Sunday, 9 February 2020

Port scanning guide #2 TCP Techniques

In most cases, you will probably use SYN scan, however there are circumstances where other types of scanning may be needed. Unfortunately, modern firewalls detect different port scanning techniques. And there comes well known tool called nmap, which supports few of them which will help you to bypass firewalls. When full scan is chosen, there will be 65 536 ports checked.

TCP SYN 


As mentioned, this is the most common (and default for nmap) of TCP port scans. Firstly, it needs root privileges to run it, because raw sockets are used to send packet with SYN flag. If SYN/ACK is received, the port is open. If RST/ACK - closed. In case of no response, we can set how many times scanner should resend request (--max-retries in nmap). If still does not receives a response - it will be marked as filtered.

Hence SYN scan never establishes a TCP connection, it is relatively stealthy.

TCP ACK


This type of scan is used to check if firewall is tracking the state of existing TCP connections. A TCP ACK scan sends a packet with the ACK flag set. When request is received by the server, it will probably assume that the second party is attempting to continue three way handshake, so it will send back a packet with RST flag.

If firewall do not track opened connections, it will allow to send back RST response, hence we can assume that port is unfiltered.

If it tracks TCP connections - there will be no matches in internal TCP sessions - it will drop the packet or send response via ICMP with type 3 (code may vary depending on OS).

Lastly, when firewall is configured in a proper way, we will do not receive any response, because all of the ACK requests will be dropped.

TCP Connect


A TCP connect scan establishes TCP connection using connect() function and then tears it down. It is used as default when user has no root privileges or IPv6 network is being scanned. Disadvantage of this type of scan is probing may be logged in server and therefore easily detected. Hence it needs more requests to complete, it is also more time-consuming process. Furthermore, it can lead to overload and sometimes produce DoS situations.

NULL  |  FIN  |  Xmas


NULL scan has no flags set.
FIN scan has FIN flag.
Xmas scan has FIN, PSH and URG flags - packet lighted like a christmas tree.

All of those are almost the same - the only difference is in flags set. If in response we will receive RST packet - port is considered closed. No response means open|filtered. If there is ICMP message - filtered.

Main advantage of above three scans are low detectability - just a little bigger than in SYN scan. The biggest disadvantage - not every system is compatible with RFC793, so responses may be independent from actual port state.

Maimon


Very similar to above three - it uses FIN/ACK packet. In all cases RST flag should be received, but OS based on BSD will respond only when a port is closed.

TCP window


This is slightly modified version of the ACK scan. It uses TCP Window field to determine whether port is open. This field is a part of TCP's flow control, it helps to manage data transmission volumes. Some OSes positive TCP Window size will indicate that port is open (even though a RST packet is being sent). Conversely - when a TCP Window size is 0 - means that port is closed.

This type of scan is not very common and it's quite unreliable - it needs deep understanding what is going on to draw some conclusions.





Saturday, 8 February 2020

Port scanning guide #1: TCP three way handshake

In this series I am going to delve in some theory of port scanning, which is essential of service identification within a TCP\IP network. The most popular tool used to do this inspection is nmap, however it is not the only one used to do it (Unicornscan and ZMap are the others). In cyber security it is very important to understand fundamentals, which obviously is port scanning. The two most often used types of scanning are TCP SYN and UDP. First, I will describe how TCP connection is formed.

SYN  |  SYN/ACK  |  ACK


Above term is used to describe how a TCP connection is established. Imagine situation - there is Mike and Kate. Mike wants to send a message to Kate via TCP on port 80. First thing that Mike has to do, is to check if Kate is accessible. He will open TCP connection to check this.


Mike - sends a TCP SYN to Kate on port 80   >>>     Kate
Kate - responds with a TCP SYN/ACK          >>>     Mike
Mike - sends a TCP/ACK                      >>>     Kate
Connection is established


Let's examine those steps:

  1. Mike sends a SYN request to Kate.
  2. Kate receives the request and if there is a listening process on port 80, she will respond with a TCP packet with the SYN/ACK flags set.
  3. Mike receives TCP SYN/ACK, checks the acknowledgement number (more about it here) and then can send the last part of handshake - TCP/ACK. At this point, both parties are successfully connected and can share data on via TCP socket.

Closed port


If there is a situation, when no service is running on Kate server in port 80, she will send response with TCP RST/ACK flags. After this request connection is terminated.

Mike - sends a TCP SYN to Kate on port 80   >>>     Kate
--- port is closed ---
Kate - responds with a TCP RST/ACK          >>>     Mike
Connection is terminated

Other responses


When scanning a network you have to bear in mind that not every one will go as you would like. On the server which is being scanned can run firewall which will drop your SYN requests, hence it will never reach a destination. Rarely, you can encounter situation when request reaches a server, but response is firewalled and dropped.

Friday, 7 February 2020

Stopping a process

Sometimes we want to suspend a process execution. While for those which are running in terminal, we can use CTRL + Z shortcut, what about processes that run in the background? For instance, how we can stop a deamon process?

Fortunately, there is a special Unix signal called SIGSTOP. When this signal is sent to the running process, kernel will suspend the given process, which will stay suspended till the SIGCONT signal will be sent.

This is how it look like from the command line:

# suspend
kill -STOP PID
# resume
kill -CONT PID

I can imagine one situation when this feature can be useful. Let's suppose, there is PHP application which utilises MySQL database. When we want to test how the application will behave when database will stop responding, we can just send SIGSTOP to MySQL process. Despite sending this signal, all of the connections between those two will be preserved. This would be a similar situation of what happens when we experience heavy load on our machines.

Monday, 3 February 2020

VIM cheatsheet... and how to exit it!



Movement 


e             go to end of the current word
b             go to beginning of the current word
⇧ + $   go to an end of the current line
⇧ + ^   go to beginning of the current line
gg           go to beginning of the file
⇧ + q   go to end of the file


Searching


/      enter search (forward) mode
?               enter search (back) mode
n               next occurrence


General


u             undo
o             open new line below and go to insert mode
⇧ + o   open new line above and go to insert mode
%            jump to corresponding bracket
:q           quit
:wq        write changes & quit
:q!        quit without saving changes


Text manipulation



x               delete character being under cursor
r               replace a single character being under cursor
c + e      remove all characters from cursor to an and of given word
c + b      remove all characters from cursor to beginning of the given word 
c3e           remove next 3 words
5dd           remove next 5 lines
ci{           remove all content in between brackets
*                highlight all occurrences of a current word
⇧ + v      mark whole line
v                mark a custom selection
yy              copy whole line
y       copy selection
d                cut selection
p                paste below
⇧ + p      paste above


~/.vimrc


:set nocompatible "Use the newest features
:set number "Let's activate line numbers.
:set incsearch            "Live search
:set hlsearch               "Highlight search occurrences
:set autoindent  "Auto indent in code
:syntax on "Syntax highlightning
:set mouse=a "Enable mouse

Port scanning guide #2 TCP Techniques

In most cases, you will probably use SYN scan, however there are circumstances where other types of scanning may be needed. Unfortunately, ...