In order to keep yourself secure you must understand your enemy. Prevention is the only protection from becoming the victim of a security exploit. The first step in doing this is to determine what services your servers offer, so you can secure them in the best manner possible. Network scanning can be used to determine potential communication channels. Mapping their existence facilitates the exchange of information with the host, and thus is quite useful for anyone wishing to explore their networked environment, including attackers.

Scanning, as a method for discovering exploitable communication channels, has been around for ages. The idea is to probe as many listeners as possible, and keep track of the ones that are receptive or useful. Once these listeners are found, means to exploit the host can be developed. Unnecessarily offering a particular service to a hacker means another avenue to exploit the host.

Many different types of scanning are currently available. These range from a simple ping test to see if the host is alive, network broadcasts, and even performing a "stealth" attack by manipulating the ICMP, TCP, or UDP information in a data packet, intentionally violating the protocol definition in an attempt to trick a firewall.

Becoming familiar with the tools and techniques an attacker might use to probe a network is the only way to know what information is available if someone attempts to mount an attack against us. Among the things that can be determined from port scanning a machine include:

  • Services a host is offering which can then be used to construct the appropriate attack based on information gathered from this process
  • If there is in fact a host at the IP address that is being scanned
  • A topology map of our network, which can be used to determine where firewalls and other hosts are positioned, trusted relationships between those hosts, and routing and DNS information
  • Operating system identification, vendor release and version, as well as applications and their versions
  • Disclosure of the username and owner of any process connected via TCP, which can then be used to determine, for example, the username of which the web server is running

Depending on where the port scan is initiated from will determine what type of information can be gathered. A port scan run from the outside of a firewall will reveal less information than a port scan done right from the local network. Network scanning from the local network can be used to determine the 'worst case' scenerio which will allow us to have the same level of information as an intruder would, had she managed to subvert the firewall before doing the analysis. Scanning from outside the firewall can also be beneficial to determine what ports are available to the public Internet, at which point firewall rules can be adjusted accordingly.

Many different types of network scanners exist today, including freely available ones as well as commercial. The one that we will be using and most hackers use is called "nmap", and is a utility used for scanning large networks, although it works fine for single hosts. It supports the following types of attack/anaysis:

  • Vanilla TCP connect() scanning
  • TCP SYN (half open) scanning
  • TCP FIN, Xmas or NULL (stealth) scanning
  • TCP ftp proxy (bounce attack) scanning
  • SYN/FIN scanning using IP fragments (bypasses firewalls)
  • UDP raw ICMP port unreachable scanning
  • TCP Ping scanning
  • ICMP scanning
  • Direct (non portmapper) RPC scanning
  • Remote OS Identification by TCP/IP fingerprinting
  • Reverse-ident scanning

Nmap is highly configurable, and offers many services:

  • Flexible target and port specification, so an entire network or only a single host can be scanned at once
  • Decoy scanning, which can be used to confuse intrusion detection systems from finding the real host performing an attack
  • Determination of TCP sequence predictability, which can be used in man-in-the-middle attacks
  • Output to machine parseable or human readable log files for analysis

Graphical support, as well as command-line support, is available with nmap. Using the graphical front end, we will be able to determine:

  • Hosts that respond to ICMP
  • Version of Solaris that is reported
  • Services the servers are offering. This will be determined using SYN/FIN scanning.

The attacker community is investing an incredible amount of effort to scan the Internet. The single most important service for our site to block is ICMP echo requests. Many attacks originate from this type of service, not only pinging a host to see if it's reachable. Recon probes should be taken seriously; if attackers can learn where your hosts are, they can make fairly short work of determining what services these hosts run. If they can't determine which of the hosts in our network address space are active, they have a very sparse matrix to deal with.