
A two topic blog ...

penetration testing
This is a two topic blog - ethics and port scanning. Having promised not to go off on a tangent again I thought that I had better fill in something more relevant to actual testing !

So let's start with Port Scanning. This is something that you should understand the theory of, and then use someone else's tool to do it. I ( shameless self plug coming up ) wrote a little wrapper for nmap that takes its output and runs it up against the OPRP ( Open Protocol Resource Project ) database - this is a project at ISECOM - which is where you can also download the wrapper. Anyhoo, back to the point ... Some of the feedback that came in said that I "shouldn't rely on the output of another program" and that I should "do it all". Sorry, but this is complete garbage ! Choose your tools wisely - but please don't waste time reinventing the wheel. It is good to know that you can make a wheel if you need to, but mostly I leave that to Mr. Goodyear - why should my other tools be any different ?

So - Port Scanning - this is the action of sending packets to a computer on a network to enumerate which of its ports are open, filtered or closed. The simplest method attempts to make a connection to each port in turn via a normal TCP handshake - SYN -> SYN/ACK -> ACK ( You did learn TCP didn't you ... ). If the handshake completes then the port is open; if the port answers the SYN with an RST/ACK then it is closed. No response at all is usually reported as filtered.

You can do this really simply on the command line :

telnet target.machine.address 25

Connection created = port open
Connection denied = port closed
Connection timed-out = host isn't there or filtered
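A small connect-scan classifier, added here as an example rather than code from the post or from the author's nmap wrapper, that automates the telnet test above for checking your own hosts: it maps the three socket outcomes to open / closed / filtered and demonstrates the first two against a loopback listener it constructs itself. Only the Python standard library is assumed.

```python
import errno
import socket

def classify_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port with a full connect(), exactly what the telnet test does.
    open     -> the three-way handshake completed (SYN, SYN/ACK, ACK)
    closed   -> the peer answered with RST (connection refused)
    filtered -> nothing came back before the timeout (firewall drop or no host)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        # No RST arrived; the kernel gave up on routing instead. Report as filtered
        # rather than crashing, so one dead host does not abort the whole scan.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()

def scan(host: str, ports, timeout: float = 2.0) -> dict:
    """Run classify_port over an iterable of ports and return {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}

def start_listener():
    """Open a listening socket on loopback (constructed test target); returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

def free_port() -> int:
    """Pick a loopback port nothing is listening on, to demonstrate the closed state."""
    srv, port = start_listener()
    srv.close()
    return port

if __name__ == "__main__":
    srv, listening = start_listener()
    for port, state in scan("127.0.0.1", [listening, free_port()]).items():
        print(f"127.0.0.1:{port} {state}")
    srv.close()
```

The filtered state cannot be produced on loopback; point the script at a host behind a firewall that drops SYNs to see the timeout path.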

Then you get into the complicated stuff - using different packet settings, you can detect ports in different ways, through firewalls, and generally in a more subtle manner than firing off a million and one SYN packets ...

One of my personal favourites ( and a movie star as well - see The Matrix ) is Nmap. This is a robust and time-tested tool allowing you to scan any number of hosts in a variety of ways. Reading the Nmap documentation is an education in itself - and there are also a number of references available from the Nmap site. I would strongly recommend that you read these. Nmap is also available to run on Windows machines ( and also Mac OS X ).

Another good tool is hping - this is predominantly a packet-crafting tool, but it does have some nice scanning features as well. You can get hping from here. If you use the --scan option, you can see both the flags on the packets that are sent and those on the packets received. This is a seriously useful tool, and I'm going to revisit it in a later installment, so go get your copy now ! Again the manual pages are a must-read - you can learn a great deal from them ...

This isn't to say that other port scanners are no good - there are even commercial implementations out there. These are my favourites, and they are also in huge use across the industry - you aren't going to get a funny look if you say that you use Nmap.

Topic 2 - Ethics ...

Having bored you to death with that incoherent rubbish onto topic two !

As a security professional you are likely to become privy to knowledge that will allow you to take advantage of others. It is vital that you act with the best interests of the public and your client before yourself. This is not because I think that all clients really deserve this, but because as a professional it is inappropriate to abuse this.

To illustrate : I got a phone call yesterday asking if they could speak to someone in charge of standards compliance for our e-mail system. I, grandly overstepping my authority as a contractor, said that I would do. I then got asked if we complied with "standards" for e-mail archiving - I considered this carefully and asked what exactly we should be considering complying with - "urm ... standards..." - OK, said I, which standard would that be - "urm... Have you heard of Sarbanes Oxley" - yes, but that is only an American standard at the moment, anything else ? - "Urm... can we call you back if it becomes a standard ?"

This ( on behalf of a LARGE company ) took advantage of the fear that would be caused by the idea that someone might not be in compliance to try to get in a consultant to make a quick buck. In any other industry this would be considered a con !

Be a good professional - help those less knowledgeable than yourself - uphold the profession - be a nice person. There are people out there in this industry who can make us all look like idiots when it comes to it - how would you like it if - instead of being our mentors and helpers - they made us look stupid when we asked a question ?

I'm not at all religious - but one thing that does stick with me is : "Do unto others as you would have them do unto you."

Make the world a nicer place, hold the door open for ladies and the elderly, say "Bless you" when someone sneezes, and behave ethically in your professional life - things will be better in the long run.

For more info on ethics look at ISECOM and ISC2. I fully support and subscribe to both of these codes, and it hasn't let me down yet.

Added some new categories for you...

Under Security testing category I have added:

-ethics

and

-security testing tools
--port scanners
---nmap

Please let me know if you would like to change these

testingReflections.com :: siteAdmin
