Most port scanners operate in three steps:
- The port scanner sends TCP SYN requests to the host or range of hosts you set it to scan. Some port scanners, such as SuperScan, perform ping sweeps to determine which hosts are available before starting the TCP port scans. Most port scanners by default scan only TCP ports. Don't forget about UDP ports. You can scan UDP ports with a UDP port scanner such as Nmap.
- The port scanner waits for replies from the available hosts.
- The port scanner probes these available hosts for up to 65,535 possible TCP and UDP ports -- based on which ports you tell it to scan -- to see which ones have available services on them.
The port scans provide the following information about the live hosts on
your network:
- Hosts that are active and reachable through the network
- Network addresses of the hosts found
- Services or applications that the hosts may be running
After performing a generic sweep of the network, you can dig deeper into
specific hosts you've found.
SuperScan
My favorite tool for performing generic TCP port scans is SuperScan version
3.0. Figure 9-2 shows the results of my scan and a few interesting ports open
on several hosts, including Windows Terminal Server and SSH.
In Figure 9-2, I selected the Only Scan Responsive Pings and All Selected Ports
in List options. However, you may want to select some other options:
- If you don't want to ping each host first, deselect the Only Scan Responsive Pings option. Leaving it selected makes the scan run more efficiently, but ICMP can be blocked, which causes the scanner to miss certain hosts.
- If you want to scan a certain range of well-known ports or ports specific to your systems, you can configure SuperScan to do so. I recommend these settings:
  - If you want to perform a scan on well-known ports, at least select the All Selected Ports in List option.
  - If this is your initial scan, scan all ports from 1 to 65,535.

Figure 9-2: A TCP port scan using SuperScan version 3.0.
Nmap
After you have a general idea of what hosts are available and what ports are
open, you can perform fancier scans to verify that the ports are actually open
and not being reported as a false positive. If you wish to do this, Nmap is the
perfect tool to use. Nmap allows you to run the following additional scans:
- Connect: This basic TCP scan looks for any open TCP ports on the host. You can use this scan to see what's running and determine whether IDSes, firewalls or other logging devices log the connections.
- UDP scan: This basic UDP scan looks for any open UDP ports on the host. You can use this scan to see what's running and determine whether IDSes, firewalls or other logging devices log the connections.
- SYN Stealth: This scan creates a half-open TCP connection with the host, possibly evading IDSes and logging. This is a good scan for testing IDSes, firewalls and other logging devices.
- FIN Stealth, Xmas Tree and Null: These scans let you mix things up a bit by sending strangely formed packets to your network hosts so you can see how they respond. These scans change the flags in the TCP header of each packet, which lets you test how each host handles them and point out weak TCP/IP implementations and patches that may need to be applied.
Be careful when performing these scans. You can create your own DoS attack
and potentially crash applications or entire systems. Unfortunately, if you
have a host with a weak TCP/IP stack (the software that controls TCP/IP communications
on your hosts), there is no good way to prevent your scan from
becoming a DoS attack. The best way to reduce the chance of this occurring
is to use the slow Nmap timing options -- Paranoid, Sneaky or Polite -- when running your scans.
Figure 9-3 shows the NMapWin Scan tab, where you can select all these
options. If you're a command-line fan, you see the command-line parameters
displayed in the lower-left corner of the NMapWin screen. This helps when
you know what you want to do and the command-line help isn't enough.

Figure 9-3: In-depth port scanning options in NMapWin.
If you connect to a single port carefully enough (as opposed to several all at
once) without making too much noise, you may be able to evade your IDS/IPS
system. This is a good test of your IDS and firewall systems, so assess your
logs to see what they saw during this process.
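As an added example (not from the book or any of the tools it describes), the following Python script shows the log-side view of the scans listed above: it classifies a packet's TCP flags into the Null, FIN, Xmas Tree and SYN probe patterns and reports sources that touch many distinct ports, which is what you would look for when assessing your IDS and firewall logs. The log format, addresses and threshold are constructed for the example.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (FIN is the low-order bit).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags):
    """Map a packet's TCP flags to the Nmap scan type whose probes look like it."""
    if flags == 0:
        return "null"            # Null scan: no flags set at all
    if flags == FIN:
        return "fin"             # FIN scan: FIN without a preceding handshake
    if flags == FIN | PSH | URG:
        return "xmas"            # Xmas Tree scan: FIN, PSH and URG all "lit up"
    if flags == SYN:
        return "syn"             # opening packet of a Connect or SYN Stealth scan
    return None                  # anything else is treated as ordinary traffic

# Constructed sample log (not real traffic), one packet per line: "src dst dport flags".
# 10.0.0.5 sends bare SYNs to six ports, 10.0.0.7 sends Xmas probes to five,
# and 10.0.0.9 is a normal client completing a handshake to port 443.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.20 21 0x02
10.0.0.5 10.0.0.20 22 0x02
10.0.0.5 10.0.0.20 23 0x02
10.0.0.5 10.0.0.20 25 0x02
10.0.0.5 10.0.0.20 80 0x02
10.0.0.5 10.0.0.20 443 0x02
10.0.0.7 10.0.0.20 22 0x29
10.0.0.7 10.0.0.20 80 0x29
10.0.0.7 10.0.0.20 135 0x29
10.0.0.7 10.0.0.20 139 0x29
10.0.0.7 10.0.0.20 445 0x29
10.0.0.9 10.0.0.20 443 0x02
10.0.0.9 10.0.0.20 443 0x10
10.0.0.9 10.0.0.20 443 0x18
"""

def parse_log(text):
    """Yield (src, dst, dport, flags) tuples from the constructed log format."""
    for line in text.splitlines():
        src, dst, dport, flags = line.split()
        yield src, dst, int(dport), int(flags, 16)

def detect_scans(text, min_ports=5):
    """Return {(src, scan_type): [ports]} for sources probing >= min_ports distinct ports."""
    probes = defaultdict(set)
    for src, dst, dport, flags in parse_log(text):
        kind = classify_probe(flags)
        if kind:
            probes[(src, kind)].add(dport)
    return {key: sorted(ports) for key, ports in probes.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for (src, kind), ports in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {kind} scan across {len(ports)} ports {ports}")
```

A lone SYN starts both a Connect and a SYN Stealth scan, so telling them apart needs the third packet (ACK versus RST), which this example deliberately leaves out.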
Gathering network information
NetScanTools Pro is a great tool for gathering general network information,
such as the number of unique IP addresses, NetBIOS names and MAC
addresses.
The following report is an example of the NetScanner (network scanner)
output of NetScanTools Pro 2000:

Output of NetScanTools Pro 2000.
NetScanTools Pro version 10 has a neat feature (although it's experimental)
that allows you to fingerprint the operating systems of various hosts.
Figure 9-4 shows the OS fingerprint results while scanning a Linksys router/firewall.

Figure 9-4: NetScanTools Pro OS fingerprinting feature.