CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [26]
Scanning Ports and Identifying Services
Checking for open ports is the second step in the CEH scanning methodology, and port scanning is the method used to do it. Port scanning probes each port on a host to determine which ports are open. It generally yields more valuable information about the host and its potential vulnerabilities than a ping sweep, which only establishes whether the host is alive.
Service identification is the third step in the CEH scanning methodology; it's usually performed using the same tools as port scanning. Once the open ports are known, a hacker can usually infer the service associated with each port number (TCP 22 for SSH or TCP 80 for HTTP, for example), although the port number is only a guess until the service is probed directly and identifies itself.
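The two steps just described, as an added example that is not code from the book: a TCP connect scanner that completes the three-way handshake on each port, classifies the result as open, closed or filtered, and then identifies the service two ways, first from the port number (the same table lookup Nmap does by default) and then from the banner the service volunteers. To keep it self-contained it starts its own local listener that greets clients with a constructed SSH-style banner; the listener, its banner and the hosts are all assumptions for the demonstration.

```python
import socket
import threading

# Constructed sample banner for the local stand-in service (not a real host).
FAKE_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"


def start_banner_listener(banner: bytes = FAKE_BANNER):
    """Start a local TCP listener on an ephemeral port that greets every
    client with `banner`, the way SSH, SMTP and FTP servers do.
    Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_port() -> int:
    """Bind and immediately release an ephemeral port so the scan has a
    port that is reachable but has nothing listening behind it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """TCP connect scan: complete the three-way handshake on each port.

    open     -> handshake completed (something is listening)
    closed   -> RST came back (reachable, nothing listening)
    filtered -> no answer before the timeout (a filter is dropping probes)

    For open ports, record the service the port number suggests (the lookup
    Nmap does by default from its services table) and whatever banner the
    service volunteers, which is what a version probe relies on."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            results[port] = {"state": "closed"}
            s.close()
            continue
        except OSError:  # includes timeouts and unreachable errors
            results[port] = {"state": "filtered"}
            s.close()
            continue
        try:
            guess = socket.getservbyport(port, "tcp")
        except OSError:  # port not in the local services table
            guess = "unknown"
        try:
            banner = s.recv(128).decode("ascii", errors="replace").strip()
        except OSError:  # service expects the client to talk first
            banner = ""
        s.close()
        results[port] = {"state": "open", "service_guess": guess, "banner": banner}
    return results


def identify_service(entry: dict) -> str:
    """Prefer what the service says about itself over the port-number guess."""
    if entry.get("state") != "open":
        return entry.get("state", "unknown")
    banner = entry.get("banner", "")
    if banner.startswith("SSH-"):
        return f"ssh ({banner})"
    if banner.startswith("220 "):
        return f"smtp/ftp greeting ({banner})"
    return banner or entry.get("service_guess", "unknown")


if __name__ == "__main__":
    listener, open_port = start_banner_listener()
    report = connect_scan("127.0.0.1", [open_port, find_closed_port()])
    for port, entry in sorted(report.items()):
        print(f"{port}/tcp  {entry['state']:<9}{identify_service(entry)}")
    listener.close()
```

The listener sits on an ephemeral port, so the port-number lookup returns "unknown" while the banner still identifies it as SSH; that gap between what the port number suggests and what is actually listening is why service identification is a separate step from port scanning. A connect scan like this is also the noisiest form of scanning: every open port gets a full connection that the service itself can log.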
Port-Scan Countermeasures
Countermeasures are processes or tool sets used by security administrators to detect and possibly thwart port scanning of hosts on their network. The following countermeasures should be implemented to limit what a hacker can learn from a port scan:
■ Proper security architecture, such as implementation of IDS and firewalls, should be followed.
■ Ethical hackers use their tool set to test the scanning countermeasures that have been implemented. Once a firewall is in place, a port-scanning tool should be run against hosts on the network to determine whether the firewall correctly detects and stops the port-scanning activity.
■ The firewall should be able to detect the probes sent by port-scanning tools. It should perform stateful inspection, meaning it tracks the state of each TCP connection and judges every packet against that state rather than deciding on each packet's header in isolation. A stateless packet filter passes any packet that matches a permit rule, which is exactly what an ACK scan exploits to map its rules; a stateful firewall drops a stray ACK that belongs to no established connection.
■ A network IDS should be used to identify the OS-detection probes sent by common hacker tools, such as Nmap.
■ Only needed ports should be kept open. The rest should be filtered or blocked.
■ The staff of the organization using the systems should be given appropriate training on security awareness. They should also know the various security policies they're required to follow.
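The detection the list asks of the firewall and IDS, as an added example that is not from the book: a sliding-window detector run over constructed firewall log lines that raises an alert when one source touches a threshold number of distinct ports on one destination within a short window. The log format, the addresses and the timestamps are all made up for the demonstration; a real deployment would parse the vendor's own format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed firewall log format (not any vendor's real format): one line
# per connection attempt, whether the rule base accepted or dropped it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.5 sweeps ten ports in five seconds, 10.0.0.9 is
# an ordinary web client, and 10.0.0.7 probes one port every five minutes.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z DROP src=10.0.0.5 dst=192.168.0.1 proto=TCP dport=21
2024-05-01T10:00:00Z ACCEPT src=10.0.0.5 dst=192.168.0.1 proto=TCP dport=22
2024-05-01T10:00:01Z DROP src=10.0.0.5 dst=192.168.0.1 proto=TCP dport=23
2024-05-01T10:00:01Z DROP src=10.0.0.5 dst=192.168.0.1 proto=TCP dport=25
2024-05-01T10:00:02Z ACCEPT src=10.0.0.5 dst=192.168.0.1 proto=TCP dport=80
2024-05-01T10:00:02Z DROP src=10.0.0.5 dst=192.168.0.1 proto=TCP dport=110
2024-05-01T10:00:03Z DROP src=10.0.0.5 dst=192.168.0.1 proto=TCP dport=135
2024-05-01T10:00:03Z DROP src=10.0.0.5 dst=192.168.0.1 proto=TCP dport=139
2024-05-01T10:00:04Z ACCEPT src=10.0.0.5 dst=192.168.0.1 proto=TCP dport=443
2024-05-01T10:00:04Z DROP src=10.0.0.5 dst=192.168.0.1 proto=TCP dport=445
2024-05-01T10:00:05Z ACCEPT src=10.0.0.9 dst=192.168.0.1 proto=TCP dport=443
2024-05-01T10:00:06Z ACCEPT src=10.0.0.9 dst=192.168.0.1 proto=TCP dport=443
2024-05-01T10:00:07Z ACCEPT src=10.0.0.9 dst=192.168.0.1 proto=TCP dport=80
2024-05-01T10:05:00Z DROP src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=21
2024-05-01T10:10:00Z ACCEPT src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=22
2024-05-01T10:15:00Z DROP src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=23
2024-05-01T10:20:00Z DROP src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=25
2024-05-01T10:25:00Z DROP src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=53
2024-05-01T10:30:00Z ACCEPT src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=80
2024-05-01T10:35:00Z DROP src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=110
2024-05-01T10:40:00Z DROP src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=135
2024-05-01T10:45:00Z DROP src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=139
2024-05-01T10:50:00Z ACCEPT src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=443
2024-05-01T10:55:00Z DROP src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=445
2024-05-01T11:00:00Z DROP src=10.0.0.7 dst=192.168.0.1 proto=TCP dport=3389
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "action": m["action"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dport": int(m["dport"])}


def detect_scans(lines, threshold: int = 10, window_seconds: int = 60):
    """Flag a source that touches at least `threshold` distinct ports on one
    destination within `window_seconds`. Accepted and dropped attempts both
    count: a scan that hits open ports still produces ACCEPT lines.

    Returns one alert per (src, dst) pair, raised the moment the threshold
    is crossed, with the ports seen in that window."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport) inside the window
    alerted = set()
    alerts = []
    for e in events:
        key = (e["src"], e["dst"])
        q = recent[key]
        q.append((e["ts"], e["dport"]))
        # Slide the window: drop attempts older than window_seconds.
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": e["src"], "dst": e["dst"], "ports": sorted(ports),
                           "window_start": q[0][0], "window_end": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        span = (a["window_end"] - a["window_start"]).total_seconds()
        print(f"port scan from {a['src']} against {a['dst']}: {len(a['ports'])} ports in {span:.0f}s")
```

With the defaults only 10.0.0.5 is flagged. The slow probe from 10.0.0.7 hits twelve ports but never ten inside one minute, so it slips under a fixed window; widening the window to an hour catches it, at the cost of more false positives from busy legitimate clients. That trade-off is why the countermeasure list pairs detection with the more reliable control of leaving only needed ports open.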
Understand Nmap Command Switches
Nmap is a free, open source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection. It can scan a large number of machines in a single session, and it runs on many operating systems, including Unix, Linux, and Windows.
Nmap reports each port in one of the states open, closed, filtered, or unfiltered (and, when it can't decide between two, a combined state such as open|filtered). Open means an application on the target is accepting connections on that port. Closed means the port is reachable (the target answers the probe, typically with a RST) but nothing is listening on it. Filtered means a firewall or other network filter is blocking the probes, so Nmap cannot determine whether the port is open. Unfiltered means the port is reachable but Nmap cannot tell whether it's open or closed; only the ACK scan reports it, because that scan is used to map firewall rules rather than to find listening services.
Nmap supports several types of scans. Table 3.2 details some of the common scan methods.
Nmap has numerous command switches to perform different types of scans. The common command switches are listed in Table 3.3.
To perform an Nmap scan, at a command prompt type nmap followed by the target IP address and any switches for the type of scan you want; the switches may be given before or after the address. For example, to scan the host with the IP address 192.168.0.1 using a TCP connect scan, enter this command:
nmap 192.168.0.1 -sT
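Reading the results of a scan like the one above, as an added example that is not from the book: a parser for Nmap's XML output (what the -oX switch writes) that pulls out each host's address, status, individually listed ports and the extraports summary Nmap uses for the many ports that share one state. The sample document is constructed for the demonstration, modelled on the structure Nmap writes; the host, ports and timestamps in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the structure Nmap writes with -oX
# (scanner and host details are made up; this is not a real scan).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sT -oX - 192.168.0.1" start="1714557600" version="7.94" xmloutputversion="1.05">
<host starttime="1714557600" endtime="1714557612">
<status state="up" reason="syn-ack" reason_ttl="0"/>
<address addr="192.168.0.1" addrtype="ipv4"/>
<hostnames/>
<ports>
<extraports state="closed" count="997"><extrareasons reason="conn-refused" count="997"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="135"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="msrpc" method="table" conf="3"/></port>
</ports>
</host>
<runstats><finished time="1714557612" elapsed="12.30"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Turn an -oX document into a list of hosts, each with its address,
    up/down status, individually listed ports and the 'extraports' summary
    Nmap uses for the (usually large) set of ports sharing one state."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        addr_el = h.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = h.find("address")
        status = h.find("status")
        host = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "status": status.get("state") if status is not None else "unknown",
            "ports": [],
            "extraports": {},
        }
        ports_el = h.find("ports")
        if ports_el is not None:
            for ep in ports_el.findall("extraports"):
                host["extraports"][ep.get("state")] = int(ep.get("count", "0"))
            for p in ports_el.findall("port"):
                state = p.find("state")
                svc = p.find("service")
                host["ports"].append({
                    "portid": int(p.get("portid")),
                    "proto": p.get("protocol"),
                    "state": state.get("state") if state is not None else "unknown",
                    "reason": state.get("reason") if state is not None else None,
                    "service": svc.get("name") if svc is not None else None,
                    # method="table" means a port-number lookup, not a probe;
                    # only a version scan (-sV) upgrades this to "probed".
                    "service_method": svc.get("method") if svc is not None else None,
                })
        hosts.append(host)
    return hosts


def open_ports(hosts) -> dict:
    """Map each host address to its open (port, service) pairs."""
    return {h["addr"]: [(p["portid"], p["service"]) for p in h["ports"] if p["state"] == "open"]
            for h in hosts}


def state_counts(host: dict) -> dict:
    """Count ports per state, including the extraports summary, so the
    open/closed/filtered picture adds up to the full range scanned."""
    counts = dict(host["extraports"])
    for p in host["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


if __name__ == "__main__":
    for host in parse_nmap_xml(SAMPLE_XML):
        print(host["addr"], host["status"], state_counts(host))
        for port, svc in open_ports([host])[host["addr"]]:
            print(f"  {port}/tcp open {svc}")
```

Two things worth checking in every result set are visible here: the reason attribute (syn-ack, conn-refused, no-response) tells you why Nmap assigned a state, which is how you distinguish a host that is simply closed from one behind a filter, and method="table" tells you the service name came from the port number alone, so it is a guess until a version scan confirms it.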
Understand SYN, Stealth, XMAS, NULL, IDLE, and FIN Scans
Make sure you're familiar with the different types of Nmap scans, the syntax to run Nmap, and how to analyze Nmap results.
As a CEH, you need to be familiar with the following scans:
SYN A SYN or stealth scan is also called a half-open scan because it doesn't complete the TCP three-way handshake. The TCP/IP three-way handshake will be covered in the next section. A hacker sends a SYN packet to the target; if a SYN/ACK frame is received back, then it's assumed the target would