Port Scanning Techniques

Port numbers are 16-bit unsigned numbers and can be broadly classified into three categories. Port 0-1023 is "well known ports", 1024 - 49151 are "registered ports" and 49152 - 65535 is "dynamic or private ports".
One problem with port scanning is that it is effortlessly logged by the services listening at the scanned ports. This is because they detect an incoming connection, but do not receive any data, thereby generating an application error log.
To scan UDP ports, an empty UDP datagram is sent to the port. If the port is listening, the services will send back an error message or ignore the incoming datagram. If the port is closed, the operating system send back "ICMP Port Unreachable" (Type 3) message.
Port scanning can be broadly classified into:

• Open scan
  
• Half-open scan
  
• Stealth scan
  
• Sweeps
  
• Misc

How does an attacker decide to use which scan? It depends on the information gathering during reconnaissance regarding the type of network topology, IDS and other logging feature present on the system.

Open Scan

Open scan / TCP connect scan also known as vanilla scan where a full connection is opened to the target system by a three-way TCP/IP handshake. Therefore, it is easiest to be detected and blocked on the network. However the information gathering using open scan is usually the most.
When the port is open, the client sends a SYN flag, the server replies a SYN+ACK flag, which is acknowledged back with an ACK flag by client. Once the handshaking is completed, the connection is terminated by the client. This confirm an open port.
When the port is closed or "not listening" the server response a RST+ACK flag, which is acknowledged back with an RST flag by client, and then the connection is closed.
The disadvantage of this scan technique is that the attacker cannot spoof his identity as spoofing would require sending a correct sequence number as well as setting the appropriate return flags to setup data connection. Moreover, most stately IDS and firewall detect and log this scan, exposing both the attempt and the attacker's IP. The advantage is fast accurate scan that require no additional privilege.

Half-Open Scan

In half-open scan, a complete TCP connection is not established. Instead as soon as the server acknowledge with a SYN+ACK response, the client tears down the connection by sending RST flag. This way, the attacker detect an open port and not establish full connection.

However, some sophisticated IDS and firewall can detect a SYN packet from the void and prevent such scan. Besides, this scan require attacker to make a customer IP packet which in turn requires access to SOCK_RAW (getprotbyname('raw') under most system) or /dev/bpf (Berkeley packet filter), /dev/nit (Sun network interface tap). This requires priviliege access.

Stealth Scan

Initially half open scans were considered stealth, however as IDS software evolved, these scan were easily logged. Now, stealth scan refers to the type of scan where packets are flagged with a particular set of flags other than SYN, or a combination of flags, no flag set, with all flag set, appearing as normal traffic, using fragmented packet or avoiding filtering devices by any other means. All these techniques resort to inverse mapping to determine open ports.

• SYN|ACK Scan
  Client sends a SYN+ACK flag to the target. For a closed port, server will reply a RST response while an open port will not reply. This is because the TCP protocol requires a SYN flag to initiate the connection. This scan may generate certain amount of false positives. For instance, packets dropped by filtering devices, network traffic, timeouts etc can give a wrong inference of an open port while the port may or may not be open. However this is a fast scan that avoid three-way handshake.


• FIN Scan
  Similar to SNY|ACK scan, instead a FIN flag is sent to the target. The closed ports are required to reply to the probe packet with RST, while open ports must ignore the packet in question (see RFC 793 pp 64). This scan attempt to exploit vulnerabilities in BSD code. Since most OS are based on BSD or derived from BSD, this was a scan that can return good result. However, most OS applied patches to correct the problem, still there remains a possibility that the attacker may come across one where these patches have not be applied.
  
  
• ACK Scan
  This scan was first described by Uriel Maimon in this article "TCP Port Stealth Scanning". The scan take advantage of the IP routing function to deduce the state of the port from the TTL value. This is based on the fact that IP function is a routing function. Therefore TTL value will be decremented by on by an interface when the IP packet passes through it.
  
  
• NULL Scan
  In NULL scan, the packet is sent without any flag set. This takes advantage of RFC 793 as the RFC does not specify how the system should respond. Most UNIX and UNIX related system respond with a RST (if the port is open) to close the connection. However, Microsoft's implementation does not abide with this standard and reacts differently to such scan. An attacker can use this to differentiate between a Windows machine and others by collaborating with other scan results. For example, if -sF, -sX or -sN scan shows all ports are closed, but a SYN (-sS) scan shows ports are opened, the attacker can infer that he is scanning a windows machine. This is not an exclusive property though, as this behavior is also shown by Cisco, BSDI, HP/UX, MVS and IRIX. Also note that the reserved bits (RES1, RES2) do not affect the result of any scan. Therefore this scan will work only with UNIX and related systems.
  
  
• Xmas Scan
  In Xmas scan, all flags are set. All the available flags in the TCP header are set (ACK, FIN, RST, SYN, URG, PSH) to give the scan an ornamental look. This scan will work on UNIX and related systems and cause the kernel to drop the packet if the receiving port is open.
  
  
• TCP Fragmenting
  This approach is evolved from the need to avoid false positive arising from other scans due to packet filtering device. For any transmission, a minimally allowable fragmented TCP header must contain a destination and source port for the first packet (8 octet, 64 bit), the initialized flags in the next, which allows the remote host to reassemble the packet upon receipt through an internet protocol module that identifies the fragmented packets by the field equivalent values of source, destination, protocol and identification.
  The scan works by splitting the TCP header into small fragments and transmitting it over the network. However, there is a possibility that IP reassembly on the server-side may result in unpredictable and abnormal results - such as fragmentation of the data in the IP header. Some hosts may be incapable of parsing and reassembling the fragmented packets and thus may cause crashes, reboots or even network device monitoring dumps.
  Some firewalls may have rulesets that block IP fragmentation queues in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel) - though this is not widely implemented due to the adverse affect on performance. Since several intrusion detection systems use signature-based mechanisms to signify scanning attempts based on IP and/or the TCP header, fragmentation is often able to evade this type of packet filtering and detection. There is a high possibility of causing network problems on the target network.

Sweep

This scan is discussed in previous post "Ping Sweep".

Miscellaneous

• FTP bounce
  This scan takes advantage of the FTP servers with read/write access. The advantage of this scan can be both anonymity and accessibility. Suppose the target network allows FTP data transfer from only its recognized partners. An attacker might discover a service business partner who has a FTP service running with a world-writable directory that any anonymous user can drop files into and read them back from. It could even be the ISP hosting services on its FTP server. The attacker, who has a FTP server and able to run in passive mode, logs in anonymously to the legitimate server and issues instructions for scanning or accessing the target server through a series of FTP commands. He may choose to make this into a batch file and execute it from the legitimate server to avoid detection.
  If a connection is established as a means of active data transfer processing (DTP), the client knows a port is open, with a 150 and 226 response issued by the server. If the transfer fails a 425 error will be generated with a refused build data message. The PASV listener connection can be opened on any machine that grants a file write access to the attacker and used to bounce the scan attack for anonymity. It does not even have to be an FTP server, any utility that will listen on a known TCP port and read raw data from it into a file will do.
  Often these scan are executed as batch files padded with junk so that the TCP windows are full and the connection stay alive long enough for the attacker to execute this commands. Fingerprinting the OS scan help determine the TCP window size and allow the attacker to pad this commands for further access accordingly.
  This scan is hard to trace, permits access to local network and evades firewalls. However, most FTP servers have patched this vulnerability by adopting countermeasures such as preventing third party connection and disallowing listing of restricted ports. Another measure adopted has been restrict write access.
• UDP scan
  The disadvantage to the attacker is that UDP is a connectionless protocol and unlike TCP does not retransmit packet if they are lost or dropped on the network. Moreover, it is easily detected and unreliable (false positive). Linux kernel limit ICMP error message rates with destination unreachable set to 80 per 4 seconds, thereafter implmenting a 1/4 second penalty if the count is exceeded. This makes the scan slow and moreover the scan requires root access. However it avoids TCP based IDS and can scan non-TCP ports.

Ethical Hacker and Scanning Tools
The most important is knowledge itself. The result of a scanner can be misleading if the ethical hacker does not have good knowledge of common vulnerabilities. Relying solely on the scanning tool to all threats is not practical as the author of the vulnerability check may have written it incorrectly. It is also likely that it was created in a controlled environment and might not work as well in the open.
Besides, performing exhaustive scan against the system in a large enterprise is usually not feasible due to network constraints, stability of the backbone and scanned systems. Another view point is that scanner does not have an internal view of the host audited and can miss critical misconfiguration that result in an insecure setup, but appear "secure" from the outside with automation.

Discover Services Running on Target

Once an attacker detect open ports, he will attempt to discover the nature of the services running on the ports. This give him indication of any vulnerability that can be exploited to gain access to the target. Also an attacker will try to discover details of the operating system running on the target. The category of tools used for this are port scanners. While IDS or firewall can check port scanning to a great extent - if properly configured.
The popular type of firewall deployment are the application proxies and the packet filtering gateways. The possible vulnerability in any firewall is mis-configuration.
Scanning and banner grabbing allow attacker to take advantage of this identification. They may even be able to identify the version, type and maybe even certain rules.
To understand port scanning better, it is essential to understand how TCP connection is established between two systems as most scanners take advantage of this "three-way handshake".

1. SYN sent from Client
2. SYN/ACK sent from Server
3. ACK sent from Client

Once the three-way handshake has been completed, there is bi-directional communication over the connection. TCP supports packet re-ordering, repeat transmission of lost packet, acknowledges packet arrival and flow control, which is important for message based application.
The three-way handshake synchronize the connection and use sequence and acknowledgment number to indicate data transmission and reception. The TCP flag control the flow of the session and it is technically what a part scanner take advantage of. These flag can be used to collect port information.
Port numbers unlike IP numbers are not unique - though, they are unique to the system. They form the communication end points between systems. While the client use arbitrarily assigned port numbers, the server uses fixed port numbers to facilitate communication. Readers are encouraged to read RFC 1700 to familiarize themselves with assigned port number. In UNIX, there is file /etc/services and on Windows, there is file %windir%\system32\drivers\etc\services show the mapping of service to the assigned port number. An attacker getting access to this file to get entire communication mapping of the system.

Ping Sweep Detection

An intrusion detection system is one way of detecting ping sweep. There are several solution such as snort. Snort is an open source IDS that is resourceful and lightweight.
Snort
Snort can be downloaded from http://www.snort.org. Authored by Martin Roesch.
Snort is a cross-platform, lightweight network intrusion detection tool that can be deployed to monitor small TCP/IP network and capable of detecting a range of suspicious network traffic. Snort features rules based logging to perform content pattern matching and detect a variety of attack and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes etc.
Snort has three primary uses. It can be used as packet sniffer or packet logger. It can also be used as a complete network intrusion detection.
Genius
Genius is efficient in helping user to use several popular Internet protocols. Written by Coda Hale. Can be downloaded under GNU Public license from http://www.indiesoft.com.
BlackICE
BlackICE Defender is not just a firewall, it is also an IDS. In reality, it is a "hybrid" between firewall and IDS. BlackICE Defender combine firewall technology with intrusion detection technology. That means it uses more than one method to protect the system.
Scanlogd
Scanlogd detect port scans and writes one line per scan via syslog(3) mechanism. Written by Solar Designer and Steffen Dettmer.

Ping Sweep

Ping Sweep is to query multiple hosts using ICMP ECHO request. It differs from a single ping in that while as single ping will indicate the availability of one specified host, a ping sweep detects multiple hosts.
There are a number of ping sweep tools for UNIX : gping, nmap; for Windows: Pinger from Rhino9, fping and Ping Sweep from SolarWinds
ICMP does not use ports and hence does not fall under port scanning. Ping sweeps are a small part of network scanning which has to be done before any port scanning.
What is a firewall has blocked ICMP ECHO request? The attacker can still gain information by using ICMP type 13 (TIMESTAMP) and type 17 (Address Mask Requests). Reader interested in learning more can refer to Ofir Arkin's paper on "ICMP Usage in Scanning or Understanding some of the ICMP protocol's Hazards". He also has a tool called Xprobe that use ICMP to scan the network.
WS_Ping ProPack
WS_Ping ProPack implement 32 bit graphic PING client for Windows replacing the old WSPING32. Additional functionalities include: Traceroute, Domain Name Services lookup, Finger, Whois, LDAP, SNMP and SCAN IP.
NetScan Tools
NetScan Tools Pro 2003 has added feature to the standard ping utility such as subnet masking where the tool send an ICMP Address Mask request to the target and reports result. Traceroute and Ping now include graphing capacity which means it show packet verses the response time. The data gathered during a sweepcan be viewed in report form by double clicking on a target. The custom ICMP Generator can generate any ICMP packet type 0-31 including the usual codes.
Hexdump of ping packet can reveal MAC address and IP of the machine. If we can obtain the subnet mask, we can decipher the network address.
hping
hping is a command-line TCP/IP packet assembler/analyzer. It can be downloaded from http://www.hping.org/download.html.
This tool can used for firewall scanning, advanced port scanning, network testing, using different protocol, TOS, fragmentation, man ual path MTU discovery, advanced traceroute, under all the supported protocols, remote OS fingerprinting, remote uptime guessing and TCP/IP stacks auditing.
icmpenum
icampenum not only use ICMP ECHO to probe network, but also ICMP Timestamp, ICMP Information packet as well. It is particular helpful for probing system that failed to block Timestamp or Information packet. It also support trusted addresses.

Detect "Live" Machine on Target System

The first step in mapping a target network will be to find the limits of the network and determine the defense. The attack will look for means of entry by building an inventory of the target network. This will give an indication of any vulnerability that can exploited and how well network perimeters are guarded. The attack will intrude with minimal footprint and lie low to access what measures are being taken by the target system to detect intrusion.
Two types of tool can be used for this purpose - War dialers and Ping utilities.
War Dialer

A war dialer is a tool used to scan a large pool of telephone numbers to detect vulnerable modems to provide access to the target. A more aggressive version might attempt to determine the operating system and a very aggressive version might attempt to perform some automated break-in attempts. A real scanner will attempt to analyze the carrier information, the negotiation and presence of protocols and banners to attempt to analyze the operating system. It will then attempt to use default username/password combination for the system.

• THC Scan - is a free war dialer released by "van Hauser" of the Hacker's Choice (THC), a European hacker/phreaker group. What set THC Scan apart from commercial dialer is the flexibility of its internal configuration. An attacker can use THC Scan with THC Login Hacker to brute force system that have been discovered.
• ToneLoc
• TBA

A demon dialer is tool used to monitor a specific phone number and target its modem to gain access to the system.

Ping

Ping send out an ICMP echo request packet and wait for an ICMP echo reply from an active system. Alternatively, TCP/UDP packets are sent if incoming ICMP messages are blocked. ICMP is for error reporting, gathering network information, flow control and packet rerouting.

• Pinger - is one of the fastest ICMP sweep scanner
• WS_Ping ProPack
• NetScan Tools
• HPing
• icmpenum

From a security point of view, Ping can help deduce if packet are being dropped, duplicated or rehashed. However, it cannot determine exactly where in the network this has occurred or by who or sometimes even why. This functionality is achieved by placing a unique sequence number on each packet transmitted. Ping allows detection of malformed or damaged packets as it performs a checksum on every packet exchanged. Ping helps in accessing network traffic by time stamping each packet. The Round Trip Time (RTT) indicates the time taken for the packet exchanged between the two systems. Ping can be used to echo other ICMP messages that are otherwise not reported by the system software. Readers are encouraged to refer to RFC 792 to understand the ICMP better.
ICMP packets can be used to determine whether a target IP address is alive or not, by simply sending ICMP ECHO (ICMP type 8) packet to the target and waiting for ICMP ECHO reply (ICMP type 0) . If ICMP ECHO reply is received, it means the target is alive. No response could mean one of four scenario: target is down, query was lost in transit, the traffic is being filtered or the system is configured not to repsond.
It is worth noticed that while UNIX and Linux follow the RFC suggestions in their deployment of ping utility, Windows shows a variation. Windows systems keep the ICMP identifier as constant and use the sequence number filed to differentiate between machine in their ping utility. For each ICMP ECHO request the ICMP sequence number is a unique number. The gap between one ICMP sequence number filed value to another is 100 hex/256 decimal.
The implementation of the ping utility in Windows system sees the ICMP datagram field as signed values based on the OS system used. This is in constant with UNIX systems which uses the value of the utility instead. Therefore whenver an ICMP query datagram with an ICMP identifier field value of 256/512/768 isgenerated, it indicates that the underlying operating system is Windows based. This assumes significance as all security are operating system dependent and identifying which operating system runs on the target host can shorten the attack phase.
UNIX and related system set sequence number to 0 on its first query to a host and will increase this number only if sequential queries are sent to the system. In other words, each time the ping command is used, the value 0 will be returned to the first query sent.

Footprinting Tools

There are many tools for footprinting. Following lists out a few popular tools:

• NeoTrace - diagnostic and investigative tool. It traces network path access internet
• VisualRoute - graphical tool that determines where and how traffic is flowing on the route between desired destination and the user trying to access, by providing a geographical map of the route and the performance on each portion of that route.
• SmartWhois - network information utility that allows user to find all the information available about an IP address, host or domain name. (www.tamos.com)
  
• VisualLookout - real time TCP/IP monitor that can help detect intrusions that have crosed the firewall. It is basically an IDS tools
  
• VisualRoute Mail Tracker - part of VisualRoute that can track a spoofed mail or even ordinary mail.
• eMailTrackerPro - analyzes email header and provides the IP address of the machine that sent the email.
  

Locate Network Range

To find the network range, attacker can get more detailed information from the appropriate regional registry database. They can also trace the route between his system and the target system.
There are many traceroute tools and two of the popular tools are NeoTrace and Visual Route. Some other tools are based on POC input of the various ISP/NSP router and thus it is possible that the information shown on these tools may not be entirely correct. It is always a good practice to check more than on registry.
IF the DNS servers are not set up correctly, the attack may be able to obtaining the list of internal machine. And if attacker traceroute to a machine, he can also get internal IP of the gateway which can be of use.
ARIN allows search on the whois database to locate information on network autonomous system numbers (ASNs), network related handles and other related point of contact. ARIN also has a set of additional tools and links to other sites such as RWhois.net.
Up to this moment the information gathering activities are completely passive (with exception of traceroute which can be detected) and undetectable by the target organization. Doing footprinting help administrator know what information lies outside the organization and potential threat it can pose to the organization.

Traceroute
Traceroute works by exploited a feature in Internet Protocol called Time To Live (TTL). TTL is interpreted to indicate the maximum number of routers a packet may transit. Each router handle a packet will decrement TTL count in ICMP header by 1. When the count reach zero, the packet will be discarded and an error message will be transmitted to the originator.
Traceroute send out a packet destined for the target. It sets the TTL to 1. The first router receives the packet, decrement TTL by 1 and if the result is 0, it discards the packet and send a message back to the originator to inform it that the packet is discarded. Traceroute record the IP address and DNS name, if any, of the router, then send out packet with TTL = 2. This packet make it through first router and then is discarded by second router. The second router send a message back to the originator. Traceroute repeatly do this and record the IP address as the packet route through the network to reach the destination, or until the host is unreachable. Traceroute also record the time it took for each packet to travel round trip to each router.

NsLookup

Nslookup is a valuable tool for query DNS information for host name resolution. It is bundled with both UNIX and windows operating systems and can be run at command prompt.
Nslookup allows query DNS other than the default one by type "server" (where is the host name of the server you want to use for future lookups). A zone transfer can be done if the security is lax. Following is an example:
> nslookup Default Server: ntsysa06.corp.root Address: 10.87.122.146
> server 10.2.202.1
Default Server: dns-286-cns-02.corp.com
Address: 10.2.202.1
> set type=any
> ls -d target.com
systemA 1DINA 10.12.133.147
geekL 1DINA 10.12.133.151
Nslookup employs the domain name delegation method when used on the local domain. That means, making query for "systemA.targetcompany.com" failed will go one level up to find "targetcompany.com". To query host outside domain, a fully qualified domain name (FQDN) must be typed.
Nslookup interface at http://www.zoneedit.com/lookup.html provide an interactive mode.
In addition, the attacker can use dig and host command to obtain more information on UNIX system.
The DNS namespaces is divided into zones. For each DNS domain name included in a zone, the zone becomes a storage database for a single DNS domain name and is the authoritative source.
At basic level, an attacker can try to obtain more information by using various Nslookup switch.
At higher level, an attacker can attempt a zone transfer at DNS level, which can have drastic implication.
To defense the target, inappropriate queries must be refused by the system.
To check zone transfer, specify exact IP addresses from where zone transfers may be allowed. The firewall must be configured to check TCP port 53 (which unlike UDP port 53 is used for zone transfers instead of DNS queries) access. Another best practice is to use more than one DNS or the split DNS approach where one DNS caters to the external interface and the other to the internal interface. This will let the internal DNS act like a proxy server and check leaking of information from external queries.
Check out DNS concept from RFC 1912 Common DNS Operational and Configuration Errors, RFC 2182 Section and Operation of Secondary DNS Server, RFC 2219 Use of DNS Aliases for Network Services.

Education on Ethical Hacking

There are formal education training for ethical hacking. University of Abertay offers BSc (Hons) Ethical Hacking & Countermeasures, MSc/PGDip Ethical Hacking & Countermeasures.

WHOIS

Several operating system provide a WHOIS utility. To conduct query from the command line the format is:
whois -h hostname identifier (e.g. whois -h whois.aim.net )
Command flag can be added to obtain more specific information. Flags can be categorized under query type and only one flag may be used from a query type.

• Query-by-record-type
• n Network address space
• a Autonomous systems
• p Point of contact
• o Organizations
• c End-user customers
• Query-by-attribute
• @ Search for matches by the domain-portion of an email address
• ! Search for matches by handle or id
• . Search for matches by name
• Display flags
• + Show details (aka "full") but cannot be used with the record hierarchy sub query
  
• - Show summary (aka "list")
• Record hierarchy
• <>
• > Display record related down the hierarchy. For network, display subdelegation or subnet, below the network
• Wild card queries
• WHOIS supports wild card queries. Append the query with *. This can be used in combination with any flag define above

There are five types of queries that can be carried out on a WHOIS database.

• Registrar - This gives information on potential domains matching the target.
• Organizational - This lists all known instances associated with the particular target and the number of domain associated with the organization.
• Domain - This can be used to find the company address, domain name, administrator and his/her phone number, and the system's domain servers.
• Network - This gives all information related to a particular network of a single IP address. Network enumeration can help ascertain the network block assigned or allotted to the domain.
• Point of Contact (POC) - Display all information related to a specific person, typically administrative contacts. Also known as query by "handle".

If the organization is a high security company, it can opt to register a domain in the name of a third party, as long as they agree to accept responsibility.

SmartWhois
SmartWhois is a network information utility that allow available information about an IP address, hostname or domain name, including country, state or province etc.
SmartWhois is available for download at www.tamos.com.

Unearthing Initial Information

Open source footprinting
Perform whois request, searching thorough DNS tables are other forms of open source footprinting. Most of the information is fairly easy to get and within legal limits. One easy way to check for sensitive information is to check the HTML source code of the website to look for links comments, Meta tags etc.
The attack can choose to source information from:

• A web page (save it offline, e.g. using offline browser such as Teleport pro at http://www.tenmax.com/teleprot/pro/home.htm )
• Yahoo or other directories (Tifny is a comprehensive search tool for USENET newsgrops)
• Multiple search engines (All-in-one, Dogpile), groups.google.com is a great resource for searching large number of news groups archives without having to use a tool
• Using advanced search (e.g. AltaVista where revers links can be unearthed to vulnerabile sites)
• Search on publicly trade companies (e.g. EDGAR)
• Dumpster diving (to retrieve document that is carelessly disposed)
• Physical access (False ID, temporary/contract employee etc)

Apart from surfing the site, the attacker can use whois or nslookup to collect information. http://www.allwhois.com/ is considered a comprehensive whois interface.
There are tools available to aid whois:

• Sam Spade
• Smart Whois
• Netscan

Reader is encouraged to read RFC 1034, 1035 and standards std/std13 - Internet standard for Domain Name.

Footprinting

Footprinting is the blueprinting of the security profile of an organization undertaken in methodological manner.
The information unveil at various network level can include details of domain name, network blocks, network services and applications, system architecture, intrusion detection systems, specific IP address, access control mechanisms and related lists, phone numbers, contract addresses, authentication mechanisms and system enumeration.
Information gathering activity can be broadly divided into seven phases:

1. Unearth initial information
2. Locate network information
3. Ascertain active machine
4. Discover open ports /access ports
5. Detect operating system
6. Uncover services on ports
7. Map the networks

Footprinting includes the first two phases listed above. Footprinting is required to ensure that isolated information repositories that are critical are not overlook or left undiscovered.

Deliverables

In the final phase of evaluation the ethical hacking report with the results of hacking activities, vulnerabilities found and recommendation given to avoid exploit. The objective should be to bring into effect of permanent security solution rather than temporary patch. If social engineering testing has exposed problems report should address this issue with specific recommendation to raise awareness of the people concerned. The report must include specific recommendation on how to close the vulnerability and keep them closed.
Usually, the ethical hacking report is delivered in hard copy and soft copy destroyed for security reason. For instance, if this report is accessed by the wrong people or people with wrong intension, it can have catastrophic consequence. One of common example is that the report is use by corporate espionage, the cracker can use the information to break into the system. However for long term client, the ethical hacker might need the information for further investigation. In this case the organization can stored it in encrypted form in an offline system with very limited access. Hard copy should be stored in a safe with all copy numbered.
There are certain issues to be considered in delivering report, such as who would receive the report, and how the sensitive report would be conveyed. The ethical hacker would have ongoing responsibility to ensure the safety of all information they retain, so in some cases all information is destroyed at the end of the contract.

Security Test

Security test can be conducted in two approaches:

• Black-box
  This means the ethical hacker has no prior knowledge or information about the system. This simulate a true web-hacking, beginning with nothing but the company name. From here the ethical hacker gathers information about the network and the business from as many outside source as possible.
  
• White-box
  This means the ethical hacker has complete knowledge of the network infrastructure to be tested. This help ethical hacker adopt a structured and formal approach. However, a good ethical hacker will also test the validity of the information provided initially, rather than work under the assumption that it is true.

It is considered by some security expert that the black-box testing is closely intimate a real web hacking. However, this need not hold good as script kiddies can easily know detail of the network and operating system and run scripts to exploit vulnerabilities. More often that not, the attacker is no total stranger to the system. He as access to insider information or may be he is an insider. Many organizations are subject to attack from internal sources where full system knowledge can be assumed.
If monetary resource and time are constraint, black box testing may not be the best option. This is where the organization may consider internal testing.
All forms of security testing can be of value to the organization; however it is up to the organization to decide what work in best of its interest under the given circumstance. A black-box test may highlight how supposedly confidential information is leaked. A white-box test is likely toe dedicate more time to probing for vulnerabilities and will address security of all external connection.

Modes of Ethical Hacking

There are several ways to conduct security evaluation.

• Remote network
  This simulates the intruder launching an attack across the internet. The primary defense that must be defeated here are border firewall, filtering routers etc.
• Remote dial-up network
  This simulates the intruder launching an attack against the organization's modem pools. The primary defense that must be defeated here are user authentication scheme.
  
• Local network
  This simulates an employee or other authorized person who have legal/authorized connection to the organization network. The primary defense must be defeated here are intranet firewall, intranet web server and server security measures.
  
• Stolen equipment
  This is to test how user protection their information assets. For example, if a stolen laptop has stored password or critical information that can be easily accessed, this can a security breach. Attacker may remote dial up to the main server of the organization with proper authentication.
• Social engineering
  This test evaluate the integrity and awareness of the target organization's personnel. A typical quoted example of social engineering is that of an intruder calling the computer help line and asking for the external telephone number of the modem pool. Defense against this kind of attack is the hardest because people and personalities are involved. To be of assistance come naturally in organizations gearing more toward a service orientation and this may inadvertently lead to security compromise. Often see scenario include telling someone who appears to be lost where the computer room located, or let someone into the building who does not have proper identification credentials. The only defense against this is to raise the security awareness.
• Physical entry
  This test acts out the physical penetration of the organization's building. The primary defense here are strong security policy, security guard, access control and monitoring and security awareness.
  
  

How do Ethical Hacker go about the evaluation?

Any security evaluation involves three phases: preparation, conduct and conclusion.

1. Preparation
   In this phase, a formal contract is signed that contains a non-disclosure clause as well as a legal clause to protect the ethical hacker against any protection that he may possibly attract during the conduct phase. The contract also outlines infrastructure perimeter, evaluation activities, time schedules and resources available to him.
   During this phase, the ethical hacker should discuss with the organization about what the organization is trying to protect, against whom and at what cost. After discussion, a security plan is prepared which will identify the systems that are to be tested for vulnerabilities, how the testing would be carried out (methodology) and what restriction may be applied (limitation faced).
   While it is theoretically possible to say that the testing strategy should follow a "no-holds-barred" approach, practically this not usually the case. This approach is encouraged so that the ethical hacker is given the chance to gain maximum access.
   
2. Conduct
   In this phase, the evaluation technical report is prepared based on testing potential vulnerabilities.
   There are several methods for carrying out ethical hacking, but the two most used approaches are the limited vulnerability analysis and attack and penetration testing. Limited vulnerability analysis deals with enumerating the specific entry points to the organization's information system over the internet, as well as the visibility of mission critical systems and data from a connection on the internal network. On detection, the potential entry point and mission critical systems are scanned for known vulnerabilities. The scanning is done using standard connection techniques and not solely based on vulnerability scanners.
   In an attack and penetration testing, discovery scans are conducted to gain as much information as possible about the target system. Similar to limited vulnerability analysis, the penetration scan can be conducted from both the internet and internal network perspective. This approach differs from the limited vulnerability analysis is that the testing is not limited to scanning alone. It goes a step further and tries to exploit the vulnerabilities. This is said to simulate the real threat to data security.
   Clients usually prefer a limited vulnerability analysis because they do not want to risk loss of data or any other damage.
   It should be communicate with the organization that there are inherent risks in undertaking an ethical hack. These can include alarmed staff and unintentional system crashes, degraded network and system performance, denial of service, and log file size explosions. A possible way of minimizing this risk is to conduct the test after office hours or holidays. The organization should provide contact within, who can respond to calls from the ethical hackers if a system or network appears to be adversely affected by the evaluation or if an extremely dangerous vulnerability is found that should be immediately corrected. While conducting an evaluation, ethical hackers may come across security holes that cannot be fixed within the predetermined time frame. Therefore, the ethical hacker must communicate to his client the urgency for corrective action that can extend even after evaluation is completed. If the system administrator delays the evaluation of his system until a few days or weeks before this computer need to go online again, no ethical hacker can provide a really complete evaluation or implement the correction for potentially immense security problems. Therefore, such aspect must be considered during the preparation phase.
   
3. Conclusion
   In this phase, the result of evaluation is communicated to the organization and corrective action/advise is taken if needed.
   
   

Skill Profile of an Ethical Hacker

Ethical hacker should have strong computer knowledge including programming and networking. They should be proficient at installing and maintaining system that use popular operating system (e.g. Unix, Windows or Linux) usually used on target system. Detailed knowledge of hardware and software provided by popular computer and networking hardware vendors complement this basic knowledge. It is not always necessary that ethical hacker to be a security professional. However, it is an advantage to know how various systems maintain their security. These system management knowledge are necessary for actually vulnerability testing and preparing the report after the testing is carried out.

An ethical hacker should be one step ahead of the malicious hacker and possess immense patience and the capability of persistent concentration. A typical evaluation may require several days, perhaps even several weeks of analysis that the actual testing itself.

Finally, keeping up with the ever-changing world of computer and network security requires continuous education and review on part of the ethical hacker. An ethical hacker should use constructive method as opposed to destructive methods adopted by the malicious hacker. The intent behind an ethical hacker's actions is to protect and rectify the system of its vulnerabilities. An ethical hacker is convinced that he can change something by means of constructively using his skills. He is reliable and trustworthy since he might discover information about the organization that should remain secret.

Hacktivism

Hacktivism refers to hacking with / for a cause. It is a kind of electronic civil disobedience in which activists take direct action by breaking into or protesting with government or corporate computer system. It can also considered as a kind of information warfare, and it is on the rise. The hacktivists consider their obligation to bring an offline issue close to their agenda into the online world. The apparent increase in hacktivism may be due in part to the growing importance of the internet as a means of communication.

Internet hacktivists believe that the "state sponsored censorship of the internet erodes peaceful and civilized coexistence, affects the exercise of democracy, and endangers the socioeconomic development of nations". For instance, they may have agendas that consider "state-sponsored censorship of the internet as a serious form of organized and systematic violence against citizens, intended to generate confusion and xeonophobia, and a reprehensible violation of trust". For instance, the Cult of the Dead Cow, an older security group states that their objective is to "study ways and means of circumventing state sponsored censorship of the internet and implementing technologies to challenge information right violations".

Most hacktivists aim at sending across a message through their hacking activity and gaining visibility for their cause and themselves. Common targets include government agancies, MNCs, or any other entity perceived as "bad" or "wrong" by these group / individuals. It remains a fact however, that gaining unauthorized access is a crime, no matter what the intents.

What do Ethical Hacker do?

To evaluate the security of an information system, an ethical hacker seek answer to the three basic questions:

1. What can an attacker see on the target system?
   This require an ethical hacker to think "out of the box" and to be "creative". An attacker can exploited those vulnerabilities that can be overlooked in the normal and route security check by the system administrator. This correspond to the reconnaissance and scanning phase.
   
2. What can an attacker do with the available information?
   An ethical hacker tries to understand the intent and purpose of the potential exploit, so as to do appropriate countermeasures. This correspond to the gaining access and maintaining access phase. An ethical hacker need to think one step ahead of the attacker in order to provide sufficient protection.
3. Are the attacker's attempts being noticed on the target system?
   Usually attackers lurk around the system before they actually wreck havoc. If the activities of an attacker cannot be noticed, the attacker can still spend weeks or month trying to break-in. In order not be noticed, the attackers may clear their track by modifying log files or installing trojan horse or back-doors. An ethical hacker need to investigate if these activities has been recorded and what preventive measures were taken if any. This not only gives him an indirect assessment of the attacker's proficiency, but also gives him an insight into the security related activities of the enterprise / system he is evaluating.
   

The entire process of ethical hacking and subsequent patching of discovered vulnerabilities would depend on questions such as:

• What is the organization trying to protect, against whom or what and how much resources the organization is willing to expend in order to gain protection

Sometimes when such exercises are taken without proper framework, the organization may call off the evaluation at the first instance of vulnerability reporting. These may be to ward off further discovery or save resource. Therefore it is imperative that the ethical hacker and the organization work out a suitable framework.

The organization must be convinced about the need for the exercise. Usually the concerned personnel have to be guide to concisely describe all of the critical information asset whose loss could adversely affect the organization or its clients.

Last, but not the least, the ethical hacker must remember that it is not possible to guard systems completely.

Hacker Classes

Hackers can be classified into various categories based on their activity profiles.

• Black hats
• Individuals with extraordinary computing skill who use their skill with malicious intent for illegal purpose. This category of hacker are often associated with criminal activities and sought by law enforcement agencies.
• White hats
• Individuals professing hacker skill and using them for defensive purpose. Also known as "Security Analysis".
• Grey hats
• Individuals who work both offensively and defensively at various times. They believe in full disclosure that other people who come across information disclosed are able to make a judicious use of the information.

Ethical hacker are information security professional who are engaged in evaluating the threats to an organization from attackers. Ethical hackers can be classified into following categoris:

• Former black hats
• This groups comprises of former cracker who have taken to the defensive side. They are better informed about security related matters as they have no dearth of experience and have access to the right information through hacker network. However they do not earn credibility for the very same reason as they may pass along sensitive information knowingly or inadvertently to the hacker network, thereby putting the enterprise at risk.
  
• White hats
• They profess to have skill on par with the black hats. However, it remains to be seen if they can be as efficient in information gathering as black hats.
• Consulting firm
• This is a new trend being seen in ICT consulting services with the increasing demand for third party security evaluations. These firms boast of impressive talent and credentials. However a word of caution is necessary with regard to background checks of these individuals as they may include former black hats and even script kiddies, who take up assignment for the thrill it gives them.

Anatomy of Attack

Now we come to some real fun. What does an hacker do?

In general, a hacker attack can be dissected into five phases.

1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

Reconnaissance
Reconnaissance refers to the very initial stage where the hacker try to collect as much information as possible about the target before start any attack. The hacker will use both technical knowledge and social skill to learn more about the target. Social skill or social engineering can be surprisingly efficient in collect internal information.

Technical skill can be categorized into Active and Passive reconnaissance. Active reconnaissance involve using tools to interact with the target, while passive reconnaissance will collect the publicly available information, social engineering, dumpster diving etc. Active reconnaissance is usually used by newbie who discern a low threat to his reconnaissance activity to be detected.

As an ethical hacker, you must be able to identify different reconnaissance methods and able to advise preventive measure in respect of the potential threat.

Scanning

Scanning refers to pre-attacking stage when the attack scans the target with specific information gathered during reconnaissance. Scanning can be considered as an extension of active reconnaissance which involve automated tools such as network/host scanners, war dialer to discover any vulnerability. Attack can gather information such as mapping of system, router and firewall by using simple tool such as traceroute or Cheops to add sweeping functionality along with that rendered by traceroute.

Port scanner can be used to detect listening port to find information of the services running on the target machine. The primary defense is to shut down services that are not needed. Vulnerability scanner can be used to detect vulnerabilities on the target network. This gives attack advantage of time become he has to find just one vulnerability to enter while the system professional need to apply several patches.

Organizations that deploy intrusion detection system still have to worry as attacker can use evasion techniques at both application and network level. However a probably configured NIDS cannot be detected and all the better ones do anomaly detection, making to difficult for evasion.

Gaining Access

Gaining access refers to the true attack stage. Attacker can exploit the target over LAN, locally, internet, offline as deception or theft. Examples include stack-based buffer overflows, denial of service, session hijacking etc.

Spoofing is a technique to exploit the system by pretending to be someone else or a different system. The attack can use this technique to send malformed packet containing bug to the target system to exploit the vulnerability. Packet flooding can b used to remotely stop the availability of essential services. Smurf attacks try to elicit the available user on the network and the use their legitimate address of services.

The perceived risk involved when attacker gains access is high; as attacker can gain access at operating system level, application level or even network level.

Maintaining Access
Maintaining access refer to the phase when the hacker try to retain his "ownership" of the system. Once gaining access to the target system, the attacker can choose to use the system and resources to launch another attack to other system, or keep a low profile and continue exploit the system. Both are damaging to the organization. For instance the attack can install a sniffer to capture all the network traffic.

Sometimes, attackers harden the system from other hacker to secure their exclusive access with Backdoor, RootKits, Trojans and Trojan horse backdoors.

Attackers try to remain undetected by removing evidence of their entry and use backdoor or other Trojan to gain repeat access.

Covering Tracks
Covering Tracks refer to the activities to remove evidence of his presence and activities so that he can maintain access or evading criminal punishment. This normally entail removing log files and replacing system binaries with trojan, such as ps or netstate, so that system administrator cannot detect the intruder on the attacked system. Just as there are automated scripts for hacking, there are also automatic script for hiding intruders, often called rootkits.

Other techniques including Steganography, tunneling etc. Steganography is the process of hiding data. Tunneling take advantage of transmission protocol by carrying one over the other. Even extra space in TCP and IP header can be used for hiding information.