June 2001 ( Information Security Magazine) http://www.infosecuritymag.com/articles/june01/columns_tech_talk.shtml PLUGGING LEAKY HOLES Port scanners provide an efficient means for finding soft spots on a network's digital perimeter. BY GARY C. KESSLER Sysadmins are constantly being advised to check their systems for services that might be unintentionally or unnecessarily running. In some cases, these services might be Trojans just waiting to be exploited. The most common host-based tool for checking ports on Windows or Unix systems is the netstat command. But this command requires remotely accessing each and every server, creating the potential for missing other host systems that might be listening on improper ports. This is where port scanners come in--tools that sysadmins can use to simultaneously check a group of hosts from a central location. Initially written for Unix/Linux platforms, the first port scanners were freeware scripts designed to help hackers in their reconnaissance of potential victims by identifying systems' open ports and vulnerable services. With the advent of commercial Windows port scanners, primarily intended to test security policy compliance, the longtime fixture in the hacker's arsenal is gaining mainstream acceptance as a bona fide defensive infosec tool. Just as a hacker might use a port scanner to find soft spots on a host or a network's digital perimeter, sysadmins are discovering the utility of the hacker-developed tool in determining whether they've sufficiently locked down their Internet-accessible systems. Even though they're being used in more and more organizations, port scanners remain largely misunderstood in the "white hat" community. The reason is that many sysadmins don't understand the fundamentals of TCP/IP and ports, and, thus, don't understand the power of a port scanner. Starting With the Basics [Image -- nmap, probably the best-known port scaner, was originally developed for Unix platformsto find open ports and the services they're running. Newer versions are available for Linux and Windows ] In the TCP/IP protocol stack, messages associated with the common application protocols--HTTP for the Web; SMTP, POP and IMAP for e-mail; telnet and SSH for remote logon; and FTP for file transfers--are carried inside either Transmission Control Protocol (TCP) packets or User Datagram Protocol (UDP) datagrams. In turn, these protocols are transported across the Internet in IP packets. TCP and UDP are responsible for host-to-host communication. The primary functional difference between the two is that TCP is connection oriented and UDP is connectionless. What this means is that two hosts that need to exchange data using a TCP-based application must first establish some sort of logical connection (analogous to establishing a telephone connection before two parties can speak to each other). With UDP, no such logical connection is needed (analogous to one person sending another person a letter by conventional post). Both TCP and UDP employ port numbers to identify the high-layer application that resides at the communicating hosts. End-to-end data communications on the Internet, in fact, are uniquely identified by the combination of source and destination IP addresses, and TCP/UDP port numbers. TCP/IP applications generally employ a client/server model, exemplified by the relationship between a user's browser and a Web server. Users point their browsers at the Web server, which is usually listening on port 80. Port numbers are valued between 1 and 65,535, with server applications generally being assigned a value below 1,024. There are a large number of well-known ports, including TCP 20 and 21 (FTP), TCP 22 (SSH), TCP 23 (telnet), TCP 25 (SMTP), TCP and UDP 53 (DNS), TCP 79 (finger), TCP 80 (HTTP), TCP 110 (POP3), TCP 119 (NNTP), UDP 161 and 162 (SNMP) and UDP 443 (HTTPS).1 Besides these well-known ports, admins should be familiar with the ports commonly used by hackers to plant Trojan horses, distributed denial-of-service (DDoS) tools and malicious services. These ports include TCP 1,243, 6,667 and 27,374 (SubSeven server defaults); TCP 6,346 (Gnutella); TCP 12,345, 12,346 and 20,034 (NetBus); TCP 16,660 and UDP 18,753 and 20,433 (Shaft DDoS); and TCP 31,337 (BackOrifice). Port scanners are an invaluable tool in finding and determining the status of these often exploited ports. Port Scanner Operation Systems running TCP/IP allow other hosts to use their services through the TCP and UDP ports. While a certain number of open ports are necessary for basic Internet operations, most systems have more open ports than needed. Conventional wisdom holds that only necessary services should be left running. For example, a system whose only [Image]function is as a Web server doesn't need its SMTP and Gopher [Image] [Image] ports open. [Image] Ports open and listening for TCP and UDP connections are an open invitation for hackers to "explore" a system and, possibly, exploit some vulnerability. This isn't merely theoretical fear mongering. For instance, most might not consider it a big deal if their operating system automatically keeps the daytime port (TCP 13) open. However, what happens when a vulnerability is found in the daytime port? An admin must individually screen every host and lock down the ones with unneeded ports open. After identifying open ports and available services, hackers will attempt to connect to those services to determine what software is in operation and check for known vulnerabilities. Most port scanners also identify the host's operating system. Port scanners are particularly effective in finding unadvertised servers, since many sites fail to adequately protect experimental, non-production systems. Port scanners can identify systems running Web or DNS services, allowing a hacker to target those hosts for vulnerable software, such as IIS and BIND flaws. Sysadmins can use these same tools to find ports inadvertently left open. By periodically scanning internal systems, a sysadmin can see what services are being advertised by the network and lock down any that are unnecessary or insecure. Available Scanners A number of commercial and freeware port scanners are available. Each provides the same basic functions, but has different features and configurations. Here's a sample of some of the better-known scanners. nmap. Probably the best-known port scanner is nmap, which finds all open ports and detects the OS on hosts within an IP address range. Available for Unix/ Linux platforms (www.insecure.org/nmap) and Windows platforms (www.eeye.com/html/Research/Tools/nmapnt.html), nmap is useful in uncovering critical information that an attacker may use, such as the likelihood of successfully guessing the TCP initial sequence number (a common attack mechanism) and the host's OS (essential when searching for vulnerabilities). For those who prefer a GUI-based application, there's a graphical front end available for nmap. Security managers are constantly told that networks need security policies written and enforced. This process includes configuring firewalls to allow and deny certain traffic. nmap can play an important role in firewall auditing by determining what TCP/UDP ports can pass through the firewall. This is different than determining what ports are open at the firewall, which yields possible ways to attack the firewall itself. Testing to see what ports are allowed to pass through the firewall allows the sysadmin to ensure that the firewall's packet filtering is performing as desired. hping. Often described as a port scanner on steroids, hping (www.kyuzz.org/antirez/hping.html) is a Unix-based command-line tool that can perform many functions, including basic port scanning and OS detection, TCP/IP packet testing assembly and analysis, and firewall and IDS functions. Network Toolbox. The J. River Network Toolbox (www.jriver.com) is a Windows-based application that provides functions such as ping, traceroute, IP address scanning, finger and whois. It also includes a port scanner that can, in some cases, identify the software listening at a particular port. Although Network Toolbox can identify open TCP ports, it doesn't find open UDP ports. SuperScan. Distributed by Foundstone (www.foundstone.com), SuperScan is a Windows-based application that boasts a large array of features, including the ability to define the type of port scan to be performed. iNetTools. Made by WildPacket, iNetTools (www.wildpackets.com/products/inettools) is an add-on to WildPacket's commercial EtherPeek packet-sniffer software. It includes DNS lookup, finger, name lookup and scanning, ping, port scanning, traceroute and whois functions. The reason for employing port scanners as a security tool should be obvious. Hackers use port scanners to gain valuable information about a target network; sysadmins should use the same tools to learn about and correct their network's vulnerabilities. In doing so, port scanners provide an excellent means for auditing the effectiveness of a network's security policies and defenses. The bottom line is that port scanners, like any weapon, have both offensive and defensive applications. What makes a port scanner good or evil is how it's used. In the right hands, a port scanner is a powerful tool in protecting a network against attacks by those using it as a weapon. GARY C. KESSLER ([email protected]) is an assistant professor and coordinator of the computer networking program at Champlain College in Burlington, Vt., as well as an independent consultant and contributing writer for Information Security.