Portscans

Network Security Spring 2021
Due


The goals of this lab are to:

  1. Learn how portscans appear on the wire
  2. Practice the use of network trace analyzers like tcpdump and Wireshark

Portscans are one tool for performing network reconnaissance. Aside from simply telling you the status of a port, they can also be used to:

  • Enumerate devices available on a network
  • Identify the OS a host is running
  • Grab service banners and versions
  • Map out a network’s topology
  • Probe for firewalls or other security middleboxes

Scan Types

The underlying techniques a portscanner uses mix direct queries – e.g., pinging a host to check if it is reachable, or engaging in a network protocol to capture a service banner – with fingerprinting to infer information – e.g., issuing a series of probes and matching features of the responses against an OS fingerprint database.

There are myriad ways to determine a port’s status – i.e., OPEN, CLOSED, or FILTERED. The most straightforward method for a TCP service scan is to simply try to connect to a host and port. Though this works and has the benefit that it does not require special privileges, it is unnecessarily resource-intensive. This is because connecting to a TCP server requires setting up a local transmission control block (TCB) to track the connection state, which adds up if a scan is performed over many ports. In addition, if no server is listening on the target port and either the remote host or an intermediary is filtering TCP RSTs, the connection must time out before another connection can be attempted. (Can this be ameliorated to a degree with parallelization or async code? Yes, but it is still sub-optimal.)

Instead, a SYN scan is the most popular TCP portscan technique. To perform a SYN scan, a raw socket is used to inject a TCP SYN packet onto the wire without incurring the normal connection tracking overhead. These SYNs can be emitted all at once, and any responses processed en masse using the same raw socket.

However, there are many more scan types available that take advantage of ambiguities in the TCP standard. See man nmap for a thorough discussion.
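To see how a SYN scan like the one described above appears in a trace, the following added example (not part of the original lab materials) classifies probed ports from `tcpdump -nn` text output. The sample lines and addresses are constructed, and the function names `classify` and `scan_shape` are hypothetical; it assumes the usual reading of replies (SYN/ACK means open, RST means closed, no reply means filtered).

```python
import re
from collections import defaultdict

# Constructed `tcpdump -nn` text output (not from scan.pcap): 10.0.0.5 SYN-scans two hosts.
SAMPLE = """\
12:00:00.000001 IP 10.0.0.5.40000 > 10.0.0.10.22: Flags [S], seq 100, win 1024, options [mss 1460], length 0
12:00:00.000002 IP 10.0.0.5.40000 > 10.0.0.10.23: Flags [S], seq 100, win 1024, options [mss 1460], length 0
12:00:00.000003 IP 10.0.0.5.40000 > 10.0.0.10.80: Flags [S], seq 100, win 1024, options [mss 1460], length 0
12:00:00.000004 IP 10.0.0.5.40000 > 10.0.0.11.22: Flags [S], seq 100, win 1024, options [mss 1460], length 0
12:00:00.000301 IP 10.0.0.10.22 > 10.0.0.5.40000: Flags [S.], seq 900, ack 101, win 64240, options [mss 1460], length 0
12:00:00.000302 IP 10.0.0.10.23 > 10.0.0.5.40000: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:00.000401 IP 10.0.0.5.40000 > 10.0.0.10.22: Flags [R], seq 101, win 0, length 0
12:00:00.000501 IP 10.0.0.11.22 > 10.0.0.5.40000: Flags [S.], seq 700, ack 101, win 64240, options [mss 1460], length 0
12:00:00.000601 IP 10.0.0.5.40000 > 10.0.0.11.22: Flags [R], seq 101, win 0, length 0
"""

# Captures: src IP, src port, dst IP, dst port, TCP flags.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Za-z.]+)\]")

def classify(text):
    """Map each SYN probe (scanner, target, port) to open / closed / filtered."""
    pkts = [m.groups() for m in LINE.finditer(text)]
    # Pass 1: every bare SYN is a probe; with no reply seen it stays "filtered".
    # (ICMP unreachable replies, which also indicate filtering, are not parsed here.)
    state = {(s, d, int(dp)): "filtered" for s, _, d, dp, f in pkts if f == "S"}
    # Pass 2: match packets flowing target -> scanner back to their probe.
    for src, sport, dst, _, flags in pkts:
        key = (dst, src, int(sport))
        if key in state:
            if flags == "S.":      # SYN/ACK: a listener answered
                state[key] = "open"
            elif "R" in flags:     # RST: host reachable, nothing listening
                state[key] = "closed"
    return state

def scan_shape(state):
    """vertical = many ports on one host; horizontal = one port across many hosts."""
    ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
    for _, target, port in state:
        ports_by_host[target].add(port)
        hosts_by_port[port].add(target)
    vertical = any(len(p) > 1 for p in ports_by_host.values())
    horizontal = any(len(h) > 1 for h in hosts_by_port.values())
    names = {(True, True): "combination", (True, False): "vertical", (False, True): "horizontal"}
    return names.get((vertical, horizontal), "single probe")

if __name__ == "__main__":
    result = classify(SAMPLE)
    for (scanner, target, port), st in sorted(result.items()):
        print(f"{scanner} -> {target}:{port:<5} {st}")
    print("shape:", scan_shape(result))
```

The scanner's own bare RST after each SYN/ACK is the kernel tearing down a half-open connection it never tracked; it is ignored because it does not flow from target to scanner.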

A portscan against a particular host is often preceded by a network probe to determine whether that host is online at all. This usually takes the form of an ICMP PING, but can manifest in other ways. If a host does not respond, then it can be omitted from the portscan proper to save resources.

OS detection relies upon actively probing a target with respect to standards ambiguities, which are often handled differently by TCP/IP implementations. These probes include testing for initial window sizes, or sampling the entropy of initial sequence numbers or IP identifiers. The extracted features are then compared against a database of known operating systems.

Lab Objectives

A packet capture of an nmap scan is contained in scan.pcap in the current Canvas module. Analyze the trace to answer the following questions.

  1. What scan technique was used to identify open or filtered ports?
  2. Was this a vertical scan, a horizontal scan, or a combination?
  3. What network was targeted by the scan?
  4. What hosts were identified as online?
  5. What ports were scanned on online hosts?
  6. What ports were found to be open?
  7. What services were running on each open port?
  8. What ports were filtered?
  9. What operating system was found on each?

Submission Instructions

Submit your answers to the above questions to Canvas.