Welcome to the security section...

This is a very nice screenshot from the Matrix movie. However it tells us a lot about the methodology a hacker is using to exploit a specific target. Of course this is a movie, normally pure crap if you see how these guys are hacking in movies like "Hackers". But here you basically see two phases of an attack attempt. Phase 1 Information Gathering - Phase 2 exploiting the target with typical tools that we see and use in the area of IT security. There can be even more phases like "erasing logfiles" and "leave a backdoor". However to start here we beginn with Phase 1. If you want to go deeper into IT security you should typically not use an operating system like Windows (especially because with the newest service pack Microsoft removed the ability of "raw packets" from WindowsXP). Go for a linux system, a UNIX system, BSD derivates or a special security distribution on a small bootable device (e.g. Memorystick or a CD/DVD). This also helps you to understand how those systems are built up and how do they work. If you do not increase your knowledge you will never be able to go over the level of a so called script kiddie. By the way, start to build up your own Web-Servers, Email-Servers and learn what you have to keep in mind to secure them. However I will also submit some tools and hints for Windows as well. Regarding the information I provide here I assume you have at least basic network knowledge and that the OSI model is common to you.

Information Gathering

In this phase you try to identify the target environment. It can be a single host or it can be a range of IP-adresses. Use tools and URLs like http://www.samspade.org to acquire more specific information about a target using public available databases like DeNiC (in Germany) and RIPE.

In addition to that investigate in tools like "whois" and "dig". Dig is a special tool to enumerate DNS Servers. The enumeration of DNS servers is very helpful to identify interestings targets and to clarify if the DNS server is a security risk as well. Sometimes when you quering a DNS server you'll probably be able to perform a zone transfer. The result of such a transfer is very helpful to choose valuable targets.

Scanning & Network enumeration

After the targets are once identified the next phase is to see what kind of services are "offered" to the customer. It is a litle bid like "knocking on the door" and see what happens. Basically you have to differ between port scanning and vulnerability scanning. First of all we start with port scanning:

What is port scanning ? It is similar to a thief going through your neighborhood and checking every door and window on each house to see which ones are open and which ones are locked. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite which is used universally to communicate on the Internet. There are 65535 TCP and UDP ports in theory on each IP stack instance. The ports below 1024 are normally named as "well known" ports or reserved ports. In this range we often find very common services like HTTP (TCP port 80) SMTP (TCP port 25) and others. This is a small extraction of well known ports and the related services:

0 to 1023

• 1/ tcp : TCP Multiplexor
• 7/tcp: ECHO protocol
• 7/ udp : ECHO protocol
• 9/tcp: DISCARD protocol
• 9/udp: DISCARD protocol
• 13/tcp: DAYTIME protocol
• 17/tcp: QOTD (Quote of the Day) protocol
• 19/tcp: CHARGEN (Character Generator) protocol
• 19/udp: CHARGEN protocol
• 20/tcp: FTP (File Transfer Protocol) - data port
• 21/tcp: FTP - control (command) port
• 22/tcp: SSH (Secure Shell) - used for secure logins, file transfers ( scp , sftp ) and port forwarding
• 23/tcp: Telnet protocol - unencrypted text communications
• 25/tcp: SMTP (Simple Mail Transfer Protocol) - used for sending E-mails
• 53/tcp: DNS (Domain Name Server)
• 53/udp: DNS
• 67/udp: BOOTP (BootStrap Protocol) server; also used by DHCP (Dynamic Host Configuration Protocol)
• 68/udp: BOOTP client; also used by DHCP
• 69/udp: TFTP (Trivial File Transfer Protocol)
• 70/tcp: Gopher protocol
• 79/tcp: Finger protocol
• 80/tcp: HTTP (HyperText Transfer Protocol) - used for transferring web pages
• 88/tcp: Kerberos - authenticating agent
• 109/tcp: POP2 (Post Office Protocol version 2) - used for retrieving E-mails
• 110/tcp: POP3 (Post Office Protocol version 3) - used for retrieving E-mails
• 113/tcp: ident - old server identification system, still used by IRC servers to identify its users
• 119/tcp: NNTP (Network News Transfer Protocol) - used for retrieving newsgroups messages
• 123/udp: NTP (Network Time Protocol) - used for time synchronization
• 139/tcp: NetBIOS
• 143/tcp: IMAP4 (Internet Message Access Protocol 4) - used for retrieving E-mails
• 161/udp: SNMP (Simple Network Management Protocol)
• 179/tcp: BGP (Border Gateway Protocol)
• 389/tcp: LDAP (Lightweight Directory Access Protocol)
• 443/tcp: HTTPS - HTTP over SSL (encrypted transmission)
• 445/udp: Microsoft-DS SMB - used for file sharing
• 514/udp: syslog protocol - used for system logging
• 540/tcp: UUCP (Unix-to-Unix CoPy protocol)
• 636/tcp: LDAP over SSL (encrypted transmission)
• 666/tcp: id Software 's DOOM multiplayer game played over TCP
• 993/tcp: IMAP4 over SSL (encrypted transmission)
• 995/tcp: POP3 over SSL (encrypted transmission)

1024 to 49151

• 1080/tcp: SOCKS proxy
• 1352/tcp: IBM Lotus Notes /Domino RCP
• 1433/tcp: Microsoft SQL database system
• 1434/tcp: Microsoft SQL Monitor
• 1434/udp: Microsoft SQL Monitor
• 1984/tcp: Big Brother - network monitoring tool
• 3128/tcp: HTTP used by web caches and the default port for the Squid cache
• 3306/tcp: MySQL database system
• 3389/tcp: Microsoft Terminal Server (RDP)
• 5190/tcp: AOL and AOL Instant Messenger
• 5222/tcp: XMPP/Jabber - client connection
• 5269/tcp: XMPP/Jabber - server connection
• 5432/tcp: PostgreSQL database system
• 6000/tcp: X11 - used for X-windows
• 6667/tcp: IRC (Internet Relay Chat)
• 8000/tcp: iRDMI - often mistakenly used instead of port 8080
• 8080/tcp: HTTP Alternate ( http-alt ) - used when running a second web server on the same machine (the other is in port 80), for web proxy and caching server, or for running a web server as a non- root user. Default port for Jakarta Tomcat .
• 8118/tcp: Privoxy web proxy - advertisements-filtering web proxy

Unregistered Ports

These are ports that may be in common use, but that are not formally registered with IANA. Where the use conflicts with a registered use, the notation CONFLICT is used.

• 1337/tcp: WASTE Encrypted File Sharing Program
• 1521/tcp: Oracle database default listener - CONFLICT with registered use: nCube License Manager
• 2082/tcp: CPanel 's default port - CONFLICT with registered use: Infowave Mobility Server
• 2086/tcp: Web Host Manager 's default port - CONFLICT with registered use: GNUnet
• 5000/tcp: Universal plug-and-play (UPnP) - Windows network device interoperability; CONFLICT with registered use: commplex-main
• 5223/tcp: XMPP/Jabber - default port for SSL Client Connection
• 5800/tcp: VNC remote desktop protocol - for use over HTTP
• 5900/tcp: VNC remote desktop protocol - regular port
• 6881/tcp: BitTorrent - port often used
• 6969/tcp: BitTorrent tracker port - CONFLICT with registered use: acmsoda
• 27960/udp: (through 27969) id Software 's Quake 3 and Quake 3 derived games
• 31337/tcp: Back Orifice - remote administration tool (often Trojan horse ) ("31337" - "Elite")

Port scanning software, in its most basic state, simply sends out a request to connect to the target computer on each port sequentially and makes a note of which ports responded or seem open to more in-depth probing.

If the port scan is being done with malicious intent, the intruder would generally prefer to go undetected. Network security applications can be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. By setting different TCP flags or sending different types of TCP packets the port scan can generate different results or locate open ports in different ways. One of the best tools to perform port scanning and network enumeration is Nmap.

Nmap is free port scanning software distributed by Insecure.Org and designed to detect open ports on a target computer , determine which services are running on those ports, and infer which operating system the computer is running (this is also known as fingerprinting ). It has become one of the de-facto tools in any network administrator's toolbox, and is used for penetration testing and general computer security.

Like most tools used in computer security , Nmap is useful to both system administrators and crackers (or script kiddies ). System administrators can use it to test for possible unauthorized servers in the workplace, whereas crackers use it to "scope out" a potential target. Nmap is often confused with a host vulnerability assessment tool such as Nessus . Nmap is stealthy, built to evade intrusion detection systems , and less likely to interfere with the normal operation of the networks or computers being scanned. You can download it here.

Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.

As I am too lazy to write my own Nmap-HOWTO you will find a very good overview right here. Please have a special look at the chapter of "idle scanning".

More content to come soon...