Port scanning

The only way to protect your system from hacker attacks is to know how hackers carry out these attacks. When considering the fundamentals of hacker attacks, you have to think as a hacker. For example, what should be done first to break into a server or to test it for vulnerabilities? There is no clear answer to this question. Any break-in is a creative process and requires an individual approach. There are no clear-cut rules or ready-made templates. Nevertheless, a few practical recommendations can be given.

The first step in a break-in or vulnerability test is to scan the ports. Why? To find out what services (daemons, in Linux) are installed in the system. Each open port is a service program installed on the server, to which someone can connect and make it do certain things. For example, port 21 is used by the file transfer protocol (FTP) service. If a hacker can connect to this port, he or she will be able to download and upload files from and to the server. The hacker must acquire the corresponding rights to be able to do this, however.

The first 1,024 ports must be scanned initially. Many of them are used by standard services like FTP, hypertext transfer protocol (HTTP), and Telnet. Each open port is like a locked door to the server. The more doors the server has, the more chances there are that the lock on one of them can be picked. Therefore, you should only install those services that are necessary.

I often say that only the programs that will actually be used should be installed on servers. If you are not sure whether a certain service will be used, do not start it: disable it or, even better, do not install it at all, so that hackers cannot start it and use it for their own goals.

A good administrator leaves only the most necessary ports open. For example, if your server is used only to serve Web pages but provides no email services, there is no need to keep the mail servers open. The only port that a Web server needs is port 80, so this port should be the only one left open. The rest of the ports cannot be merely shielded by a firewall; their corresponding services should not be installed. A mistake that many administrators make is installing all services and protecting them either by not starting them or by shielding with a firewall. This is a dangerous approach. If hackers get in through some crack in your system, they can start a stopped service or remove the firewall protection from it, and turn this service into a wide-open door.

Again, my advice to server administrators is to never install services or programs that you don't use or seldom use. Try to install as few applications as possible. Even such an innocent program as a calculator can be used to break into a system. How can this be done? Suppose that the calculator runs with administrator privileges even when a regular user starts it. If you have some Linux experience, imagine an executable file owned by root that has the set user identifier (SUID) or set group identifier (SGID) bit set. If a vulnerability is discovered in the calculator program (a buffer overflow, for example), hackers can use it to obtain root privileges.

Although the chances of a calculator program running as a system account in Windows or with the SUID or SGID bit set in Linux are slim, consider the following, much likelier, developments:

  • Once a hacker penetrates a system as a regular user, he or she can set the program to be run as the system administrator and then use it to raise his or her privileges.
  • Some programs can make it easier to break in. For example, if there is an FTP client installed in the system, hackers can use it to upload to the server the software necessary to break into it. A compiler or a Perl or PHP interpreter can be used by hackers to create or run malicious code on the server. Some utilities for taking advantage of vulnerabilities, called exploits, are written in Perl. Therefore, administrators try not to use this interpreter and don't install it on a production server.

Thus, the fewer programs installed on a server, the fewer cracks for hackers to use to enter the system or to obtain root privileges.

In addition to detecting open ports, a good port scanner shows the names of the well-known services listening on the open port. For example, the service listening on port 80 will be given as HTTP.

If your port scanner does not give the well-known service names, in Windows you can look up these names in the protocol and services files in the C:\WINDOWS\system32\drivers\etc directory. These files have no extension; they are simple text files and can be opened using Notepad or any other text editor. The contents of the services file look something like the following:

echo      7/tcp
echo      7/udp
discard   9/tcp    sink null
discard   9/udp    sink null
systat    11/tcp    users        #Active users
systat    11/udp    users        #Active users
daytime   13/tcp
daytime   13/udp
qotd      17/tcp    quote        #Quote of the day
qotd      17/udp    quote        #Quote of the day

The table has the following format:

<service> <port number>/<protocol> [aliases...] [#<comment>].

Keep in mind that the service-to-port mapping shown in this file lists only the registered defaults, which can easily be changed. It's no problem for the administrator to start a Web server on port 21 instead of the standard port 80, but the port scanner will still say that port 21 is used by the FTP server.

Take a good look at the contents of the services file. It maps well-known services to ports. I recommend that you remember at least some of the most important combinations so that you know what to look for in the system under investigation. For example, ports 1433/TCP and 1434/UDP are used by Microsoft SQL Server and Microsoft SQL Monitor, respectively. Port 1512/UDP is used by Microsoft Windows Internet Name Service (WINS).

It is desirable that the scanner be able to save the scanning results to a file and even allow you to print them out. If your scanner does not have these features, you will have to write down all the information and save it. This is the information hackers need for exploits.

After scanning the first 1,024 ports, you can move on to scanning the rest. Standard services are a rare occurrence in this port range. Why then should you scan them? Well, there is always a chance that someone has already visited this area and left an open door or installed a Trojan horse on the server. Most Trojan horses keep ports open in the range above port 1,024. So if you are a server administrator, an open port above 1,024 should make you sit up and take notice. If a hacker stumbles on an open port in the range above 1,024, he or she will try to find out what Trojan horse server is installed on it and find a client for it to control the machine.
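The two points above, the services-file format and the closer look an open port above 1,024 deserves, are tied together in this added example (my code, not the article's): it parses services-file lines, labels a constructed list of open ports with their registered names, and flags ports that have no well-known name or lie above 1,024. The sample file excerpt and the list of open ports are constructed for the example.

```python
# Added example, not from the original article. Parses lines in the
# "<service> <port>/<protocol> [aliases...] [#comment]" format and annotates a
# constructed scan result the way an administrator reviewing it would.

SERVICES_SAMPLE = """\
# constructed excerpt in the services-file format
echo      7/tcp
ftp       21/tcp
http      80/tcp    www www-http  #World Wide Web
ms-sql-s  1433/tcp                #Microsoft-SQL-Server
ms-sql-m  1434/udp                #Microsoft-SQL-Monitor
ms-wins   1512/udp                #Microsoft Windows Internet Name Service
"""


def parse_services(text):
    """Return {(port, proto): (name, [aliases])} from services-file text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop the comment, skip blanks
        if not line:
            continue
        fields = line.split()
        name, port_proto, aliases = fields[0], fields[1], fields[2:]
        port, proto = port_proto.split("/")
        table[(int(port), proto.lower())] = (name, aliases)
    return table


def review_open_ports(open_ports, table):
    """Label each (port, proto) with its registered name and add review flags.

    The label is only the registered default: a web server listening on 21
    is still reported as 'ftp', which is exactly the caveat in the text.
    """
    report = []
    for port, proto in open_ports:
        name = table.get((port, proto.lower()), ("unknown", []))[0]
        flags = []
        if name == "unknown":
            flags.append("no well-known service")
        if port > 1023:
            flags.append("above 1024: verify what is listening")
        report.append((port, proto, name, flags))
    return report


if __name__ == "__main__":
    # Constructed scan result: three open TCP ports on a hypothetical host.
    for entry in review_open_ports([(21, "tcp"), (1433, "tcp"), (5555, "tcp")],
                                   parse_services(SERVICES_SAMPLE)):
        print(entry)
```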

Some services using ports above 1,024 are common commercial applications, for example, database servers. The first 1,024 ports were allocated long ago, and for a new service to obtain a port from this range is quite problematic; therefore, modern services actively use the entire port address range — up to 65,535.

In Linux, services using the first 1,024 ports can only be started by a user with root privileges. These services are the most dangerous from a break-in standpoint; therefore, regular users must not be able to start them.

Discovering another hacker's back door means that the current hacker's break-in work is over, because he or she already has access to the server. Unfortunately for hackers, discoveries of this kind are the exception rather than the rule. In most cases, the hacker will have to do all the dirty work. In this respect, things were much easier when the Back Orifice Trojan first started making its rounds. Then a computer infected by one hacker could be easily accessed by anyone with the client part of the Trojan. Nowadays, there are just too many Trojans on the Internet; they use different ports and in most cases even let the port be configured. Moreover, if the server part is protected with a password, the hacker will have to break into the break-in to use it.

Knowing which ports are listening, that is, which doors the server has, is not enough; the hacker must know how to open these doors.

Tag: Security | Date: 4/4/2010 4:31:44 PM