Security of a network

INTRODUCTION

Security of a network is completely dependent on the policies undertaken by the network administrator and upon continuously monitoring them. The most common terms we hear every time we come across the word security are Network Security and Information Security.

Network Security broadly speaks about furnishing the boundaries of the organization by restricting the intruders usually Hackers. This is usually handled with the help of Network Scanning techniques.

Information Security is all about protecting the data from different kinds of spyware and malware applications and human errors resulting in loss of data. These are usually handled by the Data Loss Prevention techniques.

Now we discuss in detail about the Network Scanning Techniques rather than Data Loss Prevention techniques.

NETWORK SCANNING TOOLS

The Network scanning tools are usually used to execute mass automated scanning of IP ranges to discover vulnerabilities in the network.

The two most common open source network scanners are :

• NMAP
• NESSUS – It is a vulnerability assessment package that performs several automated tests against the target network.

We will only be discussing about the Nmap scanning tool any further.

NMAP:

Nmap is also called as network mapper which is an open source tool for exploring the network.

Some of tasks that Nmap can handle

• Network Inventory.
• Managing the Service Upgrade schedule.
• Monitoring the host.

Nmap uses raw IP packets in a refreshing manner to ascertain which hosts are on the network including the services and Operating Systems they are running

Nmap can also determine the packet filters that are in use by the hosts and several other what type of packet filters/firewalls are in use and several other characteristics.

It is majorly used by organizations that have a large networks and this is why it has been designed. Nmap is a really fast technique to scan the entire network.

Nmap is highly compatible with several operating systems in both CLUI and GUI.

PHASES OF NMAP:

The Nmap scan procedure has several phases wherein every phase ends initiating the next phase. The phases of Nmap scan are as follows:

• Target Enumeration
• Host Discovery
• Reverse DNS Resolution
• Port Scanning
• Version Detection
• OS Detection
• Trace Route
• Script Scanning
• Output

PORT SCANNING USING NMAP

BASICS:

Using Nmap for the purpose of port scanning is the most efficient way of scanning the ports.

A mere command nmap can scan more than 1660 TCP ports on the target.

Nmap classified the ports into six different states which are not intrinsic properties of the port but depict how the nmap considers them.

So, the six states of the ports classified by Nmap are:

1. Open – An application is actively taking connections of TCP, datagrams of UDP and associations of SCTP is considered to be an open port. The elementary goal of port scanning is to find the open ports. Hackers find the open ports as boulevard for the attack. They also try to exploit the open ports while the administrators try to close it
2. Closed – A port that is accessible but none of the applications are listening to it. It is useful for host discovery.
3. Filtered – Nmap cannot ascertain whether the port is open because of the packet filtering.
4. Unfiltered – This means the port is accessible but nmap is unable to ascertain whether the port is closed or open. Scanning these ports with other scan types can resolve the problem.
5. Open/Filtered – This means Nmap is unable to determine whether the port is open or filtered. This occurs when the open ports give no response. A UDP, IP, FIN, NULL and Xmas scan can resolve these ports.
6. Closed/Filtered – This means the port is in a state where nmap is unable to ascertain whether the port is closed or filtered. It can be used for IP ID scan.

PORT SCANNING TECHNIQUES OF NMAP

There are several port scanning techniques of nmap wherein only one technique must be used at a time except a few.

Not all scan types are available for all the users. Users with the administrator privileges can use all the scan types.

Types of port scanning techniques using nmap :

• TCP SYN scan ( -sS)
• TCP connect scan ( -sT)
• UDP scan ( -sU)
• SCTP INIT scan ( -sY)
• TCP NULL scan ( -sN)
• TCP FIN scan ( -sF)
• TCP Xmas scan ( -sX)
• TCP Window scan ( -sW)
• Custom TCP scan ( — scanflags)
• SCTP COOKIE ECHO scan ( -sZ)
• Idle scan ( -sI)
• IP protocol scan ( -sO)
• FTP Bounce scan ( -b)
• TCP ACK scan ( -sA)
• TCP Maimon scan ( -sM)

NMAP TCP ACK SCAN

TCP ACK SCAN (-sA):

As we already discussed that certain scan techniques are available for privileged users only this is technique is one of them.

TCP ACK Scan required administrator privileges and the name itself defines that it can identify TCP ports but not UDP port

ACK scan is the unique scan of Nmap. It will never locate an open port. It only provides a filtered or unfiltered tendency because it never connects to an application to affirm that the state of the port is open.

It portrays the power of a packet to cut through the firewalls.

PURPOSE OF ACK SCAN:

Though the ACK scan doesn’t distinguish the open port it does a virtuoso job in identifying the ports that are filtered by a packet filter. The list of the filtered and unfiltered port numbers is quite useful especially to gain information on the detailed scan that focuses on specific numbers.

ACK SCAN OPERATION:

It operates by sending a TCP ACK frame to a remote port. If there is no reply or a message saying that ICMP destination unreachable is returned then the port is said to be in Filtered state.

ADVANTAGES:

As the ACK scan doesn’t open any of the application sessions, the conversation between nmap and the remote device is comparatively mere.

This kind of scan where a single port is primarily scanned is unnoticeable and nearly invisible when combined with the other traffic.

DISADVANTAGES:

The major disadvantage of Nmap’s ACK scan is can never identify an open port as it never tries to connect to a remote device.

The above is an example i have used 188.220.88.44 as the target and 188.220.88.44 is the loopback address which means that the scan is performed on the same system where nmap is run.

NMAP TCP MAIMON SCAN

TCP Maimon scan was released prior to the nmap. Uriel Maimon depicted this technique in phrack magazine in the issue #49 which was published in the year 1996.

A few weeks later Nmap was released and included the maimon technique.

In order to understand the TCP Maimon scan it is important to understand three other scan types such as NULL, FIN and Xmas Scans.

These three scan types exploit an elusive loophole in the TCP RFC to differentiate between open and closed ports.

If the destination port state is closed an incoming segment not containing a RST causes a RST to be sent in response.

When scanning systems compliant with the RFC text, any packet not containing SYN, RST or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open.

As long as none of these three bits are included, any combination of the other three ( FIN, PSH and URG) are OK

All of these three scan types are exactly the same in behavior except for the TCP flags set in probe packets.

If a RST packet is received, the port is considered closed, while no reply means it is open/filtered. The port is marked filtered if an ICMp unreachable error is received.

ADVANTAGES:

• They can sneak through certain non stateful firewalls and packet filtering routers.
• Their scan types are stealthier when compared to SYN scan.

DISADVANTAGES

• Not all the systems follow RFC793 to the letter.
• They can’t differentiate open ports from certain filtered ports.

TCP MAIMON SCAN:

The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 which was published in 1996. Nmap, which included this technique, was released two issues later.

This technique is simply the same TCP NULL, TCP FIN, and TCP Xmas scans, except that the probe is FIN/ACK.

According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open.

The above is an example i have used 188.220.88.44 as the target and 188.220.88.44 is the loopback address which means that the scan is performed on the same system where nmap is run.

DIFFERENCE BETWEEN MAIMON AND ACK SCAN:

A Maimon scan is generally based on the TCP packets with FIN and ACK flags enabled whereas an ACK scan is entirely based on TCP packets with only ACK flag enabled.