Introduction to advanced scanning technology and principles


Release date: 2002-01-29
Author: Refdom (refdom@263.net)

Scanning is the basis of every intrusion. Many host-detection tools exist, the best known being NMAP. Nothing here is new: these are old techniques, collected from the Phrack articles and from a document dating back to 1996 (see the references at the end); I have only gathered them in one place.

The most basic probe is Ping, but today even a basic personal firewall blocks Ping, so it has become almost useless. How to get an accurate picture of the target through a firewall is a question many people spend their days on.

I. Advanced ICMP scan technology

Ping uses ICMP. Here we rely mainly on the most basic job of ICMP: error reporting. When processing a datagram fails in a way the protocol defines, the receiving end generates an ICMP error message. These messages are never sent on the receiver's own initiative; they are generated automatically, as the protocol requires, in response to the error.

Not every error produces a message. A datagram whose IP header checksum or version field is wrong is silently discarded, by routers and by the target host alike, so those two errors are useless for probing. Some hosts, AIX and HP-UX among them, also do not send the ICMP Destination Unreachable message described below, so a missing reply from them proves nothing.

We use the following behaviour:
1. Send an IP datagram consisting of nothing but an IP header, with a protocol number the target does not implement. The target returns ICMP Destination Unreachable (type 3) with code 2, Protocol Unreachable.
2. Send a malformed IP datagram, for example one whose header length field is wrong. The target returns ICMP Parameter Problem (type 12), pointing at the bad field.
3. Send a fragmented datagram but withhold some of the fragments, so the receiver can never reassemble it. When its reassembly timer expires it sends ICMP Time Exceeded (type 11) with code 1, Fragment Reassembly Time Exceeded. This error is only generated when the first fragment (offset 0) was received, so that fragment must be among those sent.

Send an IP datagram whose protocol field is invalid, for example a protocol number the target has no handler for, and the target returns ICMP Destination Unreachable (Protocol Unreachable). If a firewall or other filtering device sits in front of the target, however, the probe may be dropped and nothing comes back. Since the protocol field is 8 bits, a high value that is not assigned to any protocol today can be chosen; a host that receives such a datagram should answer Protocol Unreachable (the exceptions noted above aside), so if no such message arrives, the probe or the reply was filtered by a firewall or another device. The same trick therefore also tells us whether a filtering device is in the path.

Because the protocol field is 8 bits there are 256 possible values, and cycling through them tells us which protocols the host actually runs. The ICMP error returned for each value is the indicator: Destination Unreachable with code 2 means the host does not use that protocol; no reply at all means the host may be using it, but the probe may also have been filtered. NMAP's IP protocol scan (-sO) works on exactly this principle.

Forcing a fragment reassembly timeout serves the same purpose. When a host has received part of a datagram and the remaining fragments do not arrive within a set time, it discards what it holds and sends an ICMP Time Exceeded (fragment reassembly time exceeded) error back to the original sender. We can therefore send deliberately incomplete fragments and wait for that message. The fragmented datagram can carry UDP, TCP or ICMP, as long as the target never receives it complete. As with any probe over an unreliable path, the absence of the timeout message may simply mean that a fragment or the reply was lost in transit rather than filtered.

These features can be used to work out a firewall's ACL (access list), and even to map the network topology behind it. If we get neither the Unreachable message nor the reassembly timeout message back from a target, one of the following is true:
1. The firewall filters the protocol type we sent.
2. The firewall filters the specific port we sent to.
3. The firewall blocks the ICMP Destination Unreachable (or Protocol Unreachable) error message.
4. The firewall blocks ICMP error messages from the specific host.
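As an added example (my code, not part of Refdom's article), the following parses an ICMP error received in answer to the bare-header probe from feature 1, checks that the quoted header really is the datagram we sent, and reduces it to the protocol-scan verdict this section describes. The addresses (10.0.0.1 probing 10.0.0.2), the identification value and the replies are constructed sample data; the type and function names are mine; checksums stay zero because nothing is transmitted. The one step a scanner cannot skip is the correlation: ICMP errors quote the first 28 bytes of the offending datagram, and matching those against what was sent is what distinguishes an answer to us from an error about someone else's traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical scanner and target addresses for the constructed exchange. */
#define PROBE_SRC 0x0a000001u   /* 10.0.0.1 */
#define PROBE_DST 0x0a000002u   /* 10.0.0.2 */
#define PROBE_ID  0x1234u

typedef enum {
    REPLY_NONE = 0,           /* nothing arrived before the timeout                        */
    REPLY_PROTO_UNREACH,      /* ICMP 3/2: host up, protocol not implemented                */
    REPLY_PORT_UNREACH,       /* ICMP 3/3: host up, UDP port closed                         */
    REPLY_FILTERED,           /* ICMP 3 with any other code: a router or filter answered    */
    REPLY_REASSEMBLY_TIMEOUT, /* ICMP 11/1: host up, its fragment reassembly timer expired  */
    REPLY_PARAM_PROBLEM,      /* ICMP 12: host up, it rejected a header field               */
    REPLY_UNRELATED           /* not an ICMP error, or one about someone else's datagram    */
} icmp_reply;

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* A bare 20-byte IPv4 header; checksums stay zero, nothing here is ever transmitted. */
static void make_ip_header(uint8_t *b, uint16_t id, uint8_t proto, uint32_t src, uint32_t dst, uint16_t total)
{
    memset(b, 0, 20);
    b[0] = 0x45; b[8] = 64; b[9] = proto;   /* version 4, IHL 5, TTL 64 */
    wr16(b + 2, total); wr16(b + 4, id);
    wr32(b + 12, src); wr32(b + 16, dst);
}

/* The target's ICMP error: outer IP header, 8-byte ICMP header, then the offending datagram's
   IP header plus its first 8 bytes (RFC 792). 'quote_id' can forge an error about another datagram. */
size_t build_icmp_error(uint8_t *buf, uint8_t type, uint8_t code, const uint8_t *probe, uint16_t quote_id)
{
    make_ip_header(buf, 1, 1 /* ICMP */, PROBE_DST, PROBE_SRC, 48);
    memset(buf + 20, 0, 8);
    buf[20] = type; buf[21] = code;
    memcpy(buf + 28, probe, 20);
    wr16(buf + 32, quote_id);
    return 48;
}

/* Classify what came back for 'probe'; reply == NULL means silence. */
icmp_reply classify_icmp_reply(const uint8_t *probe, const uint8_t *reply, size_t len)
{
    const uint8_t *icmp, *quoted;
    size_t ihl;
    if (reply == NULL || len == 0) return REPLY_NONE;
    if (len < 20 || (reply[0] >> 4) != 4) return REPLY_UNRELATED;
    ihl = (reply[0] & 0x0f) * 4u;
    if (reply[9] != 1 || len < ihl + 8 + 20) return REPLY_UNRELATED;   /* not ICMP, or no quoted header */
    icmp = reply + ihl; quoted = icmp + 8;
    /* Correlate: the quoted header must be the datagram we sent (addresses, protocol, id).
       Without this step an error caused by someone else's traffic reads as an answer to us. */
    if (rd32(quoted + 12) != rd32(probe + 12) || rd32(quoted + 16) != rd32(probe + 16) ||
        quoted[9] != probe[9] || memcmp(quoted + 4, probe + 4, 2) != 0)
        return REPLY_UNRELATED;
    switch (icmp[0]) {
    case 3:
        if (icmp[1] == 2) return REPLY_PROTO_UNREACH;
        if (icmp[1] == 3) return REPLY_PORT_UNREACH;
        return REPLY_FILTERED;                  /* net/host unreachable, admin prohibited, ... */
    case 11: return icmp[1] == 1 ? REPLY_REASSEMBLY_TIMEOUT : REPLY_UNRELATED;
    case 12: return REPLY_PARAM_PROBLEM;
    default: return REPLY_UNRELATED;
    }
}

/* The protocol-scan verdict described in the text, for one protocol number. */
const char *protocol_scan_state(icmp_reply r)
{
    switch (r) {
    case REPLY_PROTO_UNREACH: return "closed";         /* host does not run this protocol   */
    case REPLY_NONE:          return "open|filtered";  /* in use, or dropped by a filter    */
    case REPLY_FILTERED:      return "filtered";       /* a router or firewall spoke up     */
    case REPLY_UNRELATED:     return "unknown";        /* not about our probe; keep waiting */
    default:                  return "host reached";   /* other errors still prove it is up */
    }
}

/* Feature 1 as a constructed exchange: send an IP header carrying 'proto', and let the target
   answer with ICMP type/code (type < 0 means silence); 'quote_id' is the id in the quoted header. */
icmp_reply simulate(uint8_t proto, int type, int code, uint16_t quote_id)
{
    uint8_t probe[20], reply[48];
    size_t n;
    make_ip_header(probe, PROBE_ID, proto, PROBE_SRC, PROBE_DST, 20);
    if (type < 0) return classify_icmp_reply(probe, NULL, 0);
    n = build_icmp_error(reply, (uint8_t)type, (uint8_t)code, probe, quote_id);
    return classify_icmp_reply(probe, reply, n);
}

int main(void)
{
    printf("unassigned proto 255, ICMP 3/2 back -> %s\n", protocol_scan_state(simulate(255, 3, 2, PROBE_ID)));
    printf("proto 6 (TCP), no reply             -> %s\n", protocol_scan_state(simulate(6, -1, 0, PROBE_ID)));
    return 0;
}
```

Silence for an unassigned protocol number is reported as open|filtered for the reason the text gives: the host would have answered Protocol Unreachable, so either the probe or the reply was dropped somewhere in the path. Reading a type 3 message with any other code as filtered, and a type 11 or 12 message as proof that the host is up, follows the same logic.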

II. Advanced TCP Scanning Technology

The most basic TCP scan uses connect(), which is trivial to implement: if the connection succeeds, the port is open. It is also the most primitive method and the first one that protective tools reject.
The advanced techniques exploit the TCP three-way handshake without completing it, that is, half-open scanning. They can pass some firewalls and obtain information about the hosts behind them; none of them involve spoofing the source address. Another advantage is that they are hard to log: no connection is completed, so nothing reaches the application, and for several of the probes nothing shows up even in netstat.

SYN
Send a TCP segment with only the SYN flag set to a port on the remote host. If the host answers with SYN|ACK, it is listening on that port; if it answers with RST, it is not. No answer at all, or an ICMP unreachable, means the probe or the reply was filtered. There is a SYN option on X-ray.

ACK
Send a TCP segment with only the ACK flag set. A host that receives it replies with RST whether the port is open or closed, so an RST proves the host exists; its absence, or an ICMP unreachable, shows that a filter sits in front of that port. The ACK probe therefore maps firewall rules rather than open ports.

FIN
Send a TCP segment with the FIN flag to the remote host. If nothing comes back, the host exists and is listening on that port (or a filter dropped the probe); if it returns RST, the host exists but the port is closed. This relies on RFC 793 behaviour; stacks that send RST regardless of port state, Windows among them, make every port look closed.

NULL
Send a TCP segment with no flags set at all. According to RFC 793, a closed port must answer with RST, while an open port ignores the segment.

FIN + URG + PSH
Send a segment with the FIN, URG and PSH flags set together. As with the NULL probe, RFC 793 requires a closed port to answer with RST and an open port to stay silent.
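The sender at the end of this article only transmits; the receiving side of a half-open scanner has to match each reply to its probe and then apply the rules above. This added example (my code, not from the article or from NMAP) does that for the five probe types: it parses the IPv4 and TCP headers of a captured reply, verifies the addresses, the ports and, for a SYN probe, that the acknowledgement number is our sequence number plus one, and returns the port state; an ICMP unreachable quoting the probe is treated as filtered, and silence is interpreted per probe type. The hosts 10.0.0.1 and 10.0.0.2, the firewall 10.0.0.254, the sequence numbers and the reply bytes are constructed sample data, and all type and function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define NO_REPLY      (-1)   /* for simulate(): the timeout expired              */
#define ICMP_FILTERED (-2)   /* for simulate(): ICMP 3/13 arrived from a filter  */

typedef enum { PROBE_SYN, PROBE_ACK, PROBE_FIN, PROBE_NULL, PROBE_XMAS } probe_kind;
typedef enum { PORT_OPEN, PORT_CLOSED, PORT_FILTERED, PORT_UNFILTERED, PORT_OPEN_OR_FILTERED, REPLY_IGNORED } port_state;

/* What the scanner must remember about a probe in order to match its reply (host byte order). */
struct probe { probe_kind kind; uint32_t src, dst; uint16_t sport, dport; uint32_t seq; };

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Classify what arrived for probe 'p'; pkt == NULL means the timer ran out. */
port_state classify_tcp_reply(const struct probe *p, const uint8_t *pkt, size_t len)
{
    size_t ihl; const uint8_t *t; uint8_t flags;
    if (pkt == NULL) {
        /* SYN and ACK probes always draw an answer from an unfiltered port, open or closed;
           FIN/NULL/Xmas probes are ignored by an open port under RFC 793, so silence is ambiguous. */
        return (p->kind == PROBE_SYN || p->kind == PROBE_ACK) ? PORT_FILTERED : PORT_OPEN_OR_FILTERED;
    }
    if (len < 20 || (pkt[0] >> 4) != 4) return REPLY_IGNORED;
    ihl = (pkt[0] & 0x0f) * 4u;
    if (pkt[9] == 1) {                          /* ICMP Destination Unreachable quoting our probe */
        const uint8_t *q = pkt + ihl + 8;       /* quoted IP header; the probe's ports follow it  */
        if (len < ihl + 8 + 24 || pkt[ihl] != 3) return REPLY_IGNORED;
        if (rd32(q + 16) != p->dst || q[9] != 6 || rd16(q + 22) != p->dport) return REPLY_IGNORED;
        return PORT_FILTERED;
    }
    if (len < ihl + 20 || pkt[9] != 6 || rd32(pkt + 12) != p->dst || rd32(pkt + 16) != p->src) return REPLY_IGNORED;
    t = pkt + ihl;
    if (rd16(t) != p->dport || rd16(t + 2) != p->sport) return REPLY_IGNORED;
    flags = t[13] & 0x3f;
    if ((flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
        /* Only a SYN probe earns a SYN|ACK, and it must acknowledge our ISN + 1. */
        return (p->kind == PROBE_SYN && rd32(t + 8) == p->seq + 1) ? PORT_OPEN : REPLY_IGNORED;
    }
    if (flags & TH_RST) {
        /* RFC 793: the RST to a segment without ACK acknowledges seq + length, ISN + 1 for a SYN. */
        if (p->kind == PROBE_SYN && rd32(t + 8) != p->seq + 1) return REPLY_IGNORED;
        return p->kind == PROBE_ACK ? PORT_UNFILTERED : PORT_CLOSED;
    }
    return REPLY_IGNORED;
}

/* Constructed reply from the target: 20-byte IP header plus 20-byte TCP header (sample data). */
size_t build_tcp_reply(uint8_t *buf, const struct probe *p, uint8_t flags, uint32_t seq, uint32_t ack)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[8] = 64; buf[9] = 6; wr16(buf + 2, 40);
    wr32(buf + 12, p->dst); wr32(buf + 16, p->src);
    wr16(buf + 20, p->dport); wr16(buf + 22, p->sport);
    wr32(buf + 24, seq); wr32(buf + 28, ack);
    buf[32] = 0x50; buf[33] = flags; wr16(buf + 34, 512);
    return 40;
}

/* Constructed ICMP Destination Unreachable from a hypothetical filter at 10.0.0.254, quoting our probe. */
size_t build_icmp_unreach(uint8_t *buf, const struct probe *p, uint8_t code)
{
    memset(buf, 0, 56);
    buf[0] = 0x45; buf[8] = 64; buf[9] = 1; wr16(buf + 2, 56);
    wr32(buf + 12, 0x0a0000feu); wr32(buf + 16, p->src);
    buf[20] = 3; buf[21] = code;
    buf[28] = 0x45; buf[37] = 6; wr32(buf + 40, p->src); wr32(buf + 44, p->dst);   /* quoted IP header  */
    wr16(buf + 48, p->sport); wr16(buf + 50, p->dport); wr32(buf + 52, p->seq);    /* first 8 TCP bytes */
    return 56;
}

/* Run one probe/reply pairing on the constructed data: 'reply_flags' is the TCP flag byte of
   the answer, NO_REPLY for silence, or ICMP_FILTERED for an administratively-prohibited error. */
port_state simulate(probe_kind kind, int reply_flags)
{
    struct probe p = { kind, 0x0a000001u, 0x0a000002u, 7234, 80, 0x12345678u };   /* hypothetical hosts */
    uint8_t buf[64];
    size_t n;
    if (reply_flags == NO_REPLY) return classify_tcp_reply(&p, NULL, 0);
    if (reply_flags == ICMP_FILTERED) n = build_icmp_unreach(buf, &p, 13);
    else n = build_tcp_reply(buf, &p, (uint8_t)reply_flags, 0x9abcdef0u, p.seq + 1);
    return classify_tcp_reply(&p, buf, n);
}

int main(void)
{
    static const char *names[] = { "open", "closed", "filtered", "unfiltered", "open|filtered", "ignored" };
    printf("SYN probe, SYN|ACK back -> %s\n", names[simulate(PROBE_SYN, TH_SYN | TH_ACK)]);
    printf("ACK probe, RST back     -> %s\n", names[simulate(PROBE_ACK, TH_RST)]);
    printf("FIN probe, silence      -> %s\n", names[simulate(PROBE_FIN, NO_REPLY)]);
    return 0;
}
```

The sequence-number check matters in practice: a scanner that accepts any SYN|ACK or RST from the right address and port pair can be fooled by stray segments from an earlier connection or by a device that answers everything, which is exactly how the FIN and NULL probes fail on stacks that send RST unconditionally.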

III. Advanced UDP Scanning Technology
Most UDP scanning is done in combination with ICMP, as described in the ICMP section: a closed UDP port answers with ICMP Port Unreachable, while an open one usually says nothing. A second source of information is the application's own UDP reply. SQL Server, for example, answers a single byte of \x02 or \x03 sent to UDP port 1434 with a description of its instances, including the TCP port each one listens on, so the service can be detected and its connection port learned without touching TCP at all.
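The 1434 probe works because the SQL Server Resolution Service answers a one-byte request with a list of its instances. As an added example (my code, not from the article), the parser below decodes that reply as laid out in Microsoft's MS-SQLR specification: a 0x05 type byte, a 16-bit little-end length, and one semicolon-separated key/value string per instance, each terminated by ";;". The response bytes are constructed sample data, not a capture, and the struct and function names are mine. The length check at the top is the part worth copying: a response whose declared length exceeds the datagram is rejected before any field is read.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The whole request is one byte sent to UDP/1434: 0x02 asks for every instance (the
   broadcast form), 0x03 asks one host. The server answers with a 0x05 SVR_RESP. */
#define SSRP_CLNT_BCAST_EX 0x02
#define SSRP_CLNT_UCAST_EX 0x03
#define SSRP_SVR_RESP      0x05

struct ssrp_instance { char server[64], instance[64], version[32]; int tcp_port; /* -1: no TCP listener */ };

static void copy_field(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse SVR_RESP: 0x05, a 16-bit little-endian length, then RESP_DATA, which is one
   "key;value;key;value;...;;" string per instance (MS-SQLR). Returns the number of
   complete instances parsed, or -1 if the packet is not a well-formed response. */
int ssrp_parse_response(const uint8_t *pkt, size_t len, struct ssrp_instance *out, int max)
{
    const char *s = (const char *)pkt;
    size_t body, i = 3, start;
    int count = 0, expect_key = 1, k;
    char key[32] = "";
    if (max < 1 || len < 3 || pkt[0] != SSRP_SVR_RESP) return -1;
    body = pkt[1] | (size_t)pkt[2] << 8;
    if (body > len - 3) return -1;                 /* declared length exceeds what arrived */
    len = 3 + body;
    for (k = 0; k < max; k++) { memset(&out[k], 0, sizeof out[k]); out[k].tcp_port = -1; }
    while (i < len && count < max) {
        start = i;
        while (i < len && s[i] != ';') i++;
        if (i >= len) return -1;                   /* token without its ';' terminator */
        if (i == start) {                          /* empty token: the ";;" that closes an instance */
            count++; expect_key = 1;
        } else if (expect_key) {
            copy_field(key, sizeof key, s + start, i - start);
            expect_key = 0;
        } else {
            struct ssrp_instance *in = &out[count];
            size_t n = i - start;
            if (!strcmp(key, "ServerName"))        copy_field(in->server, sizeof in->server, s + start, n);
            else if (!strcmp(key, "InstanceName")) copy_field(in->instance, sizeof in->instance, s + start, n);
            else if (!strcmp(key, "Version"))      copy_field(in->version, sizeof in->version, s + start, n);
            else if (!strcmp(key, "tcp"))          in->tcp_port = atoi(s + start);   /* stops at the ';' */
            expect_key = 1;
        }
        i++;                                       /* step over the ';' */
    }
    return count;
}

/* A constructed SVR_RESP listing two instances (sample data, not a capture). */
size_t sample_response(uint8_t *buf, size_t cap)
{
    static const char body[] =
        "ServerName;SQLHOST;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;tcp;1433;;"
        "ServerName;SQLHOST;InstanceName;SQLEXPRESS;IsClustered;No;Version;9.00.1399.06;tcp;49152;"
        "np;\\\\SQLHOST\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;";
    size_t n = sizeof body - 1;
    if (cap < n + 3) return 0;
    buf[0] = SSRP_SVR_RESP; buf[1] = (uint8_t)n; buf[2] = (uint8_t)(n >> 8);
    memcpy(buf + 3, body, n);
    return n + 3;
}

/* Expose the parse of the sample as plain return values. */
int sample_instance_count(void)
{
    uint8_t pkt[512]; struct ssrp_instance inst[4];
    return ssrp_parse_response(pkt, sample_response(pkt, sizeof pkt), inst, 4);
}
int sample_tcp_port(int idx)
{
    uint8_t pkt[512]; struct ssrp_instance inst[4];
    if (ssrp_parse_response(pkt, sample_response(pkt, sizeof pkt), inst, 4) <= idx) return -2;
    return inst[idx].tcp_port;
}
int truncated_is_rejected(void)   /* drop 10 bytes: the length field now overstates the data */
{
    uint8_t pkt[512]; struct ssrp_instance inst[4];
    return ssrp_parse_response(pkt, sample_response(pkt, sizeof pkt) - 10, inst, 4) == -1;
}

int main(void)
{
    uint8_t pkt[512]; struct ssrp_instance inst[4];
    int i, n = ssrp_parse_response(pkt, sample_response(pkt, sizeof pkt), inst, 4);
    for (i = 0; i < n; i++)
        printf("%s\\%s  version %s  tcp %d\n", inst[i].server, inst[i].instance, inst[i].version, inst[i].tcp_port);
    return 0;
}
```

On the wire the exchange is simply a one-byte UDP datagram to port 1434 followed by this response; everything the scanner learns about the instance names, versions and TCP ports comes from the parsed fields, which is why a single unsolicited byte is enough to fingerprint a SQL Server host.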

The program below is an example of a TCP probe sender. It is not complete, because it only sends and does not capture the reply; on Windows 2000 a raw socket can also be switched into receive-all mode (SIO_RCVALL) and used as a selective sniffer, or any other sniffer can be used to watch for the SYN|ACK or RST. By changing it to send bare IP datagrams, the same program can drive the ICMP techniques from section I.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <ws2tcpip.h>

#pragma comment(lib, "ws2_32.lib")

#define SOURCE_PORT     7234
#define MAX_RECEIVEBYTE 255

typedef struct ip_hdr            // IP header
{
    unsigned char  h_verlen;       // 4-bit version, 4-bit header length (in 32-bit words)
    unsigned char  tos;            // 8-bit type of service
    unsigned short total_len;      // 16-bit total length (in bytes)
    unsigned short ident;          // 16-bit identification
    unsigned short frag_and_flags; // 3-bit flags, 13-bit fragment offset
    unsigned char  ttl;            // 8-bit time to live
    unsigned char  proto;          // 8-bit protocol (TCP, UDP, or other)
    unsigned short checksum;       // 16-bit IP header checksum
    unsigned int   sourceip;       // 32-bit source IP address
    unsigned int   destip;         // 32-bit destination IP address
} IPHEADER;

typedef struct tsd_hdr           // TCP pseudo header, used only for the TCP checksum
{
    unsigned long  saddr;          // source address
    unsigned long  daddr;          // destination address
    char           mbz;            // must be zero
    char           ptcl;           // protocol type (IPPROTO_TCP)
    unsigned short tcpl;           // TCP length (header plus data), network byte order
} PSDHEADER;

typedef struct tcp_hdr           // TCP header
{
    USHORT        th_sport;        // 16-bit source port
    USHORT        th_dport;        // 16-bit destination port
    unsigned int  th_seq;          // 32-bit sequence number
    unsigned int  th_ack;          // 32-bit acknowledgement number
    unsigned char th_lenres;       // 4-bit header length (in 32-bit words), 4-bit reserved
    unsigned char th_flag;         // 2 reserved bits, 6 flag bits (URG ACK PSH RST SYN FIN)
    USHORT        th_win;          // 16-bit window size
    USHORT        th_sum;          // 16-bit checksum
    USHORT        th_urp;          // 16-bit urgent pointer
} TCPHEADER;

// checksum: the standard Internet checksum (RFC 1071) over 'size' bytes
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum = 0;
    while (size > 1)
    {
        cksum += *buffer++;
        size  -= sizeof(USHORT);
    }
    if (size)                       // odd trailing byte
    {
        cksum += *(UCHAR *)buffer;
    }

    cksum  = (cksum >> 16) + (cksum & 0xffff);   // fold the carries back in
    cksum += (cksum >> 16);
    return (USHORT)(~cksum);
}

void usage(void)
{
    printf("*******************************************\n");
    printf("tcpping\n");
    printf("\twritten by refdom\n");
    printf("\tEmail: refdom@263.net\n");
    printf("usage: tcpping.exe target_ip target_port source_ip\n");
    printf("*******************************************\n");
}

int main(int argc, char *argv[])
{
    WSADATA     wsadata;
    SOCKET      sock;
    SOCKADDR_IN addr_in;
    IPHEADER    ipheader;
    TCPHEADER   tcpheader;
    PSDHEADER   psdheader;

    char szSendBuf[60] = {0};
    BOOL flag;
    int  rect, nTimeOver;

    usage();

    if (argc != 4)
    {
        return 1;
    }

    if (WSAStartup(MAKEWORD(2, 2), &wsadata) != 0)
    {
        printf("WSAStartup error!\n");
        return 1;
    }

    // A raw socket with IP_HDRINCL lets us supply the IP header ourselves. This needs
    // administrator rights, and Windows XP SP2 and later refuse to send TCP this way.
    if ((sock = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET)
    {
        printf("socket setup error!\n");
        return 1;
    }
    flag = TRUE;
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR)
    {
        printf("setsockopt IP_HDRINCL error!\n");
        return 1;
    }

    nTimeOver = 1000;
    if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char *)&nTimeOver, sizeof(nTimeOver)) == SOCKET_ERROR)
    {
        printf("setsockopt SO_SNDTIMEO error!\n");
        return 1;
    }
    addr_in.sin_family      = AF_INET;
    addr_in.sin_port        = htons((USHORT)atoi(argv[2]));
    addr_in.sin_addr.s_addr = inet_addr(argv[1]);

    // Fill in the IP header
    ipheader.h_verlen       = (unsigned char)(4 << 4 | sizeof(ipheader) / sizeof(unsigned long));
    ipheader.tos            = 0;
    ipheader.total_len      = htons(sizeof(ipheader) + sizeof(tcpheader));
    ipheader.ident          = htons(1);
    ipheader.frag_and_flags = 0;
    ipheader.ttl            = 128;
    ipheader.proto          = IPPROTO_TCP;
    ipheader.checksum       = 0;
    ipheader.sourceip       = inet_addr(argv[3]);   // our own address, given on the command line
    ipheader.destip         = inet_addr(argv[1]);

    // Fill in the TCP header
    tcpheader.th_dport  = htons((USHORT)atoi(argv[2]));
    tcpheader.th_sport  = htons(SOURCE_PORT);     // source port number
    tcpheader.th_seq    = htonl(0x12345678);
    tcpheader.th_ack    = 0;
    tcpheader.th_lenres = (unsigned char)(sizeof(tcpheader) / 4 << 4 | 0);
    tcpheader.th_flag   = 2;    // change this for the other probes: 2 = SYN, 1 = FIN, 16 = ACK, 0 = NULL, 0x29 = FIN|URG|PSH
    tcpheader.th_win    = htons(512);
    tcpheader.th_urp    = 0;
    tcpheader.th_sum    = 0;

    psdheader.saddr = ipheader.sourceip;
    psdheader.daddr = ipheader.destip;
    psdheader.mbz   = 0;
    psdheader.ptcl  = IPPROTO_TCP;
    psdheader.tcpl  = htons(sizeof(tcpheader));

    // TCP checksum: computed over the pseudo header followed by the TCP header
    memcpy(szSendBuf, &psdheader, sizeof(psdheader));
    memcpy(szSendBuf + sizeof(psdheader), &tcpheader, sizeof(tcpheader));
    tcpheader.th_sum = checksum((USHORT *)szSendBuf, sizeof(psdheader) + sizeof(tcpheader));

    // IP checksum: covers the IP header only, with the checksum field zeroed
    memcpy(szSendBuf, &ipheader, sizeof(ipheader));
    ipheader.checksum = checksum((USHORT *)szSendBuf, sizeof(ipheader));

    // Assemble the datagram: IP header followed by the TCP header
    memcpy(szSendBuf, &ipheader, sizeof(ipheader));
    memcpy(szSendBuf + sizeof(ipheader), &tcpheader, sizeof(tcpheader));

    rect = sendto(sock, szSendBuf, sizeof(ipheader) + sizeof(tcpheader),
                  0, (struct sockaddr *)&addr_in, sizeof(addr_in));
    if (rect == SOCKET_ERROR)
    {
        printf("send error!: %d\n", WSAGetLastError());
        return 1;
    }
    else
        printf("Send OK!\n");

    closesocket(sock);
    WSACleanup();

    return 0;
}

-------------------------------------------

References:

1. Roelof Temmingh & SensePost (Pty) Ltd, Breaking into computer networks from the Internet
2. Phrack #49, Port Scanning without the SYN flag
3. Phrack #51, The Art of Port Scanning
4. Sys-Security Group, ICMP Usage in Scanning
