Active Stack Fingerprinting

The OS fingerprinting refer to any method used to determine what operating system is running on a remote computer. OS fingerprinting is an essential part of network reconnaissance, because the attacker has a greater possibility of succeeding in this attack if he can formulate his attack strategy based on operating system specific vulnerability.
Remote OS fingerprinting is carried out by noting the way the remote system responds to specifically crafted TCP packets. These can range from examining the default TCP window size in a packet, to measuring the amount of data in ICMP packets, and even gauging TCP initial sequence numbers. Similar to port scanning, there are several method to successfully fingerprint an OS. Querying the services running on a target machine is often the simplest way for OS fingerprinting.
Active stack fingerprint is based on the principle that an operating system's IP stack has its own unique way of responding to specially crafted TCP packets. This is due to the different interpretation that vendor abide with while implementing the TCP/IP stack on the particular OS. In active fingerprinting, a variety of malformed packets are sent to the remote host, and the responses compared to a database.
In Nmap, active stack fingerprint is done through eight tests:
  1. A TCP packet with the SYN and ECN -Echo flags enabled is sent to an open TCP port.
  2. A TCP packet with no flags enabled is sent to an open TCP port.
  3. A TCP packet with the URG, PSH, SYN and FIN flags enabled is sent to an open TCP port.
  4. A TCP packet with the ACK flag enabled is sent to an open TCP port.
  5. A TCP packet with the SYN flag enabled is sent to a closed TCP port.
  6. A TCP packet with the ACK flag enabled is sent to a closed TCP port.
  7. A TCP packet with the URG, PSH and FIN flag enabled is sent to a closed TCP port.
  8. A UDP packet is sent to a closed UDP port. The objective is to extract an ICMP port unreachable message back from the target machine.
One more test that Nmap performs is names TSeq for TCP sequenceability test. The test tries to determine the sequence generation patterns of the TCP initial sequence number also known as TCP ISN sampling , the IP identification numbers also known as IPID sampling and the TCP timestamp numbers. The test is performed by sending six TCP packets with the SYN flag enabled to an open TCP port. The objective is to find partterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request. THese can be categorized into many groups such as traditional 64K (many old UNIX), Random increment (newer version of Solaris, IRIX, FreeBSD, Digital Unix, Cray etc), True "random" (Linux 2.0.*, OpenVMS, newer AIX etc). Windows boxes use a "time dependent" model where the ISN is incremented by a fixed amount each time period.
Most operating system increment a system-wide IPID value for each packet they send. Others such as OpenBSD, use a random IPID and some system (like Linux) use an IPID of 0 in many cases where the "Don't Fragment" bit is not set. Windows does not put the IPID in network byte order, so it increments by 256 for each packet. Another number that can be sequenced for OS detection purposes is the TCP timestamp option values. Some system do not support the feature; others increment the value at frequencies of 2HZ, 100HZ or 1000HZ and still other return 0.


Port Scanning Tools (4) : Nmap

NMap or Network Mapper, written by Fyodor, is considered the best port scanning tool available currently. Nmap is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single host. Nmap uses raw IP packets in innovative ways to determine what host available on the network, what service (port) they are offering, what operating system (and OS version) they are running, what type of packet filters /firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL. Can be downloaded from http://nmap.org/
NMap does the remote OS detection in detail on Active Stack Fingerprinting.
Nmap support several way to spoof scan. One way is to give a different source IP. If you are on a broadcast Ethernet segment it is possible to specify a non-existent IP address and to sniff the network for the packets being sent as reply to the address.
Another way of keeping the identity obscure is to use the decoy option. Scans are spoofed as originating from decoy machine. The real scan from the user's machine is interspersed in-between. This is a slow scan and obscurity gets better with more number of decoys. The idea here is to confuse the target host's administrator regarding the real scan. The host used as decoys should be up or the scan might accidentally SYN flood the target.
The ident scan option can be used only if the target has the port 113/auth open. It only works with TCP connect scan. This will reveal the owner of the daemon which is listening on the port if the site is running identd. This scan requires the complete TCP three way handshake and will be registered on the target.
The fragmentation option allows the user to fragment the packet into small IP fragments. This makes it harder for packet filters to detect the scan unless they queue up all IP fragments (which are rare). However sometimes this can cause unexpected behavior in the target system.


Port Scanning Tools (3) : SuperScan

SuperScan is a powerful connect-based TCP port scanner, pinger and hostname resolver. Released by Foundstone . SuperScan 4 can be downloaded from http://www.foundstone.com/us/resources/proddesc/superscan4.htm
The visual interface allows the attacker to view response from connected hosts. The built in editor allows manipulation of port list and port descriptions. The advantage is that certain ports can be skipped as the ping results can be analyzed before hand to make the scan faster. The tool can be used to connect to any discovered open port using user-specified "helper" applications and then assign a custom helper application to any port. The attacker can also choose to save the scan list to a text file for future reference. The scan can be done slowly as well by controlling the transmission speed.
On the windows platform, SuperScan does a very good job of swiftly looking for open ports. However, it does not give additional information such as if the port is close, open, or filtered. Nmap is the better scanner for more detailed information, or when the attacker wants to use more advanced scanning techniques.

Port Scanning Tools (2) : NetScanTools

NetScanTools consist of many network function. Most of functions are designed to run in separate thread so several tabs can be used simultaneously. The communication is primarily based on TCP/IP protocol at the Winsock level. NetScanTools does not rely on remote agents to gather information. Instead, it use active probing and passive listening for gathering information.
Active probing means that NetScanTools initiate packet of information called datagram and listens for response to those packets. The response are normally formatted into specific response which are on a level above that of the transport level, such as a TCP or UDP. An excample would be a name server response containing the IP address of a host.
NetScanTools Pro has a scanner tab called Port Prober. Port Prober is an essential tool in determining the services or daemons running on a target machine. This prober is multithreaded, configurable and it allows running four different types of probing patterns. The user can build lists of target IP addresses and list of ports to probe, specifying timeout and the protocol to connect with. Besides, any data that is received from the target port upon connection is saved for viewing. The results are presented in a treeview and are colorcoded with different types of images for easy location of information at a glance.
The type of port connection supported are:
  • TCP Full Connection. This mode take full connection to the target, it is the most accurate way to determine TCP services, but it is also easily detected by IDS.
  • UDP ICMP Port Unreachable Connect. This mode sends a short UDP packet to the target's UDP ports and looks for an ICMP Port Unreachable message in return. The absence of the message imply either the port is used or the target does not return the ICMP message which can lead to false postive. This mode is easily recognized by IDS.
  • TCP Full/UDP ICMP Combined. This mode combine the previous two modes into one operation.
  • TCP SYN Half Open. For Windows XP/2000 only. This mode sends out a SYN packet to the target port and listens for the appropriate response. Open ports respond with SYN|ACK and closed ports respond ACK|RST or RST. This mode is less likely to be noted by IDS, but since the connection is never fully completed, it cannot gather data or banner information. However, the attacker has full control over TTL, Source Port, MTU, Sequence number and Window parameters in the SYN packet.
  • TCP Other. Windows XP/2000 only. This mode sends out a TCP packet with any combination of the SYN, FIN, ACK, RST, PSH, URG flags set to the target port and listens for the response. The attacker can have full control over TTL, Source Port, MTU, Sequence number and Window parameters in the custom TCP packet. Each operating system response differently to these special combination. The tool includes presets for XMAS, NULL, FIN and ACK flag setting.
Type of probe patterns are:
  • Sequential Probe. This method scan a linear set of ports as defined by the start/end port numbers over a linear set of IP addresses as defined by the IP address range settings
  • Probe Port List. This mode probes only the ports listed in the Port List. This mode probes either a signle host or a range of IP addresses based on the selection made in the Probe Single Host/Probe IP Rage radio button group. It probes each host sequentially, that is the first, then the second etc., using the list of port numbers show in the Port List.
  • Sequential Port Probe Using the Target List. This mode probes every port using the Starting through ending port range on every computer in the target list.
  • Probe a List of Ports on a List of Targets. This mode is the most stealthy mode and uses the least amount of CPU time and bandwidth because scanning is restricted to only the target ports on the target machines.


Port Scanning Tools (1) : ipEye, IPSecScan

ipEye is a command-line driven port scanner written by Arne Vidstrom. It is a lightweight powerful tool, but only Windows-based. It can be downloaded from http://www.ntsecurity.nu/toolbox/ipeye/

Usage for ipEye is:

ipEye -p [optional parameters]

where scantype can take value of: -syn = SCAN scan, -fin = FIN scan, -null = NULL scan, -xmas = Xmas scan

IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for system that are IPSec enabled. It can be downloaded from http://www.ntsecurity.nu/toolbox/ipsecscan/
IPSec is show for IP security. It is a set of protocol developed by the IETF to support secure exchange of packets at the IP layer.
IPSec = AH + ESP + IPcomp + IKE
  • Authentication Header (AH) provides authenticity guarantee for packets, by attaching strong crypto checksum to packets. If a packet is received with AH and the checksum operation is successful, it indicates that the packet was originated by the expected peer (the packet was not generated by impersonator) and that the packet was not modified in transit. Unlike other protocols, AH covers the whole packet, from the IP header to the end of the packet.
  • Encapsulating Security Payload (ESP) provides confidentiality guarantee for packets, by encrypting packets with encryption algorithms. If a packet is received with ESP and successfully decrypted, it indicates that the packet was not known by third party other than the sender and receiver.
  • ESP provide encryption service to the packets. However, encryption tends to give negative impact to compression on the wire (such as ppp compression). IP Compression (IPcomp) provides a way to compress packet before encryption by ESP.
  • AH and ESP need to share secret key between peers. To negotiation keys in secrecy, Internet Key Exchange (IKE) make this possible.
IPSec has been deployed widely in VPN. IPSec support two encryption modes: Transport and Tunnel.
Transport mode encrypts only the data portion (payload) of each packet, but leaves the header unchanged. The more secure Tunnel mode encrypt both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.
For IPSec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Managment Protocol/Oakley (ISAKMP/Oakley), which allow the receiver to obtain a public key and authenticate the sender using digital certificates.
Security of IPSec protocols rely on the secrecy of secret keys. If secret keys are compromised, IPSec protocols is no longer be secure.
Reference for reader: Old IPSec suite - RFC1825, New IPSec suite - RFC2401.


Port Scanning Techniques

Port numbers are 16-bit unsigned numbers and can be broadly classified into three categories. Port 0-1023 is "well known ports", 1024 - 49151 are "registered ports" and 49152 - 65535 is "dynamic or private ports".
One problem with port scanning is that it is effortlessly logged by the services listening at the scanned ports. This is because they detect an incoming connection, but do not receive any data, thereby generating an application error log.
To scan UDP ports, an empty UDP datagram is sent to the port. If the port is listening, the services will send back an error message or ignore the incoming datagram. If the port is closed, the operating system send back "ICMP Port Unreachable" (Type 3) message.
Port scanning can be broadly classified into:
  • Open scan
  • Half-open scan
  • Stealth scan
  • Sweeps
  • Misc
How does an attacker decide to use which scan? It depends on the information gathering during reconnaissance regarding the type of network topology, IDS and other logging feature present on the system.

Open Scan

Open scan / TCP connect scan also known as vanilla scan where a full connection is opened to the target system by a three-way TCP/IP handshake. Therefore, it is easiest to be detected and blocked on the network. However the information gathering using open scan is usually the most.
When the port is open, the client sends a SYN flag, the server replies a SYN+ACK flag, which is acknowledged back with an ACK flag by client. Once the handshaking is completed, the connection is terminated by the client. This confirm an open port.
When the port is closed or "not listening" the server response a RST+ACK flag, which is acknowledged back with an RST flag by client, and then the connection is closed.
The disadvantage of this scan technique is that the attacker cannot spoof his identity as spoofing would require sending a correct sequence number as well as setting the appropriate return flags to setup data connection. Moreover, most stately IDS and firewall detect and log this scan, exposing both the attempt and the attacker's IP. The advantage is fast accurate scan that require no additional privilege.

Half-Open Scan

In half-open scan, a complete TCP connection is not established. Instead as soon as the server acknowledge with a SYN+ACK response, the client tears down the connection by sending RST flag. This way, the attacker detect an open port and not establish full connection.

However, some sophisticated IDS and firewall can detect a SYN packet from the void and prevent such scan. Besides, this scan require attacker to make a customer IP packet which in turn requires access to SOCK_RAW (getprotbyname('raw') under most system) or /dev/bpf (Berkeley packet filter), /dev/nit (Sun network interface tap). This requires priviliege access.

Stealth Scan

Initially half open scans were considered stealth, however as IDS software evolved, these scan were easily logged. Now, stealth scan refers to the type of scan where packets are flagged with a particular set of flags other than SYN, or a combination of flags, no flag set, with all flag set, appearing as normal traffic, using fragmented packet or avoiding filtering devices by any other means. All these techniques resort to inverse mapping to determine open ports.
  • SYN|ACK Scan
    Client sends a SYN+ACK flag to the target. For a closed port, server will reply a RST response while an open port will not reply. This is because the TCP protocol requires a SYN flag to initiate the connection. This scan may generate certain amount of false positives. For instance, packets dropped by filtering devices, network traffic, timeouts etc can give a wrong inference of an open port while the port may or may not be open. However this is a fast scan that avoid three-way handshake.

  • FIN Scan
    Similar to SNY|ACK scan, instead a FIN flag is sent to the target. The closed ports are required to reply to the probe packet with RST, while open ports must ignore the packet in question (see RFC 793 pp 64). This scan attempt to exploit vulnerabilities in BSD code. Since most OS are based on BSD or derived from BSD, this was a scan that can return good result. However, most OS applied patches to correct the problem, still there remains a possibility that the attacker may come across one where these patches have not be applied.

  • ACK Scan
    This scan was first described by Uriel Maimon in this article "TCP Port Stealth Scanning". The scan take advantage of the IP routing function to deduce the state of the port from the TTL value. This is based on the fact that IP function is a routing function. Therefore TTL value will be decremented by on by an interface when the IP packet passes through it.

  • NULL Scan
    In NULL scan, the packet is sent without any flag set. This takes advantage of RFC 793 as the RFC does not specify how the system should respond. Most UNIX and UNIX related system respond with a RST (if the port is open) to close the connection. However, Microsoft's implementation does not abide with this standard and reacts differently to such scan. An attacker can use this to differentiate between a Windows machine and others by collaborating with other scan results. For example, if -sF, -sX or -sN scan shows all ports are closed, but a SYN (-sS) scan shows ports are opened, the attacker can infer that he is scanning a windows machine. This is not an exclusive property though, as this behavior is also shown by Cisco, BSDI, HP/UX, MVS and IRIX. Also note that the reserved bits (RES1, RES2) do not affect the result of any scan. Therefore this scan will work only with UNIX and related systems.

  • Xmas Scan
    In Xmas scan, all flags are set. All the available flags in the TCP header are set (ACK, FIN, RST, SYN, URG, PSH) to give the scan an ornamental look. This scan will work on UNIX and related systems and cause the kernel to drop the packet if the receiving port is open.

  • TCP Fragmenting
    This approach is evolved from the need to avoid false positive arising from other scans due to packet filtering device. For any transmission, a minimally allowable fragmented TCP header must contain a destination and source port for the first packet (8 octet, 64 bit), the initialized flags in the next, which allows the remote host to reassemble the packet upon receipt through an internet protocol module that identifies the fragmented packets by the field equivalent values of source, destination, protocol and identification.
    The scan works by splitting the TCP header into small fragments and transmitting it over the network. However, there is a possibility that IP reassembly on the server-side may result in unpredictable and abnormal results - such as fragmentation of the data in the IP header. Some hosts may be incapable of parsing and reassembling the fragmented packets and thus may cause crashes, reboots or even network device monitoring dumps.
    Some firewalls may have rulesets that block IP fragmentation queues in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel) - though this is not widely implemented due to the adverse affect on performance. Since several intrusion detection systems use signature-based mechanisms to signify scanning attempts based on IP and/or the TCP header, fragmentation is often able to evade this type of packet filtering and detection. There is a high possibility of causing network problems on the target network.

This scan is discussed in previous post "Ping Sweep".

  • FTP bounce
    This scan takes advantage of the FTP servers with read/write access. The advantage of this scan can be both anonymity and accessibility. Suppose the target network allows FTP data transfer from only its recognized partners. An attacker might discover a service business partner who has a FTP service running with a world-writable directory that any anonymous user can drop files into and read them back from. It could even be the ISP hosting services on its FTP server. The attacker, who has a FTP server and able to run in passive mode, logs in anonymously to the legitimate server and issues instructions for scanning or accessing the target server through a series of FTP commands. He may choose to make this into a batch file and execute it from the legitimate server to avoid detection.
    If a connection is established as a means of active data transfer processing (DTP), the client knows a port is open, with a 150 and 226 response issued by the server. If the transfer fails a 425 error will be generated with a refused build data message. The PASV listener connection can be opened on any machine that grants a file write access to the attacker and used to bounce the scan attack for anonymity. It does not even have to be an FTP server, any utility that will listen on a known TCP port and read raw data from it into a file will do.
    Often these scan are executed as batch files padded with junk so that the TCP windows are full and the connection stay alive long enough for the attacker to execute this commands. Fingerprinting the OS scan help determine the TCP window size and allow the attacker to pad this commands for further access accordingly.
    This scan is hard to trace, permits access to local network and evades firewalls. However, most FTP servers have patched this vulnerability by adopting countermeasures such as preventing third party connection and disallowing listing of restricted ports. Another measure adopted has been restrict write access.
  • UDP scan
    The disadvantage to the attacker is that UDP is a connectionless protocol and unlike TCP does not retransmit packet if they are lost or dropped on the network. Moreover, it is easily detected and unreliable (false positive). Linux kernel limit ICMP error message rates with destination unreachable set to 80 per 4 seconds, thereafter implmenting a 1/4 second penalty if the count is exceeded. This makes the scan slow and moreover the scan requires root access. However it avoids TCP based IDS and can scan non-TCP ports.
Ethical Hacker and Scanning Tools
The most important is knowledge itself. The result of a scanner can be misleading if the ethical hacker does not have good knowledge of common vulnerabilities. Relying solely on the scanning tool to all threats is not practical as the author of the vulnerability check may have written it incorrectly. It is also likely that it was created in a controlled environment and might not work as well in the open.
Besides, performing exhaustive scan against the system in a large enterprise is usually not feasible due to network constraints, stability of the backbone and scanned systems. Another view point is that scanner does not have an internal view of the host audited and can miss critical misconfiguration that result in an insecure setup, but appear "secure" from the outside with automation.


Discover Services Running on Target

Once an attacker detect open ports, he will attempt to discover the nature of the services running on the ports. This give him indication of any vulnerability that can be exploited to gain access to the target. Also an attacker will try to discover details of the operating system running on the target. The category of tools used for this are port scanners. While IDS or firewall can check port scanning to a great extent - if properly configured.
The popular type of firewall deployment are the application proxies and the packet filtering gateways. The possible vulnerability in any firewall is mis-configuration.
Scanning and banner grabbing allow attacker to take advantage of this identification. They may even be able to identify the version, type and maybe even certain rules.
To understand port scanning better, it is essential to understand how TCP connection is established between two systems as most scanners take advantage of this "three-way handshake".
  1. SYN sent from Client
  2. SYN/ACK sent from Server
  3. ACK sent from Client
Once the three-way handshake has been completed, there is bi-directional communication over the connection. TCP supports packet re-ordering, repeat transmission of lost packet, acknowledges packet arrival and flow control, which is important for message based application.
The three-way handshake synchronize the connection and use sequence and acknowledgment number to indicate data transmission and reception. The TCP flag control the flow of the session and it is technically what a part scanner take advantage of. These flag can be used to collect port information.
Port numbers unlike IP numbers are not unique - though, they are unique to the system. They form the communication end points between systems. While the client use arbitrarily assigned port numbers, the server uses fixed port numbers to facilitate communication. Readers are encouraged to read RFC 1700 to familiarize themselves with assigned port number. In UNIX, there is file /etc/services and on Windows, there is file %windir%\system32\drivers\etc\services show the mapping of service to the assigned port number. An attacker getting access to this file to get entire communication mapping of the system.