Port Scanning – Friend or Foe?

Wednesday, January 27, 2010

About five years ago, a flood of network scanning software saturated the market. Up until then, nmap was the only well-known port scanner, used by hackers and firewall admins everywhere. All of a sudden, we began seeing a multitude of commercial and open source solutions that scan, report and remediate, chop, dice, slice and air dry. Obviously, it was a very confusing time: endless scanners, each one scaring you into using all of them. As a cautious firewall admin, you’d want to use every single one of these products, just to make sure your network did not have a gaping hole anywhere. But that is ridiculous. You do not have enough hours in a day to run every single package against your network. So we all ended up using one or two scanners, hoping it would be enough, while always fearing that one day your scanning program would miss something and, bam, your network is compromised.

How does one perform a ‘traditional’ penetration test? Without teaching anyone how, the major components of a network penetration test are these. The first step is ‘intelligence’. You do an nslookup on the domain and find out the IP addresses of your target devices. On a piece of paper, you start drawing a network diagram. Once you have a rough diagram, you start tracerouting to each device. This reveals the other devices in between, and you complete the network diagram with routers and firewalls.
Once you have a network diagram, you scan all the ports on each host for well-known vulnerabilities. You also scan the IP addresses in between, to make sure there are no ‘hidden’ devices. **Do it on your internet-facing network and see how much of your network is visible!**

The king of port scanning, ‘nmap’, was simple and effective. However, it lacked intelligence in its findings. For example, if there is a well-known problem with version 99 of the XYZ web server, and I detect that a host is running version 99 of XYZ, I should test for that specific problem. nmap works the other way around: it scans all the ports, and if something matches a well-known signature, it alerts you. So it is good for a one-shot scan of a specific port, to confirm a finding.
Also, the single-threaded nature of nmap meant we couldn’t scan a wide range of the network at the same time, which was not acceptable for scanning a large range of hosts. Moreover, the central database of known vulnerabilities, CVE (Common Vulnerabilities and Exposures), was widely used by many vendors for targeted scanning. This gave rise to Nessus, an open source scanner, and Retina, a commercial solution with added value in reporting and remediation.

You rarely find a port simply listening wide open on the internet. What you do find is that the version of snmp running on the web server you are scanning is known to have a buffer overflow problem. So the remediation step is usually an upgrade to a newer version. However, sometimes that is not possible; some network devices and IOS versions cannot readily be replaced or upgraded. It is in this type of situation that a comprehensive report from your scanning software is important. There might be a patch available. Maybe all you need to do is create an ACL. Instead of spending hours of your time on research, you can have someone tell you what to do, and it is this step that makes some commercial products so valuable. Retina, for example, does an excellent job of reporting scan results and remediation steps. However, at $9000, not many small-shop firewall admins would want to jump right in. Nessus, on the other hand, might be lacking in some remediation recommendations, but it is a very capable scanner. It is client/server, so you can have one of your servers act as the scanning server. You use your workstation to log in and schedule a port scan; once it completes, you read the report of that scan.
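To make the ‘see how much of your network is visible’ step and the reporting step concrete, here is an added example that is not from the original post or from any of the scanners it names. It parses the grepable (-oG) output of an nmap scan you ran against your own perimeter and diffs the open ports against a baseline of what each host is supposed to expose, so the report lists only the exposure you did not intend. The scan text, the RFC 5737 addresses, the service versions and the baseline are all constructed for illustration; only the -oG line layout (port/state/proto/owner/service/rpc/version/) is nmap’s own.

```python
"""Diff an nmap grepable (-oG) scan of your own perimeter against an
approved-exposure baseline and report anything unexpected.

Added example, not part of the original post. SAMPLE_GNMAP mimics the
-oG line layout; the hosts, ports, versions and baseline are constructed.
"""
from collections import defaultdict

# Constructed sample of nmap -oG output (RFC 5737 documentation addresses).
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (web.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (web.example.test)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx 1.18.0/, "
    "443/open/tcp//https//nginx 1.18.0/, 161/open/udp//snmp//SNMPv1 server/"
    "\tIgnored State: closed (996)\n"
    "Host: 192.0.2.11 (mail.example.test)\tStatus: Up\n"
    "Host: 192.0.2.11 (mail.example.test)\tPorts: "
    "25/open/tcp//smtp//Postfix smtpd/, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: filtered (998)\n"
    "# Nmap done (constructed sample)\n"
)

# What the firewall admin intends each host to expose: (proto, port) pairs.
# Anything open that is not listed here is a finding.
BASELINE = {
    "192.0.2.10": {("tcp", 80), ("tcp", 443)},
    "192.0.2.11": {("tcp", 25)},
}


def parse_gnmap(text):
    """Return {ip: [(proto, port, state, service, version), ...]}."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        ip = line.split()[1]
        # The Ports field ends at the next tab (e.g. "\tIgnored State: ...").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            hosts[ip].append((proto, int(port), state, service, version))
    return dict(hosts)


def unexpected_exposure(hosts, baseline):
    """Open ports that a host's baseline does not allow, sorted for a report.

    A host absent from the baseline is allowed to expose nothing, so a
    'hidden' device that answers on any port shows up here as well.
    """
    findings = []
    for ip, entries in hosts.items():
        allowed = baseline.get(ip, set())
        for proto, port, state, service, version in entries:
            if state == "open" and (proto, port) not in allowed:
                findings.append((ip, proto, port, service, version))
    return sorted(findings)


def report(findings):
    """Human-readable lines, one per unexpected open port."""
    return [
        f"{ip} {proto}/{port} ({service or '?'}) {version or 'version unknown'}"
        " is reachable but not in the baseline"
        for ip, proto, port, service, version in findings
    ]


if __name__ == "__main__":
    for line in report(unexpected_exposure(parse_gnmap(SAMPLE_GNMAP), BASELINE)):
        print(line)
```

Run against a real `nmap -sV -oG perimeter.gnmap …` of your own address range, the three findings in the sample (an ssh daemon, an snmp agent on UDP, and a remote desktop port on a mail host) are exactly the kind of thing the post says you find: not a wide-open hole, but a service you did not know was visible from outside. The version string is carried into the report so the remediation research the post describes starts from the right place.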

This raises an interesting question about port scanners. Are they helping us more than they are helping hackers? Are they being developed for ‘script kiddie’ hackers? Well, I think ports are being scanned more frequently by hackers than by network admins. That means more hackers are using these port scanners, and that means they are not our tools. However, that does not mean we should simply write them off. I think we have to make these tools ours, and that can only happen if more of us use them than hackers do. So I suggest we all start using these tools. The more we use them, the more features will be geared toward us.
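Since the post argues that ports are scanned more often by hackers than by admins, the defender’s counterpart is to notice when your own perimeter is being swept. This added example (not from the original post) flags any source that touches many distinct destination ports within a short window, using a sliding window over firewall drop logs. The log lines are constructed in the shape of Linux netfilter (iptables LOG target) syslog entries; the 60-second window and the ten-target threshold are assumptions to tune per site.

```python
"""Flag sources that sweep many distinct destination ports on your
perimeter in a short window, from firewall drop logs.

Added example, not part of the original post. The log lines are
constructed in the shape of Linux netfilter (iptables LOG target) syslog
entries; the window and port threshold are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
REQUIRED = {"SRC", "DST", "PROTO", "DPT"}


def _constructed_log():
    """Build sample lines: one sweeping source and one legitimate client."""
    fmt = ("Jan 27 02:14:{sec:02d} fw kernel: [DROP] IN=eth0 OUT= SRC={src} "
           "DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024")
    lines = []
    sweep_ports = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389]
    for i, dpt in enumerate(sweep_ports):  # one new port every two seconds
        lines.append(fmt.format(sec=i * 2, src="198.51.100.7", spt=40000 + i, dpt=dpt))
    for i in range(3):  # a client retrying a single filtered port
        lines.append(fmt.format(sec=10 + i * 15, src="203.0.113.5", spt=51000 + i, dpt=80))
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Return (timestamp, src, (dst, proto, dpt)), or None for non-packet lines."""
    ts_match = TS_RE.match(line)
    fields = dict(FIELD_RE.findall(line))
    if not ts_match or not REQUIRED <= set(fields):
        return None
    # Syslog stamps carry no year; strptime defaults it, which is fine for deltas.
    ts = datetime.strptime(ts_match.group(1), "%b %d %H:%M:%S")
    return ts, fields["SRC"], (fields["DST"], fields["PROTO"].lower(), int(fields["DPT"]))


def detect_sweeps(lines, window_seconds=60, min_targets=10):
    """Return {src: peak number of distinct (dst, proto, port) targets seen
    inside any window of window_seconds}, keeping only sources at or above
    min_targets. A sweep slower than the window is intentionally not flagged;
    widen the window (or add a second, longer one) to catch those."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, target = parsed
            events[src].append((ts, target))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # target -> hits currently inside the window
        left = peak = 0
        for ts, target in evs:
            in_window[target] += 1
            # Evict events older than the window from the left edge.
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in detect_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct targets within 60 s, likely a port sweep")
```

Counting distinct targets rather than raw packets is what keeps the retrying client out of the alert: three hits on one port is one target, while a dozen ports in twenty seconds is a sweep. Feed it your own firewall log and compare who is scanning you against the scan schedule you announced, as the post recommends.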

If you have never done a port scan, make sure you let everyone know you are doing it, make sure you do it during off-hours, and make sure you document each step. You can start by downloading Nessus. Run it against one machine to start with. Once you have used it, start comparing it against other products. Try nmap. DameWare has a Windows scanning tool that enumerates your Windows services. Try all of these tools. Try Retina. It is something we all should be doing anyway; why not? Hackers are doing it!

One Response to “Port Scanning – Friend or Foe?”

  1. Your blog is so informative