Port Scanning

It is similar to a thief going through your neighborhood and checking every door and window on each house to see which ones are open and which ones are locked.

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite which is used universally to communicate on the Internet. Each of these has ports 0 through 65535 available so essentially there are more than 65,000 doors to lock.

The first 1024 TCP ports are called the Well-Known Ports and are associated with standard services such as FTP, HTTP, SMTP or DNS. Some of the addresses over 1023 also have commonly associated services, but the majority of these ports are not associated with any service and are available for a program or application to use to communicate on.

Port scanning software, in its most basic state, simply sends out a request to connect to the target computer on each port sequentially and makes a note of which ports responded or seem open to more in-depth probing.

If the port scan is being done with malicious intent, the intruder would generally prefer to go undetected. Network security applications can be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. To get around this the intruder can do the port scan in strobe or stealth mode. Strobing limits the ports to a smaller target set rather than blanket scanning all 65536 ports. Stealth scanning uses techniques such as slowing the scan. By scanning the ports over a much longer period of time you reduce the chance that the target will trigger an alert.

By setting different TCP flags or sending different types of TCP packets the port scan can generate different results or locate open ports in different ways. A SYN scan will tell the port scanner which ports are listening and which are not depending on the type of response generated. A FIN scan will generate a response from closed ports- but ports that are open and listening will not send a response, so the port scanner will be able to determine which ports are open and which are not.

There are a number of different methods to perform the actual port scans as well as tricks to hide the true source of port scan. You can read more about some of these by visiting these web sites: Port Scanning or Network Probes Explained.

It is possible to monitor your network for port scans. The trick, as with most things in information security, is to find the right balance between network performance and network safety. You could monitor for SYN scans by logging any attempt to send a SYN packet to a port that isn't open or listening. However, rather than being alerted every time a single attempt occurs- and possibly being awakened in the middle of the night for an otherwise innocent mistake- you should decide on thresholds to trigger the alert. For instance you might say that if there are more than 10 SYN packet attempts to non-listening ports in a given minute that an alert should be triggered. You could design filters and traps to detect a variety of port scan methods- watching for a spike in FIN packets or just an anomylous number of connection attempts to a variety of ports and / or IP addresses from a single IP source.

To help ensure that your network is protected and secure you may wish to perform your own port scans. A MAJOR caveat here is to ensure you have the approval of all the powers that be before embarking on this project lest you find yourself on the wrong side of the law. To get accurate results it may be best to perform the port scan from a remote location using non-company equipment and a different ISP. Using software such as NMap you can scan a range of IP addresses and ports and find out what an attacker would see if they were to port scan your network. NMap in particular allows you to control almost every aspect of the scan and perform various types of port scans to fit your needs.

Once you find out what ports respond as being open by port scanning your own network you can begin to work on determining whether its actually necessary for those ports to be accessible from outside your network. If they're not necessary you should shut them down or block them. If they are necessary, you can begin to research what sorts of vulnerabilities and exploits your network is open to by having these ports accessible and work to apply the appropriate patches or mitigation to protect your network as much as possible.

Freeware Port Scanners

• NMap
• Foundstone Vision
• Portscan 2000

NetBus

NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor.

NetBus was written in Delphi by Carl-Fredrik Neikter, a Swedish programmer in March 1998. It was in wide circulation before Back Orifice was released, in August 1998. The author claimed that the program was meant to be used for pranks, not for illegally breaking into computer systems. Translated from Swedish, the name means "NetPrank".

However, use of NetBus has had serious consequences. In 1999, NetBus was used to plant child pornography on the work computer of a law scholar at Lund University. The 3,500 images were discovered by system administrators, and the law scholar was assumed to have downloaded them knowingly. He lost his research position at the faculty, and following the publication of his name fled the country and had to seek professional medical care to cope with the stress. He was acquitted from criminal charges in late 2004, as a court found that NetBus had been used to control his computer.^[1]

There are two components to the client–server architecture. The server must be installed and run on the computer that should be remotely controlled. It was a .exe file with a file size of almost 500 KB. The name and icon varied a lot from version to version. Common names were "Patch.exe" and "SysEdit.exe". When started for the first time, the server would install itself on the host computer, including modifying the Windows registry so that it starts automatically on each system startup. The server is a faceless process listening for connections on port 12345 (in some versions, the port number can be adjusted). Port 12346 is used for some tasks, as well as port 20034.

The client was a separate program presenting a graphical user interface that allowed the user to perform a number of activities on the remote computer. Examples of its capabilities:

• Keystroke logging
• Keystroke injection
• Screen captures
• Program launching
• File browsing
• Shutting down the system
• Opening / closing CD-tray
• Tunneling protocol (NetBus connections through a number of systems.)

The NetBus client was designed to support the following operating system versions:

• Windows 95
• Windows 98
• Windows ME
• Windows NT 4.0

Netbus client (v1.70) works fine in Windows 2000 and in Windows XP as well. Major parts of the protocol, used between the client and server interaction (in version 1.70) are textual. Thus the server can be controlled by typing human understandable commands over a raw TCP connection. It is more difficult than using the client application yet allows one to administrate computers with NetBus from operating environments other than Windows, or when original client is not available. Features (such as screen capture) require an application with ability of accepting binary data, such as netcat. Most of more common protocols (like the Internet Relay Chat protocol, POP3 SMTP, HTTP) can also be used over a raw connections in a similar way.

NetBus 2.0 Pro was released in February 1999. It was marketed commercially as a powerful remote administration tool. It was less stealthy, but special hacked versions exist that make it possible to use it for illegal purposes.

All versions of the program were widely used by "script kiddies" and was popularized by the release of Back Orifice. Because of its smaller size, Back Orifice can be used to gain some access to a machine. The attacker can then use Back Orifice to install the NetBus server on the target computer. Most anti-virus programs detect and remove NetBus.

Also existing is a tool called NetBuster. It pretends to be a running NetBus server, but causes connecting NetBus clients to crash. Additionally, a program called NetBusterBuster could be used to crash a remote NetBuster.

ping sweep (ICMP sweep)ping sweep (ICMP sweep)

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts (computers). Whereas a single ping will tell you

whether one specified host computer exists on the network, a ping sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts. If a given address is live, it will return an ICMP ECHO reply. Ping sweeps are among the older and slower methods used to scan a network.

There are a number of tools that can be used to do a ping sweep, such as fping, gping, and nmap for UNIX systems, and the Pinger software from Rhino9 and Ping Sweep from SolarWinds for Windows systems. Both Pinger and Ping Sweep send multiple packets at the same time and allow the user to resolve host names and save output to a file.

To disable ping sweeps on a network, administrators can block ICMP ECHO requests from outside sources. However, ICMP TIMESTAMP and Address Mask Requests can be used in a similar manner.