Common Network Attack Strategies: Network Scanning
Network scanning is a useful tool for administrators to conduct internal audits; it's also useful for a network attack. Network scanning enables you to identify the systems on your network, the services they may be offering — and the services with known vulnerabilities or systems that the IT staff thought were removed from the network years ago.
One of the most common general-purpose network scanners is Nmap, or network map, with its Windows-based front end Zenmap. From the attack perspective, this tool is part of most attackers' information-gathering arsenal. With a list of systems, operating systems, and running services, an attacker can pick the weakest members of your network herd.
As an internal auditing tool, use Zenmap to verify the IP addresses in use on a network. Given a network ID and a few seconds, Zenmap can provide you with a list of used IP addresses, the matching MAC addresses, the DNS names for those systems, the open ports on those systems, and even the OS type for the hosts it has found.
The following output is an example of the type of information you can see from a Zenmap or Nmap scan of a system. The scan discovered the following:
This is an Ubuntu Linux computer.
This machine shares files out to Windows-based computers.
This machine hosts a website.
This machine is running VMware Server.
This host supports SSH and VNC as remote access methods.
This host is running a mail server and an FTP server.
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-15 02:01 Atlantic Daylight Time
NSE: Loaded 36 scripts for scanning.
Initiating ARP Ping Scan at 02:01
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 02:01, 0.30s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:01
Completed Parallel DNS resolution of 1 host. at 02:01, 0.00s elapsed
Initiating SYN Stealth Scan at 02:01
Scanning 192.168.1.5 [1000 ports]
Discovered open port 445/tcp on 192.168.1.5
Discovered open port 111/tcp on 192.168.1.5
Discovered open port 5900/tcp on 192.168.1.5
Discovered open port 53/tcp on 192.168.1.5
Discovered open port 21/tcp on 192.168.1.5
Discovered open port 80/tcp on 192.168.1.5
Discovered open port 22/tcp on 192.168.1.5
Discovered open port 25/tcp on 192.168.1.5
Discovered open port 443/tcp on 192.168.1.5
Discovered open port 139/tcp on 192.168.1.5
Discovered open port 8222/tcp on 192.168.1.5
Discovered open port 902/tcp on 192.168.1.5
Discovered open port 8009/tcp on 192.168.1.5
Discovered open port 8333/tcp on 192.168.1.5
Discovered open port 1984/tcp on 192.168.1.5
Discovered open port 2049/tcp on 192.168.1.5
Completed SYN Stealth Scan at 02:01, 1.53s elapsed (1000 total ports)
Initiating Service scan at 02:01
Scanning 16 services on 192.168.1.5
Completed Service scan at 02:03, 116.14s elapsed (16 services on 1 host)
Initiating RPCGrind Scan against 192.168.1.5 at 02:03
Completed RPCGrind Scan against 192.168.1.5 at 02:03, 0.03s elapsed (2 ports)
Initiating OS detection (try #1) against 192.168.1.5
NSE: Script scanning 192.168.1.5.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:03
Completed NSE at 02:03, 25.06s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.1.5
Host is up (0.0014s latency).
Not shown: 984 closed ports
PORT     STATE SERVICE         VERSION
21/tcp   open  ftp             vsftpd 2.2.2
22/tcp   open  ssh             OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
| ssh-hostkey: 1024 5b:6d:35:57:65:42:7f:8a:73:7e:00:e3:89:f9:15:bf (DSA)
|_2048 4d:6e:be:c4:3b:0c:55:f5:46:dd:b8:05:05:1c:94:ea (RSA)
25/tcp   open  smtp            Exim smtpd 4.71
| smtp-commands: EHLO linux Hello isc-l0065.local [192.168.1.137], SIZE 52428800, PIPELINING, HELP
|_HELP Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
53/tcp   open  tcpwrapped
80/tcp   open  http            Apache httpd 2.2.14 ((Ubuntu))
|_html-title: Ed's Web Page Test Zone
111/tcp  open  rpcbind         2 (rpc #100000)
| rpcinfo:
|   100000  2        111/udp  rpcbind
|   100003  2,3,4   2049/udp  nfs
|   100005  1,2,3  43439/udp  mountd
|   100021  1,3,4  52866/udp  nlockmgr
|   100024  1      57570/udp  status
|   100000  2        111/tcp  rpcbind
|   100003  2,3,4   2049/tcp  nfs
|   100024  1      35177/tcp  status
|   100005  1,2,3  41859/tcp  mountd
|_  100021  1,3,4  41980/tcp  nlockmgr
139/tcp  open  netbios-ssn     Samba smbd 3.X (workgroup: NET)
443/tcp  open  ssl/http        Apache httpd 2.2.14 ((Ubuntu))
|_html-title: Ed's Web Page Test Zone
445/tcp  open  netbios-ssn     Samba smbd 3.X (workgroup: NET)
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
1984/tcp open  bigbrother?
2049/tcp open  nfs             2-4 (rpc #100003)
5900/tcp open  vnc             VNC (protocol 3.7)
8009/tcp open  ajp13           Apache Jserv (Protocol v1.3)
8222/tcp open  http            VMware Server 2 http config
|_html-title: VMware Server 2
8333/tcp open  ssl/http        VMware Server 2 http config
|_html-title: VMware Server 2
MAC Address: 00:22:15:BA:93:1C (Asustek Computer)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31
Uptime guess: 11.438 days (since Sun Apr 03 15:32:20 2011)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=203 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: linux; OSs: Unix, Linux

Host script results:
| nbstat:
|   NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|   Names
|     LINUX<00>                     Flags: <unique><active>
|     LINUX<03>                     Flags: <unique><active>
|     LINUX<20>                     Flags: <unique><active>
|     \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|     EDTETZ.NET<1d>                Flags: <unique><active>
|     EDTETZ.NET<1e>                Flags: <group><active>
|_    EDTETZ.NET<00>                Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Unix (Samba 3.4.7)
|   Name: Unknown\Unknown
|_  System time: 2011-04-15 01:59:48 UTC-3

HOP RTT     ADDRESS
1   1.41 ms 192.168.1.5

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.66 seconds
           Raw packets sent: 1021 (45.684KB) | Rcvd: 1016 (41.416KB)
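As an added example that is not part of the original text, the following Python script turns a report like the one above into the check an internal audit actually needs: it parses Nmap's normal output and diffs each host's open TCP ports against an expected baseline, so that forgotten or unsanctioned services stand out. The scan excerpt and the baseline are constructed for the example.

```python
import re

# Constructed sample: a short excerpt in the same layout as Nmap's normal output above.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.5
Host is up (0.0014s latency).
Not shown: 984 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.2.2
22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
| ssh-hostkey: 1024 5b:6d:35:57:65:42:7f:8a:73:7e:00:e3:89:f9:15:bf (DSA)
53/tcp   open  tcpwrapped
80/tcp   open  http        Apache httpd 2.2.14 ((Ubuntu))
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: NET)
5900/tcp open  vnc         VNC (protocol 3.7)
8222/tcp open  http        VMware Server 2 http config
"""
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

def parse_scan(text):
    """Map each scanned host to its (port, proto, state, service, version) rows."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:                      # a new "Nmap scan report for ..." block starts
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_LINE.match(line)  # NSE script lines start with "|" and are skipped
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version.strip()))
    return hosts

def audit(hosts, baseline):
    """Diff open TCP ports per host against an expected baseline {host: {port, ...}}.
    'unexpected' ports need a justification or a firewall rule; 'missing' ones
    may mean a sanctioned service died or moved."""
    report = {}
    for host, rows in hosts.items():
        open_tcp = {p for p, proto, state, _, _ in rows if proto == "tcp" and state == "open"}
        expected = set(baseline.get(host, ()))
        report[host] = {"unexpected": sorted(open_tcp - expected),
                        "missing": sorted(expected - open_tcp)}
    return report

if __name__ == "__main__":
    # Constructed baseline: only SSH, HTTP, HTTPS and SMB are sanctioned on this host.
    print(audit(parse_scan(SAMPLE_SCAN), {"192.168.1.5": {22, 80, 443, 445}}))
```

Run against `nmap -oN` output for a whole subnet, the same diff flags hosts that appear in the scan but not in the baseline at all, since their entire port list is reported as unexpected.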
What does this information allow an attacker to do? It gives an attacker a fairly complete list of the services offered by this network device, and if he wants to find a way onto the network, he can examine that list for a service that is known to be weak and use it as a path to gain access to the system.
For example, if an attacker has found a Windows computer telling him that TCP port 3389 is available, he can run Remote Desktop Connection (mstsc.exe) to connect to that computer and try a number of common passwords for the Administrator account, or he can run some tools or exploit some known weaknesses in the Windows OS.