Many hackers use tools such as nmap without properly understanding what certain switches mean and why they should be turned on. In this article, we will not discuss nmap; however, we will look at how it and some other scanners work, especially for stealth scans.
Overview
Before we can begin attacking any system, we need to first of all understand the type of system we are dealing with. Unfortunately, in order to properly probe a target, we employ probing techniques that are largely noisy and non-stealthy. These will largely get picked up by devices on the network such as firewalls, SIEMs and IDS devices. The focus now becomes identifying targets without alarming the system admins or Security Operations Center team. The techniques discussed below will either confuse the available defense mechanisms or make it more difficult to detect the activity from our attacking machine. Before we can dive deeper, though, it is important to understand what a non-stealthy scan is.
What is a non-stealthy scan?
A TCP connection works through a three-way handshake, where a client and a server communicate in a particular manner before establishing a connection. This communication happens in the following steps:
The client sends a TCP packet to the server with the SYN flag set The server responds to the client with a TCP packet with the SYN and ACK flags set if it says a probed port is open If the port is closed, the server will respond with a TCP packet with the RST flag set In case the port is open, the client will respond to the server with an ACK
The communication above is known as a three-way handshake and must happen before a TCP connection can be established between a client and server. A non-stealthy scan will implement the TCP “connect()” method, which is enabled by operating systems for connection to target hosts. This scan employs the three-way-handshake described above and will only respond with a list of hosts with open ports as specified at the onset of the scan. This scan is easily detected, due to the numerous attempts by the scanner to establish a connection to many ports on a target host over a short period of time. Also remember that login attempts which fail will most certainly be logged and can be retrieved during a security audit.
What are stealthy network recon strategies?
In computer security and hacking, stealth is considered the ability to remain undetected within a network as we perform activities, whether malicious or not. These activities will often be counteractive to the defense mechanisms and may or may not be authorized. We of course encourage you to ONLY run the commands here with authorization from the network owners. The two main perspectives here are:
Identification of ports and services for defense: This will be true for the Blue Team Identification of ports and services for attacking: This will be true for the Red Team
There are a couple of stealth scans that can be executed. These include inverse mapping, half-open, X-mas tree, UDP, null and more. We shall discuss these types of scans in detail in the following sections.
Inverse mapping
The inverse mapping scan involves sending specially customized packets, including SYN-ACK packets, RST packets and DNS packets, which only discover which hosts are online within the network and which ones are offline. The hosts that were discovered to be offline would result in an “ICMP host unreachable” error message. This scan does not attempt to discover open ports, thus achieving some level of stealth.
Slow scan
This is one of the most effective stealth scans that can be performed within the network. The idea is to greatly reduce the speeds at which port scans take place. The attacker introduces a delay that prevents host-based IDS or firewalls from picking up excess attempts to connect to a TCP port. Even though this scan has great success in achieving stealth, the major disadvantage would be the amount of time that it takes to complete a scan. The only way of detecting this scan is by analyzing traffic log files.
Half-open scan
This scan is also known as SYN scan. The name comes from the method that this scan is implemented. Whereas the TCP connect() scan makes use of the three-way handshake to perform a scan, the SYN scan implements a modified two-way communication channel. The SYN scan will begin the handshake just like the TCP connect(). The client sends a SYN packet to the server, then the server responds with a SYN-ACK packet to the client in case the port is open. The server will respond with an RST packet if the port is not open. Instead of the client responding with an ACK to acknowledge receipt of the RST, it sends the server an RST packet. This is how the SYN scan differs from the TCP connect() scan. This scan has two main disadvantages. It is caught by a vast number of firewalls and requires root privileges to initiate.
FIN scan
This scan is very successful, as it seeks to defeat the methods put in place to detect SYN scans. Here, packets are sent to the server with the FIN flag set. If the port is open, the server ignores the FIN flag; however, if the port is closed, the server responds with an RST flag set. The scanner is able to defeat packet loggers that would otherwise log SYN packets.
X-mas tree scan
This stealth scan sends invalid packet header flags to the server. It differs from the FIN scan in that it sends multiple flags together with the FIN flag in an attempt to confuse any present logging mechanism. The nmap scanner, by default, includes three flags turned on. These are the FIN, URG and PSH flags. Other scanners will go beyond nmap and turn on all TCP header flags — hence the name X-mas tree scan, since everything is turned on and lit up just like a Christmas tree. There are also some other stealth scans that can be performed. These are the null scan, UDP scan and dumb scan.
What are some stealthy scanning techniques?
The following techniques are implemented within multiple scanners in order to make scan detection much harder even as we conduct the scans discussed above.
Fragmentation
We can make the administrators of our target network have a hard time discovering our activities by making use of a fragmentation scan. This scan involves breaking up the TCP header into numerous smaller packets that cannot be picked up by packet filters and IDSes. This method will be picked up by firewalls or systems that collect packets and assemble them before forwarding them. The idea behind this technique is to conceal the intention of the packets originating from the attacker.
Spoofing
This attack is very common. It works by the attacker impersonating a whitelisted and known IP address to carry out scanning within the network. As the system administrator monitors the network, the observed traffic will seem to originate from a trusted IP address; however, it will be coming from the attacker. This stealth technique is quite obvious and noticeable and will definitely be caught by an IDS. There is also the ability to impersonate other machines within the network by abusing the ARP (Address Resolution Protocol). The Address Resolution Protocol allows hosts within the network to determine the host’s MAC address given its IP address. The network keeps a table of MAC addresses and IP addresses to keep network traffic down. If we can spoof ARP packets and responses, we can scan the network undetected. We can spoof the MAC address using tools such as macchanger on Kali Linux.
Decoying
This technique involves the spoofing of legitimate IP addresses within the network while carrying out a port scan. The intention is to bury the attacker’s IP address within a huge list of online IPs. When this is done, it confuses the system administrator by making it look like all the IPs are involved in the attack. The greater the number of spoofed IP addresses, the more difficult it is to weed out the attacking IP address. However, some host-based security systems such as firewalls and IDSes might be able to filter out the traffic and pinpoint the attacking machine.
Bouncing
This technique allows attackers to “bounce” their traffic from hosts within the network to their target host. This works due to the ability of some services to allow input to pass through them. Services such as “finger” and FTP are normally abused to achieve this.
What are some tools of trade that can be used?
There are many good port scanners available out there. The most well-known and appreciated one of them all is nmap. Nmap is able to perform all of the scans discussed above and lets you customize each scan according to the uniqueness of the environment you’re in. The success of nmap is in its ability to do much more than just port scanning. The following are some of the common port scanners you can use today:
Angry IP Scanner Unicornscan Netcat Zenmap
Conclusion
Stealth scanning is extremely important in that it allows you to bypass whatever defenses have been implemented in the network. We encourage you to be able to understand the different scanning techniques so as to know what to apply within your environment during a hacking exercise. We have by no means exhausted the stealth scanning techniques available. You should consider researching UDP scanning to see how it can also be used for stealth.
Sources
Stealth Port Scanning Methods, GIAC Top 5 Best Port Scanners, SecurityTrails