Prevent Network Hacking with Port Scanners
A port scanner helps you prevent hacks by showing you what is on your network: it scans the network to see which hosts are alive and what services they are running. Port scanners provide a basic view of how the network is laid out. They can help identify unauthorized hosts or applications, as well as network host configuration errors, that can cause serious security vulnerabilities.
The trick to assessing your overall network security is interpreting the results you get from a port scan. You can get false positives on open ports, and you might have to dig deeper. For example, User Datagram Protocol (UDP) scans are less reliable than Transmission Control Protocol (TCP) scans and often produce false positives because many applications don’t know how to respond to random incoming UDP requests.
A feature-rich scanner such as QualysGuard often can identify ports and see what’s running in one step.
An important tenet to remember is that you need to scan more than just the important hosts. Also, perform the same tests with different utilities to see whether you get different results. If your results don’t match after you run the tests using different tools, you might want to explore the issue further.
If possible, you should scan all 65,534 TCP ports on each network host that your scanner finds. If you find questionable ports, look for documentation that the application is known and authorized. It’s not a bad idea to scan all 65,534 UDP ports as well.
A ping sweep of all your network subnets and hosts is a good way to find out which hosts are alive and kicking on the network. A ping sweep is when you ping a range of addresses using Internet Control Message Protocol (ICMP) packets.
Dozens of Nmap command line options exist, which can be overwhelming when you want only a basic scan. Nonetheless, you can enter nmap on the command line to see all the options available.
The following command line options can be used for an Nmap ping sweep:
-sP tells Nmap to perform a ping scan.
-n tells Nmap not to perform name resolution.
-T 4 tells Nmap to perform an aggressive (faster) scan.
192.168.1.1-254 tells Nmap to scan the entire 192.168.1.x subnet.
Using port scanning tools
Most port scanners operate in three steps:
The port scanner sends TCP SYN requests to the host or range of hosts you set it to scan.
Some port scanners perform ping sweeps to determine which hosts are available before starting the TCP port scans.
The port scanner waits for replies from the available hosts.
The port scanner probes these available hosts for up to 65,534 possible TCP and UDP ports — based on which ports you tell it to scan — to see which ones have available services on them.
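The three steps above, as an added example (not code from the original page or from any scanner it names): a minimal TCP connect scanner in Python that completes the handshake on each probed port and classifies the reply as open, closed (immediate refusal) or filtered (no answer before the timeout, typically a firewall dropping the packet). The listener helper and the 127.0.0.1 target are constructed so that the example runs offline against your own machine; the function names are assumptions of this example.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def start_local_listener(host="127.0.0.1"):
    """Constructed stand-in for a live service: bind a TCP listener on an
    OS-assigned port and return (socket, port) so the scanner has a target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_local_port(host="127.0.0.1"):
    """Return a port number with nothing listening on it (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_tcp_port(host, port, timeout=0.5):
    """Full TCP connect probe (what Nmap calls a Connect scan).

    Returns "open" when the three-way handshake completes, "closed" when the
    host answers with an immediate refusal (RST), and "filtered" when nothing
    comes back before the timeout, which usually means a firewall dropped the
    SYN silently.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout / TimeoutError
        return "filtered"
    finally:
        s.close()


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Probe every port in `ports` concurrently; return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_tcp_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(host, ports, timeout=0.5):
    """Sorted list of the ports on `host` that completed the handshake."""
    return sorted(p for p, st in scan_ports(host, ports, timeout).items() if st == "open")


if __name__ == "__main__":
    srv, live = start_local_listener()
    targets = [live, free_local_port(), free_local_port()]
    for port, state in sorted(scan_ports("127.0.0.1", targets).items()):
        print(f"127.0.0.1:{port} {state}")
    srv.close()
```

Because this scanner finishes the handshake, every probe shows up in the target's connection logs, which is exactly why the text lists the Connect scan as a way to check whether your firewalls and IPSs record such activity. A "filtered" result is the state that most often needs a second look with a different tool, as the text advises, since a dropped packet and a slow host look the same from here.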
The port scans provide the following information about the live hosts on your network:
Hosts that are active and reachable through the network
Network addresses of the hosts found
Services or applications that the hosts may be running
After performing a generic sweep of the network, you can dig deeper into specific hosts you find.
After you have a general idea of what hosts are available and what ports are open, you can perform fancier scans to verify that the ports are actually open and not returning a false positive. Nmap allows you to run the following additional scans:
Connect: This basic TCP scan looks for any open TCP ports on the host. You can use this scan to see what’s running and determine whether intrusion prevention systems (IPSs), firewalls, or other logging devices log the connections.
UDP scan: This basic UDP scan looks for any open UDP ports on the host. You can use this scan to see what’s running and determine whether IPSs, firewalls, or other logging devices log the connections.
SYN Stealth: This scan creates a half-open TCP connection with the host (it sends the SYN but never completes the handshake), possibly evading IPSs and logging. This is a good scan for testing IPSs, firewalls, and other logging devices.
FIN Stealth, Xmas Tree, and Null: These scans let you mix things up by sending strangely formed packets to your network hosts so you can see how they respond. These scans change around the flags in the TCP headers of each packet, which allows you to test how each host handles them to point out weak TCP/IP implementations as well as patches that might need to be applied.
These malformed-packet scans can turn into a DoS attack of your own making and potentially crash applications or entire systems. Unfortunately, if you have a host with a weak TCP/IP stack, there is no good way to prevent your scan from having that effect. To reduce the chance of this, use slower Nmap timing options when running your scans.
If you’re a command line fan, you see the command line parameters displayed in the lower-left corner of the NMapWin screen. This helps when you know what you want to do and the command line help isn’t enough.
NetScanTools Pro is a very nice all-in-one commercial tool for gathering general network information, such as the number of unique IP addresses, NetBIOS names, and MAC addresses. It also has a neat feature that allows you to fingerprint the operating systems of various hosts.
Countermeasures against ping sweeping and port scanning
Enable only the traffic you need to access internal hosts — preferably as far as possible from the hosts you’re trying to protect — and deny everything else. This goes for standard ports, such as TCP 80 for HTTP and ICMP for ping requests.
Configure firewalls to look for potentially malicious behavior over time and have rules in place to cut off attacks if a certain threshold is reached, such as 10 port scans in one minute or 100 consecutive ping (ICMP) requests.
Most firewalls and IPSs can detect such scanning and cut it off in real time.
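The threshold rule described above, worked through as an added example (not code from the original page or from any firewall product): a small detector that reads firewall-style log lines and flags a source that touches 10 or more distinct ports within a 60-second window, or sends 100 consecutive ICMP requests. The log line format, the sample addresses and the function names are constructed assumptions of this example; events from a given source are assumed to arrive in time order, as they would from a single firewall's log.

```python
import re
from collections import defaultdict, deque

# Assumed log shape (constructed for this example): "<epoch> <proto> <src> -> <dst>[:<dport>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"
    r"(?::(?P<dport>\d+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": int(d["ts"]),
        "proto": d["proto"],
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def detect_scans(lines, port_threshold=10, icmp_threshold=100, window=60):
    """Return {src: set of alert kinds} for sources that cross either threshold.

    port_scan : at least `port_threshold` distinct destination ports from one
                source within `window` seconds (sliding window per source).
    icmp_flood: at least `icmp_threshold` ICMP events in a row from one source,
                the run resetting when that source sends anything else.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dport) inside the window
    icmp_run = defaultdict(int)   # src -> length of the current consecutive ICMP run
    alerts = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["proto"] == "ICMP":
            icmp_run[src] += 1
            if icmp_run[src] >= icmp_threshold:
                alerts[src].add("icmp_flood")
            continue
        icmp_run[src] = 0
        q = recent[src]
        q.append((ts, ev["dport"]))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= port_threshold:
            alerts[src].add("port_scan")
    return dict(alerts)


def constructed_log():
    """Constructed sample traffic: one scanner, one ordinary client, one slow
    probe that stays under the rate, and one ICMP flood."""
    lines = []
    for i in range(12):   # 10.0.0.5 probes 12 different ports in 22 seconds
        lines.append(f"{1000 + i * 2} TCP 10.0.0.5 -> 10.0.0.20:{20 + i}")
    for i, port in enumerate((80, 443, 22)):   # 10.0.0.7 uses three services
        lines.append(f"{1000 + i * 5} TCP 10.0.0.7 -> 10.0.0.20:{port}")
    for i in range(10):   # 10.0.0.8 touches 10 ports, but only one every two minutes
        lines.append(f"{1000 + i * 120} TCP 10.0.0.8 -> 10.0.0.20:{1000 + i}")
    for i in range(100):  # 10.0.0.9 sends 100 echo requests back to back
        lines.append(f"{2000 + i} ICMP 10.0.0.9 -> 10.0.0.20")
    return lines


if __name__ == "__main__":
    for src, kinds in sorted(detect_scans(constructed_log()).items()):
        print(src, ", ".join(sorted(kinds)))
```

The slow probe from 10.0.0.8 shows the limit of a purely rate-based rule: a scan paced at one port every two minutes never has 10 ports inside the window, which is the same reason the text recommends that you slow your own scans to avoid tripping a weak host, and why a firewall rule of this kind should be paired with longer-term review of which sources touch many ports at all.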