1.2.10 Lab – Use a Port Scanner to Detect Open Ports Answers

1.2.10 Lab – Use a Port Scanner to Detect Open Ports (Answers)

Objectives

Use Nmap, a port scanner and network mapping, tool to detect open ports.

Background / Scenario

Network Mapper, or Nmap, is an open-source utility used for network discovery and security auditing. A common task is to scan local machines to determine potential vulnerabilities including open and unmanaged ports. All workstations require open ports and services to communicate and perform tasks like printing, sharing a file, or browsing the web. Administrators also use Nmap for monitoring hosts or managing service upgrade schedules. Nmap determines what hosts are available on a network, what services are running, what operating systems are running, and what packet filters or firewalls are running. In this lab, you will use Nmap inside your VM environment to detect open ports.

Introduction to TCP/UDP Ports

All communication that happens over the internet is exchanged using ports. Every IP host can use two types of ports: TCP and UDP. There can be up to 65,535 of each for any given IP address.

Services that connect to the internet (like web browsers, email clients, and file transfer services) use specific ports to receive information. Therefore, each logical connection is assigned a specific number. The port number also identifies which port it must send or receive traffic through when communicating. The Internet Assigned Number Authority (IANA) assigned the official port numbers and divided these ports into three subcategories:

  • Well-Known Ports (0-1023)
  • Registered Ports (1024 – 49,151)
  • Dynamic / Private Ports (49,152 – 65,535)

The following lists common ports:

20 – File Transfer Protocol – Data (FTP-DATA)
21 – File Transfer Protocol – Control (FTP)
22 – Secure Shell (SSH)
23 – Telnet (TELNET)
25 – Simple Mail Transfer Protocol (SMTP)
53 – Domain Name System (DNS)
67 – Client to server Dynamic Host Configuration Protocol v4 (DHCPv4)
68 – Server to client Dynamic Host Configuration Protocol v4 (DHCPv4)
69 – Trivial File Transfer Protocol (TFTP)
80 – Hypertext Transfer Protocol (HTTP)

Security of Logical Ports

Every logical port is subject to a threat and poses a vulnerability to a system, but some of the commonly used ports receive a lot of attention from attackers. Over 75% of all cyberattacks involve just a few common ports.

Attackers scan systems to identify opened ports on a target system. Here is a list of potential logical ports that are the most common targets of cybercriminals:

20/21 FTP
22 SSH
23 Telnet
25 SMTP
50/51 IPsec
53 DNS
67/68 BOOTP
69 TFTP
80 HTTP
110 POP3
111 Port Map
119 NNTP
123 NTP
137-139 NetBIOS
143 IMAP
161 SNMP
389 LDAP
443 SSL

Required Resources

  • PC with the CSE-LABVM installed in VirtualBox.

Instructions

Step 1: Open a terminal window in the CSE-LABVM.

a. Launch the CSE-LABVM.

b. Double-click the Terminal icon to open a terminal.

Step 2: Run Nmap.

At the command prompt, enter the following command to run a basic scan against this system:

[email protected]:~$ nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 14:14 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000035s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
631/tcp open ipp

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

The results are a scan of the first 1024 TCP ports.

Questions:

What TCP ports are open?
Ports 22, 23, and 631

Provide a description of the service associated with each open port.
Port 22 – SSH (Secure Shell) is a remote administration protocol used to control and modify a remote server over the internet. SSH authenticates the remote user and uses cryptography to encrypt all communications to and from the remote server.
Port 23 – Telnet provides a command line interface for communication with a remote server and transmits using clear-text (there is no encryption)
Port 631 – CUPS allows a computer to act as a print server. A system running CUPS can accept print jobs from clients and send the print jobs to the appropriate printer. CUPS uses IPP (Internet Printing Protocol).

Research the vulnerabilities associated with each of these open ports.
Answers may vary.
An unauthorized user only needs your username and password to gain access to a server with an open SSH port. You may see many attempts to log in to the server with default or common logins to gain access.
Other common targets are ports 22 and 23 (SSH) and (Telnet). These ports are designed to provide authorized remote access to an IP host. Port 23 is essentially unsafe because the data transferred in plaintext. Port 22 is much more secure and is preferred when connecting to a remote host. These ports can be utilized by cybercriminals to perform the following types of malicious activity.
Gain authorized remote access to a host.
Plant backdoors and other types of malicious codes.
View sensitive data and credentials.
Perform man-in-the-middle attacks.
Impact the availability of other host services.
UDP Port 631 is a popular protocol in TCP/IP networks.
The term CUPS (Common UNIX Printing System) is modular network printing service for Linux host which allows a computer to act as a print server. UPS consists of a print spooler and scheduler, a filter system that converts the print data to a format that the printer will understand, and a backend system that sends this data to the print device.
An unauthorized user may be able to execute arbitrary commands with the privileges of the CUPS daemon. Additionally, a remote DoS may cause the server to be unresponsive.

Step 3: Use administrative privileges with Nmap.

a. Type the following command in the terminal to scan the computer’s UDP ports (remember, Ubuntu is case sensitive) and enter the password password when prompted:

[email protected]:~$ sudo nmap -sU localhost
[sudo] password for cisco:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 14:18 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000020s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 998 closed ports
PORT      STATE         SERVICE
631/udp   open|filtered ipp
5353/udp  open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds

What UDP ports are open?
Ports 68, 631, and 5353

Describe the purpose of the UDP services associated with each port.
Port 67 and 68 provide client-server Dynamic Host Configuration Protocol (DHCP) services. The DHCP is a network management protocol used on Internet Protocol (IP) networks. It dynamically assigns an IP address and other network configuration parameters to host on the network. This information is required for IP hosts to communicate with other hosts on the IP networks.
UDP Port 631 is used by client applications for CUPS printing services.
Port 5353 is used to discover network peripherals on the local network.

Research the vulnerabilities associated with each of these open ports.
Answers may vary.
An open port 68 provides Dynamic Host Configuration Protocol (DHCP) services.
This port allows hackers to disrupt dynamic network addressing and can be used for network spoofing and remote code execution.
An open port 631 allows cyber attackers to cause a denial of service and possibly execute arbitrary code.
An open port 5353 is used by Multicast Domain Name System (mDNS) which allows hosts to resolve hostnames to IP addresses in small networks that do not include a name server. However, if the mDNS port 5353 is exposed to the internet, attackers can query the service to collect information about the server as well as launch a DoS attack by spoofing a target and flooding the network with mDNS requests.

b. Type the following command in the terminal:

[email protected]:~$ nmap –sV localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 14:19 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000038s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
23/tcp  open  telnet  Linux telnetd
631/tcp open  ipp     CUPS 2.3
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.34 seconds

Using the –sV switch with the nmap command performs a version detection which you can use to research vulnerabilities.

Step 4: Capture SSH keys.

a. Type the following command in the terminal to initiate a script scan:

[email protected]:~$ nmap –A localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 14:21 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000037s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|  3072 56:68:77:00:41:7f:50:17:5b:73:82:36:47:c4:bc:2d (RSA)
|  256 0e:52:78:ba:08:2a:df:e5:be:1b:07:a7:98:3a:c8:50 (ECDSA)
|_ 256 f7:9e:03:10:96:94:cc:f4:4f:2a:f2:7c:6a:37:c1:6f (ED25519)
23/tcp open telnet Linux telnetd
631/tcp open ipp CUPS 2.3
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.37 seconds

You captured the SSH keys for the host system. The command runs a set of scripts built into Nmap to test specific vulnerabilities.

Questions:

What are the values of the SSH hostkeys?
| ssh-hostkey:
| 3072 56:68:77:00:41:7f:50:17:5b:73:82:36:47:c4:bc:2d (RSA)
| 256 0e:52:78:ba:08:2a:df:e5:be:1b:07:a7:98:3a:c8:50 (ECDSA)
|_ 256 f7:9e:03:10:96:94:cc:f4:4f:2a:f2:7c:6a:37:c1:6f (ED25519)

How would an attacker use this information?
This information could be used to gain unauthorized remote access to the target host.

How could you prevent the cyber attacker from stealing the key information?
Send the keys by phone, text, or email. This is called out-of-band key exchange.

b. Enter the man nmap command to open the manual pages for the Nmap utility.

[email protected]:~$ man nmap
NMAP(1) Nmap Reference Guide NMAP(1)
NAME
    nmap - Network exploration tool and security / port scanner
SYNOPSIS
    nmap [Scan Type...] [Options] {target specification}
<output omitted>

You can use this resource to locate other available options for the Nmap utility. At any time, enter q or quit to exit the man pages. You can read the manual pages available for any service or command by entering the man command followed by the name of the utility or command.

Summary

Highly Vulnerable Ports

Many ports must be open for a host to function in a normal computing and communication environment. However, these common ports should be monitored regularly to ensure they are not compromised and being used to attack a victim, provide unauthorized remote access, or being used to hijack a host to participate in a distributed attack on other victims.

Port 21 of TCP is one of the most popular ports for attackers. This port is designed to transmit and receive files from one host to another. Attackers use this port to perform the following types of malicious activity:

  • Unauthorized transfer, deletion, and modification of files
  • Unauthorized transfer of malicious code or payloads
  • Anonymous authentication to host file systems
  • Inject malicious scripts like XSS attack
  • Impact the availability of other host services

Another common target is port 23 (Telnet). This port provides authorized remote access to an IP host. This port poses a vulnerability because the data transferred is in plaintext. Attackers use this port to perform the following types of malicious activity:

  • Gain unauthorized remote access to a host
  • Plant backdoors and other types of malicious code
  • View sensitive data and credentials
  • Perform man-in-the-middle attacks
  • Impact the availability of other host services

Another favorite port for attackers is port 53. This port is used for DNS or looking up domain names when browsing the internet or transferring information. This port is the most common exit route for the attacker after an attack. Because this port is rarely monitored, attackers use this port to exit after clearing their files, logs, and other information to cover their tracks.

The most common port used by attackers is TCP port 80. This port transfers webpages between a web server and the host browser. Attackers use this port to perform the following types of malicious activity:

  • Unauthorized transfer, deletion, and modification of data
  • Unauthorized transfer of malicious code or payloads
  • Injection of malicious scripts (like an XSS attack)
  • Impact the availability of other host services

 


guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x