult. This happens because open ports do not have to send an acknowledgement in response to a probe, and closed ports are not even required to send an error packet. However, most hosts do send an ICMP_PORT_UNREACH error when a user sends a packet to a closed UDP port. Thus, the user can find out if a port is not open. Neither UDP packets nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement the retransmission of packets that appear to be lost (or the user will get a large number of false positives). In addition, this scanning technique is slow because of compensation for machines that applied RFC 1812 section 4.3.2.8, limiting the ICMP error message rate. Also, the user needs to be a root user to have access to the raw ICMP socket necessary for reading the unreachable port.
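Why the UDP results above are unreliable and slow, as an added example that is not part of the original text: a simulation of a host that honours the RFC 1812 section 4.3.2.8 rate limit on ICMP errors (the one-per-second interval, the port numbers and the timing model are assumptions for the example), probed once without retransmission and then with paced retransmissions. Silence can only ever mean open or filtered, so every suppressed or lost ICMP error turns a closed port into a false positive.

```python
class RateLimitedHost:
    """Closed-port behaviour of a host honouring RFC 1812 section 4.3.2.8: it
    emits at most one ICMP port-unreachable per `interval` seconds (the one-second
    default is an assumption for the model). Open UDP ports stay silent."""
    def __init__(self, open_ports, interval=1.0):
        self.open_ports, self.interval = set(open_ports), interval
        self.last_icmp = float("-inf")

    def probe(self, port, now):
        if port in self.open_ports:
            return None                         # no application-level reply assumed
        if now - self.last_icmp >= self.interval:
            self.last_icmp = now
            return "ICMP_PORT_UNREACH"
        return None                             # error suppressed by the rate limit

def udp_scan(host, ports, retries=0, gap=0.0):
    """Classify each port by probing it up to retries+1 times, one probe every
    `gap` seconds of simulated time. Returns ({port: state}, elapsed_seconds).
    A port stays 'open|filtered' unless an ICMP port-unreachable comes back."""
    now, states = 0.0, {}
    for port in ports:
        states[port] = "open|filtered"
        for _ in range(retries + 1):
            reply = host.probe(port, now)
            now += gap
            if reply == "ICMP_PORT_UNREACH":
                states[port] = "closed"
                break
    return states, now

def compare(ports=range(1000, 1010), open_ports=(1005,)):
    """Run the single-probe pass and the paced, retransmitting pass side by side."""
    naive, t_naive = udp_scan(RateLimitedHost(open_ports), ports, retries=0, gap=0.01)
    paced, t_paced = udp_scan(RateLimitedHost(open_ports), ports, retries=2, gap=0.5)
    return naive, t_naive, paced, t_paced
```

Against ten ports with one open, the single-probe pass finishes in about a tenth of a second but reports nine ports as open or filtered, while the paced pass classifies all nine closed ports correctly and takes roughly a hundred times longer, which is the slowdown the text attributes to RFC 1812 compliance.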