CIT251 – Computer Security Overview, Fall 2010

Lab #3: Port Scanning and Subnetting

Your name:

Announcements:
1. Work in a team of two for this lab or use two computers if you work on your own. Each team only has to submit one lab report.

2. Download the lab files from the course web site and unzip this file.

3. Submit a hard copy and an electronic copy at the end of the class. The electronic copy should be submitted to BlackBoard.

TCP/IP Fundamentals for Port Scanning Operations:

ICMP echo requests and their replies are a useful tool on the Internet. They let hosts check that their peers are reachable, report errors, and confirm that network paths are still working. When an ICMP echo request is broadcast, every host that is listening transmits an ICMP echo reply. However, it is common practice for administrators to block ICMP echo requests at the firewall or gateway router, so a host that does not answer a ping is not necessarily down.

UDP scans are used to detect UDP ports open on a target device. UDP has no flags that can be set to identify listening ports, so the scan works in a slightly different manner. A UDP packet carries only three headers: a data-link header, an IP header, and the UDP header. The UDP header contains the target port number, which is changed during the scan in order to reach every port on the target device. If the target isn’t listening on that UDP port, it replies with an ICMP “Destination Unreachable” packet. Ports that are active send nothing back, so the absence of an ICMP error is what marks those port numbers as active for the user.

TCP Scans Types & Expected Results:

TCP NULL—A packet with none of the RST, FIN, SYN, or ACK flags set. If the ports of the target are closed, the target responds with a TCP RST packet. If the ports are open, the target sends no reply, effectively noting that port number as an open port to the user.

TCP SYN—Used to open a connection between a client and a server. First the client sends the server a TCP packet with the SYN flag set. The server responds to this with a SYN/ACK packet, acknowledging the SYN. The client then replies with an ACK of its own, completing the connection.

TCP FIN—Similar to TCP SYN. Normally, a TCP packet with the FIN flag set is sent to a client when the server is ready to terminate the connection. The client responds with an ACK which acknowledges the disconnect. This only closes half of the connection as the client still must indicate to the server that it has transmitted all data and is ready to disconnect. This is referred to as the “half-close.”

TCP ACK—A TCP packet with the ACK flag set. Scans of the TCP ACK type are used to identify Web sites that are active, which are normally set not to respond to ICMP pings. Active Web sites respond to the TCP ACK with a TCP RST, giving the user confirmation of the status of a site.

TCP Connect—The “three-way handshake” process described under TCP SYN above. When one system sends a packet with the SYN flag set, the target device responds with SYN and ACK flags set, and the initiator completes the connection with a packet containing a set ACK flag.
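The scan behaviours listed above are also what a defender looks for in firewall or sensor logs. The following Python script is an added example, not part of the lab handout or of Nmap itself: it runs two checks over a constructed, simplified log format (timestamp, source, destination, protocol, destination port, TCP flag letters) that is assumed here for illustration. It flags TCP packets whose flag combination never occurs in a normal connection (the NULL and FIN probes described above, plus the FIN/PSH/URG “Xmas” set listed as -sX in the cheat sheet at the end), and it flags a source that touches many distinct ports inside a short window, which is what a SYN or connect scan looks like from the target’s side.

```python
"""Added example: two port-scan detections over a constructed log.

Log format (assumed for illustration, one packet per line):
    <epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port> <tcp_flags>
tcp_flags is a string of letters S (SYN), A (ACK), F (FIN), R (RST),
P (PSH), U (URG); "-" means no flags at all, or not a TCP packet.
"""
from collections import defaultdict

# Constructed sample traffic toward one host (192.168.1.10), not real data:
#   .20 opens a normal connection (SYN, then ACK)
#   .30 sends SYN-only probes to ten different ports within a few seconds
#   .40 sends one packet with no flags (NULL) and one with only FIN
#   .50 sends a UDP datagram, which the TCP checks ignore
SAMPLE_LOG = """\
1000 192.168.1.20 192.168.1.10 tcp 80 S
1001 192.168.1.20 192.168.1.10 tcp 80 A
1002 192.168.1.30 192.168.1.10 tcp 22 S
1003 192.168.1.30 192.168.1.10 tcp 23 S
1003 192.168.1.30 192.168.1.10 tcp 25 S
1004 192.168.1.30 192.168.1.10 tcp 80 S
1004 192.168.1.30 192.168.1.10 tcp 110 S
1005 192.168.1.30 192.168.1.10 tcp 135 S
1005 192.168.1.30 192.168.1.10 tcp 139 S
1006 192.168.1.30 192.168.1.10 tcp 443 S
1006 192.168.1.30 192.168.1.10 tcp 445 S
1007 192.168.1.30 192.168.1.10 tcp 3389 S
1010 192.168.1.40 192.168.1.10 tcp 80 -
1011 192.168.1.40 192.168.1.10 tcp 22 F
1012 192.168.1.50 192.168.1.10 udp 53 -
"""


def flag_anomaly(flags):
    """Label a TCP flag set that a real connection never produces, else None.

    A NULL packet (no flags), a bare FIN (FIN without ACK) and the
    FIN+PSH+URG "Xmas" set only appear when someone is probing the port.
    """
    if flags == "-":
        return "NULL"
    flag_set = set(flags)
    if flag_set == {"F"}:
        return "FIN"
    if flag_set == {"F", "P", "U"}:
        return "XMAS"
    return None


def parse_line(line):
    """Split one log line into a record with typed fields."""
    ts, src, dst, proto, port, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": proto, "port": int(port), "flags": flags}


def detect_scans(log_text, port_threshold=8, window=10):
    """Return sorted (src_ip, reason) findings for the given log text.

    port_threshold: distinct destination ports one source must hit with
    SYN-only packets inside `window` seconds to count as a sweep.
    """
    findings = set()
    syn_probes = defaultdict(list)          # src -> [(ts, port), ...]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["proto"] != "tcp":
            continue
        label = flag_anomaly(rec["flags"])
        if label:
            findings.add((rec["src"], f"{label} probe to port {rec['port']}"))
        if set(rec["flags"]) == {"S"}:
            syn_probes[rec["src"]].append((rec["ts"], rec["port"]))

    # Sliding window over each source's time-ordered SYN-only packets.
    for src, probes in syn_probes.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            ports = {p for t, p in probes[i:] if t - t0 <= window}
            if len(ports) >= port_threshold:
                findings.add((src, f"{len(ports)} distinct ports in {window}s (SYN sweep)"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for src, why in detect_scans(SAMPLE_LOG):
        print(f"{src}: {why}")
```

The `window` parameter is why the timing templates in the cheat sheet matter to both sides: the same ten probes spread over a longer interval than the window no longer reach the threshold, so a detector tuned for fast scans has to trade a wider window against more false positives.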

[Exercise I: Determine CIDR of the subnet in the lab]

1. Open a DOS command prompt.

2. At the command prompt, type “ipconfig /all”. Look at the settings for the Ethernet adapter “Local Area Connection”.

Write down your IP address for the Ethernet adapter ______

Write the IP address of your default gateway. ______

Write down the subnet mask.______

3. With this subnet mask, how many unique IP addresses can this subnet have? ______

Show your calculation here______

4. Represent this subnet using CIDR representation. ______

[Exercise II: Running NMap on Windows]

We will be doing some network port scanning using NMAP (Network MAPper), the best-of-breed solution for host and network scans.

1. Install the Windows “Open Command Window Here” PowerToy. Click on

/lab3/tools/CmdHerePowertoySetup.exe.

Alternatively, go to the Microsoft PowerToys web site, look for the utility called “Open Command Window Here” on the right-hand side, and download and install it.

http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

2. Install NMAP from /lab3/tools/nmap-4.20-setup.exe.

Alternatively, you can download and install the latest Windows version of Nmap from

http://www.insecure.org/

3. After you have finished installing Nmap, its files should be in the “C:\Program Files\Nmap” directory. Now use Windows Explorer, right-click the “C:\Program Files\Nmap” folder, and choose the “Open Command Window Here” option. After that, you should get a DOS/command window with a prompt that looks like:

C:\Program Files\Nmap>

4. Turn off your firewall and Anti-virus software temporarily if they are installed on the computer. Alternatively, you can allow the Nmap traffic to go through when your firewall prompts you by setting firewall rules (we will discuss these next week).

5. List Nmap’s command-line options and switches, and read through a couple of pages of its built-in usage text:


C:\Program Files\Nmap>nmap

C:\Program Files\Nmap>nmap | more

6. Run a “default” scan with NO switches (the same as using “-sS”, the TCP SYN scan) and paste the output below. This scan might take a minute or so to complete. The SYN scan is relatively unobtrusive and stealthy, since it never completes the TCP handshake.

C:\Program Files\Nmap>nmap Your_Lab_Partner’s_IP_Address

Ans:

7. Get the “version” (i.e., “service banner”) information for the applications running on the various open ports. Note: this “-sV” scan may take 30 seconds or more to complete.

C:\Program Files\Nmap>nmap -sV Your_Lab_Partner’s_IP_Address

Ans:

8. Run a ping scan (using the “-sP” switch) on a small subnet and paste the output below. Now you get to see WHY you need to know CIDR/slash notation! We also use CIDR notation in firewall ACLs so that we can allow or block traffic from or to certain subnets. More information: http://www.insecure.org/nmap/man/man-target-specification.html


C:\Program Files\Nmap>nmap -sP Your_IP_Address/28

Show the results here:

How many IP addresses did you scan using the command above? ______

How many of them responded based on your results? ______

9. Run a TCP connect scan using “normal” timing (i.e., a short wait between successive probes) and paste the output below. You can replace “normal” with “paranoid” or “sneaky” to sometimes evade an IDS, but those scans might take HOURS to finish. See the “Nmap Cheat Sheet” (especially the Timing section) at the end of this document for more information.

C:\Program Files\Nmap>nmap -sT -T normal Your_Lab_Partner’s_IP_Address

Ans:

*** NOTE: The UDP scan should finish in about 1-2 minutes, while OS fingerprinting might take up to 20 minutes on Windows (Nmap on Linux/Unix is more powerful and runs faster than the Windows version, because Microsoft intentionally crippled raw sockets in WinXP SP2). If you are feeling impatient, just hit ENTER in the DOS command prompt window while Nmap is running and you should get a scanning progress report.

10. Now try a UDP scan (using the “-sU” switch). What does Nmap tell you?

C:\Program Files\Nmap>nmap -sU -T normal Your_Lab_Partner’s_IP_Address

Ans:

11. Now try to nmap your own machine. What does Nmap tell you?

C:\Program Files\Nmap>nmap localhost

Ans:
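To compare the output pasted into the answers above against an earlier scan of the same host, a small parser helps. The following Python code is an added example (not part of the handout or of Nmap) that reads the port table from Nmap’s normal text output in the layout Nmap 4.20 prints (a PORT/STATE/SERVICE table with an optional VERSION column from -sV) and reports which open ports appeared or disappeared between two scans. The two listings inside the block are constructed samples in that layout, not real results; a UDP line with state open|filtered is included because that is how -sU reports a port that sent nothing back.

```python
"""Added example: parse Nmap's normal text output and diff two scans.

Only the port table is read: lines of the form
    <port>/<proto>  <state>  <service>  [<version ...>]
as Nmap 4.20 prints them (the VERSION column appears with -sV).
Both listings below are constructed samples in that layout, not real results.
"""
import re

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")

BASELINE_SCAN = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2010-09-20 14:02 Eastern Daylight Time
Interesting ports on 192.168.1.10:
Not shown: 1695 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http

Nmap finished: 1 IP address (1 host up) scanned in 1.875 seconds
"""

CURRENT_SCAN = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2010-10-04 14:10 Eastern Daylight Time
Interesting ports on 192.168.1.10:
Not shown: 1693 closed ports
PORT    STATE         SERVICE      VERSION
22/tcp  open          ssh          OpenSSH 4.7p1
80/tcp  open          http         Apache httpd 2.2.8
445/tcp open          microsoft-ds
53/udp  open|filtered domain

Nmap finished: 1 IP address (1 host up) scanned in 41.203 seconds
"""


def parse_nmap_output(text):
    """Return {(port, proto): {"state", "service", "version"}} for each port line."""
    ports = {}
    for line in text.splitlines():
        match = PORT_LINE.match(line.strip())
        if not match:
            continue                       # header, summary or blank line: skip
        port, proto, state, service, version = match.groups()
        ports[(int(port), proto)] = {
            "state": state,                # may be "open|filtered" for UDP
            "service": service,
            "version": version or "",      # empty unless -sV was used
        }
    return ports


def open_ports(text):
    """Ports reported as definitely open, sorted by number."""
    return sorted(key for key, info in parse_nmap_output(text).items()
                  if info["state"] == "open")


def diff_scans(baseline_text, current_text):
    """Open ports that appeared or vanished between a baseline and a new scan."""
    before = set(open_ports(baseline_text))
    after = set(open_ports(current_text))
    return {"newly_open": sorted(after - before),
            "newly_closed": sorted(before - after)}


if __name__ == "__main__":
    changes = diff_scans(BASELINE_SCAN, CURRENT_SCAN)
    for port, proto in changes["newly_open"]:
        print(f"new open port: {port}/{proto}")
    for port, proto in changes["newly_closed"]:
        print(f"port no longer open: {port}/{proto}")
```

Only ports in state open count toward the diff; open|filtered is deliberately left out because, as the UDP section explains, silence from a UDP port cannot distinguish a listening service from a firewall dropping the probe.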

[Exercise III: More on Subnetting]

Do this exercise as a homework assignment if you cannot finish it in class.

1. In the classful IP addressing scheme, which class does 222.13.122.0 fall into?

ANS: Class ______.

2. What is the network prefix when the subnet mask is 255.255.255.0 and the IP address is 64.222.144.2?

ANS: ______

3. Based on the CIDR addressing scheme, answer the following questions. Please also explain the steps you took to obtain your answers.

3.1 A subnet is 128.12.0.17/29. What is the maximum number of unique host addresses this subnet can assign?

ANS: ______

3.2 With a subnet mask 255.255.240.0, what is the CIDR for the subnet with an address 210.240.10.0?

ANS: ______

3.3 What is the subnet mask for 125.124.0.12/21?

ANS: ______
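A worked way to do the calculations asked for in Exercise I (addresses per subnet, CIDR form) and in Exercise III (class, network prefix, host count, mask to prefix length and back): the Python functions below are an added example, not part of the handout, and use constructed addresses that are deliberately different from the ones in the questions. They do the bit arithmetic explicitly instead of calling Python’s ipaddress module so that each step of the method is visible.

```python
"""Added example: IPv4 subnet arithmetic done explicitly, bit by bit.

The sample addresses below are constructed for illustration and are
deliberately different from the ones in the exercises.
"""


def ip_to_int(ip):
    """'192.168.1.1' -> 3232235777 (the 32-bit value of the address)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask):
    """'255.255.255.0' -> 24: count the leading one bits of the mask.

    A valid mask is a run of ones followed by a run of zeros; anything
    else (e.g. 255.0.255.0) is rejected.
    """
    bits = f"{ip_to_int(mask):032b}"
    leading_ones = bits.rstrip("0")
    if "0" in leading_ones:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return len(leading_ones)


def prefix_to_mask(prefix):
    """24 -> '255.255.255.0': set the top `prefix` bits of a 32-bit word."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    host_bits = 32 - prefix
    return int_to_ip(0xFFFFFFFF ^ ((1 << host_bits) - 1))


def address_count(prefix):
    """Total addresses in a /prefix block: 2 to the power of the host bits."""
    return 1 << (32 - prefix)


def usable_hosts(prefix):
    """Assignable host addresses under the classic rule that the first
    (network) and last (broadcast) address of a block are not assigned.
    /31 and /32 have no room for that rule and return 0 here."""
    total = address_count(prefix)
    return total - 2 if total > 2 else 0


def network_prefix(ip, mask):
    """AND the address with the mask and append the prefix length:
    ('172.16.5.9', '255.255.252.0') -> '172.16.4.0/22'."""
    prefix = mask_to_prefix(mask)
    network = ip_to_int(ip) & ip_to_int(mask)
    return f"{int_to_ip(network)}/{prefix}"


def classful_class(ip):
    """Classful address class from the first octet's leading bits:
    0xxx -> A, 10xx -> B, 110x -> C, 1110 -> D, 1111 -> E."""
    first = ip_to_int(ip) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def describe(ip, mask):
    """Collect every quantity the exercises ask for, for one address/mask pair."""
    prefix = mask_to_prefix(mask)
    return {
        "class": classful_class(ip),
        "cidr": network_prefix(ip, mask),
        "mask": prefix_to_mask(prefix),
        "addresses": address_count(prefix),
        "usable_hosts": usable_hosts(prefix),
    }


if __name__ == "__main__":
    for ip, mask in (("192.168.1.1", "255.255.255.0"),
                     ("172.16.5.9", "255.255.252.0"),
                     ("10.20.30.40", "255.255.255.252")):
        print(ip, mask, describe(ip, mask))
```

The same functions answer the question in Exercise II step 8: address_count of the prefix you used in the -sP command is the number of addresses the scan covered, and the difference between that and the hosts that answered is what a blocked-ICMP policy hides.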

Comments: Write down your comments on this lab below (this part will also be graded).

Ans:

PS1: Do NOT “nmap” any hosts or networks that will get you into trouble (e.g., the three-letter agencies, including CIA, NSA, FBI, DOD, DOE, etc). Use it with caution!!! People can and will really track you down. It’s best to practice Nmap in your home network. For example, if your wired/wireless router at home is using the standard private class C network (e.g., 192.168.*.*), you can usually get some good results by doing the following scan:

> nmap -sP 192.168.1.1/24

PS2: A couple of web pages of interest on Nmap’s website:
1. Nmap’s homepage at http://www.insecure.org/ is a gold mine for security professionals

2. Nmap’s man pages are available at http://www.insecure.org/nmap/man/

3. Nmap’s author maintains a list of the Top 100 Security Tools (http://sectools.org/). Check it out!

PS3: Nmap Cheat Sheet from Secguru.com is attached below for those who do systems and/or network security for a living. Please pay special attention to all the Timing flags, as well as the selective Scan Options listed in this document. Enjoy!

NMAP Cheat Sheet

nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>

Scan Options

-sT (TcpConnect) -sS (SYN scan) -sF (Fin Scan)
-sX (Xmas Scan) -sN (Null Scan) -sP (Ping Scan)
-sU (UDP scans) -sO (Protocol Scan) -sI (Idle Scan)
-sA (Ack Scan) -sW (Window Scan) -sR (RPC scan)
-sL (List/Dns Scan) -sV (service Version info)

Ping detection

-P0 (don’t ping) -PT (TCP ping) -PS (SYN ping)

-PI (ICMP ping) -PP (ICMP Timestamp) -PM (ICMP netmask)

-PB (=PT+PI)

Output format

-oN(ormal) -oX(ml) -oG(repable) -oA(ll)

Timing

-T Paranoid – serial scan & 300 sec wait
-T Sneaky – serialize scans & 15 sec wait
-T Polite – serialize scans & 0.4 sec wait
-T Normal – parallel scan
-T Aggressive – parallel scan & 300 sec timeout & 1.25 sec/probe
-T Insane – parallel scan & 75 sec timeout & 0.3 sec/probe
--host_timeout --max_rtt_timeout (default 9000) --min_rtt_timeout --initial_rtt_timeout (default 6000) --max_parallelism --scan_delay (between probes)

--resume (scan) --append_output
-iL <targets_filename> -p <port ranges>
-F (Fast scan mode) -D <decoy1[,decoy2][,ME]>
-S <SRC_IP_Address> -e <interface>
-g <portnumber> --data_length <number>

--randomize_hosts -O (OS fingerprinting) -I (Ident scan)
-f (fragmentation) -v (verbose) -h (help)
-n (no reverse lookup) -R (do reverse lookup)
-r (don’t randomize port scan) -b <ftp relay host> (FTP bounce)
