NMAP Scanner

Overview

Port scanning can aid us in the foot-printing process, the task of accumulating data regarding a specific network environment. This is usually performed for the purpose of revealing system vulnerabilities and improving the ease with which they can be exploited. By port scanning a pen-tester can find out information about what services are running, what users own these services, whether anonymous logins are supported, and whether certain network services require authentication.

Scanning Methods

TCP Connect Scan

The most rudimentary scan is the TCP connect scan. If the port is open (that is, a service is listening), the TCP connect scan succeeds; otherwise the connection is refused and the port is reported as not reachable (Stevens, 1999). In the example below, for each open port the operating system completes the TCP three-way handshake and the port scanner immediately closes the connection; for every other port, the connect call returns an error code.

root@bt:~# nmap -sT 192.168.1.106

Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-16 19:34 EST
Nmap scan report for 192.168.1.106
Host is up (0.048s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1028/tcp open  unknown
1029/tcp open  ms-lsa
1095/tcp open  nicelink
5357/tcp open  wsdapi
5800/tcp open  vnc-http
5900/tcp open  vnc

This scan mode has two advantages: the user needs no special privileges, and it is easy to use. Its downsides are slow execution, easy detection (every completed connection is visible to, and typically logged by, the target service), and less informative results.
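As an added example (not part of the original report), the following Python parser reads the normal Nmap output format shown above and turns it into structured data, which is what a defender needs in order to baseline a host and spot newly exposed services between scans. The sample report is constructed from the listing above, trimmed to a few rows.

```python
import re

# Constructed sample: a trimmed copy of the TCP connect scan output shown above.
SAMPLE_REPORT = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-16 19:34 EST
Nmap scan report for 192.168.1.106
Host is up (0.048s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5900/tcp open  vnc
"""

# One regex per line type in Nmap's normal output. The state field may contain
# a '|' (e.g. "open|filtered" in the UDP scan), so \S+ is used rather than \w+.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
NOTSHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports")


def parse_nmap_report(text):
    """Parse Nmap normal output into the host, the 'Not shown' summary and port rows."""
    report = {"host": None, "not_shown": None, "ports": []}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            report["host"] = m.group(1)
        elif m := NOTSHOWN_RE.match(line):
            report["not_shown"] = (int(m.group(1)), m.group(2))
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            report["ports"].append(
                {"port": int(port), "proto": proto, "state": state, "service": service})
    return report


def open_ports(report):
    """Sorted port numbers whose state is exactly 'open' (open|filtered is excluded)."""
    return sorted(p["port"] for p in report["ports"] if p["state"] == "open")


def diff_reports(old, new):
    """Compare two reports of the same host; newly open ports are the change a defender acts on."""
    before, after = set(open_ports(old)), set(open_ports(new))
    return {"newly_open": sorted(after - before), "newly_closed": sorted(before - after)}
```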

SYN Scan

SYN scanning, also known as half-open scanning, is the default and most popular scan. This is because a SYN scan never completes a TCP connection (it sends a SYN, notes the SYN/ACK or RST that comes back, and tears the half-open connection down), so it runs quickly and in a fairly covert manner.

root@bt:~# nmap -sS 192.168.1.106

Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-16 19:32 EST
Nmap scan report for 192.168.1.106
Host is up (0.0074s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1028/tcp open  unknown
1029/tcp open  ms-lsa
1095/tcp open  nicelink
5357/tcp open  wsdapi
5800/tcp open  vnc-http
5900/tcp open  vnc

The key disadvantage of SYN scanning is that it needs raw socket access, which requires administrative privileges and may not be available on some operating systems.

FIN Scan

A close relative of the SYN scan is the FIN scan, which sends a bare FIN packet, the segment normally used to close an established connection. If no service is listening on the target port, the operating system replies with a RST; if a service is listening, the operating system silently drops the unexpected packet. Silence therefore indicates the presence of a service at the port. Although this type of scan may pass through devices that filter incoming TCP packets on the SYN or FIN/ACK flag combinations, it is not a reliable scan, because probes that are dropped or blocked by a firewall are indistinguishable from probes that reached an open port.

UDP Scan

It might seem as if UDP scans could not provide reliable results, since a UDP port scan treats silence as a possibly open port (Nmap reports such ports as open|filtered, because an open service that ignores the probe and a dropped probe look the same). However, if there is a screening router in front of the target and it is configured to send ICMP unreachable responses, which is fairly standard practice, the scanner can report the port as filtered. Because the ICMP message carries the source address of the device that generated it, the scanner can also tell that the unreachable response came from a different IP address than the target's, which reveals the screening device.

root@bt:~# nmap -sU 192.168.1.106

Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-16 21:35 EST
Nmap scan report for 192.168.1.106
Not shown: 990 open|filtered ports
PORT      STATE    SERVICE
111/udp   filtered rpcbind
123/udp   filtered ntp
137/udp   filtered netbios-ns
161/udp   filtered snmp
520/udp   filtered route
626/udp   filtered serialnumberd
1812/udp  filtered radius
2049/udp  filtered nfs
5353/udp  filtered zeroconf
10080/udp filtered amanda

Inverse Mapping

Another surreptitious scanning technique is inverse mapping, which relies on ICMP destination unreachable (type 3) messages. The destination unreachable type has 15 subtypes (codes), which identify the reason the packet could not be delivered. A filtering or intrusion detection device may report a port as unreachable with a standard code, or it may use a vendor-specific code; someone who knows those codes can then work out that the packets were blocked by a specific device.

XMAS Scan

The scan is named after a Christmas tree because each probe is "lit up" with flags. It uses a series of specially crafted TCP packets with a sequence number of 0 and the Urgent (URG), Push (PSH) and FIN flags set. Such a scan may circumvent basic firewalls and boundary routers that filter incoming TCP packets on standard flag settings, because XMAS scan packets do not have the SYN flag turned on.

root@bt:~# nmap -sX 192.168.1.105

Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-17 21:47 EST
Nmap scan report for 192.168.1.105
Host is up (0.00014s latency).
All 1000 scanned ports on 192.168.1.105 are closed

If the target device's TCP port is closed, the target replies with a TCP Reset (RST) packet. If the port is open, the target discards the XMAS probe and sends no reply. One caveat applies to the FIN scan as well: some TCP stacks, Windows among them, reply with a RST regardless of port state, so against such a host every port is reported as closed. Because XMAS packets never occur in legitimate traffic, their presence on the network is a strong indicator of a reconnaissance attempt.
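As an added example (not from the original report), this Python block serves the SYN, FIN, UDP and XMAS sections together. The first function turns the response rules described in those sections into port states (the ICMP type 3 code list follows the behaviour documented in the Nmap manual); the remaining functions give the defender's view, labelling the flag combinations those scans leave in a packet capture and naming sources that probe many ports with them. The capture tuples and response dictionaries are constructed inputs, not real traffic.

```python
# TCP flag bits as laid out in the header (the values tcpdump and Nmap use).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# ICMP type 3 codes that Nmap maps to "filtered": net/host/protocol/port
# unreachable, net/host administratively prohibited, communication prohibited.
UNREACHABLE_CODES = {0, 1, 2, 3, 9, 10, 13}


def classify_response(scan, response):
    """Port state inferred from the reply to one probe.

    scan: "syn", "fin", "xmas" or "udp".
    response: None for silence, or a dict such as {"proto": "tcp", "flags": SYN | ACK},
              {"proto": "udp"} for any UDP payload, or {"proto": "icmp", "type": 3, "code": 3}.
    """
    if response is None:
        # A SYN probe that gets nothing back was dropped; for FIN/XMAS/UDP probes
        # silence is also what an open port produces, hence the ambiguous state.
        return "filtered" if scan == "syn" else "open|filtered"
    proto = response["proto"]
    if proto == "icmp":
        code = response.get("code")
        if response.get("type") != 3 or code not in UNREACHABLE_CODES:
            return "unknown"
        # Port unreachable answers a UDP probe directly: nothing is listening.
        return "closed" if scan == "udp" and code == 3 else "filtered"
    if proto == "udp":
        return "open" if scan == "udp" else "unknown"
    flags = response["flags"]
    if flags & RST:
        return "closed"
    if scan == "syn" and flags & (SYN | ACK) == SYN | ACK:
        return "open"
    return "unknown"


def probe_signature(flags):
    """Label flag combinations that never occur in normal traffic (the scan's fingerprint)."""
    return {0: "null-scan", FIN: "fin-scan", FIN | PSH | URG: "xmas-scan"}.get(flags)


# Constructed capture: (source address, destination port, TCP flags).
SAMPLE_CAPTURE = [("10.0.0.9", p, FIN | PSH | URG) for p in (22, 80, 135, 139, 445)] \
    + [("10.0.0.5", 80, SYN), ("10.0.0.5", 80, ACK), ("10.0.0.7", 22, FIN)]


def scan_sources(packets, min_ports=5):
    """Sources that sent malformed probes to at least min_ports distinct ports."""
    seen = {}
    for src, dport, flags in packets:
        if probe_signature(flags):
            seen.setdefault(src, set()).add(dport)
    return sorted(src for src, ports in seen.items() if len(ports) >= min_ports)
```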

Web application frameworks (WAF) synopsis

Web Application Frameworks (WAF)

By formal definition, a web application framework (WAF) is a reusable program, set of programs, and/or code library that performs common tasks for an application or for one layer of an application (Johnson, 2005). These "non-full-stack frameworks" may perform such common tasks as database operations, URL routing, caching, security, et cetera. By using the framework, we as developers need only customize the specific portions of the application that we deem necessary. Conversely, agile web frameworks such as Ruby on Rails (RoR) are considered mature "full-stack web frameworks" and are useful for the development of complete web applications. In contrast with WAFs, agile web frameworks are not limited to one layer; they serve the full stack. In essence, a full-stack web framework brings together multiple libraries and provides everything required to build the website. As with the WAF, the agile frameworks are reusable as well, and may be used any number of times by any of the applications built on the framework (Ignacio Fernández-Villamor, Díaz-Casillas & Iglesias, 2008).

Agile Web Frameworks

Having given a cursory introduction to agile web frameworks, we are now prepared for a more detailed discussion. Of the agile web frameworks, perhaps the most well-known is Ruby on Rails (Thomas, 2006), which made it possible to build a complete website with a single web framework. The RoR framework, like most of the other agile frameworks, follows the principles of convention over configuration (customize portions of the application only where necessary) and "don't repeat yourself" (DRY).

Ruby on Rails Alternatives

Ruby on Rails is based on the Ruby language; however, Java is the industry standard for business applications. This has brought about the need for Java-based web frameworks that work with legacy Java systems and permit the reuse of Java libraries, subsystems and technologies already developed in Java. One popular Java-based alternative is Grails. Grails is an open-source framework that runs on a JVM (Rudolph, 2007) and follows the principles of convention over configuration and "don't repeat yourself". Trails is another Java-based full-stack web application framework alternative. It builds on the maturity of existing frameworks and adds tight integration and automatic code generation for common tasks ("Overview Of Trails", 2014). Finally, there is the agile Java-based alternative framework Roma. The Roma framework is a meta-framework with an API onto Java frameworks such as Hibernate, Spring, and JPOX (Tate, 2006).

References

Black, D. (2006). Ruby for Rails: Ruby Techniques for Rails Developers

Dauzon, S. (2014). Getting Started with Django. Packt Publishing Ltd.

Ignacio Fernández-Villamor, J., Díaz-Casillas, L., & Iglesias, C. Á. (2008). A comparison model for agile web frameworks. Proceedings of the 2008 Euro American Conference on Telematics and Information Systems - EATIS '08. doi:10.1145/1621087.1621101

Johnson, R. (2005). J2EE development frameworks. Computer, 38(1), 107–110. doi:10.1109/mc.2005.22

Overview Of Trails. (2014). Retrieved from http://trails.codehaus.org/Overview

Rudolph, J. (2007). Getting started with Grails. Lulu. com. Retrieved from http://jasonrudolph.com/downloads/presentations/Getting_Started_with_Grails.pdf

Tate, B. (2006). From Java to Ruby. Review of the differences between Java and Ruby.

Thomas, D. (2006). Agile web development with Rails. Retrieved from http://limi.googlecode.com/svn-history/r43/reading/Agile+Web+Development+with+Rails.pdf