Dynamic Port Scanning
An integration of ARP poisoning into port scanning to dynamically spoof source IP
Copyright © 2006 AR < [email_address] > ( http://www.securebits.org )
Who am I?
IT Security Engineer at CCC Company, Athens, Greece.
Independent Security Researcher, leader of SECUREBITS Security Group (www.securebits.org)
AGENDA
0x10 Introduction to the Idea of DPS
0x20 Overview of Current Spoofing Techniques
0x30 Integrating ARP Poisoning into Port Scanning
0x40 1-Packet-Based TCP Stealth Scans and Their Uses
0x50 Putting It into Practice [The Tool of Trade]
0x60 DEMO
0x70 Preventing DPS in Private LANs
0x80 Conclusion
0x90 References
0xa0 Thanks & Greetings – Questions & Answers
0x10 Introduction to the Idea of DPS
0x11 Definition: Dynamic Port Scanner [DPS] integrates ARP-Poisoning and Spoofing into Port Scanning to dynamically spoof the source IP of TCP or UDP scan packets.
"Dynamic spoofing" means that each TCP or UDP scan packet carries a dynamically and randomly generated IP as its source IP address.
DPS can be considered a "virtual" distributed scan, where the scan appears to come from many scanning machines.
DPS is best suited for "inside" penetration-testing or attack.
0x20 Overview of Current Spoofing Techniques
1] Normal Source-IP Spoofing
   # nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
2] The Use of Decoys
   # nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
3] Distributed Port Scanning
1] Normal Source-IP Spoofing (1)
   # nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
This is the simplest of all the techniques. All the attacker needs to do is spoof the source IP of the scanning machine to any other IP, without worrying about anything else. That spoofed IP is used for all scan packets. Also, the spoofed IP can be any valid IP address; it does not have to be within the subnet IP range of the scanning machine.
1] Normal Source-IP Spoofing (2)
   # nmap -sS -S 10.1.11.200 -p 1-100 20.2.22.300
Advantages:
1- Freedom of spoofing
2- No wasted initiated packets
3- No tracing of the original scanner
Disadvantages:
1- No replies!!
2- No results!!
2] The Use of Decoys (1)
   # nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
A decoy scan works by sending more than one packet per port. All of these packets carry spoofed source IPs except one, which carries the original scanner's IP address. By doing so, the attacker guarantees at least one reply packet: the reply to the scan packet carrying the correct IP address. All other replies will not reach the scanning machine.
2] The Use of Decoys (2)
   # nmap -sS -D10.1.11.200,10.1.11.210 -p 1-90 20.2.22.300
Advantages:
1- Results are guaranteed
2- Freedom of spoofing
Disadvantages:
1- Lots of wasted traffic
2- Original scanner is logged (detection is not impossible)
3] Distributed Port Scanning (1)
A distributed scan works by dividing the scanning scope among multiple attack platforms. Each attack platform performs a normal scan for a small range of port numbers. Although this is not a 100% spoofing mechanism, it increases the overhead for the system administrator on the other side to trace back the attacker [e.g. there could be hundreds of originating IPs]. Furthermore, those originating IPs could be compromised hosts of innocent people.
3] Distributed Port Scanning (2)
Advantages:
1- No useless traffic
2- Results are guaranteed
3- Minimized scan time
Disadvantages:
1- All scanners are logged/traced
2- Scanners must be under control
0x30 Integrating ARP Poisoning into Port Scanning
0x31 The Basic Idea
0x32 ARP-Cache Poisoning
0x33 ARP-Poisoning with Scanning
0x34 Advantages
0x35 Limitations
0x31 The Basic Idea
The basic idea behind Dynamic Port Scanning is the integration of ARP-Poisoning into the scanning process. The aim is to poison the ARP cache of the remote scanned host or of the gateway, so that scan replies are delivered to the scanning machine regardless of the (spoofed) IP address they are addressed to.
0x32 ARP-Cache Poisoning (Quick Lesson)
In the old days, one fake ARP-REPLY would poison the cache. It works perfectly on WIN95/98/ME and Cisco routers.
Nowadays, a normal fake packet needs to be sent before the fake ARP-REPLY. That packet can be an ICMP ECHO Request or even an ARP-REQUEST. It works on WINNT/2K/XP and LINUX.
Example: 2.2.2.2 (AA:AA:AA:AA:AA:AA) poisons 5.5.5.5 (BB:BB:BB:BB:BB:BB) with the IP 10.10.10.10:
   ARPOP_REQUEST  Src 10.10.10.10 (AA:AA:AA:AA:AA:AA)  Dst 5.5.5.5 (BB:BB:BB:BB:BB:BB)
   ARPOP_REPLY    Src 10.10.10.10 (AA:AA:AA:AA:AA:AA)  Dst 5.5.5.5 (BB:BB:BB:BB:BB:BB)
   Resulting ARP cache on 5.5.5.5: 10.10.10.10 is at AA:AA:AA:AA:AA:AA
0x33 ARP-Poisoning with Scanning: Target is outside the local net
Hosts: 10.1.11.5, 10.1.11.10, 10.1.11.15, 10.1.11.20 (local net), 10.1.11.1 (gateway), 10.1.0.74 (target)
Scanner MAC: AA:AA:AA:AA:AA:AA   Gateway MAC: BB:BB:BB:BB:BB:BB
1] 10.1.0.74 is NOT within the local net
2] Get the gateway IP and ARP for its MAC
3] Generate random IP (10.1.11.15)
4] Poison the gateway (2 fake ARP packets):
   ARPOP_REQUEST  src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.1 (BB:BB:BB:BB:BB:BB)
   ARPOP_REPLY    src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.1 (BB:BB:BB:BB:BB:BB)
5] Send the scan packet:
   10.1.11.15:5678 -> 10.1.0.74:80 [SYN]
6] Wait for the response:
   10.1.0.74:80 -> 10.1.11.15:5678 [SYN/ACK]
0x33 ARP-Poisoning with Scanning: Target is within the local net
Hosts: 10.1.11.5, 10.1.11.10, 10.1.11.15, 10.1.11.20 (local net), 10.1.11.30 (target)
Scanner MAC: AA:AA:AA:AA:AA:AA   Target MAC: BB:BB:BB:BB:BB:BB
1] 10.1.11.30 is within the local net
3] Generate random IP (10.1.11.15)
4] Poison the host (2 fake ARP packets):
   ARPOP_REQUEST  src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.30 (BB:BB:BB:BB:BB:BB)
   ARPOP_REPLY    src: 10.1.11.15 (AA:AA:AA:AA:AA:AA)  dst: 10.1.11.30 (BB:BB:BB:BB:BB:BB)
5] Send the scan packet:
   10.1.11.15:5678 -> 10.1.11.30:80 [SYN]
6] Wait for the response:
   10.1.11.30:80 -> 10.1.11.15:5678 [SYN/ACK]
0x33 ARP-Poisoning with Scanning (Mechanism Flowchart)
1. Generate random source IP: "randomly-generated fake IP"
2. Is the "Target IP" within the local subnet?
   YES: "Target IP" = "ARP-Poisoning IP"
   NO:  "Gateway IP" = "ARP-Poisoning IP"
3. Prepare "ARP REQ" and "ARP REP" with the following data:
   S_IP:  "randomly-generated fake IP"
   D_IP:  "ARP-Poisoning IP"
   S_MAC: MAC of "Attack IP"
   D_MAC: MAC of "ARP-Poisoning IP"
4. Send the two ARP packets to "ARP-Poisoning IP"
5. Send the TCP/UDP scan packet with the following data:
   S_PORT: random port number
   D_PORT: scanned port
   S_IP:   "randomly-generated fake IP"
   D_IP:   "target IP"
   S_MAC:  MAC of "Attack IP"
   D_MAC:  MAC of "ARP-Poisoning IP"
6. Wait for the reply
0x33 ARP-Poisoning with Scanning (Graphical Representation)
0x34 Advantages
No wasted TCP/UDP packets
All replies are delivered to the scanning machine
Original scanner IP address is never logged (even at the ARP level)
Detection is IMPOSSIBLE at the IP layer.
0x35 Limitations
Spoofed IP must fall within the local net.
Number of spoofed IPs is bounded by the subnet range (i.e. a Class B subnet offers more spoofed IPs than a Class C subnet).
Detection can happen on the MAC layer.
0x40 1-Packet Based Stealth Scanning Techniques
Techniques (the slide table compares NMAP and DPS support for each): SYN Scan, ACK Scan, NULL Scan, FIN Scan, PSH Scan, URG Scan, XMAS Scan, XMAS1 Scan, XMAS2 Scan, XMAS3 Scan
Group #1: SYN
Group #2: ACK
Group #3: NULL, FIN, PSH, URG, XMAS, XMAS1, XMAS2, XMAS3
Group #1: TCP SYN Scan (0x02), open port (flags shown in [U A P R S F] order)
  Linux:   probe 3.3.3.3 -> 3.3.3.5 [____S_]   reply 3.3.3.5 -> 3.3.3.3 [_A__S_]   => OPEN
  Windows: probe 3.3.3.3 -> 3.3.3.5 [____S_]   reply 3.3.3.5 -> 3.3.3.3 [_A__S_]   => OPEN
Group #1: TCP SYN Scan (0x02), closed port
  Linux:   probe 3.3.3.3 -> 3.3.3.5 [____S_]   reply 3.3.3.5 -> 3.3.3.3 [_A_R__]   => CLOSED
  Windows: probe 3.3.3.3 -> 3.3.3.5 [____S_]   reply 3.3.3.5 -> 3.3.3.3 [_A_R__]   => CLOSED
Group #2: TCP ACK Scan (0x10), open or closed port
  Linux:   probe 3.3.3.3 -> 3.3.3.5 [_A____]   reply 3.3.3.5 -> 3.3.3.3 [___R__]   => UNFILTERED
  Windows: probe 3.3.3.3 -> 3.3.3.5 [_A____]   reply 3.3.3.5 -> 3.3.3.3 [___R__]   => UNFILTERED
Group #2: TCP ACK Scan (0x10), open or closed port behind a filter
  Linux:   probe 3.3.3.3 -> 3.3.3.5 [_A____]   no reply   => FILTERED
  Windows: probe 3.3.3.3 -> 3.3.3.5 [_A____]   no reply   => FILTERED
Group #3: NULL, FIN, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3 (flags shown in [U A P R S F] order)
  NULL  [______]   FIN   [_____F]   URG   [U_____]   PSH   [__P___]
  XMAS  [U_P__F]   XMAS1 [__P__F]   XMAS2 [U____F]   XMAS3 [U_P___]
Open port (NULL probe shown):
  Linux:   probe 3.3.3.3 -> 3.3.3.5 [______]   no reply                               => OPEN | FILTERED
  Windows: probe 3.3.3.3 -> 3.3.3.5 [______]   reply 3.3.3.5 -> 3.3.3.3 [_A_R__]   => OPEN | CLOSED
Group #3: NULL, FIN, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3, closed port (NULL probe shown)
  Linux:   probe 3.3.3.3 -> 3.3.3.5 [______]   reply 3.3.3.5 -> 3.3.3.3 [_A_R__]   => CLOSED
  Windows: probe 3.3.3.3 -> 3.3.3.5 [______]   reply 3.3.3.5 -> 3.3.3.3 [_A_R__]   => OPEN | CLOSED
0x40 1-Packet Based Stealth Scanning Techniques
Example #1:  ACK Scan: ACK         NULL Scan: No Reply                       => Operating System: Linux    Port Status: Open
Example #2:  ACK Scan: ACK         PSH Scan: RST_ACK    SYN Scan: SYN_ACK    => Operating System: Windows  Port Status: Open
Example #3:  ACK Scan: ACK         URG Scan: RST_ACK    SYN Scan: RST_ACK    => Operating System: ------   Port Status: Closed
Example #4:  ACK Scan: No Reply    XMAS Scan: No Reply                       => Operating System: ------   Port Status: Filtered
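As an added example (my code, not the DPS tool's or the deck's), the following decodes the slides' [U A P R S F] flag diagrams, classifies a probe into the ten one-packet scans listed above, and applies the Linux/Windows reply tables of Groups #1-#3 and Examples #1-#4, so a defender can verify what a host's replies give away. The numeric flag values and the ordering of checks in `combine` are my reading of the slides.

```python
"""Decode the 0x40 flag diagrams and apply their reply tables.

Added example, not code from the DPS tool or the deck. The flag columns are
read in the slides' [U A P R S F] order; the Linux/Windows behaviour and the
four combined examples are taken from the Group #1-#3 diagrams above.
"""
from typing import Optional, Tuple

FLAG_ORDER = "UAPRSF"  # column order used in the slide diagrams
FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}

# Probe flag sets of the ten one-packet scans listed on the 0x40 slides.
SCAN_TYPES = {
    "SYN": 0x02, "ACK": 0x10, "NULL": 0x00, "FIN": 0x01, "URG": 0x20,
    "PSH": 0x08, "XMAS": 0x29, "XMAS1": 0x09, "XMAS2": 0x21, "XMAS3": 0x28,
}
GROUP3 = {"NULL", "FIN", "URG", "PSH", "XMAS", "XMAS1", "XMAS2", "XMAS3"}
SYN_ACK, RST_ACK, RST = 0x12, 0x14, 0x04


def parse_flags(diagram: str) -> int:
    """'[_ A _ R __]' -> 0x14: a letter sets its column, '_' clears it."""
    body = diagram.strip().strip("[]").replace(" ", "")
    if len(body) != len(FLAG_ORDER):
        raise ValueError(f"expected {len(FLAG_ORDER)} columns: {diagram!r}")
    bits = 0
    for col, ch in zip(FLAG_ORDER, body):
        if ch == col:
            bits |= FLAG_BITS[col]
        elif ch != "_":
            raise ValueError(f"bad column {ch!r} in {diagram!r}")
    return bits


def classify_probe(flags: int) -> Optional[str]:
    """Name of the one-packet scan whose probe carries exactly these flags."""
    for name, bits in SCAN_TYPES.items():
        if bits == flags:
            return name
    return None


def infer_state(scan: str, reply: Optional[int], os_name: str) -> str:
    """Port state the scanner learns from one reply (None = no reply)."""
    if scan == "SYN":
        if reply == SYN_ACK:
            return "open"
        if reply == RST_ACK:
            return "closed"
    elif scan == "ACK":
        return "unfiltered" if reply == RST else "filtered"
    elif scan in GROUP3:
        if os_name == "Windows":
            return "open|closed"       # Windows answers RST/ACK either way
        if reply is None:
            return "open|filtered"     # Linux stays silent on an open port
        if reply == RST_ACK:
            return "closed"
    return "unknown"


def combine(ack_reply: Optional[int], group3_reply: Optional[int],
            syn_reply: Optional[int]) -> Tuple[str, str]:
    """(OS, port status) from the three probes, as in Examples #1-#4."""
    if ack_reply is None:
        return "------", "filtered"             # Example #4: nothing answers
    if syn_reply == SYN_ACK and group3_reply == RST_ACK:
        return "Windows", "open"                # Example #2
    if syn_reply == RST_ACK:
        return "------", "closed"               # Example #3
    if group3_reply is None:
        return "Linux", "open"                  # Example #1
    return "------", "unknown"
```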
0x50 Putting it into Practice [The Tool of Trade]
Dynamic Port Scanner [DPS v1.0] is a basic port scanner that integrates ARP-Poisoning to dynamically spoof the source IP while scanning. It has the following features:
- Source IP is randomly generated. It is not necessary that the IP exists in the network.
- DPS Tool distinguishes between targets within the local net and those beyond it. Thus, the poisoned host could be the scan target or the gateway.
- It supports 10 one-packet TCP scanning techniques: SYN, ACK, PSH, URG, FIN, NULL, XMAS, XMAS1, XMAS2, XMAS3
- Open Source [GPL'd]
Tool Usage
Simple Network…
  Scanning Machine: OS: Linux   IP: 10.1.11.20   MAC: 00:03:FF:A1:A0:89
  Target Machine:   OS: Linux   IP: 10.1.11.81   Open Port: 80
Scanning…
The Victim…
TODO List…
- Make the program multi-threaded to speed up the scanning process. The current implementation scans one port at a time, which is time-consuming for a long list of ports.
- Make the ARP poisoning more reliable. Sometimes, when scanning a huge number of ports, the program cannot effectively poison the host/gateway, which causes loss of replies.
- Did someone say an "Nmap Patch"?!!!
0x60 DEMO
0x70 Preventing DPS in Private LANs
0x71 The deployment of the Port-Disabling feature on switches
Recent switches come with a "Port-Disabling" option that triggers on detecting malicious activity on a port. Among those activities is a change of the IP address of the machine attached to that port. Since DPS requires that packets are sent with "fake" IP addresses, a switch can detect this behaviour and disable the switch port immediately. The only way to bypass such a measure is to increase the time gap between packets sent with different IP addresses. If the time gap is long enough for the switch cache to time out, the attacker can still use DPS, but it will take longer.
0x72 Installing the ARPWatch package on the server(s)
"arpwatch" is a software package that monitors MAC/IP pairs in the network and reports any suspicious behaviour. It is always recommended that the sys admin installs it on the different subnets to monitor MAC/IP pair changes on the network.
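An added detector (my code, not arpwatch's or the DPS tool's) that works the MAC-layer angle noted under 0x35 Limitations and the arpwatch point above, run over a constructed ARP log: it raises the classic changed-MAC alert, flags one MAC claiming many sender IPs inside a window (the DPS signature, since every spoofed scan packet still leaves with the scanner's real MAC), and flags replies nobody asked for. The log format, thresholds and addresses (scanner MAC from the demo slide, victim 10.1.11.81) are assumptions.

```python
"""ARP-layer detector for the DPS signature.

Added example, not part of arpwatch or the DPS tool. Three checks over a
constructed ARP log: an IP changing its MAC (the arpwatch alert), one MAC
claiming many sender IPs within a short window (the MAC-layer detection the
0x35 slide mentions), and a reply that the target never requested.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed log: "<seconds> <REQUEST|REPLY> <sender_ip> <sender_mac> <target_ip>".
# Addresses follow the demo network: scanner MAC 00:03:FF:A1:A0:89, victim 10.1.11.81.
SAMPLE_LOG = """
0.0 REQUEST 10.1.11.81  00:0C:29:11:22:33 10.1.11.1
0.1 REPLY   10.1.11.1   00:0C:29:44:55:66 10.1.11.81
5.0 REQUEST 10.1.11.15  00:03:FF:A1:A0:89 10.1.11.81
5.0 REPLY   10.1.11.15  00:03:FF:A1:A0:89 10.1.11.81
5.3 REQUEST 10.1.11.37  00:03:FF:A1:A0:89 10.1.11.81
5.3 REPLY   10.1.11.37  00:03:FF:A1:A0:89 10.1.11.81
5.6 REQUEST 10.1.11.102 00:03:FF:A1:A0:89 10.1.11.81
5.6 REPLY   10.1.11.102 00:03:FF:A1:A0:89 10.1.11.81
9.0 REPLY   10.1.11.1   00:03:FF:A1:A0:89 10.1.11.81
"""

WINDOW = 60.0         # seconds over which one MAC's claimed IPs are counted (assumed)
MAX_IPS_PER_MAC = 2   # a real host rarely claims more than one or two IPs (assumed)
REQUEST_TTL = 2.0     # a reply this long after the request counts as unsolicited (assumed)

Record = Tuple[float, str, str, str, str]
Alert = Tuple[float, str, str]


def parse_log(text: str) -> List[Record]:
    """One (ts, op, sender_ip, sender_mac, target_ip) tuple per non-empty line."""
    rows: List[Record] = []
    for line in text.strip().splitlines():
        ts, op, sip, smac, tip = line.split()
        rows.append((float(ts), op, sip, smac.upper(), tip))
    return rows


def detect(rows: List[Record]) -> List[Alert]:
    """Return (ts, kind, detail) alerts; kinds: changed-mac, many-ips, unsolicited."""
    alerts: List[Alert] = []
    ip_to_mac: Dict[str, str] = {}               # last MAC seen claiming each IP
    claims = defaultdict(deque)                  # mac -> deque of (ts, ip) inside WINDOW
    asked: Dict[Tuple[str, str], float] = {}     # (requester_ip, wanted_ip) -> request ts
    for ts, op, sip, smac, tip in rows:
        old = ip_to_mac.get(sip)
        if old is not None and old != smac:
            alerts.append((ts, "changed-mac", f"{sip} {old} -> {smac}"))
        ip_to_mac[sip] = smac

        q = claims[smac]
        while q and ts - q[0][0] > WINDOW:       # drop claims older than the window
            q.popleft()
        seen_ips = {ip for _, ip in q}
        q.append((ts, sip))
        if sip not in seen_ips and len(seen_ips) + 1 > MAX_IPS_PER_MAC:
            alerts.append((ts, "many-ips", f"{smac} now claims {len(seen_ips) + 1} IPs"))

        if op == "REQUEST":
            asked[(sip, tip)] = ts
        elif op == "REPLY":
            when = asked.get((tip, sip))         # did the target ask for this IP?
            if when is None or ts - when > REQUEST_TTL:
                alerts.append((ts, "unsolicited", f"{sip} is-at {smac} sent to {tip}"))
    return alerts


def summarize(text: str = SAMPLE_LOG) -> Dict[str, int]:
    """Alert counts per kind for a log; the sample yields 1 / 2 / 4."""
    counts: Dict[str, int] = defaultdict(int)
    for _, kind, _ in detect(parse_log(text)):
        counts[kind] += 1
    return dict(counts)
```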
0x73 Configuring static ARP entries on the machines
Static ARP entries can be the best measure to protect against ARP-Poisoning. However, maintaining them can be a nightmare. If the network is almost stable (i.e. changes of IPs and machines are minimal), the sys admin can maintain a small perl or shell script that runs once a day, probes the IP/MAC combination of live systems, and adds static entries for them on the servers located on that subnet as well as on the gateway [i.e. router]. Although DPS can use unallocated IPs in the subnet, "arpwatch" should take care of reporting them in such a case.
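The deck describes the daily pinning script but does not show it; the following is an added example of my own (not the project's code) that turns an `ip -4 neigh show dev eth0` listing into `ip neigh replace ... nud permanent` commands while refusing to pin any IP whose MAC disagrees with a stored known-good baseline, so a poisoned cache entry never becomes permanent. The listing, the baseline and the device name are constructed assumptions built on the demo addresses.

```python
"""Daily static-ARP pinning helper.

Added example; the deck only describes such a script and this is not its code.
It parses an `ip -4 neigh show dev eth0` listing, pins only entries that agree
with a stored known-good baseline, and reports the rest, so an entry that DPS
or any other poisoner planted is never made permanent.
"""
import re
from typing import Dict, List, Tuple

# Constructed `ip -4 neigh show dev eth0` output using the deck's demo addresses.
# 10.1.11.15 and 10.1.11.5 both resolve to the scanning machine's MAC here.
SAMPLE_NEIGH = """
10.1.11.1 lladdr 00:0c:29:44:55:66 REACHABLE
10.1.11.81 lladdr 00:0c:29:11:22:33 STALE
10.1.11.20 lladdr 00:03:ff:a1:a0:89 REACHABLE
10.1.11.15 lladdr 00:03:ff:a1:a0:89 REACHABLE
10.1.11.5 lladdr 00:03:ff:a1:a0:89 REACHABLE
10.1.11.200 FAILED
"""

# Constructed baseline recorded on a known-good day. 10.1.11.15 is unallocated
# and therefore absent; 10.1.11.5 belongs to a different real host.
BASELINE = {
    "10.1.11.1": "00:0c:29:44:55:66",
    "10.1.11.81": "00:0c:29:11:22:33",
    "10.1.11.20": "00:03:ff:a1:a0:89",
    "10.1.11.5": "00:0c:29:77:88:99",
}

LINE_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\s+lladdr\s+([0-9a-f:]{17}))?\s+(\w+)$", re.I)
PINNABLE_STATES = {"REACHABLE", "STALE", "PERMANENT"}  # FAILED/INCOMPLETE carry no MAC


def parse_neigh(text: str) -> Dict[str, Tuple[str, str]]:
    """ip -> (mac, state) for every line that carries a link-layer address."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2):
            table[m.group(1)] = (m.group(2).lower(), m.group(3).upper())
    return table


def plan_pins(neigh: Dict[str, Tuple[str, str]], baseline: Dict[str, str],
              dev: str = "eth0") -> Tuple[List[str], List[str]]:
    """Return (commands to run, conflicts to report); conflicts are never pinned."""
    commands: List[str] = []
    conflicts: List[str] = []
    for ip, (mac, state) in sorted(neigh.items()):
        if state not in PINNABLE_STATES:
            continue
        expected = baseline.get(ip)
        if expected is None:
            conflicts.append(f"{ip} is-at {mac}: not in baseline, left unpinned")
        elif expected != mac:
            conflicts.append(f"{ip} is-at {mac}: baseline says {expected}")
        else:
            commands.append(f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent")
    return commands, conflicts
```

Run the returned commands only after the conflicts list is empty or has been reviewed by hand; pinning blindly would freeze the poisoned mapping instead of the real one.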
0x08 References
0x01 Nmap Port Scanner tool, by Fyodor. http://www.insecure.org/map
0x02 Libnet Packet Creation/Injection Platform, by Mike Schiffman. http://www.packetfactory.net/projects/libnet/
0x03 Building Open Source Network Security Tools, by Mike Schiffman.
0x04 The Art of Scanning, by Fyodor. Phrack Magazine, Volume 7, Issue 51, September 01, 1997, article 11.
0x05 libpcap: the packet capturing library. http://www.tcpdump.org/
0x06 arpwatch tool. http://ee.lbl.gov/
0x07 EtherApe: a graphical network monitor. http://etherape.sourceforge.net/
THANKS & GREETINGS
SECUREBITS Group: HK, NASSER, HUS, NTUFAR
CCC InfoSec Group: NAFEZ, GHASSAN, SALEM, WAFA
RUXCON Organizers
All of the attendees
