Ch. 2

This document discusses system vulnerability scanning. It begins by explaining TCP connections and common TCP port numbers. It then discusses vulnerability scanning in more detail, including how scanners use predefined tests to identify vulnerabilities and the steps involved in a vulnerability scan. Several tools for vulnerability scanning and network reconnaissance are also introduced, including Nmap, OpenVAS, Metasploit, Netcat, and Socat. Their various uses and functions are overviewed.

Cyber Security (203105346)
Kapil Sharma, Assistant Professor
Computer Science and Engineering

Chapter-2
System Vulnerability Scanning

Figure 2.1: System Vulnerability
TCP Connections / Sockets
“In computer networking, an Internet socket or network socket is an endpoint of a bidirectional inter-process communication flow across an Internet Protocol-based computer network, such as the Internet.”

Figure 2.2: TCP Connection (Process ↔ Internet ↔ Process)
TCP Port Numbers
• A port is an application-specific or process-specific software communications endpoint: the IP address identifies the host, the port number identifies the process on that host.
• It allows multiple networked applications to coexist on the same server, each listening on its own port.
• There is a list of well-known TCP port numbers (0-1023), maintained by IANA; 1024-49151 are registered ports and the remainder are dynamic (ephemeral) ports that clients pick for the source side of a connection.
  http://en.wikipedia.org/wiki/TCP_and_UDP_port
Figure 2.3: TCP Connection
Table 2.1: Common TCP Ports
System Vulnerability Scanning
• Overview of vulnerability scanning
• Network vulnerability scanning
• Network reconnaissance
• Network sniffers and injection tools
Need for Vulnerability Management
• Vulnerabilities on a network are gold to cyber criminals:
  – They provide unauthorized entry into networks
  – They can expose confidential information, fuel identity theft, violate privacy laws, or paralyze operations
  – Exposure is extreme for networks with vulnerable devices connected by IP
• Despite the use of basic defenses, network security breaches abound
• Automation is crucial: a manual detection and remediation workflow is too slow, too expensive and ineffective
Overview of Vulnerability Scanning
• Scanners use predefined tests to identify vulnerabilities; each result can be wrong in one of two ways:
  – False negative: a vulnerability exists on the system but the scanner does not report it as vulnerable
  – False positive: no vulnerability exists on the system but the scanner reports it as vulnerable
• False positives waste remediation effort; false negatives give false assurance. A scanner's finding should be confirmed by a manual check or by actually exercising the flaw (which is what Metasploit, later in this chapter, does).
Vulnerability Scanning cont….
• A vulnerability scan progresses through a series of steps:
  – Network scan → identify “live” hosts that respond to traffic
  – Network probes → determine each host's operating system
  – Then enumerate the services available on the host
  – Then identify details about each service (product, version, configuration)
Behind the scenes…
• A single TCP connection is established with the TCP three-way handshake.
• The client sends a SYN to a TCP port that has a service bound to it (a listening port).
• Typical examples are HTTP (port 80), SMTP (port 25), POP3 (port 110) or SSH (port 22).
• The server side sees the SYN and responds with SYN/ACK, and the client answers the SYN/ACK with an ACK.
• This completes the set-up, and data of the service protocol can now be exchanged.
• If no service is bound to the port, the server instead answers the SYN with a RST; that RST is how a scanner tells a “closed” port from an “open” one.
Figure 2.4: Vulnerability Scanning
Filtered ports, or when the firewall drops a packet
• The job of a firewall is to protect a system from unwanted packets that could harm the system.
• Suppose the port scan is conducted against port 81 and there is no service running on that port: best practice is still to use a firewall to block access to it.
• A “filtered” result from Nmap indicates that the port has not responded at all: the SYN packet has simply been dropped by the firewall (no SYN/ACK and no RST come back). Nmap also reports filtered when an ICMP unreachable error arrives instead of a TCP reply.
• Because nothing comes back, a filtered port cannot be distinguished from an open one by the handshake alone; Nmap only concludes “filtered” after its retransmissions time out, which is why scanning firewalled hosts is slow.
Figure 2.5: Filtered Firewall
An Open Port (service) is found
• Open ports are usually what you are looking for when kicking off Nmap scans.
• The open service could be a publicly accessible service that is, by its nature, supposed to be reachable.
• It could also be a back-end service that does not need to be publicly accessible and therefore should be blocked by a firewall; an open port in that category is a finding in itself, before any vulnerability in the service is considered.
Figure 2.6 Example of
Open Port/Service Identification
• Some services are inherently insecure
  – Telnet (port 23) is notorious for its lack of encryption, which exposes passwords in clear text to anyone on the path
• Services do not always run on default ports; hence the scanner must rely on banners and “nudges” (protocol-specific probe messages) to elicit a response from a listening port, rather than trusting the port number alone
• Nmap scans a chosen port number with nmap -p <port> <host>
Banner/Version Check
• Some services announce information about themselves (a banner) without being prompted by any data from a client; SSH, SMTP and FTP servers all send a greeting as soon as the connection is established
• If you possess an exploit for the exact version of SSH named in the banner and know the target operating system, then you are a few steps away from compromising the host
• nmap -O <hostname> fingerprints the operating system; nmap -sV <hostname> probes each open port for the service's product and version
• Caveat: banners can be edited or suppressed by an administrator, so a version string is evidence, not proof, of a vulnerability (compare the false-positive discussion above)
Traffic Probe
• Invalid messages produce verbose errors from a service, whereas valid messages produce uninformative ones; either way the response leaks implementation details
• Example: a HEAD request sent with Netcat makes Apache reveal its version and loaded modules in the Server header

  $ echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc -v localhost 80
  Connection to localhost 80 port [tcp/http] succeeded!
  HTTP/1.1 200 OK
  Date: Mon, 12 Nov 2012 21:15:58 GMT
  Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/1.0.1c DAV/2 PHP/5.3.14
  Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
  ETag: "eb879f-2c-3e9564c23b600"
  Accept-Ranges: bytes
  Content-Length: 44
  Connection: close
  Content-Type: text/html; charset=utf-8

• The Server header alone names the web server, mod_ssl, OpenSSL, WebDAV and PHP versions; a scanner matches each of these against its vulnerability database
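The scan states from the handshake slides (open = SYN/ACK, closed = RST, filtered = no reply) and the banner-versus-nudge distinction from the identification slides, as an added Python example that is not part of these slides. It stands up two constructed loopback services, a talkative one that sends an SSH-style banner on connect and a quiet HTTP-style one that only answers a request, then connect-scans them and grabs banners. The service names, version strings and port choices are all assumptions made for the demo.

```python
"""Connect-scan two constructed loopback services, then grab their banners.
Added example for these slides, not code from them: the fake SSH and HTTP
services and their version strings are made up so the script runs offline."""
import socket
import socketserver
import threading


class FakeSSH(socketserver.BaseRequestHandler):
    """Talkative service: announces its version before the client says anything."""
    def handle(self):
        try:
            self.request.sendall(b"SSH-2.0-OpenSSH_7.4\r\n")   # constructed banner
        except OSError:
            pass


class FakeHTTP(socketserver.BaseRequestHandler):
    """Quiet service: says nothing until the client sends a request (a 'nudge')."""
    def handle(self):
        self.request.settimeout(2)
        try:
            req = self.request.recv(1024)
            if req.startswith((b"HEAD ", b"GET ")):
                self.request.sendall(b"HTTP/1.1 200 OK\r\n"
                                     b"Server: Apache/2.2.11 (Unix) PHP/5.3.14\r\n"  # constructed
                                     b"Content-Length: 0\r\nConnection: close\r\n\r\n")
            elif req:
                self.request.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        except OSError:
            pass


def start_service(handler_cls):
    """Serve handler_cls on an ephemeral loopback port in the background; return the port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler_cls)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def scan_port(host, port, timeout=1.0):
    """Full-connect scan of one port: 'open', 'closed' or 'filtered'.
    Refused means the host answered the SYN with a RST (closed).  A timeout means
    the SYN got no answer at all, which is what Nmap reports as filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:               # timeout, or ICMP unreachable: no handshake either way
        return "filtered"
    finally:
        s.close()


def grab_banner(host, port, nudge=b"", timeout=1.0):
    """Connect, optionally send a nudge, and return whatever the service says."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if nudge:
            s.sendall(nudge)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""            # silent service: it needs a protocol-specific nudge


def server_header(response):
    """Return the value of the HTTP Server header, or None if there is none."""
    for line in response.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode()
    return None


def unused_port():
    """Find a loopback port nothing listens on, so scanning it shows 'closed'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    ssh, http = start_service(FakeSSH), start_service(FakeHTTP)
    for p in (ssh, http, unused_port()):
        print(p, scan_port("127.0.0.1", p))
    print(grab_banner("127.0.0.1", ssh))                # announces itself unprompted
    print(grab_banner("127.0.0.1", http))               # b'' until nudged
    print(server_header(grab_banner("127.0.0.1", http, b"HEAD / HTTP/1.0\r\n\r\n")))
```

A connect() scan completes the full handshake, so it shows up in the target's application logs; Nmap's default SYN scan stops after the SYN/ACK and needs raw-socket privileges. The filtered branch cannot be exercised on loopback (the kernel always answers), which is exactly the point: only silence, after the timeout, distinguishes it.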
Vulnerability Probe
• Some security bugs can't be identified without sending a payload that exploits (or at least triggers) the suspected vulnerability
• Such probes rely on direct observation of the target's behaviour, as opposed to inferring problems from port numbers or service banners
• An example of a vulnerability probe is an HTML injection test: submit a harmless tag in a parameter and check whether it is reflected into the page unescaped
Vulnerability Examples
• SquirrelMail vulnerability
  http://web.site/mail/src/redirect.php?plugins[]=../../../../../../etc/passwd%00
  – The URL's plugins[] parameter → PHP global variable
  – The variable is interpreted as an array because of the square brackets
  – The array element containing the /etc/passwd reference is passed to a function
  – That function uses the variable to name a file on the operating system (the file to include)
Vulnerability Examples Cont..
  – The %00 is the URL encoding of a NULL character
  – In PHP a NULL may be part of a string, but it serves as a string terminator in the C library function that underlies PHP's include_once directive, so anything the script appends after the attacker's value (such as a “.php” suffix) is cut off and the bare /etc/passwd path is opened
  – This exploit took advantage of a lack of input validation and a mismatch in string handling between programming languages
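The redirect.php walk-through above, reproduced as an added Python example (not SquirrelMail's PHP): a resolver that concatenates the plugin name and hands the result to a NUL-terminating filesystem call, beside a hardened resolver that allow-lists the name and checks that the resolved path stays under the plugin directory. PLUGIN_DIR, the setup.php suffix and both function names are assumptions of this example.

```python
"""The SquirrelMail plugins[] path: how a NUL byte turned a plugin name into
/etc/passwd, and what a hardened resolver does instead.  Added example written
in Python (the original bug was PHP); PLUGIN_DIR and both resolver functions
are this example's own, not SquirrelMail code."""
import os
import re
from urllib.parse import parse_qs

PLUGIN_DIR = "/var/www/mail/plugins"     # assumed install location, example only


def plugin_names(query):
    """parse_qs yields a list for plugins[], just as PHP builds an array from the []."""
    return parse_qs(query).get("plugins[]", [])


def vulnerable_resolve(name, plugin_dir=PLUGIN_DIR):
    """Mimic the bug: concatenate, then hand the string to a C-style call that
    stops at the first NUL.  Whatever was appended after the name is lost."""
    path = plugin_dir + "/" + name + "/setup.php"
    as_seen_by_libc = path.split("\x00", 1)[0]    # the filesystem never sees '/setup.php'
    return os.path.normpath(as_seen_by_libc)


class BadPluginName(ValueError):
    """Raised when a plugin name fails validation."""


def hardened_resolve(name, plugin_dir=PLUGIN_DIR):
    """Allow-list the name, refuse NULs and separators, and verify the resolved
    path is still inside plugin_dir (two independent checks, defence in depth)."""
    if "\x00" in name:
        raise BadPluginName("NUL byte in plugin name")
    if not re.fullmatch(r"[A-Za-z0-9_]{1,64}", name):
        raise BadPluginName("plugin name outside allow-list: %r" % name)
    base = os.path.realpath(plugin_dir)
    path = os.path.realpath(os.path.join(base, name, "setup.php"))
    if os.path.commonpath([base, path]) != base:
        raise BadPluginName("resolved path escapes %s" % base)
    return path


if __name__ == "__main__":
    evil = plugin_names("plugins[]=../../../../../../etc/passwd%00")[0]
    print(repr(evil))
    print(vulnerable_resolve(evil))                   # /etc/passwd
    print(vulnerable_resolve(evil.rstrip("\x00")))    # without the NUL: /etc/passwd/setup.php
    try:
        hardened_resolve(evil)
    except BadPluginName as e:
        print("rejected:", e)
    print(hardened_resolve("squirrelspell"))
```

Without the NUL the traversal still escapes the directory but lands on /etc/passwd/setup.php, which does not exist; the terminator is what made the appended suffix disappear. The hardened version does not rely on spotting the NUL alone: even a name that slips past that check must match the allow-list and must resolve under the base directory.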
OpenVAS
The Open Vulnerability Assessment System (OpenVAS)
• Collects and manages security information for networks, devices, and systems
• Sweeps through a network to identify known network misconfigurations and known vulnerabilities associated with common services and software
• Vulnerability detections are defined in scripts called Network Vulnerability Tests (NVTs)
Metasploit
Vulnerability scanners rely on:
  – service banners
  – version numbers
  – network responses
to guess whether a particular application or service has a vulnerability that has been publicly reported.
Metasploit Cont..
• Metasploit (www.metasploit.com) expands on the detection phase by
  – actively exploiting a vulnerability to verify its existence, turning the scanner's guess into a confirmed finding and weeding out false positives
  – composing a larger framework that abstracts the hacking process into a sequence of menu options: choose the exploit module, the payload and the target, then run it
• It's basically a hacking group at your beck and call
Network Vulnerability Scanning
• Two systems communicate with each other over a network by establishing a socket
• Each endpoint, usually a client (which initiates a request) and a server (which receives the request), binds a local port to use for the connection
• The port number does not have to be unique per connection: a server answers many clients on the same listening port, and each connection is distinguished by the full tuple of source IP, source port, destination IP and destination port
Network Vulnerability Scanning Cont..
• In network programming, the core functions used to communicate between hosts are
  – bind: attach a socket to a local address and port
  – listen: mark the socket as willing to accept incoming connections (server side)
  – connect: start the three-way handshake to a remote address and port (client side)
  – accept: take one completed connection off the listen queue (server side)
  – send (and recv): exchange data over the established connection
Netcat
• Netcat performs a narrow function with a broad application to hacking and network debugging
• It reads and writes data over TCP and UDP connections
• Netcat enables you to redirect shell commands across a network
• It's the cat command for networking
Netcat's Uses
• Obtain Remote Access to a Shell
• Perform Basic Port Scanning
• Identify Yourself: Services Spilling Their Guts (banner grabbing)
• Communicate with UDP Services
• Frame a Friend: IP Spoofing
• Hijack a Service
• Create Proxies and Relays
• Get Around Port Filters
• Build a Datapipe: Your Own File Transfer……
socat
• socat is a Netcat clone with extensive configuration options
• It supports several protocols and transports, from OpenSSL to proxies to IPv4 and IPv6
• The biggest difference from other clones is socat's departure from familiar command-line options
• Instead of the alphabet soup of Netcat's flags, socat uses word-based address directives on the command line, for example TCP4-LISTEN:8080,fork on one side and TCP4:10.0.0.5:80 on the other (addresses here are illustrative)
Understanding Port and Services tools
• For a packet to reach its destination, it must have an IP address (a host on the network) and a port (a “socket” on that host)
• Example
  – E-mail and the Web have predefined destination port numbers
  – E-mail uses port 25 (SMTP)
  – The Web uses 80 (HTTP) and 443 (HTTPS)
Cont..
• A port redirection tool works by:
  – Receiving data on one IP/port combination
  – Forwarding the data to another IP/port combination
• It works as an intermediary between the original client and the eventual destination
Data pipe
• A port redirection tool passes TCP/IP traffic received by the tool on one port to another port to which the tool points
• Aside from handling IP addresses and port numbers, port redirection is protocol ignorant: the tool does not care whether you pass encrypted SSH traffic or plain-text e-mail through it
Data Pipe Cont…..
• A port redirection tool functions as a conduit for TCP/IP connections
• For example,
  – Place a data pipe on a system between a browser and a web server
  – If you pointed the browser to the listening port of the system with the redirection tool, the browser would see the contents of the web server without having to directly access the web server's IP address
• datapipe is a Unix-based port redirection tool
FPipe
• FPipe is a source-port forwarder/redirector for Windows
• It can create a TCP or UDP stream with a source port of your choice
• This is useful for getting past firewalls that allow traffic with a particular source port (say 23, or 53 and 20 in practice) to connect to internal servers; only a stateless filter that trusts source ports falls for this, and any such rule is itself a misconfiguration worth reporting
WinRelay
• WinRelay is another Windows-based port redirection tool
• It and FPipe share the same features, including the ability to define a static source port for redirected traffic
• Consequently, it can be used interchangeably with FPipe on any Windows platform
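The datapipe, FPipe and WinRelay descriptions above, as one added Python example that is not the source of any of those tools: a listener that accepts on one port and relays every byte in both directions to a target, with an optional fixed source port on the outbound leg (the FPipe/WinRelay feature). It also exercises bind, listen, accept, connect and send from the Network Vulnerability Scanning slides. The echo server is a constructed stand-in for the eventual destination, and all addresses are demo values.

```python
"""A minimal TCP port redirector (data pipe), with the FPipe-style option of a
fixed source port on the outbound leg.  Added example, not the source of
datapipe, FPipe or WinRelay; the echo server is a constructed stand-in for the
'eventual destination' and every address here is for the demo only."""
import socket
import threading


def pump(src, dst):
    """Copy bytes one way until EOF, then close the other side's write direction
    so the EOF propagates.  No parsing at all: the pipe is protocol-ignorant."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client, target, source_port=0):
    """Open the outbound leg to target and splice the two connections.
    source_port=0 lets the kernel choose; a fixed value (e.g. 53 or 20, which
    needs root) is the trick FPipe/WinRelay use against filters that trust it."""
    upstream = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if source_port:
        upstream.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        upstream.bind(("", source_port))
    upstream.connect(target)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)       # client -> target in this thread
    back.join()                  # target -> client in the other
    client.close()
    upstream.close()


def serve(host, port, handler):
    """bind/listen on (host, port), port 0 meaning any free port, then accept in a
    background thread and hand each connection plus peer address to handler."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((host, port))
    lsock.listen(5)

    def accept_loop():
        while True:
            conn, addr = lsock.accept()
            threading.Thread(target=handler, args=(conn, addr), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def start_datapipe(listen_port, target, source_port=0):
    """Datapipe: every connection to listen_port is relayed to target."""
    return serve("127.0.0.1", listen_port,
                 lambda conn, addr: relay(conn, target, source_port))


def start_echo_server():
    """Constructed destination: reads to EOF, then replies with the peer's source
    port and the data, so the fixed-source-port effect can be observed."""
    def handle(conn, addr):
        with conn:
            data = b""
            while chunk := conn.recv(65536):
                data += chunk
            conn.sendall(b"from_port=%d;" % addr[1] + data)
    return serve("127.0.0.1", 0, handle)


def send_through(pipe_port, payload, timeout=5):
    """Client side: send payload into the pipe, half-close, collect the reply."""
    with socket.create_connection(("127.0.0.1", pipe_port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := s.recv(65536):
            out += chunk
        return out


def free_port():
    """Pick an unused loopback port to use as the fixed source port in the demo."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    dest = start_echo_server()
    src = free_port()
    pipe = start_datapipe(0, ("127.0.0.1", dest), source_port=src)
    print(send_through(pipe, b"GET / HTTP/1.0\r\n\r\n"))   # b'from_port=<src>;GET / ...'
```

The destination only ever sees the redirector's address and the chosen source port, which is the whole point of the browser-to-web-server example: the client never touches the server's IP. Binding a privileged source port such as 20 or 53 requires root or Administrator, and a stateful firewall that tracks the handshake direction is not fooled by it.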