
Remote Host Detection Technology FAQ set-scan

2025-03-30 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

1: What exactly is a scanning tool?

Information collection is the foundation of security analysis. Traditional manual collection of information is time-consuming and laborious, so scanning tools appeared: a scanner automatically detects and discovers vulnerabilities according to rules set in the program, and is a security tool for finding system defects. There are two main types of scanners, host scanners and network scanners. A system (host) scanner scans the local host, finds security vulnerabilities, and checks for and removes viruses, ***, worms and other malicious programs that endanger system security; it is not the focus of this article, so it is not analyzed further. A network scanner tests host security over the network: it detects the services currently available on the host and their open ports, and finds a large number of well-known vulnerabilities, hidden dangers and security holes that a malicious remote visitor may attempt to ***. Many scanners even bundle simple password detection, password generators with user-defined rules, automatic backdoor installers and other commonly used small utilities. Such tools can be called network scanning kits, that is, complete network host security evaluation tools [such as the originator SATAN, and the most famous one in China, Fluxay (流光)]. There is also a relatively rare database scanner, such as ISS's Database Scanner, which works similarly to a network scanner and is mainly used to detect the security vulnerabilities and hidden dangers of database systems.

2: What can a scanner do?

[1] Port and service detection: detects open ports and running services on the target host and points out possible security risks.
[2] Backdoor detection: detects pcAnywhere, VNC, BO2K, Glacier and other remote control programs present on the target host.
[3] Password detection: checks the weakness of operating system user passwords and of FTP, POP3, Telnet and other login or administrative passwords.
[4] Application security detection: detects CGI vulnerabilities and security vulnerabilities in web servers [IIS, Apache, etc.] and FTP servers.
[5] DoS detection: detects whether various denial-of-service vulnerabilities are present.
[6] System detection: collects system information such as the NT registry, users and groups, network configuration, etc.
[7] Output report: sorts out the detection results and reports them to the user; many scanners also propose solutions for the security vulnerabilities found at the same time.
[8] User-defined interface: some scanners allow users to add scanning rules themselves and provide a convenient interface for this, such as the Base SDK of the Russian SSS (Shadow Security Scanner).

3: Who often uses/needs to use this tool?

A technician at a security company that provides security detection services, once authorized by the customer, needs scanning tools to probe the customer's hosts and check his work; only after thoroughly examining the hosts can he complete the job and submit to the customer a complete and detailed security solution for them. There are also plenty of script kiddies on the network, whose main work [and, of course, also their entertainment] is to search the Internet for public exploit information and then use search engines and other web tools to match special strings and find hosts with these vulnerabilities, in order to play their games. In this process, scanning tools are definitely their big accomplice.

Without the assistance of scanning tools they may not be so fast [for some script kiddies, no scanning tool means no ***]. So scanning tools on the Internet are both good and bad, and the key lies in the motivation of the people who use them.

4: What should I know before learning more about scanning technology?

Of course, the necessary basic network knowledge is required. I assume that readers of this article already understand the most basic aspects of the TCP/IP protocol, such as the protocol layers and their nature. Let us review the structure of the TCP packet header, since the introduction of the principles below involves it, and I estimate that many people cannot remember these things :)

The TCP header has six flag bits: FIN, SYN, PSH, RST, ACK and URG.
ACK set to 1 indicates that the acknowledgement number is valid; cleared to 0, it indicates that the packet contains no acknowledgement and the Acknowledgment field is ignored.
PSH indicates that the recipient of the packet passes the received data directly to the application, rather than placing it in a buffer until the buffer is full. This is often used for real-time communication.
RST is used to reset a connection, for communication chaos caused by a host crash or other reasons. It is also used to reject an invalid TCP packet or to reject an attempt to establish a connection. When you get a TCP packet with RST set, it usually indicates that something is wrong with the local machine.
SYN is used to establish a connection. SYN=1 and ACK=0 indicate that the acknowledgement field is not used and that a response to the connection request is required; therefore the TCP packet that responds carries SYN=1 and ACK=1. SYN is thus used both to indicate that a connection is requested and that the request is accepted, and ACK distinguishes between these two cases.
FIN is used to release a connection. It indicates that the sender has no more data to send.

However, a process can continue to receive data after closing a connection. SYN and FIN TCP packets carry sequence numbers, which ensures that data is received and processed in the correct order.

5: What is the scanning principle of scanning tools and their concealment?

TCP connect: This is the most traditional scanning technique. The program calls the connect() socket interface function to connect to the target port, forming a complete TCP three-way handshake; obviously, if the connection succeeds the target port is open. No special permissions are required to use this scanning method under UNIX. Another feature is that it scans very fast: multiple sockets can be used at the same time to speed up scanning, using non-blocking I/O calls that can monitor multiple sockets. However, since it has no concealment at all, the target host will inevitably record the connection information and error information, or the probe will be rejected by the protection system.

TCP SYN: This type is also known as half-open scanning. The principle is to send a SYN packet to the target port: if a SYN/ACK response packet is returned from the target port, the port is open; if RST is returned, it is not open. ROOT privileges are required to perform this scan under UNIX. Since it does not establish a complete TCP three-way handshake, it is rarely recorded by the operating system, so it is much more subtle than TCP connect scanning. But if you think this scan is stealthy enough, you would be wrong: some firewalls monitor TCP SYN scanning, and tools such as synlogger and courtney can detect it. Why? Because this secret scanning method violates the general rules, it is quite conspicuous in network traffic, and it is precisely its deliberate pursuit of concealment that leaves a fox's tail showing!

TCP FIN: Principle: according to RFC 793, the program sends a FIN to a port; if the port is open this packet will be ignored, otherwise RST is returned. This relies on a bug in the TCP implementation of some operating systems. Not all operating systems have this bug, so its accuracy is not high, and the method often works only on UNIX, so it is not particularly popular. Its advantage is that it is stealthy enough, so try it if you think you might be exposed when using TCP SYN scanning.

TCP reverse ident scanning: Dave Goldsmith pointed out in 1996 that, according to RFC 1413, the ident protocol allows the username of the owner of a process to be obtained over a TCP connection, even if the process is not the initiator of the connection. This method can be used to get the owner of the FTP service, as well as other required information.

TCP Xmas Tree scan: According to RFC 793, the program sends a packet with FIN, URG and PUSH set to the target port; if the port is closed, it should return a RST packet.

TCP NULL scan: According to RFC 793, the program sends a TCP packet without any flags set, and a closed port will return a RST packet.

TCP ACK scanning: This technique is often used to detect the type of firewall; from how packets with the ACK bit set are handled, it can be determined whether the firewall is a simple packet filter or a stateful firewall.

TCP window scanning: Due to irregularities in the way the TCP window size is reported, this method can detect open and filtered ports on some UNIX-like systems [AIX, FreeBSD, etc.].

TCP RPC scanning: This method is unique to UNIX systems and can be used to detect and locate remote procedure call [RPC] ports and their associated program and version numbers.

UDP port unreachable scan: This method takes advantage of UDP being a connectionless protocol, so an open UDP port returns no response packet to us at all, while some systems return ICMP_PORT_UNREACH if the port is closed.
But because UDP is an unreliable, non-connection-oriented protocol, this scanning method is also error-prone and slow.

UDP recvfrom() and write() scanning: Since non-ROOT users cannot read port unreachable information under UNIX, NMAP provides this method, which works only under LINUX. Under LINUX, if a UDP port is closed, the second write() to it fails. Also, when we call recvfrom() on a non-blocking UDP socket, it typically returns EAGAIN ("Try Again", error=13) if no ICMP error message has been received, and ECONNREFUSED ("Connection refused", error=111) if an ICMP error message has been received. In this way NMAP knows whether the target port is open [BTW: Mr Fyodor is great!].

Fragment scanning: This is a variant of the other scanning methods: when sending a scan packet, it divides the packet into many IP fragments. By splitting the TCP header into several segments carried in different IP packets, it makes filtering difficult for some packet filters, so this method can bypass some packet filters. However, some programs are unable to properly handle these artificially segmented IP fragments and crash as a result, which exposes the scanner's behavior!

FTP bounce (jump) scan: According to RFC 959, the FTP protocol supports proxying [PROXY]. Put figuratively: we can connect to a machine A that provides FTP service, and then have A send data to our target host B; of course, most FTP hosts do not support this function. If we need to scan a port on B, we can use the PORT command to declare that port on B as the data port. If the port is really open, FTP server A will return the 150 and 226 replies; otherwise it will return an error message: "425 Can't build data connection: Connection refused". The concealment of this method is very good, and under certain conditions it can also break through a firewall for information collection.
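The RFC 959 check that stops the bounce described above, seen from the FTP server's side, as an added example that is not part of the original article and is not any FTP server's own code: it decodes the PORT argument and refuses a data connection whose target is not the peer of the control connection (host B instead of the client itself) or is a privileged port, and the same check is run as an audit over a captured control-channel transcript. The reply texts, the audit helper and the sample session lines are this example's own constructed assumptions. Mainstream servers already ship such a refusal as the default (vsftpd's port_promiscuous and ProFTPD's AllowForeignAddress are both off unless an administrator turns them on).

```python
"""
Server-side guard against FTP bounce via the PORT command (RFC 959).
Added example: not the article's code and not taken from any FTP server.
"""
import re
from typing import List, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2  (RFC 959 section 4.1.2); port = p1*256 + p2
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Decode a PORT line into (ip, port); None if it is not well-formed."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(line: str, control_peer_ip: str) -> Tuple[bool, str]:
    """
    Decide whether the server should open the requested data connection.
    Returns (accept, reply). Reply texts are this example's own wording in
    RFC 959 reply-code style, not copied from any server.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "501 Syntax error in PORT parameters."
    ip, port = parsed
    # The bounce: a PORT target that is not the client itself (host B in the text).
    if ip != control_peer_ip:
        return False, "500 Illegal PORT: data address differs from control connection peer."
    # Connecting back to low ports on the client is a second abuse worth refusing.
    if port < 1024:
        return False, "500 Illegal PORT: privileged port."
    return True, "200 PORT command successful."


def audit_session(lines: List[str], control_peer_ip: str) -> List[str]:
    """
    Defender's view: run the same check over a captured control-channel
    transcript and return the PORT lines that would have been refused.
    """
    refused = []
    for line in lines:
        if line.upper().startswith("PORT "):
            accepted, _ = check_port_command(line, control_peer_ip)
            if not accepted:
                refused.append(line)
    return refused


# Constructed transcript: the client at 198.51.100.4 first asks for a data
# connection back to itself, then tries to point the server at a third host.
SAMPLE_PEER = "198.51.100.4"
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 198,51,100,4,4,1",      # legitimate: 198.51.100.4:1025
    "LIST",
    "PORT 10,0,0,5,0,22",         # bounce attempt: 10.0.0.5:22
    "LIST",
    "PORT 198,51,100,4,0,80",     # back to the client, but port 80
]

if __name__ == "__main__":
    for flagged in audit_session(SAMPLE_SESSION, SAMPLE_PEER):
        print("refused:", flagged, "->", check_port_command(flagged, SAMPLE_PEER)[1])
```

The peer comparison is the whole mitigation: once the data address must equal the control-connection address, server A can no longer be pointed at host B, and the 150/226 versus 425 oracle the article relies on disappears. Keeping the refused lines from the audit gives an incident responder the exact commands to correlate with the "425" entries in the server log.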
ICMP sweeping is not a port scan, because ICMP has no abstract port concept; it mainly uses the PING command to quickly determine how many active hosts there are in a network segment.

6: Which scanning tools are better?

Nmap: the most popular scanner in the world. It supports stealth scanning, dynamic delay, retransmission and parallel scanning, deception (decoy) scanning, port filter detection, direct RPC scanning, distributed scanning, etc.; it is very flexible and powerful. Official homepage: www.insecure.org/nmap/

SATAN: the originator of the scanner. It uses a Perl kernel and calls a large number of C language detection tools through Perl to analyze the target site, so it can be embedded in the browser.
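To tie the flag bits of section 4 to the probe types of section 5 from the defender's side, here is an added example that is not code from the article and not from Nmap or any intrusion detection system. It decodes the six flag bits from a raw 20-byte TCP header and runs a small detector over constructed packet records: NULL, Xmas and FIN probes are recognized by their RFC 793 flag combinations, which never occur in a legitimate exchange, and a SYN scan shows up as one source sending SYNs to many ports and never sending the handshake-completing ACK, which is exactly the conspicuousness the article attributes to half-open scanning. The sample packets, the threshold of five ports and the alert wording are this example's own assumptions.

```python
"""
TCP header flag decoding and flag-based scan detection.
Added example: not the article's code and not from Nmap or any IDS.
"""
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# The six flag bits from section 4, as laid out in RFC 793 (low bits of the
# 16-bit data-offset/flags word).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("URG", URG), ("ACK", ACK), ("PSH", PSH),
              ("RST", RST), ("SYN", SYN), ("FIN", FIN))


def parse_tcp_header(data: bytes) -> Dict[str, object]:
    """Decode the fixed 20-byte TCP header; options after it are ignored."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack_num, off_flags, window, _csum, _urgp = struct.unpack(
        "!HHIIHHHH", data[:20])
    flags = off_flags & 0x3F          # mask off the data offset and the ECN bits
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack_num,
        "data_offset": (off_flags >> 12) * 4, "window": window,
        "flags": flags,
        "flag_names": [name for name, bit in FLAG_NAMES if flags & bit],
    }


def build_tcp_header(sport: int, dport: int, flags: int,
                     seq: int = 0, ack_num: int = 0, window: int = 1024) -> bytes:
    """Constructed header bytes for the sample traffic below (checksum left 0)."""
    off_flags = (5 << 12) | flags     # 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack_num, off_flags, window, 0, 0)


def classify_probe(flags: int) -> Optional[str]:
    """Flag combinations that never occur in a legitimate TCP exchange."""
    if flags == 0:
        return "NULL"
    if flags == FIN | URG | PSH:
        return "XMAS"
    if flags == FIN:                  # FIN without ACK: not a normal close
        return "FIN"
    return None


def detect_scans(packets: Iterable[Tuple[str, bytes]],
                 syn_port_threshold: int = 5) -> List[str]:
    """
    packets: (source_ip, raw_tcp_header) records as a sensor would see them.
    Emits one alert per malformed-flag probe, plus one per source that sent
    SYNs to at least syn_port_threshold distinct ports without ever sending
    the handshake-completing ACK (the half-open pattern of section 5).
    """
    alerts: List[str] = []
    syn_ports: Dict[str, set] = defaultdict(set)
    acked_ports: Dict[str, set] = defaultdict(set)
    for src, raw in packets:
        hdr = parse_tcp_header(raw)
        kind = classify_probe(hdr["flags"])
        if kind:
            alerts.append(f"{src} -> port {hdr['dport']}: {kind} probe "
                          f"(flags={','.join(hdr['flag_names']) or 'none'})")
        if hdr["flags"] == SYN:
            syn_ports[src].add(hdr["dport"])
        elif hdr["flags"] & ACK and not hdr["flags"] & SYN:
            acked_ports[src].add(hdr["dport"])
    for src, ports in syn_ports.items():
        half_open = ports - acked_ports[src]
        if len(half_open) >= syn_port_threshold:
            alerts.append(f"{src}: SYN to {len(half_open)} ports with no handshake "
                          f"completion (half-open scan pattern)")
    return alerts


# Constructed sample: one normal web client, and one host probing six ports
# half-open and then trying the three RFC 793 flag tricks.
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    ("198.51.100.4", build_tcp_header(51000, 80, SYN, seq=100)),
    ("198.51.100.4", build_tcp_header(51000, 80, ACK, seq=101, ack_num=5001)),
] + [
    ("203.0.113.7", build_tcp_header(40000 + i, p, SYN))
    for i, p in enumerate((21, 22, 23, 25, 80, 110))
] + [
    ("203.0.113.7", build_tcp_header(40010, 443, 0)),
    ("203.0.113.7", build_tcp_header(40011, 8080, FIN | URG | PSH)),
    ("203.0.113.7", build_tcp_header(40012, 3306, FIN)),
]


def run_sample() -> List[str]:
    return detect_scans(SAMPLE_PACKETS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The normal client produces no alert because its SYN to port 80 is followed by its own ACK; the second host produces four: three for the NULL, Xmas and FIN probes and one for six half-open SYNs. Counting distinct destination ports per source, rather than packets, is what keeps the half-open rule from firing on a busy but legitimate client that retransmits SYNs to a single service.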

© 2024 shulou.com SLNews company. All rights reserved.
