This FAQ text is copyright dslreports.com
Reproduction of all or part only with our permission.
This FAQ is edited by: Mike, KeysCapt
It was last modified on 2010-03-13 18:41:23

1.0 General Info

Tell me about Port Scanning

Analogy of a scan:

Imagine a building with 65535 closed doors. Most of these doors are locked, but some will open if you knock on them (although they may still not let you in). A scan is like trying each of these doors in turn.

Obviously, scans are done by people trying to find a way in. They choose to scan first because some of the doors (ports) may open when they knock (scan) on them, or might be opened by a program (doorman) that identifies itself. This gives them valuable information on what kind of security (if any) they are facing, and what revisions of software components can be seen.

Finding this out is half the challenge ... the other half is exploiting the holes.

Back to the analogy: there is more than one way to try a door ... but in every single case, you must interact with the door, somehow, to determine if it may be opened.
The obvious interaction is banging on the door. However, if you do not wish to alert the security guards, this is probably a bad approach. There are slightly quieter approaches (such as moving the door handle slightly).

A port scan on a computer can be as simple as rattling the door handle of one door, or as lengthy as combinations of tapping, rattling and banging on every one of the 65535 doors, in parallel, to see which respond and how.

In the early days of scanning, tools scanned ports sequentially, and simply attempted a full connection with each port. These scans gave interesting results, but became so common that port scan detectors were quickly designed to set off alarms if the computer under attack noticed doors being accessed like this in a sequential manner.
Then came random port scans ... simple randomizing of the order of doors, and intervals between door knocks. This soon became easy to detect also.
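
As an added illustration (not part of the original FAQ or of any dslreports tool), the sketch below shows why both sequential and randomized scans became easy to detect: it counts the distinct ports each source touches inside a time window, so the order of the probes does not matter. The event tuples, the 60-second window and the 10-port threshold are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, source_ip, destination_port).
# 198.51.100.7 walks ports in order, 203.0.113.9 uses a shuffled order,
# 192.0.2.10 is an ordinary client that only ever uses two ports.
SHUFFLED = [443, 22, 8080, 110, 25, 3389, 139, 21, 80, 53, 23, 445]
SAMPLE_EVENTS = (
    [(t, "198.51.100.7", 20 + t) for t in range(12)]
    + [(i * 2, "203.0.113.9", port) for i, port in enumerate(SHUFFLED)]
    + [(t, "192.0.2.10", 80 if t % 2 else 443) for t in range(30)]
)


def detect_scanners(events, window=60, max_ports=10):
    """Return {source: time of first alert} for every source that contacts
    more than max_ports distinct ports within any window-second span."""
    recent = defaultdict(deque)  # source -> (time, port) pairs still in the window
    alerts = {}
    for ts, src, port in sorted(events):
        seen = recent[src]
        seen.append((ts, port))
        # Forget probes that have aged out of the window.
        while seen and seen[0][0] <= ts - window:
            seen.popleft()
        distinct_ports = {p for _, p in seen}
        if src not in alerts and len(distinct_ports) > max_ports:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for source, when in detect_scanners(SAMPLE_EVENTS).items():
        print(f"possible port scan from {source}, threshold crossed at t={when}s")
```

The window length bounds what this catches: probes spaced further apart than the window never accumulate, so a longer window with the same threshold is needed for those.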

Next stage in the arms race: by looking at the protocol involved in knocking on doors, it became possible to program a so-called 'stealth' scan (TCP SYN scan). This is more subtle than a straight knock. If your objective is to know whether the door would be answered, but you don't want it to be opened yet, it is possible to do a few different "half-knocks" that reveal whether the door is "alive" but do not alert possible higher level security or logging systems that the door was tried.

Next in port scan technology came the FIN Scan. This is like an inverse half knock(!). It happens that computer packet handlers (TCP stacks) have an interesting characteristic: a FIN packet (a type of negotiation packet) addressed to a "dead" door causes an RST packet to be sent back, but one addressed to an alive door does NOT. Therefore, a FIN scan can identify all the dead doors, and leave you with a list of potentially alive ones. Because the lowest level of the operating system is handling this, most port scan alarm systems have no awareness that this is happening.

If the FIN scan is not good enough, then there is the fragmentation scan. This breaks probe packets up, to possibly get through firewalls or avoid port alarms, and then be reassembled by the victim's computer to possibly reveal an open port.

Once a port scanner has assembled a list of potentially alive port numbers (doors), it has a good chance of identifying the operating system, the machine hardware, and which alive doors may have faulty "doormen" (software) behind them.

How are Computers Cracked?

How systems are broken (owned in underground terminology)

1. Passwords: If your computer has passwords, it may be possible to guess them, sometimes by what is known as "brute force".

2. Exploitable flaws in gatekeeping programs: Tricking a program into doing something it should not do, usually modifying a file, deleting a file, or returning information that should not be returned, by taking advantage of a known software bug. Webservers are incredibly complex gatekeepers or guardians of information, and currently have the richest variety of exploitable flaws or insecurities that creep into their setup and administration.

3. Buffer Overflows: Many programs, even the ones that operate as gatekeepers, are written with assumptions that inputs are always shorter than some given length. This has come about mainly due to a characteristic of the C programming language, which encourages (or more strictly, does not disallow) programmers to allocate fixed-size character buffers when reading data, and then not check for the case of input data over-writing those buffers. If the input data is unexpectedly large, the data may write over into the program's stack, and cause either a crash or worse, execution of code that the intruder plants into the input data.

4. Trojans: Tricking a computer into running something that contains code which compromises the machine is what a Trojan does. It can take almost any form, such as a screen saver or a Christmas greeting program. A trojan usually arrives by email or by IRC file-send, or in some cases from a web page. Trojans are sophisticated and unlikely to have been written specifically for either the person using them or the target they are used against, but with binary standards and more complex home operating systems, they are becoming more common.

5. Man in the Middle: The interception of communication between two computers gives the opportunity to either listen for information, possibly leading to cracking via passwords, or to impersonate one party, therefore leading to betrayal of trust. More complex betrayal intrusions can involve three or more parties.

Locating Vulnerable Systems

Information is gained by:

1. Scanning: Programs can scan a domain looking for telltale fingerprints of a system running services with known flaws.

2. Social Engineering: Simply contacting an organization and asking for a password is remarkably effective for the brazen armed with a little background information about the victims.

3. Sniffing: By compromising an otherwise uninteresting host, packet sniffers can be set up to watch data passing by the host that will lead to more information. Sniffers usually just look for cleartext passwords, but can also watch sessions and figure out which machines trust which other machines, information that is invaluable for attacking corporations.

Denial of Service (DOS Attacks)

A "denial-of-service" attack is an explicit attempt by attackers to prevent legitimate use of a service by those who depend upon it. Some examples are attempting to "flood" a network, thereby preventing legitimate network traffic, attempting to disrupt connections between two machines, thereby preventing access to a service, attempting to prevent a particular individual from accessing a service, and attempting to disrupt service to a specific system or person.

Denial of Service attacks are numerous and difficult to defend against, because they exploit very low level flaws in communications protocols, protocols designed in more academic environments. However, when a machine that provides security-related information is muzzled, denial of service can possibly lead to break-ins. If a logging machine is crashed via a packet handling flaw, then because it is no longer logging activity, more ambitious attacks can be mounted.


Not getting caught is obviously of paramount importance to an attacker, so they go to incredible lengths to cover their tracks. Spoofed packets contain an invalid or innocent "from" address. Without access to network administrators, it is impossible to tell the origin from data at the point of reception. The trouble with this, from the attacker's point of view, is that if they are invisible, they also cannot get any return data! Therefore, they can attempt to use proxies to remain connected. Proxies are usually innocent computers previously "owned", with relay programs set up on them. Conveniently, certain service programs like FTP, Wingate or Socks, when incorrectly configured, can act as relays even without the host being cracked, so scanning for possible proxies that may be used is also a common activity.

What does Secure-Me concentrate on?

Evaluating security of corporate networks cannot be done with anything so simple as an automated tool, so Secure-Me is aimed at auditing the security of a simple home PC or a simple small business gateway machine, in the context of the increase in the number of machines now hooked to the net fulltime. In this situation, the possible security loopholes are fewer, and the evaluation becomes easier to automate. On the other hand, the number of people with access to scanning tools and the amount of bandwidth they have to use them are growing, so anyone who is running an insecure service or a misconfigured computer can easily be found and "owned".

Simply put, Secure-Me gives the machine a brief scan for what open services it runs, then uses some common crack scripts and programs that are in use now by the net underground to probe for possible risks with those services. The tools Secure-Me uses are really just an automated collection of cracking scripts and programs, orchestrated to report their results in one file. In a way, it is like an online webified version of Satan (an old cracking toolkit), but considerably more complete with newer tools.

What is a SYN-FLOOD?

A syn-flood is a stream of packets that each initiate a new TCP session, but no follow-up packets are sent to complete the connection handshake.

Targeted at a service port, this will usually overload the server such that it cannot respond to any real connection requests from real clients, because the server can only keep a limited number of connection slots active at any one time.

A syn-flood belongs to the class of attacks known as denial of service attacks. The origin for syn-flood packets can be set to any address on the net, making it difficult to locate the source of a syn-flood attack.
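
The slot exhaustion described above can be seen in a small model of the server side. This is an added example, not code from the original FAQ or from any real TCP stack; the class name, the 8-slot table and the 30-second timeout are assumptions made for the illustration.

```python
class SynBacklog:
    """Toy model of a listening port's table of half-open connections."""

    def __init__(self, slots, timeout):
        self.slots = slots        # how many half-open sessions fit at once
        self.timeout = timeout    # seconds before an unanswered SYN is dropped
        self.half_open = {}       # peer -> time its SYN arrived

    def _expire(self, now):
        # Free the slots of sessions whose handshake never completed.
        self.half_open = {peer: t for peer, t in self.half_open.items()
                          if now - t < self.timeout}

    def on_syn(self, now, peer):
        """First handshake packet. Returns True if a slot was available."""
        self._expire(now)
        if len(self.half_open) >= self.slots:
            return False          # table full: the request is not answered
        self.half_open[peer] = now
        return True

    def on_ack(self, now, peer):
        """Final handshake packet. Frees the slot; session is established."""
        self._expire(now)
        return self.half_open.pop(peer, None) is not None


def simulate(slots=8, timeout=30):
    """Run constructed traffic through the model and report what happened."""
    server = SynBacklog(slots, timeout)
    # Ordinary clients finish the handshake, so slots are freed immediately.
    normal_ok = all(server.on_syn(t, ("client", t)) and server.on_ack(t, ("client", t))
                    for t in range(20))
    # Constructed flood at t=100: 50 SYNs, arbitrary sources, no follow-up.
    slots_taken = sum(server.on_syn(100, ("src%d" % i, 1024)) for i in range(50))
    # A real client arriving one second later finds no free slot.
    client_refused = not server.on_syn(101, ("client", 999))
    # Once the stale entries time out, service resumes.
    client_served_later = server.on_syn(100 + timeout, ("client", 1000))
    return normal_ok, slots_taken, client_refused, client_served_later


if __name__ == "__main__":
    print(simulate())
```

In the model, service returns only after the timeout and only if the stream of unanswered SYNs has stopped, which is why a count of half-open sessions sitting near the table size is a useful thing to monitor.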

One Denial of Service Story

For a good look into a DOS attack and the measures taken to combat it, read about it on the GRC website: Denial of Service Attack.

Where can I go for further reading?

There are a lot of security resources on the web that can be explored by using any search engine, such as Google.

A good discussion on prevention of DOS attacks is available here: www.cisco.com/warp/public/707/newsflash.html

An excellent source for current information is our own Security Forum and the Security FAQ.

Tell me about nbtstat and netbios port 139

Windows operating systems (Win95, Win98 and NT) implement a network protocol called NetBIOS. A machine with NetBIOS running over TCP/IP usually listens on several ports for SMB packets (regular IP packets with Microsoft formats inside them).

By default, Windows machines advertise their existence and their name, domain and usernames, to anything that asks, without requiring a password for this information. Your desktop configuration may not have any public shares, or all shares may be password protected, but your machine will still advertise its login name and workgroup name to anything that asks it. It may also crash if sent a NetBIOS packet designed to exploit a bug.

nbtstat is the name of a Windows command prompt program that can be used to query any machine for this information.

smbclient is the name of a Samba program that can also talk SMB.

2.0 DSLR Port Scans

Why can't the scan be done instantly?

A basic port scan is available. (Under the Tools menu item)

It is implemented as a Java applet that simply reports back the results of a port scan done by the server. This scan simply reports on a few common vulnerabilities.

The slightly more extensive scan system has a queue, as each test can take a while. There are usually a few people 'waiting' in this queue so the scan is not instant.

What tools are used?

Nmap, nbtstat, queso, smbclient, targa and whatever the latest flavour of ping of death programs is (optional, if selected by you) are used, and a Perl script with various modules controls it all.

Summarize what is done to my computer please

A modern port scan tool is used (nmap) and this attempts to identify the machine signature, and any vulnerable services running on it. If NETBIOS ports are open (indicating it is a Windows machine), then we attempt to talk to your netbios to see if there are any shares or printers visible, and to query your machine name and domain name.

If you requested 'ping of death' tests, then some ping of death packets are sent to your machine, to see if this will crash your operating system.

If you have a Cisco router, it is probed to see if the IOS is protected or not.

None of these default tests will damage anything. It is possible, but only remotely, that the 'ping of death' tests could cause disk corruption since the OS may freeze in the middle of writing a file. If you are not using your PC for something else, this is extremely unlikely. (Turn off your defragger if you run that overnight though!).

Can I run a Port Scan against my company firewall?

To ensure the IP is yours, but without causing a blizzard of email, the site is set up to look out for FTP or Telnet requests from hosts targeted for scans.

If a request is logged, this releases the scan. Therefore, if your scan has gone into hold status, you must find some way of running an FTP or Telnet request to this site to release it.

Do you keep the results?

We keep logs of vulnerabilities found, but with the IP address REMOVED.

Why? Because we want to publish summaries of the security vulnerabilities we find. At no time will we reveal your IP address associated with the security scan results. Even the email of results does not reveal your IP address.

How do I interpret the score?

Just because you have open ports, or a visible computer name, or visible shares, or crash out when sent certain ping packets, do not rush out and buy the first security package you can find.

Simple things like turning off file sharing can be enough while you do some further reading.

That said, if you use IRC and ICQ a lot, and tread on the toes of strangers online, then you should probably at least run a software firewall. It is also highly recommended that you install some type of virus scanner and keep its virus definitions updated. You can find more information to help in the Security Forum.

What firewall do you recommend?

At this point there are simply too many possible choices to recommend any particular brand of firewall.

Zonealarm for Windows platforms is popular and has a free version.

An ipchains firewall script in your startup is recommended for Linux.

Netbarrier seems to show a lot of information for Macintosh users.

3.0 Results

I have a firewall, but the scan shows my UDP ports are open. Why?

When a probe (scan) is sent to a UDP port there are two possible responses, "open" and "closed".

Normally, a closed UDP port responds to an incoming packet by returning an "ICMP unreachable" message. Many port scanners depend on this message to list the port as "closed". Some firewall programs "absorb" the UDP packet before it ever reaches the UDP port and an "ICMP unreachable" message is not sent. In a case like this the scanner is fooled and thinks the port is "open", when it actually may be closed.

One way to tell if your firewall is exhibiting this behavior is to scan a large number of your UDP ports. Since it's impossible for your system to have several thousand ports open at once, if a UDP scan tells you they are, chances are it's your firewall doing its job.

Why do I show UDP ports open, when I BLOCKED them?

A UDP scan works by implying state:

• If a UDP port is probed and a PORT UNREACHABLE packet comes back, the port is marked as closed.
• If a UDP port is probed and nothing comes back, it is marked as open.

If you block only certain UDP ports, then strangely, you appear to have those ports open to a scanner. It is better to simply block response from ANY and ALL UDP ports. That way, you are not giving away any information at all.
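
The two UDP answers above describe the same inference, and the sketch below applies it to two constructed result sets: a firewall that silently drops every probe, and one that blocks only two ports while the rest answer normally. It is an added example, not the scanner used by Secure-Me; the response labels, port numbers and both thresholds are assumptions.

```python
# Constructed probe results: port -> what came back.
# "unreachable" means an ICMP port-unreachable reply, None means silence.
DROP_EVERYTHING = {port: None for port in range(1, 2001)}
BLOCK_TWO_PORTS = {port: "unreachable" for port in range(1, 2001)}
BLOCK_TWO_PORTS.update({137: None, 138: None})


def naive_udp_states(responses):
    """The scanner's rule from the text: unreachable -> closed, silence -> open."""
    return {port: "closed" if reply == "unreachable" else "open"
            for port, reply in responses.items()}


def interpret_udp_scan(responses, min_ports=1000, silent_ratio=0.95):
    """Return (verdict, ports_that_stand_out) for one UDP scan report.

    If a large scan shows nearly every port as "open", no machine is really
    running that many services: a filter is absorbing the probes, and no
    single port is singled out. Otherwise each silent port stands out against
    the closed ones and is reported as apparently open.
    """
    states = naive_udp_states(responses)
    silent = sorted(port for port, state in states.items() if state == "open")
    mostly_silent = len(silent) / len(responses) >= silent_ratio
    if len(responses) >= min_ports and mostly_silent:
        return "firewall-drop", []
    return "per-port", silent


if __name__ == "__main__":
    for name, report in (("drop everything", DROP_EVERYTHING),
                         ("block two ports", BLOCK_TWO_PORTS)):
        verdict, ports = interpret_udp_scan(report)
        print(f"{name}: verdict={verdict}, ports shown as open={ports}")
```

The second result set is the situation the FAQ warns about: the two blocked ports are the only ones a scanner lists as open.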

Can I see an example of a scan report?

There is an example scan result report available from the link at the top of each secure-me page called 'example scan'.

Why is it good practice to re-scan?

To ensure that your security profile does not change over time, re-scans are recommended as good practice. Since computers may get re-installed, reconfigured, or upgraded, new loopholes may open up without you being aware of it, especially if the loopholes are only visible from outside.

Why is port 113 open?

Port 113 is often left visible by firewalls since 113 is the IDENT port.

IDENT is used when you connect to mail servers, or to IRC servers, to find out "who" is using the service. With IDENT filtered, your ISP mail server (unlikely) or IRC server (likely) may refuse your request or take a long time to respond as it waits for a closed/open response.

It is possible to stop IDENTD from showing up as a port by reconfiguring your firewall to override the default rules. As above, if IDENTD is filtered in this way, IRC and mail servers may not work properly.

You can also decide that IDENTD is safe, since just having it visible does not mean there is anything that can be exploited on your side, and live with the less than "perfect" results.

4.0 Problems

My scan is in hold status

If you request a scan against an IP that we cannot ascertain belongs to or is controlled by you, then you need to release the scan so it can proceed.

The release procedure is easy. From the IP you wish scanned, you must TELNET to dslreports.com using any regular telnet client. Windows comes with a native telnet client. To use TELNET from Windows, try Start -> Run -> telnet. Enter dslreports.com as the target to connect.

You will get a prompt asking you for your queue ticket number. Enter the number you received when the scan request was accepted, and press return.

There is no other way to authorize a held scan. Sorry, but we cannot process release requests manually.

I can't find a submit button!

There is no submit button on the scan request form if you have not logged into the site yet, OR, if the queue has the maximum number of pending scans waiting for processing.

In the case of the first problem, you need to get a site account if you haven't already, and you need to log in.

Your browser will have to accept a cookie from the site before you can log in. This is the single most common problem with logging in. If you cannot accept a cookie, the scan request form will still not have a button.

If you are sure you have logged in, reload the scan request form page if necessary. Pressing the "back" button can give you the old form that still has no button.

My scan was rejected

Scans are automatically rejected if you provided an IP address that has the word proxy or cache in its DNS lookup.

This is usually because your ISP has placed a web proxy in the way and you did not over-ride the default IP address in the request scan form with your own.

The queue is always full

There are TWO queue processors running at once, capable of fully scanning between 5 and 10 machines an hour, and 20-40 simpler free scans per hour. Check back just past the hour to fit into the queue.

I can't login! I go round in circles!

You need to accept a login cookie from www.secure-me.net, otherwise we cannot record your login and accept a scan request.

What is my IP address? The default is wrong

If the default IP address shown for you is wrong, it is probably your ISP web proxy server, used by them to cache frequently used web pages. This is something you would not want to scan.

Please check your PC's IP address using Start -> Run -> winipcfg (Windows), or the TCP control panel GUI (Macintosh).

If your Windows OS does not include the winipcfg program, simply open a command line window (Start -> Run -> CMD) and use IPCONFIG. (Type IPCONFIG HELP to get some options)

Why is my (paid) scan taking so long and free scans are going ahead?

Paid scans get priority, but they also take much longer.

Also, queue processors sometimes die and are not restarted by us. If you think that has happened, please post in the Site Help forum.