Third Party IP Network Scanning Methods
In this third part of a five-part series focused on IP network scanning, you'll learn about third-party scanning methods, UDP port scanning, and more. This article is excerpted from chapter four of
Network Security Assessment, Second Edition, written by Chris McNab (O'Reilly, 2007; ISBN: 0596510306). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.
Third-Party and Spoofed TCP Scanning Methods
Third-party port scanning methods allow for probes to be effectively bounced through vulnerable servers to hide the true source of the network scanning. An additional benefit of using a third-party technique in this way is that insight into firewall configuration can be gained by potentially bouncing scans through trusted hosts that are vulnerable.
FTP bounce scanning
Hosts running outdated FTP services can relay numerous TCP attacks, including port scanning. There is a flaw in the way many FTP servers handle connections using the PORT command (see RFC 959 or technical description) that allows data to be sent to user-specified hosts and ports. In their default configurations, the FTP services running on the following older Unix-based platforms are affected:
- FreeBSD 2.1.7 and earlier
- HP-UX 10.10 and earlier
- Solaris 2.6 and earlier
- SunOS 4.1.4 and earlier
- SCO OpenServer 5.0.4 and earlier
- SCO UnixWare 2.1 and earlier
- IBM AIX 4.3 and earlier
- Caldera Linux 1.2 and earlier
- Red Hat Linux 4.2 and earlier
- Slackware 3.3 and earlier
- Any Linux distribution running WU-FTP 2.4.2-BETA-16 or earlier
The FTP bounce attack can have a far more devastating effect if a writable directory exists because a series of commands or other data can be entered into a file and then relayed via the PORT command to a specified port of a target host. For example, someone can upload a spam email message to a vulnerable FTP server and then send this email message to the SMTP port of a target mail server. Figure 4-9 shows the parties involved in FTP bounce scanning.
Figure 4-9. FTP bounce port scanning
The following occurs when performing an FTP bounce scan:
- The attacker connects to the FTP control port (TCP port 21) of the vulnerable FTP server that she is going to bounce her attack through and enters passive mode, forcing the FTP server to send data to a specific port of a specific host:
QUOTE PASV
227 Entering Passive Mode (64,12,168,246,56,185).
- A PORT command is issued, with an argument passed to the FTP service telling it to attempt a connection to a specific TCP port on the target server; for example, TCP port 23 of 144.51.17.230:
PORT 144,51,17,230,0,23
200 PORT command successful.
- After issuing the PORT command, a LIST command is sent. The FTP server then attempts to create a connection with the target host defined in the PORT command issued previously:
LIST
150 Opening ASCII mode data connection for file list
226 Transfer complete.
If a 226 response is seen, then the port on the target host is open. If, however, a 425 response is seen, the connection has been refused:
LIST
425 Can't build data connection: Connection refused
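The exchange above is exactly what an FTP server (or anyone reviewing its control-channel logs) should be checking for. The following is an added example, not code from the book: it decodes the RFC 959 PORT argument, applies the usual server-side refusal rule (the data connection must go back to the control-connection peer and never to a privileged port), and flags PORT commands that fail it together with the 226 or 425 outcome that followed. The transcript is constructed and assumes a simplified "<client-ip> <dir> <text>" line format.

```python
import re

# Constructed FTP control-channel transcript (not from the book). Each line is
# "<client-ip> <dir> <text>"; ">" is client-to-server, "<" server-to-client.
SAMPLE_TRANSCRIPT = """\
203.0.113.9 > PORT 203,0,113,9,4,1
203.0.113.9 < 200 PORT command successful.
203.0.113.9 > PORT 144,51,17,230,0,23
203.0.113.9 < 200 PORT command successful.
203.0.113.9 > LIST
203.0.113.9 < 150 Opening ASCII mode data connection for file list
203.0.113.9 < 226 Transfer complete.
203.0.113.9 > PORT 144,51,17,230,0,80
203.0.113.9 > LIST
203.0.113.9 < 425 Can't build data connection: Connection refused
"""

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

def decode_port_arg(arg):
    """Decode the RFC 959 PORT argument h1,h2,h3,h4,p1,p2 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def port_violation(peer_ip, target_ip, target_port):
    """Server-side check (RFC 2577): the data connection must go back to the
    control-connection peer and never to a privileged port. Returns the reason
    a PORT argument should be refused, or None when it looks benign."""
    if target_ip != peer_ip:
        return "third-party host"
    if target_port < 1024:
        return "privileged port"
    return None

def find_bounce_attempts(transcript):
    """Report suspicious PORT commands plus the data-connection outcome that
    followed (226 = target port reached, 425 = target refused the connection)."""
    findings, pending = [], None
    for line in transcript.splitlines():
        peer, direction, text = line.split(" ", 2)
        m = PORT_RE.match(text) if direction == ">" else None
        if m:
            ip, port = decode_port_arg(m.group(1))
            reason = port_violation(peer, ip, port)
            pending = {"client": peer, "target": f"{ip}:{port}",
                       "reason": reason} if reason else None
        elif direction == "<" and pending and text[:3] in ("226", "425"):
            findings.append({**pending, "outcome": text[:3]})
            pending = None
    return findings
```

Run against the sample, the first PORT (back to the client itself, port 1025) is accepted while both PORTs aimed at 144.51.17.230 are reported, one with outcome 226 and one with 425.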
Tools that perform FTP bounce port scanning
Nmap supports FTP bounce port scanning with the -P0 and -b flags used in the following manner:
nmap -P0 -b username:password@ftp-server:port <target host>
The -P0 flag must be used to suppress pinging of the target host, as it may not be accessible from your location (e.g., if you are bouncing through a multihomed FTP server). Also, you may not want your source IP address to appear in logs at the target site.
Proxy bounce scanning
Attackers bounce TCP attacks through open proxy servers. Depending on the level of poor configuration, the server will sometimes allow a full-blown TCP port scan to be relayed. Using proxy servers to perform bounce port scanning in this fashion is often time-consuming, so many attackers prefer to abuse open proxy servers more efficiently by bouncing actual attacks through to target networks.
ppscan.c, a publicly available Unix-based tool to bounce port scans, can be found in source form at:
http://examples.oreilly.com/networksa/tools/ppscan.c
http://www.phreak.org/archives/exploits/unix/network-scanners/ppscan.c
Sniffer-based spoofed scanning
An innovative half-open SYN TCP port scanning method was realized when jsbach published his Unix-based scanner, spoofscan, in 1998. The spoofscan tool is run as root on a given host to perform a stealthy port scan. The key feature that makes this scanner so innovative is that it places the host network card into promiscuous mode and then sniffs for responses on the local network segment.
The following unique benefits are immediately realized when using a sniffer-based spoofing port scanner:
- If you have administrator access to a machine on the same physical network segment as the target host or a firewall protecting a target host, you can spoof TCP probes from other IP addresses to identify trusted hosts and to gain insight into the firewall policy (by spoofing scans from trusted office hosts, for example). Accurate results will be retrieved because of the background sniffing process, which monitors the local network segment for responses to your spoofed probes.
- If you have access to a large shared network segment, you can spoof scans from hosts you don’t have access to or that don’t exist (such as unused IP addresses within your local network segment), to effectively port scan remote networks in a distributed and stealthy fashion.
The beauty of this method is that the attacker is abusing his access to the local network segment. Such techniques can even be carried out to good effect in switched network environments using ARP redirect spoofing and other techniques. spoofscan is available at http://examples.oreilly.com/networksa/tools/spoofscan.c.