SCANNING

In the world of information security, scanners are the most common utilities employed by crackers. These programs, which automatically detect weaknesses in a server's security structure, are fast, versatile, and accurate. More importantly, they are freely available on the Internet. For these reasons, many sources insist that the scanner is the most dangerous tool in the cracking suite. In this paper, my goal is to cover the following topics: what a scanner is, how scanners work, and today's most popular scanners.

Scanners

First of all, what is a scanner? A scanner is a program used to determine which doors are open on a system. Crackers and administrators alike may use scanners to check for security weaknesses on a remote or local host. Whatever the target is, before a cracker goes after it he has to gather as much information as possible, so that his chances of success are as high as possible. Once a cracker has a good map of the network, he can begin to test how vulnerable the machines are. One of the most commonly used techniques for checking a system is called port scanning. Each machine running the Transmission Control Protocol (TCP) has 65,535 ports. Every port with a listening service is a potential doorway for a cracker, who may be on the remote end taking a complete inventory of your machine's open ports. Any service can be configured to listen on any port; however, the major services listen on what are called "well-known" port numbers. For example, web servers commonly run on port 80 and telnet on port 23. Most port scanning tools can scan a list of specific ports or all possible TCP ports. In an attempt to avoid detection, a cracker may scan only a limited set of ports, focusing on the ones used by common services such as FTP, e-mail, or web traffic. One of the most widely used port scanners in the underground world today is called Network Mapper (Nmap). Nmap can run on either the UNIX or Windows NT platform. Nmap offers a variety of different scan packets that, when activated, could cause the targeted system to become flooded or even crash.

The most promising thing about Nmap is its ability to provide basic IP packet fragmentation, a technique that can be used to evade some network-based Intrusion Detection Systems (IDS). This process begins when the cracker discovers that the targeted system uses a simple packet filtering device as its primary firewall. The cracker then runs Nmap with the -f option (UNIX), which splits the TCP headers across IP fragments and allows the scan to evade some IDS. An Intrusion Detection System is a program that monitors and captures all the data on a network; it gathers the packets associated with normal use of the network and with attacks alike. Today, the majority of IDS have a database of attack signatures that they try to match against network traffic. When an attack is discovered, the IDS will warn the administrator by sending e-mail, ringing bells, or calling a pager.
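Signature databases are not the only way an IDS or a log reviewer can spot the port scanning described above. The following is an added example, not code from the paper or from any tool it names: it reads constructed firewall log lines in an assumed format ("time src= dst= dport=") and flags any source that touches many distinct ports within a short window, which is the behavioural fingerprint of a scanner walking the well-known ports.

```python
"""Port-scan detection over constructed firewall log lines (added example, not from the paper)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): "<ISO time> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")
WINDOW = timedelta(seconds=60)   # how far apart probes may be and still count as one scan
PORT_THRESHOLD = 6               # distinct ports from one source inside WINDOW => scan

SAMPLE_LOG = """\
2001-03-04T10:15:00 src=10.0.0.5 dst=192.0.2.10 dport=21
2001-03-04T10:15:01 src=10.0.0.5 dst=192.0.2.10 dport=22
2001-03-04T10:15:02 src=10.0.0.5 dst=192.0.2.10 dport=23
2001-03-04T10:15:02 src=10.0.0.9 dst=192.0.2.10 dport=80
2001-03-04T10:15:03 src=10.0.0.5 dst=192.0.2.10 dport=25
2001-03-04T10:15:04 src=10.0.0.5 dst=192.0.2.10 dport=80
2001-03-04T10:15:05 src=10.0.0.5 dst=192.0.2.10 dport=110
2001-03-04T10:15:06 src=10.0.0.5 dst=192.0.2.10 dport=139
2001-03-04T10:15:07 src=10.0.0.5 dst=192.0.2.10 dport=443
2001-03-04T10:15:09 src=10.0.0.9 dst=192.0.2.10 dport=443
2001-03-04T10:20:00 src=10.0.0.9 dst=192.0.2.10 dport=80
"""

def parse(lines):
    """Yield (timestamp, src, dport) for every line that matches LOG_RE; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(4))

def detect_scans(lines, threshold=PORT_THRESHOLD, window=WINDOW):
    """Return {src: sorted distinct ports} for each source that probed at least
    `threshold` distinct ports within some interval no longer than `window`."""
    by_src = defaultdict(list)
    for ts, src, port in parse(lines):
        by_src[src].append((ts, port))
    flagged = {}
    for src, probes in by_src.items():
        probes.sort()                      # chronological order per source
        for i, (start, _) in enumerate(probes):
            ports = {p for ts, p in probes[i:] if ts - start <= window}
            if len(ports) >= threshold:
                flagged[src] = sorted(ports)
                break
    return flagged
```

A cracker who spreads probes over hours, or who scans only the two or three ports of one service, stays under this window; the defence is still to leave nothing listening that the inventory cannot justify.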

Firewalk

Additional scanning techniques such as Firewalk can give a cracker even more information about the targeted network. Firewalk is a tool that allows a cracker to determine which packets are allowed through a packet filtering device, such as a router or firewall. It works by having the cracker enter two IP addresses to start the scan. The first IP is that of the packet filtering device itself, which could be either a firewall or a router. The second IP is the address of a destination machine on the other side of the firewall or router. Based on these two inputs, Firewalk gathers its data in two phases: network discovery and scanning. During the network discovery phase, Firewalk sends a series of packets with varying Time To Live (TTL) values to determine how many network hops exist between itself and the firewall. Once the hop count is known, Firewalk begins the scanning phase. In the scanning phase, Firewalk creates a series of packets with the TTL set to one greater than the hop count to the firewall. This is done so that when the packets are sent to the firewall, at least one has a chance of getting through. If a packet gets through the firewall, the machine on the other side sends a message back to the cracker. Once that message is received, Firewalk knows the port is open through the firewall. If nothing returns, one can assume the port is filtered by the firewall. One way to defend against Firewalk is to tighten your firewall, configuring it with the minimum set of ports allowed through. Another is to replace your packet filtering device with a proxy-based firewall; proxies do not pass TTL information through, which eliminates a cracker's ability to use Firewalk.

Although you may have an IDS or firewall on your system, the best way to prevent a cracker from discovering open ports is to close all unused ports. If you are using a UNIX-flavour OS, you can remove unused services by editing the /etc/inetd.conf file: open the file and comment out the unwanted services with the "#" symbol. For Windows NT, you can disable unneeded services by uninstalling them or shutting them off in the Services control panel. Any time you build a new system, you should check that you are familiar with the ports that are open and why they are required. After you have disabled all unused ports, take an inventory, writing down all used and unused ports along with their services.
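The inetd.conf clean-up and the inventory that follows it can be done in one pass. This is an added example, not from the paper: it parses a constructed /etc/inetd.conf, comments out every live service that is not on an allow list using the same "#" convention, and returns the used/unused inventory. The WELL_KNOWN port table is an assumed excerpt; on a real host the port numbers come from /etc/services.

```python
"""Audit /etc/inetd.conf: inventory services and comment out those not allowed (added example)."""

# Excerpt of well-known TCP ports for the inventory (assumption: matches the host's /etc/services).
WELL_KNOWN = {"ftp": 21, "telnet": 23, "smtp": 25, "finger": 79, "pop-3": 110, "shell": 514}

SAMPLE_INETD = """\
# /etc/inetd.conf (constructed sample, not a real host's file)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
"""

def _entry_fields(line):
    """Split a line into inetd fields; return None unless it is a service entry (live or commented)."""
    fields = line.lstrip("# \t").split()
    # Layout: name socket_type proto flags user server [args]
    if len(fields) < 6 or fields[1] not in ("stream", "dgram"):
        return None
    return fields

def parse_inetd(text):
    """Return [(enabled, service, proto, server)] for every entry, commented ones included."""
    entries = []
    for line in text.splitlines():
        fields = _entry_fields(line)
        if fields:
            enabled = not line.lstrip().startswith("#")
            entries.append((enabled, fields[0], fields[2], fields[5]))
    return entries

def harden(text, allowed):
    """Comment out each enabled service not in `allowed` (inetd's own '#' convention).
    Returns (new_text, inventory) where inventory = {service: (port or None, enabled_after)}."""
    out, inventory = [], {}
    for line in text.splitlines():
        fields = _entry_fields(line)
        if fields:
            if not line.lstrip().startswith("#") and fields[0] not in allowed:
                line = "#" + line
            inventory[fields[0]] = (WELL_KNOWN.get(fields[0]), not line.lstrip().startswith("#"))
        out.append(line)
    return "\n".join(out) + "\n", inventory
```

After writing the result back to the real file, inetd only re-reads it when signalled (kill -HUP on its process id); keep the returned inventory as the written record of used and unused ports.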

Phone Scanning

Another popular form of scanning used by crackers is called phone scanning. This technique uses two kinds of programs, known as war dialers and demon dialers. A war dialer is a tool used to scan a large pool of telephone numbers to find modems and other interesting lines, while a demon dialer is a tool used to attack just one telephone number with a modem, guessing password after password in an attempt to gain access. So the only real difference between the two is that a war dialer covers a range of telephone numbers, while the demon dialer focuses on a single one. It has often been found that unaware users configure their systems without changing many of the system default settings. This carelessness is a cracker's dream come true, because many remote access packages are always turned on. By default, many of these packages require no password for authentication, giving anyone who dials into the system complete control. One of the best war dialers available to a cracker is a well-organized tool known as The Hacker's Choice Scan (THC-Scan). THC-Scan gives the cracker information about what types of lines were discovered, the time of discovery, and other important messages about that particular system. When THC-Scan is running, it relies entirely on the local host's modem to determine whether the dialed number has a modem or is busy. If someone answers a line dialed by THC-Scan, the person will hear nothing but a clear line. The big advantage of THC-Scan is its ability to run either manually or automatically. When run manually, a cracker is given the option of accelerating the scanning process by listening to the tones coming back over the modem speaker. For example, if a busy tone is received the cracker can hit the 'b' key, and THC-Scan will record the dialed number and advance to the next one.
Also, if the cracker hears a female voice across the modem he can press 'g' and THC-Scan will record the number as "girl on line", in case he wants to call back later for a date. Many crackers use war dialers to obtain free phone calls at someone else's expense. This is done by having the war dialer discover a line known as Direct Inward System Access (DISA). A DISA number is simply one that provides a second dial tone; when a cracker calls this number he is given another dial tone from which he can call anywhere in the world for free.

NetBIOS Scanning

Legion is a NetBIOS scanner used to show file shares across large ranges of IP addresses. Legion is a Windows tool that operates in two phases. In the first phase a simple port scan is done, attempting to find and connect to systems. During the second phase, the process revisits the systems that responded to the first scan and establishes a NetBIOS connection over TCP port 139. When used against NT systems, Legion takes full advantage of the default setting that allows anonymous users to connect to the interprocess communication share (IPC$) without a password. When crackers use Legion as a brute-force password cracker against the Win9x platform, the operating system provides no means of detecting the attack. Once the cracker connects to the system, Legion displays all the shared files and devices of that system, leaving the cracker with total access. Using the NET commands, the cracker may then use any device he chooses (for example, to use the CD drive the cracker would enter: NET USE p: \\201.22.1.12\CDROM). However, you can defend against this by not sharing any device on your system or by disabling NetBIOS over TCP/IP.

Vulnerability Scanning

Before a cracker can break into any system he must know how to get in. This is where vulnerability scanners come into play. A vulnerability scanner is based on one simple idea: automate the process of connecting to a system and checking whether a vulnerability is present. By doing this a cracker can quickly check the targeted system for hundreds of vulnerabilities. A vulnerability scanning tool knows what many system vulnerabilities look like, and with this information it goes out across the network checking whether any of them are present on the targeted system. In today's underworld, one of the most popular vulnerability scanners is known as Nessus. Many crackers choose Nessus because it is a free, open-source vulnerability scanner that allows you to write your own vulnerability plug-ins. Nessus includes a variety of vulnerability checks, each implemented as a small program called a plug-in. Each plug-in is responsible for one vulnerability check when scanning the targeted system. For example, backdoor plug-ins look for signs of backdoor tools installed on the target system, and Denial of Service plug-ins look for vulnerable services that can be crashed across the network. Once the cracker has a list of vulnerabilities on your system, he takes that information and applies exploit code in an attempt to gain access. So remember, when it comes to your system's ports, always close what you don't use.

SUMMARY

Scanning is a powerful technique that often favors crackers, because they only have to find one way in to accomplish their goal. The use of unsecured modems is one of the easiest ways for a cracker to get into a network. To find such a modem a cracker would use a war dialer or demon dialer, a technique that dials telephone number after telephone number. THC-Scan is one of the most popular war dialers used by crackers; it can dial any range of telephone numbers and provides the cracker with numerous options. The defense against war and demon dialers is simply to check or change all modem dial-in settings before installation.

Port scanners are used to determine which ports are active or listening on the target system. One of the most fully featured port scanners is Nmap. Nmap provides basic IP packet fragmentation, which allows the cracker to evade some IDS. An Intrusion Detection System is a program that monitors and captures all the data on a network. Nmap offers a variety of different scan packets that, when activated, could cause the targeted system to become flooded or even crash. Firewalk is a tool that allows a cracker to determine which packets are allowed through a packet filtering device, such as a router or firewall. One way to defend against Firewalk is to tighten your firewall, configuring it with the minimum set of ports allowed through. Legion is a NetBIOS scanner used to show file shares across large ranges of IP addresses.

Once the cracker connects to a system, Legion displays all the shared files and devices of that system, leaving the cracker with total access. Before a cracker can break into any system he must know how to get in. A vulnerability scanning tool knows what many system vulnerabilities look like, and with this information it goes out across the network checking whether any of them are present on the targeted system. Many crackers choose Nessus because it is a free, open-source vulnerability scanner that allows you to write your own vulnerability plug-ins.

Reference: Scambray, McClure, and Kurtz, "Hacking Exposed", Second Edition, 2001.