Network Reconnaissance: The Hacker’s Pre-Attack

10 04 2012

by Jim Forystek

Perhaps the majority of computer attacks occur without the perpetrator gaining physical access to the victim’s PC.  In other words, the perpetrator or attacker gains access to the victim’s PC via the network.  But how does an attacker access information on a victim’s PC in an environment that appears to be relatively secure?  An attempt to gather unauthorized information on a network PC is not automatic.  The events leading up to the attack are usually subtle, requiring the perpetrator to snoop around a network until he or she finds something of interest.  The attacker usually sizes up his victim by utilizing several techniques to identify where a destination host PC may be vulnerable.  Andrew Landsman has identified five common phases of a hacker’s approach [LAN09]:

  • Business Reconnaissance
  • Network & System Scanning
  • Gain Access to Networks and Applications
  • Maintain Access
  • Cover Tracks

The focus of this blog is on the second of Landsman’s five phases: Network & System Scanning.  Network & System Scanning, also known as ‘port scanning’, is a fundamental feature of the TCP/IP protocol – a query that returns services running on a PC.  All that is required for one to start scanning ports is port scanning software installed on a PC that is connected to the Internet.  For example, Nmap is a free software utility which can quickly scan broad ranges of devices and provide valuable information about the devices on a network.  It can be used for IT auditing and asset discovery as well as for security profiling of the network [BRA12].  For a particular IP address, the port scan software will identify which ports respond to messages (packets) and which of several known vulnerabilities seem to be present.  According to Pfleeger, port scanning will reveal three things to an attacker [PFL11]:

  • Which standard ports or services are running and responding on the target system
  • What operating system is installed on the target system
  • What applications and versions of applications are present

How does one scan ports?  There are several different port scanning techniques available.  These techniques range from rudimentary to expert/complex.  The latter may include a combination of port scanning techniques to obtain information.  It should go without saying that the port scan technique used is proportional to the scanner’s level of knowledge about the subject.  A commonly used command within the Nmap port scanning software is ‘TCP connect()’.  The TCP connect scan is named after the connect() call that’s used by the operating system to initiate a TCP connection to a remote device [MES11].  The TCP connect() scan uses a normal TCP connection to determine if a port is available.  According to Messer, this scan method uses the same TCP handshake connection that every other TCP-based application uses on the network.  In a TCP connect() scan operation, a source host sends a packet to a destination host and awaits a response.  If the response is ‘RST’ (reset) from the destination port, then the destination port is closed and the port scan will yield very little information to the inquirer.  However, if the response from the destination port is ‘SYN/ACK’, then the destination port is open and more willing to communicate potentially valuable information to the inquirer.
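The connect() outcomes described above, as seen from the socket API when auditing one's own machine. This is an added example, not code from the original post or from Nmap; it is fixed to the loopback address, also covers the case where no reply arrives at all, and the expected-services list is a hypothetical policy.

```python
import socket

LOOPBACK = "127.0.0.1"  # assumption: the audit only ever targets this machine

def classify_local_port(port, timeout=0.5):
    """Classify one local TCP port by how connect() ends."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((LOOPBACK, port))
        return "open"            # SYN/ACK came back, handshake completed
    except ConnectionRefusedError:
        return "closed"          # RST came back, nothing is listening
    except socket.timeout:
        return "no response"     # probe dropped silently, e.g. by a filter
    except OSError:
        return "error"           # local failure unrelated to the port state
    finally:
        sock.close()

def unexpected_listeners(ports, expected):
    """Return the open ports that are not on the list of intended services."""
    return sorted(p for p in set(ports)
                  if p not in expected and classify_local_port(p) == "open")

if __name__ == "__main__":
    # Hypothetical policy: only SSH is supposed to be listening on this host.
    for port in unexpected_listeners(range(1, 1025), expected={22}):
        print(f"port {port} is open but not on the expected list")
```

Anything the audit reports is a candidate for being switched off or placed behind the firewall.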

What can open ports reveal to a hacker?  Probing the network can reveal vulnerabilities.  The intent is to gain information and services that the hacker should not have access to.  This is where hackers learn more about firewalls, routers, IDS systems and other network components.  This ultimately leads to information about known vulnerabilities of network devices.  Open ports can lead to a hacker gaining direct access to services and possibly internal network connections [LAN09], which is phase three of Landsman’s definition of the hacker’s approach.  Port scanning is one of the most popular reconnaissance techniques attackers use to discover services that they can break into.  All machines connected to a network may run many services that listen on well-known, and not-so-well-known, ports.  A port scan helps an attacker find which ports are available, i.e., what service might be listening to a port.  The type of response received from a port scan indicates whether the port is used and can therefore be probed further for weakness [MAT10].

Scanning ports within a network to determine available services is not illegal, so how does one prevent unwanted port scanning?  One cannot fully prevent port scanning without compromising one’s ability to communicate over a network.  However, there are a couple of things one can do to reduce one’s vulnerability during an unwanted port scan.  First, one can disable all unused services on one’s PC.  This can be accomplished by installing Nmap and scanning one’s own PC to see if there is anything of interest, then turning off what is not necessary.  Second, one can leverage a firewall to filter scan requests.  A firewall can reply to a port scan in three ways: open, closed or no response [COB06].  Open ports are the most vulnerable, for obvious reasons.  If vulnerabilities exist on open ports, then one can patch the weakness, which will reduce the risk of being attacked.  A closed port will respond with a message indicating that it is closed, and ‘genuine’ requests will stop making attempts to query the port.  If repeated attempts are made, the firewall can log these unnecessary attempts and block the source IP from future scans.  ‘No response’ is similar to closed, but the destination IP will not respond to the source.
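One way to turn the logged attempts mentioned above into a block list, as an added example that is not part of the original post. The log format, the sample lines and the thresholds are constructed for illustration: a source is flagged once it has been denied on several distinct ports inside a short window, while a client retrying a single closed port is left alone.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical format: "<ISO time> <action> src=<ip> dpt=<port>"
SAMPLE_LOG = """\
2012-04-10T09:00:00 DENY src=203.0.113.7 dpt=21
2012-04-10T09:00:01 DENY src=203.0.113.7 dpt=22
2012-04-10T09:00:01 ALLOW src=192.0.2.15 dpt=80
2012-04-10T09:00:02 DENY src=203.0.113.7 dpt=23
2012-04-10T09:00:02 DENY src=198.51.100.20 dpt=443
2012-04-10T09:00:03 DENY src=203.0.113.7 dpt=25
2012-04-10T09:00:03 DENY src=198.51.100.20 dpt=443
2012-04-10T09:00:04 DENY src=203.0.113.7 dpt=110
2012-04-10T09:00:05 DENY src=198.51.100.20 dpt=443
2012-04-10T09:05:00 DENY src=192.0.2.99 dpt=135
2012-04-10T09:10:00 DENY src=192.0.2.99 dpt=139
2012-04-10T09:15:00 DENY src=192.0.2.99 dpt=445
"""

def parse_line(line):
    """Split one log line into (time, action, source IP, destination port)."""
    ts, action, src, dpt = line.split()
    return (datetime.fromisoformat(ts), action,
            src.split("=", 1)[1], int(dpt.split("=", 1)[1]))

def find_scanners(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Map each source IP to the time it first hit min_ports distinct denied ports."""
    recent = defaultdict(deque)   # source IP -> (time, port) of denials in the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, src, port = parse_line(line)
        if action != "DENY":
            continue              # permitted traffic is not evidence of scanning
        hits = recent[src]
        hits.append((ts, port))
        while ts - hits[0][0] > window:
            hits.popleft()        # forget denials that fell out of the window
        if src not in flagged and len({p for _, p in hits}) >= min_ports:
            flagged[src] = ts
    return flagged
```

With the defaults only 203.0.113.7 is flagged; the slow source 192.0.2.99 stays under a 60-second window, which is why the window and port threshold need tuning against real traffic.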

In summary, understanding port scanning and how it can reveal vulnerabilities is much like controlling the doors to your house.  Completely blocking off all traffic to your house may increase the safety of your home, but it does not provide an efficient method to enter and exit.  A more effective method is to install reliable locks and distribute keys to trusted members so they can freely enter and exit under controlled circumstances.  Whether one is controlling the doors to their house or ports within their PC, a disciplined and well-informed approach must be taken to ensure assets remain safe.

________________

[BRA12] Bradley, Tony.  Nmap Network Mapping Utility.  2012.  Can be found at: http://netsecurity.about.com/od/securitytoolprofiles/p/aaprnmap.htm

[COB06] Cobb, Michael.  How to Protect Against Port Scans.  2006.  Can be found at:  http://searchsecurity.techtarget.com/answer/How-to-protect-against-port-scans

[LAN09] Landsman, Andrew.  The Five Phase Approach of Malicious Hackers.  May 8th, 2009.  Can be found at: http://blog.emagined.com/2009/05/08/the-five-phase-approach-of-malicious-hackers/

[MAT10] Mateti, Prabhaker.  Port Scanning.  2010.  Can be found at: http://www.auditmypc.com/port-scanning.asp

[MES11] Messer, James.  Secrets of Network Cartography: A Comprehensive Guide to Nmap.  2011.  Can be found at: http://www.networkuptime.com/nmap/page3-3.shtml

[MIT12]  Mitchell, Bradley.  What is a Port Number?   2012.  Can be found at: http://compnetworking.about.com/od/networkprotocols/f/port-numbers.htm

[PFL11] Pfleeger, Charles P. and Lawrence Pfleeger, Shari.  Security in Computing, Fourth Edition.  Prentice Hall, 2011.

 
