Analysing Port Scanning Tools and Security Techniques

Transcription

1 Analysing Port Scanning Tools and Security Techniques Rajwinder Kaur 1, Gurjot Singh 2 1 Post Graduate, Department of Computer Science and Applications, KMV, Jalandhar, Punjab, India 2 Assistant Professor, Department of Computer Science and Applications, KMV, Jalandhar, Punjab, India 1 [email protected], 2 [email protected] Abstract: The port scanning is a process of scanning ports of a computer system. A port is a spot where information goes into and out from a computer. The port scanning identifies open doors/ports of a system. Port scanning helps in managing the networks, but it can also be destructive in nature as if someone is sniffing for a weakened access point to breach into the computer system with different critical attacks like DOS, Botnet and DDOS. An attacker performs port scanning of IP addresses to find vulnerable hosts to compromise. In this paper we analyze various port scanning tools and the security techniques to prevent port attacking. Keywords: Nmap, port scan, Superscan, Angry ip scan, Uniconscan, Networkactiv Port Scanner, Ultrascan. I. INTRODUCTION Port scanning is one of the most important step in gathering the information(reconnaissance phase) about the victim against whom you want to launch attack or simply gathering loop holes of your own system to prevent from hackers. This technique composed of sending a message to a port and listening for an answer. Port scanning is done to get the current state of the port means weather Port is open, close, filtered or prevented. Port Scan is the act of systematically scanning a computer's ports [1,2]. Since a port is a spot where information goes into and out of a computer, port scanning identifies open doors/ports to a computer system. Port scanning is basically like ringing a door bell of someone s home, if somebody responds to ringing door bell it results in existence of someone at home. If no one respond then there will be two situations, First members of house are busy or no one is at home. Similarly in case of Hacking, you send a request to host`s system for checking that particular port is live or not. If it responds back that means it is alive otherwise it is closed or inactive. Hackers utilize port scanning because it is an easy way in which they can quickly discover services they can break into. Hackers can even open the ports themselves in order to access the targeted systems [3]. Types of Port Scanning: (A) Vanilla: The scanner attempts to connect to all 65,535 ports. Vanilla port scanning is a very accurate way to determine which TCP services are accessible on a given target host. (B) Strobe: a more focused scan looking only for known services to exploit (C) Fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall. (D) Udp: the scanner looks for open udp ports. (E) Sweep: the scanner connects to the same port on more than one machine. (F) Ftp bounce: the scanner goes through an ftp server in order to disguise the source of the scan. (G) Stealth scan: the scanner blocks the scanned computer from recording the port scan [3]. II. PORT SCANNING TOOLS A. NMAP: This tool developed by Fyodor is one of the best unix and windows based port scanners also used as command-line program. The advanced port scanner tool has a number of useful aspects that gives user a lot of control over the process. Nmap NETWORK MAPPER is capable of doing many types of scans and OS identification it also has the ability to blind scan and zombie scan, and it enables to control the speed of the scan from slow to very fast. It can be used for security scans, simply to identify which services a host is running, to "fingerprint" the operating system and applications on a host and the type of firewall a host is using, or to do a quick inventory of a local network [4]. It is, in short, a very good tool to know. Nmap can be used for discovering, monitoring, and troubleshooting.tcp and UDP based systems. Nmap is a general purpose network scanner. It supports most of the known operating systems including Windows, Linux, UNIX, and Mac OS X. B. 1st Ip Port Scanner: 1st Ip Port Scanner is a very efficient Ip Scanner and Port Scanner. It is intended for both system administrators and general users to monitor and manage their networks. Powered with multi-thread scan technology, this program can scan hundreds computers per second. It simply pings each IP address to check if it's alive, then optionally it is resolving its hostname, scans ports, etc. Free IP scanner can also display NetBIOS information: host name, workgroup, currently logged user and MAC address and it can also find port, search port and scan port. Its speed of scanning is very fast.1st Ip Port Scanner tests whether a remote computer is alive with three types: ICMP, SYN and UDP and testing whether a TCP port is being listened with two types: CONNECT and SYN. It reverses lookup IP address into 58

2 hostname and read responses from connected TCP Port. It checks the UDP port's status based on "ICMP Destination Port Unreachable" message [16]. 1st Ip Port Scanner Features: 1. It can find ip address, ip relay; trace ip address, ip check, ip scan. 2. It performs port scanning, port finder/search. 3. Fast and multi-threaded IP scanning. 4. It can scan hundreds of systems per second which is ideal for administrators. 5. Fully configurable Port Scan. 6. It Saves obtained information into text file. 7. A simple, user-friendly interface makes operation easy for users Spy ware free, not contain any Ad ware or Viruses C. Atelier Web Security Port Scanner: AWSPS can provide extremely useful information about other networked Machines user. It provides first rate listing of port set up on the local machine detailing which ports are open. It shows traffic detail for TCP, UDP as well as for control packets ICMP including ping. Atelier Web Security Port Scanner is an innovative network diagnostic tool that adds a new dimension of abilities to the network administrators, security professionals and all people concerned with safety of systems. It provides TCP scanning functionality and UDP port scanning, local network enumeration and a highlevel of detail on the local network set-up for a machine on a local area network [18]. D. NetworkActiv Port Scanner: It is a network exploration and administration tool that allows you to scan internal LANs and external WANs. The versatility and closable operating mode nature available in NetworkActiv Port Scanner makes it useable by experienced network administrators. It provides all the basic functionality that you should expect in an advanced network scanner, but also provides many additional features and technologies, some of which being completely unique to this scanner. It provides scanning performance simply not found in other Windows based network scanners [17]. Features of networkactiv port scanner 1. Tcp subnet port scanner, for finding web servers and other servers. 2. High performance trace-route. 3. Remote OS detection ability to make an educated guess about the OS of a remote host, this is done by TCP/IP stack fingerprinting Perform Networks scanning, trace route. 5. Ability to perform WHOIS, queries, user may either specify a WHOIS server or have the program attempt to determine a WHOIS server automatically 6. Performs DNS dig queries, user may choice between TCP/UDP. E. ANGRY IP SCAN: Angry Ip scanner is a tool that scans network for open Ip addresses designed for network administrator to check the network security. Angry IP Scanner is a cross-platform port and IP scanner. The application is developed in java, so it is cross platforms compatible with different OS. It is a great program for doing a network audit or for just finding out more information about your network. It can locate in any network device that responds to the scan. It can locate on any device in the network that has an IP address and that doesn't have any firewall. It performs basic host discovery and port scans on Windows. The size of its binary file is very small as compared to other scanners and other pieces of information about the target hosts that can be extended with plug-in [5, 6] Features of Angry Ip scanner Tool: 1. It is Open source software, means free to use. 2. The fastest Ip scanner. 3. Cross-platform tool (supporting Linux, Windows, Mac OS.) 4. Light weighted tool so its CPU utilization is less. 5. No installation is required 6. It can get the Host name 7. Design for multiple host 8. Number of routers per trip and distance between source and destination 9. Cross-Platform application F. SUPERSCAN: It detect open TCP/UDP ports determine which services are running on those ports. It also run queries like whois, ping etc. It operates the whole surface of the physical device searching for all possible logical drives and partitions. It checks that they are live, damaged or deleted. If a partition cannot be found, it keeps searching. It reads each disk sector and looks for not only the boot sector, but also rebuilt the drive structure, based on residual clues that remain on the disk surface. This is a very slow process and it usually gives much more results than QuickScan. It provides three main tools: TCP port scanner, Ping tool, and Resolver tool [15]. G. UNICONSCAN: Unicornscan is an open source (GPL) tool designed to assist with information gathering and security auditing. It is an attempt at a User-end Distributed TCP/IP stack for information gathering and their 59

3 interrelation. It provides a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled devices. The various features of this scanner includes asynchronous stateless TCP scanning with all variations of TCP flags, asynchronous stateless banner grabbing, and active/passive remote OS and component identification by analysing responses [7]. It provides Scalable, Accurate, and Efficient system scan. It is released for the community to use under the terms of the GPL license [13, 14]. Features of Uniconscan 1. Asynchronous stateless TCP scanning with all variations of TCP Flags. 2. Asynchronous stateless TCP banner grabbing 3. Asynchronous protocol specific UDP Scanning (sending enough of a signature to elicit a response). 4. Active and Passive remote OS, application, and component identification by analysing responses. 5. PCAP file logging and filtering 6. Relational database output 7. Custom module support 8. Customized data-set views H. SCANRAND: Scanrand is a tool that is used to discover hosts on the network i.e whether the host is alive or not. It is reliable for efficient fast speeds. It uses best cryptographic techniques to prevent users from attackers. This scan is similar to unicorn scan. I. ULTRASCAN: UltraScan is a powerful port scanning tool that can provide you the ability to seek out unauthorized web servers, FTP servers, and any other service which may be running on your network without your knowledge. This tool is a necessity for any network attached to the Internet or large corporate Intranet [8]. J. GFILANguard: GFILANguard is employed for Patch Management, Vulnerability Checking and Network Auditing. This tool can scan networks and ports to detect, identify and correct security loopholes It manually or on scheduled basis scans and then analyzes the services running in the open ports. It installs fingerprint technology to check whether the service is secure or not. It helps to maintain the network. GFILANguard requires 102 MB memory to execute. GFILANguard supports Patch Management, Vulnerability Management, Network and Software Auditing, Change Management, and Risk Analysis and Compliance [6]. List of vulnerable ports 21: FTP 22: SSH 23: Telnet 53: Domain Name System 80: World Wide Web HTTP 119: Network News Transfer Protocol 43: HTTP over Transport Layer Security/Secure Sockets Layer If these ports are not secure a hacker can communicate with these ports and cause havoc. III. BASIC SECURITY TECHNIQUES The useful security methods to secure the network such as implementing antivirus, scanning, network sniffing/ scanning tools, internet access policies and other security preventive measures. Network security is the most essential aspect of information security because it is responsible for securing all information passed through networked computers [10, 11]. Minor security vulnerability can result in a heavy loss of the critical data of the server and other client computers. Insuring the computer system and network secured, is the main responsibility of the network administrator and the security specialists. Typically a computer network is threatened by a number of ways like virus, worm attacks, unauthorized access, cryptography related attacks etc. So to prevent from these, regular scan of entire network devices, s, open ports, server and client computer systems is mandatory. It is the prior responsibility of the network administrators to check and deploy the missing security patches and install advanced security software in all the network computers. They should also destroy the unnecessary network sharing documents, user s accounts; wireless access points and restricts the access to the network users [3, 8]. A. Turn off Ping Service: The main purpose of a ping request is to identifying the hosts that are presently active. It is employed as part of reconnaissance activity preceding a more coordinated attack. By removing a remote user's ability to receive an acknowledgement from a ping request, you are more convenient to be passed over by unattended scans or from "script kiddies," that usually looks for an easier target. Remind that this does not actually protect you from threat, but will make you far less likely to become a target [8]. For disable ping outside from your public IP: for that, the icmp-config would be the following: icmp deny any echo outside icmp permit any outside echo requests get dropped, but all the other icmp types are still allowed. 60

4 B. Close unused ports: A port allows the systems of outside world communicate with your computer system. Think of a port as a door: when the door is open, anyone can get inside and use your system. A closed port keeps your computer safe from unwanted outside communication or attackers. In security parlance, the term open port is used to mean a TCP or UDP port number that is configured to accept packets. There are various ports and maximum are by default open in our computer like FTP, TELNET, UDP, SMTP, FTP etc. In general we need port like FTP, HTTP etc. If someone wants to enter in our system they used these types of open ports. So if not necessary then close unused ports. Malicious hackers commonly use port scanning software to find which ports are "open" (unfiltered) in a particular computer, and whether or not an actual service is listening on that particular port. In contrast, a port which rejects or ignores all packets directed at it is called a "closed port"[12]. Ports can be "closed" through the use of a firewall. C. Bind IP to MAC Address: The MAC address is unique number which cannot be changed. We can make a list of IP address used in our network and then bind those IP addresses to the particular systems MAC address. After doing this activity no one can use out-side system in your system [8]. D. Use Intrusion Detection Systems and Intrusion Prevention Systems: An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack by someone attempting to break into or compromise a system. IDSs use traffic analysis and advanced algorithms to determine if a probe has been conducted. Many IDSs are designed to address increased requirements for security visibility, denial-of-service protection, anti-hacking detection, and e-commerce business defences. An Intrusion Prevention System (IPS) can take the work of the IDS one step further, by taking immediate action that does not require human intervention, as IDS alarms are generated based on a predefined set of rules [8]. Fig.1. Port scanning Network active port scanner represents various network ports from 1 to It scans open and close ports and their information. It also Checks for different threads running on the system. We see port scanning on our system named (accer12) and its Ip address IV. ANALYZING AND DISCUSSION In this section, we analyse different port scanning tools, how they scan the open and closed ports in a system and IP scanning also. These are given as follow: NetworkActiv Port Scanner: Fig. 2. IP scanning The above fig.2, shows scans for Ip address for a particular site. It shows the results for different ports through which system is communicating with other systems here we are scanning port number 80 that is used for http. You should also scan for other ports as well. 61

5 A. AWSPS Fig 3. Connections and listening ports The fig. 3, represents the functioning of AWSPS tool. It shows connections and ports. It presents local address, remote address and state of a port. Fig 5. Active route information The fig. 5, represents active routes through which the system communicates with others systems. It shows the information about the gateway address and type of routes i.e. direct and Indirect routes,interfaces and registry. Fig 4 Protocol statistics The above fig. 4, presents the TCP, UDP and ICMP statistics. TCP shows the retransmission time out, number of connections i.e active, passive and failed connections.udp shows datagram received and receiving errors. ICMP shows messages and destination unreachable. Fig 6 IP statistics/ setting 62

6 The fig. 6, shows the information about TTL values,installed protocols and their details. It also give information about packet header and address errors. It also shows information of particular system IP address and subnet mask. This fig. 8 shows the information of the particular LAN computer/ host like which operating system and workstations it uses it also gives the NETBIOS information. Fig. 9. Time synchronizer Fig 7. Interface statistics The fig. 7, shows the interface statistics through which the system communicates with others. It shows the type of interface like loopback, tunnel, and tunnel-encapsulation interface. It represents the Time synchronization of system like time stamp are use to synchronize the system with clock V. CONCLUSION In this paper we studied about different port scanning tools and security techniques. We analyse how they scan for open and closed ports in the computer system. These open ports in particular system leads to security breaches. The attackers analyses the open ports on the system by using these port scanning tools and launch critical attacks on that particular system and further use that system to destroy other computers making bots of interconnected computers in network. So we have to analyses these open port in our system and see which type of traffic is transmitted through our system and implied security against them. VI. REFERENCES [1] De Vivo, M., Carrasco, E., Isern, G., and de Vivo,G. O. (1999) A review of port scanning techniques, SIGCOMM Comput. Commun. Rev., 29, [2] Monowar H Bhuyan, D K Bhattacharyya and J K Kalita, Surveying Port Scans and Their Detection Methodologies, In press. Fig. 8. LAN computer [3] Tariq Ahamad Ahanger, Port Scan - A Security Concern, International Journal of Engineering and 63

7 Innovative Technology (IJEIT) Volume 3, Issue 10, April [4] Avi Kak, Port and Vulnerability Scanning, Packet Sniffing, Intrusion Detection, and Penetration Testing Lecture April 15, [5] Aileen G. Bacudio, Xiaohong Yuan, Bei-Tseng Bill Chu, Monique Jones, AN OVERVIEW OF PENETRATION TESTING, International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.6, November [6] Nazar El-Nazeer and Kevin Daimi, Evaluation of Network Port Scanning Tools, University of Detroit Mercy, 4001 McNichols Road, Detroit, MI [7] Cynthia Bailey Lee,Chris Roedel, Elena Silenok, Detection and Characterization of Port Scan Attacks, University of California, San Diego. [8] Siddharth Ghansela, Network Security: Attacks, Tools and Techniques International Journal of Advanced Research in Computer Science and Software Engineering, Volume 3, Issue 6, June [9] T.Siva#1, E.S.Phalguna Krishna, Controlling various network based ADoS Attacks in cloud computing environment: By Using Port Hopping Technique, International Journal of Engineering Trends and Technology (IJETT) - Volume4Issue5- May [10] Chen S., Iyer R., and Whisnant K., Evaluating the Security Threat of Firewall Data Corruption Caused by Instruction Transient Errors," In Proceedings of the 2002 International Conference on Dependable Systems & Network, Washington, D.C., [11] Kim H., "Design and Implementation of a Private and Public Key Crypto Processor and Its Application to a Security System," IEEE Transactions on Consumer Electronics, vol. 50, no. 1, February