horse

shell.canterbury.lug.net.nz

Tutorial on portscanning for security testing

Portscanning is the process of connecting to ports on a remote machine to find out which ports are open, that is, which ports have a running process bound to them.

Many standard ports exist - look in /etc/services on any unix box for the list, but any good geek knows that 80 is http, 443 is https, 22 is ssh, 23 is telnet, 53 is DNS...

Let's start with an example - here's a scan of my work IP from horse. I'm using the open source scanner nmap, which is available in any distro as well as for other OSs.

horse:~> nmap www.avonside.school.nz

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-10-05 09:45 NZDT
Interesting ports on smtp.avonside.school.nz (202.0.37.196):
(The 1634 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   filtered domain
80/tcp   open     http
111/tcp  filtered rpcbind
113/tcp  open     auth
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn

Nmap run completed -- 1 IP address (1 host up) scanned in 189.501 seconds

This shows that the IP 202.0.37.196 is listening on ports 22, 25, 80, and 113, and that something is happening on ports 53, 111, and 137-9. To say the same thing another way, for each open port there is a program running which accepts connections on that port.

I know that the ports listed as filtered are in state "drop", which means that any connection attempt to them is simply ignored. nmap is smart enough to know that it wasn't "deny", because a deny sends a "buggeroff" response back to the originator.
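To show what nmap's three states look like from the point of view of a plain TCP connect, here is an added example (not code from the tutorial or from nmap): a minimal connect-scan that maps the outcome of connect() onto open, closed and filtered, and that spins up its own listener on 127.0.0.1 so it can be run offline against a port you know is open. The host, ports and timeout are assumptions for the demo; the mapping in classify() is the general rule.

```python
import socket

# The three states nmap reports for a TCP port, and how a plain connect()
# experiences each of them.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def classify(outcome) -> str:
    """Translate the result of one connect() attempt into nmap's vocabulary.

    None (connect succeeded)  -> open:     a process accept()ed the SYN
    ConnectionRefusedError    -> closed:   the host answered with a RST
    socket.timeout            -> filtered: nothing came back, the SYN was dropped
    Anything else (no route, DNS failure) is not a port state and is re-raised.

    Caveat: connect() also reports ECONNREFUSED when a firewall REJECTs with
    an ICMP port-unreachable, so a "deny" rule shows here as closed, whereas
    nmap lists ICMP unreachables as filtered.
    """
    if outcome is None:
        return OPEN
    if isinstance(outcome, ConnectionRefusedError):
        return CLOSED
    if isinstance(outcome, (socket.timeout, TimeoutError)):
        return FILTERED
    raise outcome


def probe(host: str, port: int, timeout: float = 2.0):
    """One TCP connect attempt; returns None on success, the OSError otherwise."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:
        return exc


def scan(host: str, ports, timeout: float = 2.0) -> dict:
    """Connect-scan each port in `ports` and report its state, nmap-style."""
    return {port: classify(probe(host, port, timeout)) for port in ports}


if __name__ == "__main__":
    # Stand-alone demo: open a listener on an ephemeral loopback port (open),
    # and pick a second ephemeral port that nothing is bound to (closed).
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    for port, state in scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"{port}/tcp\t{state}")
    listener.close()
```

A filtered result cannot be produced on loopback (nothing drops packets there), which is why the demo only shows open and closed; classify() still handles the timeout case for real scans of hosts you are allowed to test.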

To make a distinction between port and application - it is quite possible to run an unexpected application on a port. For example, apache can be configured to listen on port 81 rather than the standard port 80. nmap can also probe for the application version, as shown below. Note the -p parameter, which restricts the test to port 80.

horse:~> nmap www.avonside.school.nz -A -p 80

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-10-05 09:49 NZDT
Interesting ports on smtp.avonside.school.nz (202.0.37.196):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.31 ((Debian GNU/Linux) PHP/4.3.8-12 mod_ssl/2.8.19 OpenSSL/0.9.7d)

Nmap run completed -- 1 IP address (1 host up) scanned in 6.249 seconds

What to do if something strange is running?

Let's say that your nmap scan has returned something like this:

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-10 22:33 NZST
Interesting ports on dodgybox (192.168.55.55):
(The 1643 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   open     smtp
80/tcp   open     http
110/tcp  open     pop3
111/tcp  open     rpcbind
143/tcp  open     imap
957/tcp  open     unknown
993/tcp  open     imaps
995/tcp  open     pop3s
3306/tcp open     mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 1.752 seconds

It's up to the system admin to know what should and shouldn't be running on the host. Thus the root user on dodgybox should know whether it's supposed to be running a mail server or a web server.

Dodgybox is listening on the ports listed above, but some of these should not be open on the internet-facing IP: specifically ports 111, 957, and 3306, and any of the other ports that don't have to be open.
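Checking a scan against what the admin expects is a job worth automating. The following is an added example, not code from the tutorial: it parses nmap's PORT/STATE/SERVICE rows (the dodgybox scan quoted above is embedded as the sample) and reports every open port that is not on an allow list. The allow list DODGYBOX_ALLOWED is an assumption, modelled on the tutorial's statement that dodgybox is meant to be a mail and web server.

```python
import re
from dataclasses import dataclass

# One "PORT STATE SERVICE" row of nmap's normal output, e.g. "957/tcp open unknown".
PORT_ROW = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap(output: str) -> list:
    """Pull the port rows out of an nmap run; banner and summary lines are ignored."""
    entries = []
    for line in output.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            entries.append(PortEntry(int(m["port"]), m["proto"], m["state"], m["service"]))
    return entries


def unexpected_open(entries, allowed) -> list:
    """Open ports that the admin did not put on the allow list for this host."""
    return [e for e in entries if e.state == "open" and e.port not in allowed]


def report(output: str, allowed) -> list:
    """Port numbers that are open but unexpected, in scan order."""
    return [e.port for e in unexpected_open(parse_nmap(output), allowed)]


# The dodgybox scan quoted in the tutorial, used here as sample input.
DODGYBOX_SCAN = """\
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-10 22:33 NZST
Interesting ports on dodgybox (192.168.55.55):
(The 1643 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   open     smtp
80/tcp   open     http
110/tcp  open     pop3
111/tcp  open     rpcbind
143/tcp  open     imap
957/tcp  open     unknown
993/tcp  open     imaps
995/tcp  open     pop3s
3306/tcp open     mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 1.752 seconds
"""

# Assumption: dodgybox is an internet-facing mail and web server, so only ssh,
# smtp, http and the mail-retrieval ports belong on its public IP.
DODGYBOX_ALLOWED = {22, 25, 80, 110, 143, 993, 995}


if __name__ == "__main__":
    for e in unexpected_open(parse_nmap(DODGYBOX_SCAN), DODGYBOX_ALLOWED):
        print(f"unexpected: {e.port}/{e.proto} ({e.service})")
```

Run against the sample it flags 111 (rpcbind), 957 (unknown) and 3306 (mysql), the same three the tutorial singles out; feed it the output of a scan of your own host and a per-host allow list to turn the admin's "should this be running?" into a repeatable check.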

Now the root user on that machine should look into what's running on those ports, using the fuser command.

dodgybox:~# fuser -n tcp 957
957/tcp:         441  7215

fuser returns a list of the PIDs (process IDs) of the processes which are bound to the given port. So let's find out what application is running with those PIDs:

dodgybox:~# ps auxw | egrep "441|7215"
root       441  0.0  0.8  2784  412 ?        S    Feb04  37:42 /usr/sbin/sshd
root      7215  0.0  2.0  6344  960 ?        S    08:53   0:00 /usr/sbin/sshd
root      7429  0.0  0.9  1336  432 pts/2    S    10:27   0:00 egrep 441|7215

As you can see, this machine is running two sshd processes on port 957. You could also have used nmap's -A option to get similar info from outside the machine.
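What fuser does under the hood on Linux is read the kernel's socket table and match socket inodes against every process's file descriptors. The following is an added example, not code from the tutorial or from fuser: it reproduces the port-to-PID lookup by reading /proc/net/tcp and /proc/net/tcp6 for LISTEN sockets on the given port and then walking /proc/<pid>/fd, and prints the command line for each PID much like the ps step above. It assumes a Linux /proc; processes owned by other users are only visible when run as root.

```python
import os
import socket
from pathlib import Path

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp and /proc/net/tcp6


def listening_inodes(port: int) -> set:
    """Socket inodes of every TCP listener bound to `port` (IPv4 and IPv6)."""
    inodes = set()
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            rows = Path(table).read_text().splitlines()[1:]  # skip the header row
        except FileNotFoundError:
            continue
        for row in rows:
            f = row.split()
            # f[1] is local address as hex "ADDR:PORT", f[3] the state, f[9] the inode
            local_port = int(f[1].rsplit(":", 1)[1], 16)
            if f[3] == LISTEN and local_port == port:
                inodes.add(f[9])
    return inodes


def pids_for_inodes(inodes: set) -> set:
    """Walk /proc/<pid>/fd looking for socket:[inode] links, as fuser does."""
    pids = set()
    if not inodes:
        return pids
    for entry in os.scandir("/proc"):
        if not entry.name.isdigit():
            continue
        try:
            for fd in os.scandir(entry.path + "/fd"):
                target = os.readlink(fd.path)
                if target.startswith("socket:[") and target[8:-1] in inodes:
                    pids.add(int(entry.name))
        except OSError:
            continue  # process went away, or its fd table is not ours to read
    return pids


def listening_pids(port: int) -> set:
    """PIDs holding a LISTEN socket on `port`, i.e. what `fuser -n tcp PORT` prints."""
    return pids_for_inodes(listening_inodes(port))


def command_line(pid: int) -> str:
    """The process's argv, for the `ps` step of the tutorial."""
    try:
        raw = Path(f"/proc/{pid}/cmdline").read_bytes()
        return raw.replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    # Stand-alone demo: listen on an ephemeral loopback port, then look ourselves up.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    for pid in sorted(listening_pids(port)):
        print(f"{port}/tcp: {pid} {command_line(pid)}")
    srv.close()
```

The same inode-matching idea is what lets you catch a listener that has no entry in /etc/services (like the "unknown" on 957): the socket table names the port, the fd walk names the process, and cmdline names the binary.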

horse:~# nmap dodgybox -A -p 957

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-10-05 10:28 NZDT
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.4p1 (protocol 1.99)

Device type: general purpose
Running: Linux 2.0.X
OS details: Linux 2.0.0 - 2.0.35
Uptime 943.693 days (since Wed Feb  4 17:51:40 2002)

Nmap run completed -- 1 IP address (1 host up) scanned in 43.103 seconds

Nasty

nmap can be used for all sorts of probes and nasty stuff. Search Google for more information, but remember that from horse you may only scan hosts that you either control or have direct permission from the owner to scan. We won't tolerate horse being used to scan random machines for fun or profit.


Other Useful Stuff

Other commands can be useful too - the tcpdump command in particular rewards careful reading of the man page. I use tcpdump to confirm whether or not something is actually happening.

For example - I'm testing a firewall's NAT function, to see if it forwards requests to an internal IP. In this case I'll use a webserver running on port 80.

  1. Get a connection to the webserver, and to horse.
  2. On the webserver, run
       tcpdump host shell.canterbury.lug.net.nz
  3. From horse, try telnet shell.canterbury.lug.net.nz 80
     Once connected, press enter twice.
  4. Your tcpdump session should come alive with data like this:
       socks:/junk# tcpdump host shell.canterbury.lug.net.nz and port 80
       tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
       listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
       10:28:54.430768 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: S 3652490072:3652490072(0) win 5840
       10:28:54.430803 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: S 2581313709:2581313709(0) ack 3652490073 win 5792
       10:28:54.537012 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: . ack 1 win 46
       10:29:00.131058 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: P 1:18(17) ack 1 win 46
       10:29:00.131083 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: . ack 18 win 46
       10:29:04.690005 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: P 18:20(2) ack 1 win 46
       10:29:04.690028 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: . ack 20 win 46
       10:29:04.770649 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: P 1:519(518) ack 20 win 46
       10:29:04.771160 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: F 519:519(0) ack 20 win 46
       10:29:04.894743 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: . ack 519 win 54
       10:29:04.897996 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: F 20:20(0) ack 520 win 54
       10:29:04.898030 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: . ack 21 win 46

       12 packets captured
       18 packets received by filter
       0 packets dropped by kernel
     Now at the moment the trace shows criggie.dyndns.org rather than shell.canterbury.lug.net.nz because of the way the shellbox is ghettohosted.
  5. This trace shows that a connection was made from port 1674 on horse to port 80 on socks.

man tcpdump for more information.
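Reading a trace by eye works for twelve packets; for a longer capture it helps to have the question "did a connection actually get made, and did any data flow?" answered by code. The following is an added example, not code from the tutorial or from tcpdump: it parses tcpdump's default TCP summary lines (the trace from step 4 above is embedded as the sample), reports every client/server pair whose SYN, SYN-ACK and final ACK all appear, and totals the payload bytes each side pushed. The line format assumed is tcpdump's classic one-line TCP output as shown in the trace.

```python
import re
from dataclasses import dataclass

# One line of tcpdump's default TCP summary, e.g.
# "10:28:54.430768 IP a.example.1674 > b.example.www: S 3652490072:3652490072(0) win 5840"
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)\s*(?P<rest>.*)$"
)
# "1:18(17)" -> 17 payload bytes in this segment
PAYLOAD = re.compile(r"\d+:\d+\((?P<length>\d+)\)")


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    dst: str
    flags: str
    ack: bool
    payload: int


def parse_trace(text: str) -> list:
    """Parse the TCP lines of a tcpdump session; banner and summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        p = PAYLOAD.search(rest)
        packets.append(Packet(m["ts"], m["src"], m["dst"], m["flags"],
                              "ack" in rest.split(), int(p["length"]) if p else 0))
    return packets


def completed_handshakes(packets) -> list:
    """(client, server) pairs whose SYN, SYN-ACK and final ACK all appear, in order seen."""
    syn, synack, done = set(), set(), []
    for p in packets:
        pair, back = (p.src, p.dst), (p.dst, p.src)
        if "S" in p.flags and not p.ack:
            syn.add(pair)                      # client -> server: SYN
        elif "S" in p.flags and p.ack and back in syn:
            synack.add(back)                   # server -> client: SYN-ACK
        elif p.flags == "." and p.ack and pair in synack and pair not in done:
            done.append(pair)                  # client -> server: ACK, connection is up
    return done


def bytes_sent(packets) -> dict:
    """Payload bytes each endpoint pushed, to tell a bare handshake from real traffic."""
    totals = {}
    for p in packets:
        totals[p.src] = totals.get(p.src, 0) + p.payload
    return totals


# The trace from step 4 of the tutorial, used here as sample input.
TRACE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:28:54.430768 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: S 3652490072:3652490072(0) win 5840
10:28:54.430803 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: S 2581313709:2581313709(0) ack 3652490073 win 5792
10:28:54.537012 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: . ack 1 win 46
10:29:00.131058 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: P 1:18(17) ack 1 win 46
10:29:00.131083 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: . ack 18 win 46
10:29:04.690005 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: P 18:20(2) ack 1 win 46
10:29:04.690028 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: . ack 20 win 46
10:29:04.770649 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: P 1:519(518) ack 20 win 46
10:29:04.771160 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: F 519:519(0) ack 20 win 46
10:29:04.894743 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: . ack 519 win 54
10:29:04.897996 IP criggie.dyndns.org.1674 > socks.avonside.school.nz.www: F 20:20(0) ack 520 win 54
10:29:04.898030 IP socks.avonside.school.nz.www > criggie.dyndns.org.1674: . ack 21 win 46

12 packets captured
18 packets received by filter
0 packets dropped by kernel
"""


if __name__ == "__main__":
    pk = parse_trace(TRACE)
    for client, server in completed_handshakes(pk):
        print(f"connection established: {client} -> {server}")
    for endpoint, n in bytes_sent(pk).items():
        print(f"{endpoint} sent {n} payload bytes")
```

On the sample this confirms one established connection from criggie.dyndns.org.1674 to socks.avonside.school.nz.www, with 19 bytes sent by the telnet side (the two presses of enter and what went with them) and 518 bytes of reply from the webserver; a NAT rule that forwards the SYN but not the reply would show up here as a SYN with no completed handshake.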