Network scanning is an art! Sure there are skills involved and software that makes it easier for us to profile a target, and one can go about it in various ways. BUT before we discuss that we need to understand a little something about TCP. Transmission Control Protocol (or TCP) is the protocol that drives the Internet. Sure, one could say that without DNS (which for the most part uses UDP) the Internet would be unusable. BUT it is the passing of content that motivates us all to get on the Internet and search for our heart’s desire! TCP is a connection-based protocol. It uses what is often referred to as a three-way handshake. Simply put…
- Host A sends a TCP synchronize (SYN) packet to Host B.
- Host B then sends a synchronize-acknowledgement (SYN-ACK) packet back to Host A, acknowledging the SYN packet and setting up the connection.
- Host A sends an acknowledge (ACK) packet back to Host B and the TCP socket connection is ESTABLISHED.
We can gather a lot of information based on how these connections are set up. The more information you have, the better you can profile/attack a host! Let’s explore 3 different methods a bit…
TCP connect is like using a sledgehammer to drive a nail. It will certainly get the job done, BUT it isn’t the most stealthy way of footprinting a target. It does however provide a lot of useful information about which services are actually running on the host. For example, using telnet to open a connection on port 25…
billheese@corusant:~$ telnet 10.0.1.15 25
Trying 10.0.1.15...
Connected to 10.0.1.15.
Escape character is '^]'.
220 mail.somedomain.net ESMTP Postfix
We now know exactly what software somedomain.net is using for its SMTP server.
Next… is the Half-Open Scan. With this particular method of scanning, a SYN packet is sent from Host A to Host B. As is expected with the use of TCP, Host B then sends a SYN-ACK packet back to Host A. Host A never sends the final ACK, so the handshake is never completed (hence “half-open”). If a SYN-ACK packet is returned then Host A now knows a service is running on that port. It does not however know which service is running. Some of the well-known ports are next to impossible to change if the service is going to function correctly, SMTP being one example… but others such as HTTP can run on virtually any port. Very often system administrators will deliberately change the port on which a well-known service is running merely to hide it from the casual network snooper. This particular method of scanning can be put to even more devious uses… the DDoS (or Distributed Denial of Service). This is where multiple hosts send multiple SYN packets to a host, forcing the host to use resources setting up connections that will never be completed. There is a down side to this method of scanning… it requires root access on the scanning host… but that shouldn’t be too hard to get!
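As an added example (not from the original post), here is a small Python script that replays a constructed packet trace through the handshake states described above and reports which hosts are leaving connections half-open, which is exactly how a SYN scan looks from the defender’s side of the wire. The tcpdump-style flag letters, the sample addresses and the alert threshold are all assumptions of the example.

```python
from collections import Counter
# Constructed sample trace, not real traffic: (src, sport, dst, dport, flags).
# Flags use tcpdump-style letters (assumed): S=SYN, A=ACK, R=RST, "SA"=SYN-ACK.
TRACE = [
    # Full handshake, like the telnet session to port 25 above
    ("10.0.1.5", 40000, "10.0.1.15", 25, "S"),
    ("10.0.1.15", 25, "10.0.1.5", 40000, "SA"),
    ("10.0.1.5", 40000, "10.0.1.15", 25, "A"),
    # Half-open probes: the scanner answers the SYN-ACK with RST, never ACK
    ("10.0.1.99", 50001, "10.0.1.15", 22, "S"),
    ("10.0.1.15", 22, "10.0.1.99", 50001, "SA"),
    ("10.0.1.99", 50001, "10.0.1.15", 22, "R"),
    ("10.0.1.99", 50002, "10.0.1.15", 80, "S"),
    ("10.0.1.15", 80, "10.0.1.99", 50002, "SA"),   # no third packet at all
    # Closed port: the server answers the SYN with RST-ACK
    ("10.0.1.99", 50003, "10.0.1.15", 443, "S"),
    ("10.0.1.15", 443, "10.0.1.99", 50003, "RA"),
    # Filtered port: the SYN is never answered
    ("10.0.1.99", 50004, "10.0.1.15", 8080, "S"),
]

def classify_flows(trace):
    """Walk each flow through the handshake; key is (client, cport, server, sport)."""
    flows = {}
    for src, sport, dst, dport, flags in trace:
        fwd = (src, sport, dst, dport)   # same direction as the client's SYN
        rev = (dst, dport, src, sport)   # a server -> client reply
        if flags == "S":
            flows[fwd] = "syn-sent"
        elif flows.get(rev) == "syn-sent":
            if flags == "SA":
                flows[rev] = "syn-received"   # port is listening
            elif "R" in flags:
                flows[rev] = "closed"         # port is closed
        elif flows.get(fwd) == "syn-received":
            if flags == "A":
                flows[fwd] = "established"    # handshake completed
            elif "R" in flags:
                flows[fwd] = "half-open"      # client tore it down instead
    # Anything still waiting when the trace ends never completed either
    final = {"syn-received": "half-open", "syn-sent": "no-response"}
    return {k: final.get(v, v) for k, v in flows.items()}

def suspect_scanners(flows, threshold=2):
    """Clients with at least `threshold` half-open flows (threshold is arbitrary)."""
    hits = Counter(c for (c, _, _, _), s in flows.items() if s == "half-open")
    return {c: n for c, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    print(suspect_scanners(classify_flows(TRACE)))
```

On a real network the same state walk would be fed from a packet capture or firewall connection log, and the threshold tuned so that ordinary clients who complete their handshakes never trip it.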
Lastly, there’s the IP Protocol scanning method. This method of scanning for active hosts is pretty basic. It uses ICMP (or Internet Control Message Protocol), which is often used to send control/error messages indicating whether a host or router could be reached (or not)! Many operating systems have a known signature in how they react to an IP Protocol scan. This allows an attacker to know which OS a host is running. In our example above, we can see that the host is running Postfix… it does not tell us what OS it’s running on. Knowing the OS (and in many cases the version) would allow a hacker to try their hand at other known vulnerabilities for a particular version of the OS. Sure, Postfix may be secure on that host, but it’s running OS X 10.4 and that OS shipped with a bug in Apache that allows for a buffer overflow condition.
These are just a few examples of methods to footprint a host. There are others, but the point I’m trying to make is that just as a carpenter uses many tools to build a house, so too does the hacker use many tools to accurately profile a host.
