A secure network blocks scanning techniques and alerts when a scan is detected. Firewalls block scanning attempts or drop responses to request packets. Intrusion detection systems (IDSs) monitor network and host activity and raise alerts when traffic matches predefined signatures. Most scanning techniques are easy to detect and readily trigger IDS alarms. Attackers therefore use a variety of techniques to scan in stealth mode and evade firewalls and IDSs, including the following:

• Low and slow scanning: Security applications and IDSs watch for a large number of connections to hosts and ports during a short period of time. Low and slow scanning is a painfully slow technique that limits the number of hosts and ports scanned in a specified time period. Spreading the scan over a long period reduces the chance of triggering an alert. If the attacker is patient, this type of scan can be very successful simply because it has a higher chance of going undetected.

• Fragmentation: Fragmentation splits TCP-based scan requests over several packets in an attempt to evade detection.

• Spoofing and decoys: Attackers often spoof their IP addresses and use decoys to evade detection. Spoofing changes the source IP address of the scanner. This technique isn't effective for obtaining scan results, since the scanner won't receive replies and therefore can't obtain any information about the targets. Decoys are fake hosts that appear to be scanning your network at the same time the real attacker is scanning. This makes it difficult to determine which IP address is the real scanner.

• Source ports: Another firewall evasion technique is to specify a source port that is allowed through a firewall, such as port 53 (DNS).

• IP options: Some scanners also allow you to modify IP protocol options to evade firewalls and specify a route to the target.

• Advanced techniques: Other advanced evasion techniques include FTP bounce scans, idle scans, and proxy tunneling.
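The low and slow technique above works precisely because many detectors only count connections inside a short window. The following added example (not from the original text) shows the defender's side: the same "distinct targets per source" rule evaluated over a short and a long sliding window, run against a constructed connection log in which one host scans fast, one scans one port every ten minutes, and one is a legitimate client. The log format, thresholds and window sizes are assumptions chosen for illustration.

```python
"""Flag sources that touch many distinct host:port targets inside a sliding window.

A short window catches a fast scan; the same threshold applied over a long
window is what exposes a low-and-slow scan that spreads its probes over hours.
"""
from collections import defaultdict

# Constructed sample connection log: (time in seconds, src_ip, dst_ip, dst_port).
SAMPLE_LOG = []
# Fast scan: one source probes 20 ports on one host within 20 seconds.
SAMPLE_LOG += [(t, "10.0.0.5", "10.0.1.1", 1 + t) for t in range(20)]
# Low-and-slow scan: one probe every 10 minutes, 12 distinct ports over 2 hours.
SAMPLE_LOG += [(i * 600, "10.0.0.9", "10.0.1.2", 20 + i) for i in range(12)]
# Legitimate client: repeated connections to a single service on one host.
SAMPLE_LOG += [(i * 30, "10.0.0.20", "10.0.1.3", 443) for i in range(30)]


def detect_scans(events, window_seconds, threshold):
    """Return {src_ip: time_of_first_alert} for every source whose number of
    distinct (dst_ip, dst_port) targets within any window reaches threshold."""
    history = defaultdict(list)  # src_ip -> [(ts, target), ...] still inside the window
    alerts = {}
    for ts, src, dst, port in sorted(events):
        # Drop entries that have aged out of the window, then add the new event.
        recent = [(t, tgt) for t, tgt in history[src] if ts - t <= window_seconds]
        recent.append((ts, (dst, port)))
        history[src] = recent
        distinct_targets = {tgt for _, tgt in recent}
        if len(distinct_targets) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def compare_windows(events=SAMPLE_LOG, threshold=10):
    """Evaluate the same threshold over a 60-second and a 24-hour window."""
    return {
        "short_window_60s": detect_scans(events, 60, threshold),
        "long_window_24h": detect_scans(events, 24 * 3600, threshold),
    }


if __name__ == "__main__":
    for name, hits in compare_windows().items():
        print(name, hits)
```

Only the long window flags 10.0.0.9, while the legitimate client never trips either window because it repeatedly hits a single target.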
Common Network Scanning Tools

There are numerous network scanners available, including free, open-source, and commercial products. The following list contains a few of the more popular scanners:

• Nmap: Nmap is a free, open-source network scanning utility. It runs on most operating systems, including Linux, Windows, and Mac OS X. Nmap is the most widely used network scanner, and many third-party tools integrate with it. It can be downloaded from http://insecure.org.

• Superscan: Superscan is a free Windows-based network scanner developed by Foundstone. It can be downloaded from www.foundstone.com/us/resources-free-tools.asp.

• YAPS: Yet Another Port Scanner (YAPS) is a free Windows-based port scanner. It has a simple graphical interface and can scan many targets simultaneously. It can be downloaded from www.steelbytes.com.

• Angry IP Scanner: Angry IP Scanner is a small, fast IP and port scanner. It runs on Windows, Linux, and Mac OS X. It can be downloaded for free from www.angryziber.com/ipscan/.

• NEWT: NEWT is available as both a freeware and a commercial Windows-based network scanner. The freeware version has not been updated since 2003, but the commercial version is updated frequently. It is available at www.komodolabs.com.
