Assignment 2.1 Port Scanning 1

You will not always have tools on target, so a few other methods using native commands will also be introduced.

Part 1: Creating a TCP connection on Port 80

Do the following:

  • Open up Wireshark with the display filter tcp.port == 80

  • Execute the echo command

    • bash -c "echo >/dev/tcp/10.0.5.21/80"

      • This command attempts to open a TCP connection to the specified IP address on port 80.

        • bash -c executes the following command string using bash

        • "echo >/dev/tcp/10.0.5.21/80" uses Bash's built-in /dev/tcp redirection to connect to the IP address on port 80; echo with no arguments then writes a single newline over the connection (the PSH in the capture) and bash exits, which closes the socket (the tear-down)

  • Capture the TCP handshake, push and then tear down

The TCP handshake between 10.0.17.44 (my host) and 10.0.5.21 (the target)

Deliverable 1: Provide a screenshot of the wireshark capture above.

Part 2: With Bash - Single Host Single Port

  • Create a list of targets

Creating a target list with printf

For this step I played around with the printf command to write text into a file without having to open nano or vi.

  • this command is great for formatting text without having to go into the text file itself

Key Features:

  • \n --> new line

  • \t --> tab

  • \\ --> backslash

  • %s --> string

  • %d or %i --> decimal integer

  • %f --> floating point number

It differs from echo in two ways: it does not automatically add a newline, and it interprets a format string that is reused for every remaining argument, which gives you more control over formatting files and text.

  • Create a short list of popular TCP ports

  • Recreate the script and add enhancements such as error checking, parameter and option checking, and output enhancement.

Original Script

Script Breakdown

  • hostfile=$1

    • This assigns the first argument $1 to the variable hostfile

    • must be defined when executing the script (./portscanner.sh hostfile portfile)

  • portfile=$2

    • This assigns the second argument $2 to the variable portfile

    • must be defined when executing the script (./portscanner.sh hostfile portfile)

  • echo "host,port"

    • Prints host,port to the terminal

  • for host in $(cat $hostfile); do

    • Outer loop

      • Reads each line from the hostfile and assigns the value to the variable host

      • $(cat $hostfile) reads the contents of the file specified by hostfile (note that the unquoted result is split on any whitespace, not only on newlines)

  • for port in $(cat $portfile); do

    • Inner Loop

      • Reads each line from the portfile and assigns the value to the variable port

      • This loop iterates for every host in the outer loop

  • timeout .1 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null && echo "$host,$port"

    • Testing the TCP connection

      • timeout .1 limits the execution time of the following command to 0.1 seconds; that is fine on a LAN, but across the internet a SYN/ACK can easily take longer, so open ports are silently reported as not open (use 1 or 2 seconds for remote targets)

      • bash -c "echo >/dev/tcp/$host/$port" tries to open a TCP connection to the current host and port

        • Uses Bash's /dev/tcp feature for this purpose

        • If the connection is successful, the command will succeed (exit status 0); a refused connection (RST) and a timed-out one both fail, so this script cannot tell a closed port from a filtered one

        • Because $host and $port are expanded by the outer shell into the string that the inner bash then parses, a crafted line in the host or port file (for example 10.0.5.21/80; id) is executed as a shell command; only feed the script target files you wrote yourself

        • 2>/dev/null

          • Redirects the error messages to /dev/null and silently discards them

        • && echo "$host,$port"

          • If the connection is successful, it prints the host and port

Enhanced Script

Putting Line numbers in Nano:

  • nano /etc/nanorc

  • uncomment the line that says set linenumbers

https://www.geeksforgeeks.org/how-to-show-line-numbers-in-nano-editor/

#!/bin/bash

#variables users must define when running the script
hostfile=$1
portfile=$2
outputfile=$3

#parameter checking: the two input files are required and must be readable
if [[ -z $hostfile || -z $portfile ]]; then
  echo "usage: $0 hostfile portfile [outputfile]" >&2
  exit 1
fi
for f in "$hostfile" "$portfile"; do
  if [[ ! -r $f ]]; then
    echo "error: cannot read $f" >&2
    exit 1
  fi
done

#checks to see if users gave variable $outputfile a value
#the -z option checks if the variable is empty or undefined
if [[ -z $outputfile ]]; then
  outputfile="results.csv"
fi

#makes a header in the output file
echo "host,port,status" > "$outputfile"

#reads each line of the hostfile/portfile and assigns a value to host and port
for host in $(cat "$hostfile"); do
  for port in $(cat "$portfile"); do

#attempts to establish a connection with the specified host and port
    if timeout .1 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null; then

#status was added to show whether the TCP connection was a success/failure
      echo "$host,$port,success" >> "$outputfile"
    else
      echo "$host,$port,failure" >> "$outputfile"
    fi
  done
done

#the display message on the screen once the scan is complete.
#Uses the variable $outputfile in the message
echo "host,port,status can be found in $outputfile"
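The following is an added example, not the assignment's own script: the same /dev/tcp scanner with the enhancements the assignment asks for (parameter checking, validation of every host and port read from the files, a separate status for timeouts) and with the target lists from Part 2 built by printf. The hosts, ports and file names in it are assumptions. Unlike the original, it passes the host and port to the inner bash as arguments instead of splicing them into the command string, so a hostile line in a target file cannot run commands.

```bash
#!/usr/bin/env bash
# Added example, not the assignment's own script. Hosts, ports and file
# names below are assumptions.

# printf reuses its format string for every argument, so one call writes
# one line per value without opening an editor.
make_targets() {  # usage: make_targets HOSTFILE PORTFILE
    printf '%s\n' 10.0.5.21 10.0.5.31 > "$1"
    printf '%d\n' 21 22 80 443 3389 > "$2"
}

# Dotted quad with four octets in 0..255 (rejects 10.0.5.256, 10.0.5, 1..2.3).
valid_ipv4() {
    local ip=$1 octet n=0
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    local IFS=.
    for octet in $ip; do          # split on dots; no glob characters can be present
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# A hostname or IPv4 address. Anything else is refused, which matters because
# the original script expands the target into a string that bash -c parses:
# a host file line such as "10.0.5.21/80; id" would run "id".
valid_target() {
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $1 in *[!0-9.]*) return 0 ;; esac   # contains letters: treat as a hostname
    valid_ipv4 "$1"
}

valid_port() {  # integer in 1..65535
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Connect to HOST:PORT and print open, closed or filtered. Host and port reach
# the inner bash as $0 and $1, never as part of the command text. timeout
# exits 124 when nothing answered in time (firewall drop or host down); any
# other failure means connect() was refused (RST) or the host is unreachable.
probe() {  # usage: probe HOST PORT   (TIMEOUT in seconds, default 1)
    local rc=0
    timeout "${TIMEOUT:-1}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null || rc=$?
    case $rc in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo closed ;;
    esac
}

# Read the files line by line (not word-split by $(cat ...)), skip blank lines
# and comments, validate each value, and write host,port,status as CSV.
scan() {  # usage: scan HOSTFILE PORTFILE [OUTPUTFILE]
    local hostfile=$1 portfile=$2 outputfile=${3:-results.csv} f host port status
    for f in "$hostfile" "$portfile"; do
        [ -r "$f" ] || { echo "error: cannot read $f" >&2; return 2; }
    done
    echo "host,port,status" > "$outputfile"
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        valid_target "$host" || { echo "skipping bad host: $host" >&2; continue; }
        while IFS= read -r port || [ -n "$port" ]; do
            case $port in ''|'#'*) continue ;; esac
            valid_port "$port" || { echo "skipping bad port: $port" >&2; continue; }
            status=$(probe "$host" "$port" </dev/null)
            echo "$host,$port,$status" >> "$outputfile"
        done < "$portfile"
    done < "$hostfile"
    echo "host,port,status can be found in $outputfile"
}

# Only scan when invoked with arguments, e.g. ./portscan.sh hosts.txt ports.txt out.csv
if [ $# -ge 2 ]; then
    scan "$@"
fi
```

Run it as ./portscan.sh hosts.txt ports.txt out.csv; set TIMEOUT=2 in the environment for targets outside the LAN. The three-way status is what the original script's single && cannot give you: "closed" means the target answered with RST, "filtered" means nothing came back before the timeout.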

Deliverable 2: Execute your script (demo your enhancements as well), provide a source code listing (also upload this to your technical journal)

Successful run of the script and displaying the contents of the output file that was made

Deliverable 3: So, you notice we target the file /dev/tcp/thehostip/thetcpport. Can you find this file in kali? Break out our friend Google and see if you can find out what is going on. Briefly explain what you discover.

/dev/tcp/<host ip>/<tcp port>

You will not find this file in Kali: ls /dev/tcp fails, because /dev/tcp is not a device file at all. Bash (and only bash; sh/dash does not do this) recognises the path /dev/tcp/host/port when it appears in a redirection and, instead of opening a file, creates a TCP socket and connects it to that host and port. The open socket is then an ordinary file descriptor that you can write to and read from, so you can talk to a remote server without netcat. /dev/udp/host/port works the same way for UDP.

One of the most common uses is to check whether a port is open on a remote host. It is useful on machines where nc, curl or wget are not available.

Network socket

A virtual connection endpoint within a computer network that allows applications on different devices to send and receive data with each other, acting as a two-way channel for network communication. A socket is identified by a port number and IP address.
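The two points above (there is no such file on disk, and the open socket behaves like a file you can read and write) as an added example, not part of the assignment. The default host, port and path it takes are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the assignment: what /dev/tcp actually is, and
# how to use it as a two-way socket rather than only as a connect test.
# The default host, port and path are assumptions.

# Nothing to find on disk: bash only recognises /dev/tcp/HOST/PORT when the
# path is used in a redirection, and then creates a connected socket instead
# of opening a file. Prints "no" on a normal Linux system.
dev_tcp_on_disk() {
    if [ -e /dev/tcp ]; then echo yes; else echo no; fi
}

# Open a read/write socket on file descriptor 3, send a HEAD request, print
# the status line and headers that come back, then close the descriptor.
http_head() {  # usage: http_head HOST [PORT] [PATH]
    local host=$1 port=${2:-80} path=${3:-/} line
    exec 3<>"/dev/tcp/$host/$port" || return 1       # connect() happens here
    printf 'HEAD %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" >&3
    while IFS= read -r -t 5 line <&3; do            # -t 5: give up on a silent server
        line=${line%$'\r'}                            # drop the CR of the CRLF ending
        [ -n "$line" ] || break                       # blank line ends the header block
        printf '%s\n' "$line"
    done
    exec 3>&-                                         # close the socket
}

if [ $# -ge 1 ]; then
    http_head "$@"
fi
```

Running ./devtcp.sh 10.0.5.31 80 prints the server's response headers, the same traffic you would see in Wireshark after the handshake; running it with sh instead of bash fails, because the path is only special to bash.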


NMAP

  • Begin a wireshark session and run a default scan against 10.0.5.31

Deliverable 4. Provide a screenshot showing your nmap output

Default nmap scan

You will notice right away that the default nmap scan (run as root) begins with host discovery: an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. It then SYN-scans the 1000 most common TCP ports.

ICMP echo request, TCP SYN to 443, TCP ACK to 80 and ICMP timestamp request
  • Find a port reported to be open and observe the TCP Flags being invoked by client and server.

A TCP flag is a control bit in a TCP header that indicates the state of a TCP connection. TCP flags are used to manage data flow and control how a connection is handled.

  • URG indicates that the data is urgent and should be prioritised

  • SYN used for connection establishment

  • ACK indicates that data has been received and the receiver expects the next sequence of data (used to confirm that data has been received)

  • PSH indicates that the data should be delivered to the application immediately

  • RST resets the connection when an error occurs or an unexpected packet is received

  • FIN indicates that a device has finished sending data and wants to close the connection (connection termination)

https://www.elastiflow.com/blog/posts/detecting-tcp-flag-based-attacks-with-elastiflow

Deliverable 5. find another open port, create the appropriate display filter and submit a screenshot similar to the example (but with another port).

The only connection with an ACK flag

NMAP Single Port

Restart a new wireshark capture and clear display filters. Run the following command

  • sudo nmap 10.0.5.31 -p 3389 (-p defines a port)

    • Look for traffic to and from port 3389

      • tcp.port == 3389

    • Run the same command without sudo

Deliverable 6. Describe the difference in the two wireshark captures

When nmap was run without sudo, the host was able to complete the TCP handshake with 10.0.5.31, as we can see by the ACK flag in packet 14. In the Wireshark capture with sudo, 10.0.5.31 responds with SYN/ACK but our host answers with RST instead of ACK, so the connection is never fully established.

By default an unprivileged user gets a connect scan (-sT) while a privileged (root) user gets a SYN scan (-sS).

TCP Connect (-sT)

  • Unprivileged scan

  • Uses the operating system's connect() system call to open a full TCP connection, instead of crafting raw packets (raw sockets need root, which is why this is the fallback)

TCP SYN Stealth (-sS)

  • Privileged scan (needs raw sockets)

  • Fast: sends a SYN, records the SYN/ACK or RST that comes back, and resets the half-open connection without completing the handshake

  • Stealthier than the connect scan, although any firewall or IDS that watches for SYNs still sees it

  • works against all functional TCP stacks

The SYN scan is better for penetration testing because the handshake is never completed: the target application never receives an accepted connection, so application logs (a web server's access log, for example) show nothing, whereas a connect scan leaves a completed connection that many services log. The SYN scan only needs to know whether the port answers with SYN/ACK (open) or RST (closed) and never needs a full TCP connection.

https://superuser.com/questions/887887/different-behavior-sudo-nmap-vs-just-nmap

Limiting NMAP's host discovery with -Pn

Deliverable 7. Add the -Pn flag and provide a wireshark display. You should have a total of 3 packets and evidence of a simple SYN scan similar to the one below.

The -Pn option tells nmap not to perform a host discovery phase before scanning. By default nmap decides whether a host is online with the probes seen in Deliverable 4 (ICMP echo request, TCP SYN to 443, TCP ACK to 80, ICMP timestamp request). If nothing answers, nmap assumes the host is down and skips the port scan entirely. -Pn skips that step and treats every target as up, which is what you want when a firewall blocks ICMP. The three packets in the capture are the port scan itself: SYN from us, SYN/ACK from the target, RST from us.
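The difference between the two captures in Deliverable 6, and the three-packet exchange of Deliverable 7, reduced to the flag sequence of a single flow. This is an added example, not part of the assignment; the packet lines are constructed samples in the shape "src_ip src_port dst_ip dst_port flags" with tcpdump-style flag letters, and the addresses and ports are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the assignment: telling a SYN scan (-sS) from a
# connect scan (-sT) by the flag sequence of one flow, the way you read it
# off Wireshark. The packet lines are constructed samples, not a capture.

SCANNER=10.0.17.44

# -sS against an open port: SYN, SYN/ACK, then RST from the scanner.
# These are also the three packets a -Pn single-port scan leaves behind.
SYN_SCAN='10.0.17.44 40001 10.0.5.31 3389 S
10.0.5.31 3389 10.0.17.44 40001 SA
10.0.17.44 40001 10.0.5.31 3389 R'

# -sT against the same port: the scanner completes the handshake (ACK)
# and only then tears the connection down.
CONNECT_SCAN='10.0.17.44 40002 10.0.5.31 3389 S
10.0.5.31 3389 10.0.17.44 40002 SA
10.0.17.44 40002 10.0.5.31 3389 A
10.0.17.44 40002 10.0.5.31 3389 RA'

# Closed port: the target answers the SYN with RST/ACK.
CLOSED='10.0.17.44 40003 10.0.5.31 81 S
10.0.5.31 81 10.0.17.44 40003 RA'

# Filtered port: the SYN is retransmitted and nothing ever comes back.
FILTERED='10.0.17.44 40004 10.0.5.31 82 S
10.0.17.44 40004 10.0.5.31 82 S
10.0.17.44 40004 10.0.5.31 82 S'

# Classify one flow (lines on stdin) from the point of view of SCANNER_IP.
# A SYN/ACK from the target means the port is open; whether the scanner then
# sent a bare ACK (handshake completed, -sT) or not (half-open, -sS) is the
# difference between the sudo and non-sudo captures.
classify_flow() {  # usage: classify_flow SCANNER_IP < flow.txt
    awk -v scanner="$1" '
        $1 == scanner { sent[$5] = 1 }   # flags the scanner transmitted
        $3 == scanner { got[$5] = 1 }    # flags the target sent back
        END {
            if (!("S" in sent)) {
                print "no SYN from scanner"
            } else if ("SA" in got) {
                if ("A" in sent) print "open (full connect, -sT)"
                else             print "open (half-open, -sS)"
            } else if ("R" in got || "RA" in got) {
                print "closed"
            } else {
                print "filtered"
            }
        }'
}

for sample in "$SYN_SCAN" "$CONNECT_SCAN" "$CLOSED" "$FILTERED"; do
    printf '%s\n' "$sample" | classify_flow "$SCANNER"
done
```

The same logic works on real traffic: export the capture with tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags (mapping the numeric flags to letters) and feed one flow at a time to classify_flow. A half-open verdict with no application-level log entry on the target is exactly why the SYN scan is called stealthy.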
