When performing a penetration test it is imperative that all hosts on the target network are identified. Typically all that is provided to the tester is the IP range, and sometimes not even that is provided. With just a network range you must identify all live hosts in that range.
In the past, ping sweeps were reliable enough that a pen tester could be comfortable with their results. Today this is not the case, as many organizations block ALL unsolicited ICMP traffic at their border, so other methods must be used to identify live hosts on the network. Not only are organizations blocking ICMP, they are also using tools such as firewalls, IPS/IDS and possibly even a Security Information and Event Manager (SIEM) to identify this type of activity.
Since a plain ping sweep can’t be relied on, other methods must be used to identify live hosts. To accomplish this I typically use the tool nmap to perform a TCP SYN scan.
To understand how this scan works you must first understand how TCP connections are established on open ports, what happens if the port is closed, and finally what happens if the target host is not online. When two hosts want to communicate over TCP, a TCP connection called a TCP session must be established. To establish the connection the TCP three-way handshake must be completed.
The first step is for the host initiating the connection (Host A) to send a TCP packet with the SYN flag set to a specific port, for example 80, on the target host (Host B) it is attempting to establish the connection with, as seen in this lovely ASCII art.
Host A ------SYN------> Host B
Since Host B is listening on port 80, Host B sends a TCP packet with both the SYN and ACK flags set back to Host A, as seen here.
Host A <----SYN/ACK---- Host B
Host A, after receiving the packet from Host B, sends a TCP packet with the ACK flag set to Host B to acknowledge that it received the second packet. The connection is now established and data can be transferred, as seen here.
Host A ------ACK------> Host B
Now that there is an understanding of how a TCP session is established, let’s examine what happens if Host B is not listening on port 80.
The first step is the same, with Host A initiating a connection to port 80 on Host B with the SYN flag set.
Host A ------SYN------> Host B
Since Host B is not listening on port 80, Host B will reply with a TCP packet with the RST flag set.
Host A <------RST------ Host B
Although Host B is not listening on that port, a response from Host B is still sent to Host A, indicating that it is online.
Finally, let’s look at attempting to establish a TCP connection to a host that is not online.
Again the first step is the same, with Host A initiating a connection to port 80 on Host B with the SYN flag set and a timeout of 1 second.
Host A ------SYN------> Host B
Since Host B is offline there is no response, so Host A will send another packet, this time waiting 2 seconds for Host B to respond. After not hearing from Host B a second time it will send a third packet, waiting 4 seconds for Host B to respond. After the third packet Host A will assume Host B is unavailable and quit trying to reach it.
Understanding how TCP sessions are established is useful for identifying live hosts on the network. With this knowledge it is time to start discovering live hosts.
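The three outcomes described above (SYN/ACK for an open port, RST for a closed port, silence for an offline host) and the 1, 2, 4 second back-off can be reproduced with ordinary sockets. The following is an added example, not code from the original post; it uses a full TCP connect rather than nmap's half-open SYN scan (the socket API cannot send a bare SYN without raw sockets), and it demonstrates the open and closed cases against a throwaway listener on loopback. The function names probe_tcp, host_is_online, discover and start_listener are the example's own.

```python
import socket

# Outcome of one TCP probe, mapped to what the handshake tells us about the host:
#   "open"        -> SYN/ACK came back and the handshake completed: host online, port open
#   "closed"      -> RST came back: host online, port closed
#   "no-response" -> nothing came back after all retries: host offline or traffic filtered


def probe_tcp(host, port, timeout=1.0, retries=3):
    """Probe one TCP port with a full connect, retrying with a doubling timeout
    (1s, 2s, 4s by default) the way a host backs off on unanswered SYNs."""
    wait = timeout
    for _ in range(retries):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(wait)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            # The RST is itself proof the host is up, even though the port is closed.
            return "closed"
        except OSError:
            # Timeout (no SYN/ACK or RST) or a routing error: wait longer, then try again.
            wait *= 2
        finally:
            sock.close()
    return "no-response"


def host_is_online(states):
    """A host is considered online if any probed port answered at all."""
    return any(s in ("open", "closed") for s in states)


def discover(host, ports, timeout=1.0, retries=3):
    """Probe several ports and report per-port states plus the host verdict."""
    states = {p: probe_tcp(host, p, timeout, retries) for p in ports}
    return states, host_is_online(states.values())


def start_listener():
    """Open a throwaway listening socket on loopback so the 'open' case can be
    demonstrated without a remote host; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    print("listening port:", probe_tcp("127.0.0.1", port, timeout=0.5))
    srv.close()
    # Same port, now nothing is bound to it: the kernel answers with RST.
    print("closed port:   ", probe_tcp("127.0.0.1", port, timeout=0.5))
    print("unroutable:    ", probe_tcp("192.0.2.1", 80, timeout=0.5, retries=2))
```

The last probe targets 192.0.2.1, a documentation address that nothing should answer, so it shows the no-response path; how long it takes depends on whether the local network returns an error immediately or simply drops the packets.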
The objective of this scan is host discovery, with a secondary objective of being stealthy to avoid detection. To meet these objectives nmap’s TCP SYN or “half open” scan will be used.
Nmap’s SYN scan sends a TCP packet with the SYN flag set to the target. If the target host is online it will reply with the appropriate response depending on the state of the port (SYN/ACK for open ports, or RST for closed ports). If the target host sends a TCP packet with the SYN/ACK flags set, the scanning host does not complete the handshake, resulting in a half-open connection. If the target host is offline there should be no response.
To perform the SYN scan, use nmap with the following command-line options:
nmap -Pn -n -sS -T 1 -p 21-23,25,80,110,143,443,3389 TARGET -oA OUTPUTFILES
The first option (-Pn) treats all hosts as online, skipping the host discovery phase. Nmap’s default host discovery sends an ICMP echo request, an ICMP timestamp request, a TCP SYN packet to port 443, and a TCP ACK packet to port 80. This type of discovery is good if there are no packet filtering devices between the scanner and the target, but it typically will not be successful over the Internet.
The second option (-n) turns off name resolution. Other tools, such as nslookup and dig, can be used for DNS enumeration. Turning off name resolution has the additional benefit of speeding up the scan, especially when scanning large networks.
The third option (-sS) is the SYN scan option.
The fourth option (-T 1) sets the speed of the scan. The speed range is 1 through 5, with 1 being the slowest and 5 the fastest. This option can be used to assist in evading detection during a scan. Since an objective is to scan undetected, slow scans are preferred, but they are not always an option.
The fifth option (-p) selects the ports to scan.
The TARGET is of course the target of the scan. For nmap this can be a single host, a subnet, a range of hosts (such as 10.0.0.1-10.0.0.23) or a combination of any or all of them (such as 10.0.0.1,10.10.10.0/25,10.10.20.4-56).
The last option (-oA) outputs the scan results in normal, XML, and grepable formats. Following that flag is the base name of the output files. The normal (-oN) output is great if you want to look through all of the results. The grepable (-oG) output is for using grep and other shell commands to search through the output. The XML (-oX) output produces the results formatted in XML.
For demonstration purposes the target network to be scanned is 192.168.1.0/24. To simulate a typical Internet connected target network this network is protected by a firewall. To begin host discovery, type this command:
nmap -Pn -n -sS -T 1 -p 21-23,25,80,110,143,443,3389 192.168.1.0/24 -oA hostdiscovery
Once the scan completes, the following information will appear.
Nmap done: 256 IP addresses (10 hosts up) scanned in 7807.86 seconds
From these results we see 10 hosts are up. The benefit is that there is a good chance, though no guarantee, that most online hosts are detected. Now more extensive scans can be performed against known live targets.
Another thing to note is that it took over two hours to complete the scan, even though the scan host and the target network are connected to the same switch. This could have been performed more quickly using the timing option, but the likelihood of detection would have been higher.
Also, looking in the directory there will be three files containing the output of the scan, named hostdiscovery.gnmap (-oG), hostdiscovery.nmap (-oN) and hostdiscovery.xml (-oX). These files will be used to determine which hosts are online.
With the discovery scan complete, the results have to be interpreted. The interpretation of the results is critical to determine which online hosts should receive more intensive port scans. Next time I will discuss how to interpret the scan results.
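The grepable file is the easiest of the three to process. Because -Pn skips discovery, every host in it is marked "Status: Up", so that field alone is not evidence; what shows a host actually answered is a port reported open or closed (a SYN/ACK or RST came back), while filtered means nothing came back. The following is an added example, not code from the original post: it parses constructed -oG lines in the format nmap writes (port/state/protocol fields, plus the "Ignored State" count nmap uses to collapse the most common state) and lists the hosts that responded. The sample lines, and the names parse_gnmap, live_hosts and live_hosts_from_file, are the example's own.

```python
import re

# States that can only be reported if the host sent something back (SYN/ACK or RST).
RESPONDED = {"open", "closed", "unfiltered"}

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")          # port/state/protocol/ in the Ports: field
IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")

# Constructed sample of grepable (-oG) output; not a real capture from the post.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -Pn -n -sS -T 1 "
    "-p 21-23,25,80,110,143,443,3389 192.168.1.0/24 -oA hostdiscovery",
    "Host: 192.168.1.1 ()\tStatus: Up",
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/closed/tcp//https///\tIgnored State: filtered (6)",
    "Host: 192.168.1.7 ()\tStatus: Up",
    "Host: 192.168.1.7 ()\tPorts: \tIgnored State: filtered (9)",
    "Host: 192.168.1.10 ()\tStatus: Up",
    "Host: 192.168.1.10 ()\tPorts: 21/closed/tcp//ftp///, 23/closed/tcp//telnet///"
    "\tIgnored State: filtered (7)",
])


def parse_gnmap(text):
    """Return {ip: {"open": [...], "closed": [...], "filtered": n, "responded": bool}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        rec = hosts.setdefault(ip, {"open": [], "closed": [], "filtered": 0, "responded": False})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, _proto in PORT_RE.findall(field):
                    if state == "open":
                        rec["open"].append(int(port))
                    elif state == "closed":
                        rec["closed"].append(int(port))
                    elif state == "filtered":
                        rec["filtered"] += 1
                    if state in RESPONDED:
                        rec["responded"] = True
            elif field.startswith("Ignored State:"):
                # nmap collapses the most common state into a count; a collapsed
                # "closed" count is still evidence that the host answered.
                m = IGNORED_RE.search(field)
                if m:
                    state, count = m.group(1), int(m.group(2))
                    if state == "filtered":
                        rec["filtered"] += count
                    elif count and state in RESPONDED:
                        rec["responded"] = True
    return hosts


def live_hosts(text):
    """IPs that answered at least one probe, in numeric address order."""
    hosts = parse_gnmap(text)
    return sorted((ip for ip, rec in hosts.items() if rec["responded"]),
                  key=lambda ip: tuple(int(o) for o in ip.split(".")))


def live_hosts_from_file(path):
    """Convenience wrapper for a real file such as hostdiscovery.gnmap."""
    with open(path, encoding="utf-8") as fh:
        return live_hosts(fh.read())


if __name__ == "__main__":
    for ip, rec in parse_gnmap(SAMPLE_GNMAP).items():
        verdict = "responded" if rec["responded"] else "no response (all filtered)"
        print(f"{ip:<14} open={rec['open']} closed={rec['closed']} "
              f"filtered={rec['filtered']} -> {verdict}")
    print("live hosts:", live_hosts(SAMPLE_GNMAP))
```

A host like 192.168.1.7 in the sample, where every probed port is filtered, is not proof the host is down; it only means no packet came back through the firewall, which is why the post's caveat that detection is likely but not guaranteed matters.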