COMPUTER ATTACKS: PROBING PORTS

PROBING PORTS

Port probes and scans are intrusive attacks against networks. On average these attacks are continuous in which a person or automated program seeks to discover and exploit the computer’s vulnerabilities. Computer attackers have developed an array of methods and means of probing ports which are becoming more advanced with time. Most methods tend to center around port scanning and still many other type of attacks exist. In order to maintain a strong information assurance front to combat attacks, you must learn the technology behind the attack methods. First, we need to define many terms and concepts for the not-so-computer savvy. 

The Basic Definitions and Concepts

Transmission Control Protocol (TCP) is a reliable connection oriented message delivery service. This protocol manages the assembly of messages or a file into smaller packets that are transmitted over telecommunications telemetry (wires, fiber optics, microwave, etc...) and received by a similar TCP layer in the destination machine where the packets are reassembled  into the original message.

Internet Protocol Address (IP address) is a numerical label assigned to a machine participating on a network such that it can be located electronically.  

Port: A logical connection point on a network device used in programming which allows originating devices or programs to communicate using TCP/IP across a network or the Internet to access a destination devices or program. Ports are managed by the operating system and TCP services resident on any network device. 

Port Numbers: The number assigned to a specific port corresponding to one of the 65,536 possible ports on any specific device. 

The three way handshake process is at the heart of computer communications and managed by TCP. The process begins with a request to synchronize (SYN) message to a destination machine. This is acknowledged by the destination with a synchronize-acknowledged (SYN-ACK) message. The originating machine then responds with an acknowledged (ACK) message and the connection between the two machines is complete. The two machine find each other using an IP address. The IP address is more detailed than a simple numerical label.

Media Access Control Address (MAC Address):   This is a unique numerical identifier assigned to hardware devices that facilitate connection to the network or Internet. MAC Addresses are in the hexadecimal format 00:00:00:00:00:00. The address identifies the manufacturer and provides a serialized device number at a minimum. 

Sockets: The combination of an IP address and a port number. Sockets are expressed in this manner: (IP Address):(Port Number).

In network architectures it is not uncommon for a single machine to have several network cards. Therefore,   a more identifiable addressing configuration the IP address is binded to a MAC address of a specific device. Thus, the port, IP Address, and MAC address ensure that the correct communication point is made. 

Other important definitions:

File Transfer Protocol (FTP): A method of file transfer used in TCP\IP protocol environments that allow complete transfer of files between systems.

Internet Assigned Numbers Authority (IANA): An organization that oversees the assignment of Internet Protocol (IP) addresses to Internet Service Providers (ISP).

Port Scan: One of the most popular reconnaissance techniques attackers use to discover services they can use to break into a system. This is the process of searching any number of or all the ports for an opportunity to enter a network, workstation, or server via the Internet using TCP/IP.

User Datagram Protocol (UDP): An unreliable connectionless delivery service that provides limited services across a network or the Internet.

TCP/IP Security and Exploitations

Most intrusive attacks on computers are currently proceeded with port probes and scans by attackers who are searching for vulnerabilities in computer systems to exploit. Port scanning is the most popular method of reconnaissance because victim computers run numerous services that listen on ports. By scanning these ports, attackers can locate a port that can be exploited.

The process of scanning a port is not complex. A client application desires to establish service with a server application across a network through the three way handshake process. Once the service is established then the data begins to pass through the port. An attacker will exploit this process to learn about the service, operating system, or if the port is listening through a variety of methods. There are many methods that computer attackers use while attempting to penetrate a computer network.

TCP/IP Methods of Exploitation

TCP Port Probing is the most common intrusion detected. It is so common because attackers do frequent widespread scans looking for one specific exploit they can use to break into systems. Some of the methods are listed below.

Network Mapper (also known as NMAP) is designed to allow system administrators to scan large networks to determine which hosts are up and what services they are offering. NMAP does three things: (1) ping a number of hosts to determine if they are alive, (2) portscan hosts to determine what services are listening, and (3) attempts to determine the OS of hosts. This type of scan always gives the port’s service name, number, state, and protocol. NMAP uses a lot of good ideas from its predecessors. Some useful features of NMAP are:

1. Dynamic delay time calculations: Some scanners require a delay time between packets. NMAP tries to determine the best delay time. It also tries to keep track of packet retransmissions, so that it can modify this delay time during the course of the scan.
2. Retransmission: Some scanners send out query packets and collect the responses. Doing this can lead to false positives and negatives when the packets are dropped. NMAP implements a configurable number of retransmissions for ports that don’t respond.
3. Detection of down hosts: NMAP pings each host to make sure it is up before wasting time on it. It also does thin in parallel, to speed things up. NMAP is capable of bailing on hosts that seem down based on port scanning errors, and it is meant to be tolerant of people who accidentally scan network addresses.
4. Detection of your IP address: NMAP tries to detect your address during the ping stage. It uses the address that the echo response is received on. If NMAP can’t do this, it will try to detect your primary interface and use that address.

Vanilla TCP scanning is an attempt to connect to all 65,536 ports. This is a frontal assault and the most basic type of TCP scanning. If the port is listening, the connect () command will succeed. If the port is not listening, it will not be reachable. One strong advantage to this technique is that you don’t need any special privileges. Another advantage is speed. Using non-blocking I/O allows you to set a low time-out period and watch all the sockets at once. This is the fastest scanning method supported by NMAP. The big downside is that this sort of scan is easily detectable and filterable. The target host logs will show a bunch of connection and error messages for the services. Defensive measures will take the connection and then have it immediately shutdown.

Half Open (also known as SYN scan or Stealth scan). This type of scan is known as the SYN scan because it only sends the SYN packet. This scan only partially opens a connection, but stops halfway through. As a result, the connection queue fills and service through the specified port is denied to legitimate users. This type of attack is difficult to trace because fake IP's are used and the SYN packet stops the service from being notified of an incoming connection to prevent logging of the scan.

Flags (also known as FIN, XMAS, and NULL scans) are attempts to close a connection that isn’t open. Some attackers try to use their scanners to “open” connections. Others may try to send error messages to “open” ports, hoping to get a message back from “closed” ports. The Flags scan attempts to close a connection that isn’t open. If no service is listening, the operating system will generate an error message. If a service is listening, the operating system will drop the incoming packet. Since packets can be dropped accidentally, this is not an effective scan.

UDP port probe is a method to scan for open UDP ports. The technique is to send UDP packets to each port on the target machine. Scanning this port is significantly more difficult. An open port will usually generate no response. A closed port will respond with an error. Most hosts do send an error when you send a packet to a closed UDP port. Most UDP scanners must also implement retransmission of packets that appear to be lost. If a firewall blocks access to ports, both open and closed ports produce the same results.

FTP Bounce attacks are attempts to imposter or disguise an attacker by passing through (bouncing off) an FTP server. FTP Bounce seems to be the most popular of the port scans. FTP Bounce uses the PORT command in FTP mode. This command can be misused to open a connection on a machine that an attacker could not have accessed directly. By using the PORT command, an attacker may be able to establish a connection and bypass access controls. Here is an example of how FTP Bounce works:

The attacker locates and finds an FTP server through a firewall. The server has an upload area that the attacker can use. The attacker sends a spoofed mail message to the server. The attacker then FTPs the server and sends a PORT command using the address of the victim’s computer. The FTP server opens a connection for the attacker. Once the connection is established, the attacker can send almost anything through the port, and the FTP server will dutifully transmit.

FTP Bouncing makes verifying of a address very difficult. The reason for that is because the attacker is able to make a connection between the FTP server and a port on another system.

Fragmented Packets is a method in which packet fragments are shot through simple packet filters on a firewall to determine vulnerable ports that may be exploited. This type of scan fragments the IP datagram within the TCP header. Attackers using this scan can bypass some firewalls by acting as “packet filters” because the victim can’t see a complete TCP header that matches their filter rules. Be careful of this method. Some programs have trouble handling these tiny packets. This method won’t get by packet filters and firewalls that queue all IP fragments.

Reverse Identification is a method of discovering the user of a port for exploitation. This type of scanner usually works on a UNIX-based computer to identify the user of a TCP connection. When a user connects to a server, it sends back a request to the identity service for verification. It can also work in the reverse way. When a user connects to a server, the user can query the server for identification.

Strobe is an attempt to connect to only known ports to exploit, typically 5 to 20 services such as FTP or Telnet ports.

Sweep is a type of scan that hits the same port across multiple machines, enabling an attacker to identify which hosts are offering a particular service.

Networks and Firewalls

When a network is young, it is strong and simple. As it matures, it becomes more complex. Eventually, the complexity gets to the point where the smallest change can upset the network. Firewalls are the same way. When they are new, they are strong and resistant. When new users come online or there are new needs to be met, the firewall becomes thinner. Holes can open up inside a firewall, and attackers will be free to do their damage.

No matter how secure a firewall is, nothing can stop an internal attack. The most successful scans come from people inside the network. Without a lot of centralized control, there is more opportunity for unhappy or criminal minded employees to exploit network weaknesses. They do this by planting a backdoor on the network, which they can access from home, plant malicious software that can destroy data or systems, or simply browse the network and obtain confidential information.

Attackers can easily exploit many other access points such as:

1. Dial-Up Connections. Dial-Up connections often allow users direct access to the internal network, without firewalls or proxies. Through some social engineering, an attacker can find the numbers for a dial-up connection and begin banging away on the modem.
2. Telecommuters. People with dial-up or ISDN access are especially prone to attacks at home. An attacker can break into a home computer, which is easier than breaking into a company’s server. Once an attacker has access, he can plant a worm or virus to infect the network or act as a probe and send network information back to the attacker.
3. Remote Sites. It is not uncommon for small companies to have remote offices connected together via the Internet. When one company acquires another, security is overlooked to keep employees productive.

Common Attacks

Most attackers use programs such as NMAP and strobe to scan for services with well-known vulnerabilities. Some attackers search the Internet for IMAP servers. The attackers will compile lists of IMAP servers and trade with other hackers. It is a challenge between hackers to see who can crack a system first. Keeping your operating system current with the latest patches and service packs will stop most of these attacks.

TCP SYN Attack: In this attack, the attacker sends a SYN packet, as if he were going to open a connection and wait for a response. A SYN ACK indicates the port is listening. A RST (Reset) is an indication of a non-listener. If a SYN ACK is received, the attacker sends a RST to stop down the connection. This is a form of a denial of service attack.

Telnet: This is a very powerful Internet tool. A computer using TCP/IP has many ports open. While the ports are open, an attacker can attempt to access your computer through those ports. When the attacker finds an open port, he may be able to retrieve files, place files, or watch Internet communications on the victim computer without anything showing up on the screen.

Social Intrusion: This attack is commonly known as “tricking the user into revealing sensitive information”. The attacker poses as an administrator from the Internet. The user may receive an email that they think came from an administrator. In this email, the attacker may request to verify the user’s password because there was problem with the account or gather other information.

Always-On Connections: More and more people are installing always-on, high-speed Internet connections in their homes. Cable modems and ISDN connections are “always-on”. These types of connections are easier for attackers to target, and they also have a fixed system-addressing scheme, which makes it easier for an attacker to target the user specifically.

Distributed Denial of Service (DDOS) Attack: This attack is designed to overwhelm a site with request for service using TCP SYN handshakes. The attacker makes use of thousands of computers on the Internet to target a victim site. The process involves infecting Agent computers (a PC that generates a stream of service request packets) with a virus-like software package that is controlled over the Internet or networks by a Client or Attacker. The virus-like software spreads in an automated 4-stage manner as follows:

1. Scan Phase: A large number of host machines probe target hosts machines for vulnerabilities using a variety of techniques including port probes and scans.
2. Compromise Phase: A target host is accessed through a discovered vulnerability.
3. Tooling Phase: The virus-like software is installed on the target or compromised host.
4. Regenerative Phase: The compromised host begins to scan and probe a number of new target host machines.

In hacker jargon the attacking machines are called Zombies and the machines controlling the collection of Zombies are Managers.  Managers can resource as many as 10,000 Zombies an hour then direct the Zombies to attack once they receive the attack telemetry data. 

Stopping Attackers

There are many different ways to combat port scans and probes. Here are just a few ways that networks can be protected against attackers:

Firewalls. Firewalls are a good initial for protection. A well configured, well-maintained, and regularly tested firewall can stop most attackers. To cover the remaining holes and remain effective, a good network needs a pervasive intrusion detection system, regular maintenance and testing.

Centralized Reporting. Most networks have excellent protection where attacks are expected. Once inside the network, there is virtually nothing to stop an attacker. Each workstation, server, and router becomes intrusion detection enabled. Reporting tools allow network administrators to spot ping sweeps and port scans. With multiple systems reporting information to one central location, even less protected sites can start protecting the larger network.

Pervasive Intrusion Detection Systems (IDS). Pervasive intrusion detection stops attackers on multiple fronts and at many levels. A pervasive intrusion detection places alarms and defenses everywhere in your network. Pervasive measures make your network a tangled mess for attackers to navigate.

Protect Vulnerable Network Areas. Some areas of the network are particularly vulnerable to attacks. Dial-up servers, web servers, and remote sites are very prone to attack from attackers. Thus, these areas need specialized protection such as VPNs, MAC address controlled access, etc...

Install Network Firewalls, Defenders, and Virus Checking. These services can not only detect suspicious behavior, but it can stop the attacker before they can access anything on the computer. Some tools can “backtrack” attackers and provide you with information about the person or origin of an attack.

Conclusion

Attackers today are more dedicated to causing trouble, conducting criminal activities, or terrorizing people. It costs billions of dollars to repair the damage that they do each year. The most powerful tool against attackers is knowledge. To make a network truly secure, intrusion detection and protection needs to be expanded from firewalls and routers to all devices on the network, especially user workstations.

Reference:

Englander, I. (2003). The Architecture of Computer Hardware and Systems Software: An information Technology Approach. (3rd ed.). New York: John Wiley &Sons Inc.

McClure, S, (2009). Hacking Exposed 6, Mcgraw-Hill Company, ISBN 9780071613743

Slade, R. (1994). Computer viruses: how to avoid them, how to get rid of them, and how to get help.New York.Springer-Verlag.

Other posts in this series

COMPUTER ATTACKS: HACKERS

COMPUTER ATTACKS: VIRUSES

COMPUTER ATTACKS: PROBING PORTS

COMPUTER ATTACKS: TCP/IP SECURITY