|This document is available in: English Castellano Deutsch Francais Nederlands Portugues Russian Turkce|
by Danilo Lujambio
Why are scanners so important for the security of networks? Basically because they are essential tools for those who want to attack a system. The preparation of an attack by a cracker could look as follows:
For a system administrator who is aware of system security, it is important to carry out a scanning of their own network, and look for vulnerabilities before others do it with not so good intentions.
There are several scanning tools for this purpose, but the article will only look at nmap. Nmap is among the most complete scanners and security tools.
Nmap allows the system administrator to scan the networks in order to know which servers are active and which services they offer. For this purpose, nmap offers several scanning techniques. This article will work on a limited number of them, reviewing (maybe teaching?) some aspects of TCP protocol
The strategy in this article will be to show some of the more common ways to use nmap, to obtain information about systems and, in parallel, show how to find traces of scanning on the target side.
The nmap can be obtained from www.insecure.org. After downloading run:
tar zxvf nmap-2.30BETA17.tgz cd ...../nmap-2.30BETA17/ ./configure make make installand it is installed.
The nmap output is usually a list of "interesting" (active) ports on the scanned target machine. These ports provide you with the name of the service, the state and the protocol.
The simpler form of nmap scanning is done with option -sT. It is based on the method of establishing a connection in the TCP protocol, known as a three way handshake. The sequence  is roughly described below
This way of scanning has two advantages:
We will follow the procedure used by nmap option -sT, running tcpdump in the target machine. nmap is executed on machine 192.168.255.20 and points toward machine house2.xxx.xxx.xxx, through an Ethernet network.
192.168.255.20.1024 house2.xxx.xxx.xxx.653: S
2632227152:2632227152(0) win 16060 < mss
1460,sackOK,timestamp 232602[|tcp] (DF)
2) 08:24:18.393167 house2.xxx.xxx.xxx.653 192.168.255.20.1024: R 0:0(0) ack 2632227153 win 0
3) 08:24:18.393227 192.168.255.20.1025 house2.xxx.xxx.xxx.6141: S 2644226118:2644226118(0) win 16060 < mss 1460,sackOK,timestamp 232602[|tcp] (DF)
4) 08:24:18.393258 house2.xxx.xxx.xxx.6141 192.168.255.20.1025: R 0:0(0) ack 2644226119 win 0
5) 08:24:18.453343 192.168.255.20.1298 house2.xxx.xxx.xxx.pop3: S 2640612362:2640612362(0) win 16060 < mss 1460,sackOK,timestamp 232608[|tcp] (DF)
6) 08:24:18.453542 house2.xxx.xxx.xxx.pop3 192.168.255.20.1298: S 1658259980:1658259980(0) ack 2640612363 win 16060 < mss 1460,sackOK,timestamp 243353[|tcp] (DF)
7) 08:24:18.458667 192.168.255.20.1298 house2.xxx.xxx.xxx.pop3:. ack 1 win16060<nop,nop,timestamp 232609 243353 (DF)
8) 08:24:18.461280 192.168.255.20.1298 house2.xxx.xxx.xxx.pop3: F 1:1(0) ack 1 win 16060 < nop,nop,timestamp 232609 243353 (DF)
This run allowed nmap to detect that port 110 (pop3) of house2 is an active one on this machine.
As stated above, this way of scanning is easy to detect, using the prints left in file /var/log/messages (although this depends on the way that syslog.conf was configured) the connection seen in lines 5 to 8 produced:
May 6 08:24:01 house2 in.pop3d: connect from email@example.com
This scanning type is performed by executing nmap with option -sS. The technique used is to open a "half connection": we send a SYN segment and, if an ACK is received then we have detected an active port on the target machine, and we sent a RESET to close the connection promptly. If we receive an RST instead of an ACK, then the scanned port is not active. This scanning procedure has the drawback that root privileges are needed to execute it. But it has the advantage that is difficult to detect in the scanned machine.
Let's see a similar analysis of the actions done by nmap with this option, analyzing it with tcpdump (with lines numbered again for easier description)
1) 22:25:45.856936 192.168.255.20.40175
house2.tau.org.ar.946: S 1292785825:1292785825(0) win
192.168.255.20.40175 house2.tau.org.ar.pop3: S
1292785825:1292785825(0) win 3072
4) 22:25:45.976022 house2.tau.org.ar.pop3 192.168.255.20.40175: S 185944428:185944428(0) ack 1292785826 win 16080 < mss 536 (DF)
5) 22:25:45.979578 192.168.255.20.40175 house2.tau.org.ar.pop3: R 1292785826:1292785826(0) win 0
This scanning over house2 didn't leave any trace in the file /var/log/messages, as stated earlier.
This scanning is based on the fact that inactive ports on the target machine respond to a FIN package with a RST package. On the other hand, active ports simply ignore those packets. Therefore the list of interesting active ports is obtained by observing which are those that have not answered. Hosts running Microsoft operating systems can not be scanned with this method since they have a non standards-conforming implementation of the TCP protocol.
There are three forms of operation of nmap using similar techniques, achieved through options -sF, -sX and -sN. We will further analyze the behavior of option -sF, performing an analysis similar to the one for the previous sections.
1) 06:50:45.643718 192.168.255.20.35600
casahouse.tau.org.ar.864: F 0:0(0) win 2048
In lines 1 and 2 the FIN segment delivery (notice the F after the 864 in line 1) is observed on the target host, which answers with a RST packet (notice the R in line 2 after the 35600). nmap concludes that the 864 in house2 is not active.
3) 06:50:47.933227 192.168.255.20.35600 >
house2.tau.org.ar.pop3: F 0:0(0) win 2048
Lines 3 and 4 take the pop3 port on house2 as an example. In line 3 we see a FIN segment sent, which doesn't get an answer from house2. Line 4 was a surprise, being probably a measure taken by nmap to check the status of that port, sending another FIN segment to ensure that port is not answering. In both cases, house2 ignored the packets, showing to nmap that port pop3 is active.
In the section about "the three way handshake scanning" you saw the traces that a scan can leave behind, and in the later sections, you saw the scanning with options -sS and -sF that don't leave any footprints. We can use tcpdump to detect this type of scanning on a host connected to a network which could be a target of attacks. The drawback of tcpdump is that it generates an enormous amount of information and raises difficulties with regards to storage and analysis. Some expressions are shown here that act like filters, such that the information obtained is smaller and simpler to analyze.
To make it easier to understand the expressions, we show below the format of a TCP packet .
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgement Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Offset | Reserver |U|A|P|R|S|F| Window | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | Urgent Pointer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
We see that the 13th byte is the one where the flags resides
which identifies the kind of packet (SYN, FIN, etc.). With this
knowledge and the and (&) operator we can construct masks to
detect the active bits, building expressions such as
tcpdump ' tcp & 7 != 0 and dst 192.168.255.20 ' > /tmp/out7
which filters the input leaving the packets with bits R, S or F active (the mask is 00000111) with 192.168.255.20 as destination host (obviously this number IP will be looked at by the machine)
tcpdump ' tcp & 1 != 0 and dst 192.168.255.20 ' > /tmp/out1
we will obtain the packets with an active FIN bit (the mask is 00000001). It can be useful to detect the nmap scanning with option -sF. And with
tcpdump ' tcp & 2 != 0 and dst 192.168.255.20 ' > /tmp/out2
we will get only the packets with an active SYN bit, being useful to detect scans with option -sS
For the last type described (with option -sS) there are specific detection programs available .
Programs such as nmap are very useful to improve the system security by looking at networks through the eyes of a potential cracker. We have shown the operation of a rather small part of the options, but hope it helps you to understand the idea of network scanners a bit more.
 W. Richard Stevens Unix Network Programming Volume 1
 RFC 793
 to see nmap documentation
Webpages maintained by the LinuxFocus Editor team
© Danilo Lujambio, FDL
Click here to report a fault or send a comment to LinuxFocus
2001-06-29, generated by lfparser version 2.16