Stealth Scanning - Bypassing Firewalls and SATAN Detectors
----------------------------------------------------------

Administrators need tools to find out what is going on in their network. Maybe an internal employee has installed an unauthorized web server and put proprietary information online, allowing anyone to access it. How does an administrator find out that there is even a web server running on their network? Many administrators use tools called TCP port scanners. These programs try to connect to all possible ports on a machine to find which services are running. This information gives a network administrator a better ability to understand and be aware of how his or her network is configured.

Unfortunately, this technology is a double-edged sword, because intruders can scan other networks and gather information that helps them mount an attack. The intruder now knows which machines are running and what services are available. TCP port scanning is built into shareware auditing tools such as ISS (Internet Security Scanner) and SATAN. These tools were intended to help administrators correct security risks in their network, but unfortunately they are just as useful to the bad guys.

Because TCP port scanning is like knocking on the door of many services, people have written tools like SATAN detectors, which notify administrators when outside people are knocking on their network. This has made administrators feel that they will get a good alarm notice if a hacker decides to attack their network.

Here is a problem that we want to educate people about, and possibly come up with some better solutions for. Most TCP port scanning technology relies on making an established connection with a port to determine whether it is active or not. Many of the SATAN/port scanning detectors rely on this fact.
They record the connections, and if a connection is made to a wrong port or the number of connections within a certain time reaches a threshold, an alarm goes off. TCP_wrappers will also keep a record of any established connection, which helps administrators find where an intruder came from.

One problem which exists is that intruders can scan without establishing a connection. There is a technique for doing a half-open scan. The intruder sends a SYN packet that starts a connection; if the port is active, it will respond with a SYN|ACK, and the intruder records these packets, determining which ports are active. In a typical established connection, the host responds to the SYN|ACK to finish completing the connection. The intruder can instead send a reset packet, removing from the kernel the record that a connection was half open.

Here's the interesting information.
----

We do not even need to use a SYN packet to scan. Many firewalls block outside networks from sending in a SYN packet, and that stops initiating a connection. So even the half-open scan won't work past a firewall. But we have tried other TCP flags and found that many other packets will do the trick just as well, if not better. Here's a table of the packets and response types used to determine active ports.

Flag       Active Port Response    Non-active Port Response
SYN        SYN|ACK                 Reset or Nothing
SYN|FIN    ACK or SYN|ACK*         Reset
ACK        Nothing                 Reset
0 flag     Nothing                 Reset

* Depends on the TCP implementation. Windows 95 returned SYN|ACK while most Unix platforms return an ACK.

We have picked the most interesting flags. You can also add URG and PUSH flags to any of the above flags and get the same response. The SYN|FIN combination is an illegal set of flags that contradict themselves, but a few router-based firewalls that were blocking the other packet types allow this one through. The 0 flag packets are packets whose flag field is 0 (no flags set), which some packet-filter-based firewalls may allow through.
Some firewalls allow ACK packets through as well. Because typically most TCP port scan detectors do not catch this type of activity, we call scanning with these types of packets a "stealth scan"; the scan enables you to bypass a firewall and see what services are running on the inside machines.

Denial of Service Attacks
-------------------------

In developing this code, we found that we are able to do two types of denial of service attacks that people should be aware of, and at some point we need to have vendors fix the problems.

1) By scanning with all these different types of packets, we were able to crash a few popular types of routers that could not handle these packets. We reported the problem back to the vendors.

2) By scanning with half-opens and not sending a RESET, the kernel's cache of half-open connections gets full and will no longer accept any more connections. This would be a quick and easy way to cause a high-connection-rate machine to no longer provide any more connections, denying anyone access to the machine, including a Web server.

Solutions
---------

Do not rely completely on SATAN detectors. Most of them are designed to only signal alarms if a full established connection is made. Courtney.pl is the only SATAN detector that we found that actually looked at the packets themselves, looking for SYN packets. To detect a stealth scan, we need to come up with some heuristics for detecting an anomaly in the number of reset packets generated as well.

For denial of service attacks, if a device can't handle the packets, it will be up to the vendor to provide a patch to fix this. Vendors need to look at potential solutions for half-open attacks, such as increasing the number of half-open connections possible in the kernel, decreasing the time that the cached half-opens stay in memory, and possibly logging when a particular host has filled up the half-open cache and ignoring further half-open packets from the offending host.
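The reset-count heuristic proposed in the Solutions section, worked through as an added example (this is not code from the paper, from ISS or from Courtney.pl): a small Python detector reads a trace of packet summaries, records any inbound packet whose flag set is empty or SYN|FIN, and reports a remote host once the monitored host has answered it with resets from at least a threshold number of distinct ports. Whether a probe carried SYN, ACK or no flags, a closed port answers with a reset, so counting resets catches all the rows of the table above with one rule. The trace, its "src:port > dst:port FLAGS" line format, the addresses and the threshold of 5 are all constructed assumptions for the example.

```python
from collections import defaultdict
import re

# Constructed trace format (an assumption for this example, not a real tool's output):
#   "<src_ip>:<src_port> > <dst_ip>:<dst_port> <FLAGS>"
# FLAGS uses the paper's notation (SYN, SYN|ACK, ACK, RST, ...) and "0" for a
# packet with no flags set.
LINE_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) (\S+)$")

def parse_line(line):
    """Return (src, sport, dst, dport, flagset), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    src, sport, dst, dport, flags = m.groups()
    flagset = frozenset() if flags == "0" else frozenset(flags.split("|"))
    return src, int(sport), dst, int(dport), flagset

def probe_kind(flagset):
    """Flag sets from the paper's table that no legitimate client sends unprompted."""
    if not flagset:
        return "null"
    if {"SYN", "FIN"} <= flagset:
        return "syn-fin"
    return None

def detect_stealth_scans(lines, monitored_host, rst_threshold=5):
    """Two heuristics from the Solutions section.
    1. An inbound packet with an empty or SYN|FIN flag set is recorded as soon as it is seen.
    2. A remote host is reported as a likely scanner once the monitored host has sent it
       resets from at least rst_threshold distinct ports.
    Returns a list of (remote_host, alert_kind, details) tuples."""
    rst_ports = defaultdict(set)    # remote host -> local ports that answered it with a reset
    illegal = defaultdict(set)      # remote host -> (probe kind, target port)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, sport, dst, dport, flags = rec
        if dst == monitored_host:
            kind = probe_kind(flags)
            if kind is not None:
                illegal[src].add((kind, dport))
        elif src == monitored_host and "RST" in flags:
            rst_ports[dst].add(sport)
    alerts = []
    for remote, ports in sorted(rst_ports.items()):
        if len(ports) >= rst_threshold:
            alerts.append((remote, "rst-burst", sorted(ports)))
    for remote, kinds in sorted(illegal.items()):
        alerts.append((remote, "illegal-flags", sorted(kinds)))
    return alerts

# Constructed trace: 192.0.2.10 listens on 22 and 80 only.  10.0.0.5 is a normal
# client (one connection plus one mistaken attempt on 8080), 203.0.113.7 sends
# ACK-only probes (no SYN, so a SYN-only detector never sees them), and
# 198.51.100.3 sends a SYN|FIN and a no-flags probe.
SAMPLE_TRACE = """
10.0.0.5:51000 > 192.0.2.10:80 SYN
192.0.2.10:80 > 10.0.0.5:51000 SYN|ACK
10.0.0.5:51000 > 192.0.2.10:80 ACK
10.0.0.5:51001 > 192.0.2.10:8080 SYN
192.0.2.10:8080 > 10.0.0.5:51001 RST
203.0.113.7:40001 > 192.0.2.10:21 ACK
192.0.2.10:21 > 203.0.113.7:40001 RST
203.0.113.7:40002 > 192.0.2.10:22 ACK
203.0.113.7:40003 > 192.0.2.10:23 ACK
192.0.2.10:23 > 203.0.113.7:40003 RST
203.0.113.7:40004 > 192.0.2.10:25 ACK
192.0.2.10:25 > 203.0.113.7:40004 RST
203.0.113.7:40005 > 192.0.2.10:80 ACK
203.0.113.7:40006 > 192.0.2.10:110 ACK
192.0.2.10:110 > 203.0.113.7:40006 RST
203.0.113.7:40007 > 192.0.2.10:139 ACK
192.0.2.10:139 > 203.0.113.7:40007 RST
203.0.113.7:40008 > 192.0.2.10:143 ACK
192.0.2.10:143 > 203.0.113.7:40008 RST
198.51.100.3:45000 > 192.0.2.10:80 SYN|FIN
192.0.2.10:80 > 198.51.100.3:45000 ACK
198.51.100.3:45001 > 192.0.2.10:25 0
192.0.2.10:25 > 198.51.100.3:45001 RST
""".strip().splitlines()

if __name__ == "__main__":
    for remote, kind, details in detect_stealth_scans(SAMPLE_TRACE, "192.0.2.10"):
        print(f"{remote}: {kind} {details}")
```

The normal client's single reset from port 8080 stays under the threshold, so the rule does not fire on an ordinary mistyped port; the threshold and the time window it should really be bounded by are tuning decisions that the paper leaves open.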
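The vendor-side mitigations for the half-open attack listed above, modelled as an added example (not the paper's code and not any operating system's implementation): a Python class stands in for a kernel's cache of half-open connections, with a bounded capacity, a lifetime after which stale entries are evicted, and a per-host quota whose exhaustion is logged and then enforced by ignoring that host's further SYNs until its entries have expired. The capacity of 8, the 30-second timeout, the quota of 4 and the addresses in the scenario are constructed values.

```python
from collections import defaultdict

class HalfOpenTable:
    """Model of a kernel's cache of half-open (SYN received, ACK not yet seen)
    connections with the three mitigations the paper suggests: a bounded cache
    whose size can be raised, a short lifetime after which a stale entry is
    evicted, and a per-host quota whose exhaustion is logged and then enforced
    by ignoring further SYNs from that host.  Capacity, timeout and quota are
    constructed values for the example, not any vendor's defaults."""

    def __init__(self, capacity=8, timeout=30.0, per_host_quota=4):
        self.capacity = capacity
        self.timeout = timeout
        self.per_host_quota = per_host_quota
        self.entries = {}                  # (src, sport, dport) -> arrival time of the SYN
        self.per_host = defaultdict(int)   # src -> number of live half-open entries
        self.blocked = set()               # hosts that filled their quota
        self.log = []

    def _drop(self, key):
        del self.entries[key]
        self.per_host[key[0]] -= 1

    def _expire(self, now):
        """Evict entries older than the timeout and lift the block on any host
        that no longer holds a half-open entry."""
        for key in [k for k, t in self.entries.items() if now - t > self.timeout]:
            self._drop(key)
        for host in list(self.blocked):
            if self.per_host[host] == 0:
                self.blocked.discard(host)

    def syn(self, src, sport, dport, now):
        """Handle an inbound SYN at time `now`.  Returns True if a half-open
        entry is created (the stack would answer SYN|ACK), False if it is dropped."""
        self._expire(now)
        if src in self.blocked:
            return False
        if self.per_host[src] >= self.per_host_quota:
            self.blocked.add(src)
            self.log.append(f"t={now:g}: {src} filled its half-open quota; ignoring its further SYNs")
            return False
        if len(self.entries) >= self.capacity:
            self.log.append(f"t={now:g}: half-open cache full; SYN from {src} dropped")
            return False
        self.entries[(src, sport, dport)] = now
        self.per_host[src] += 1
        return True

    def ack(self, src, sport, dport):
        """Final packet of the handshake: the entry leaves the half-open cache."""
        key = (src, sport, dport)
        if key not in self.entries:
            return False
        self._drop(key)
        return True

    def half_open_count(self):
        return len(self.entries)

def run_scenario():
    """Constructed scenario: one host sends ten SYNs and never completes them,
    a normal client connects in the meantime, and time then moves past the timeout."""
    table = HalfOpenTable()
    flood = [table.syn("203.0.113.7", 40000 + i, 80, float(i)) for i in range(10)]
    after_flood = table.half_open_count()
    client_ok = table.syn("10.0.0.5", 50000, 80, 10.0) and table.ack("10.0.0.5", 50000, 80)
    later_ok = table.syn("10.0.0.5", 50001, 80, 45.0)   # past the 30 s timeout
    return {
        "flood_accepted": flood,
        "half_open_after_flood": after_flood,
        "client_ok": client_ok,
        "later_ok": later_ok,
        "half_open_at_end": table.half_open_count(),
        "attacker_still_blocked": "203.0.113.7" in table.blocked,
        "log": table.log,
    }

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Without the quota, the ten unanswered SYNs alone would have filled a cache of eight and the normal client's SYN at t=10 would have been dropped; with it, the flooding host is capped at four entries, the event is logged once, and the client still connects.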
Firewalls
---------

The more secure firewall setups tend to be a combination of packet-filter and proxy-server type firewalls, which would prevent scanning past the firewall if configured properly.

-------------------------------------------------------------------------------

Copyright

This paper is Copyright (c) 1994, 1995 by Christopher Klaus of Internet Security Systems, Inc. Permission is hereby granted to give away free copies electronically. You may distribute, transfer, or spread this paper electronically. You may not pretend that you wrote it. This copyright notice must be maintained in any copy made. If you wish to reprint the whole or any part of this paper in any other medium excluding electronic medium, please ask the author for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Address of Author

Please send suggestions, updates, and comments to: Christopher Klaus of Internet Security Systems, Inc.

Internet Security Systems, Inc.

Internet Security Systems, Inc., located in Atlanta, Ga., specializes in the development of security scanning software tools. Its flagship product, Internet Scanner, is software that learns an organization's network and probes every device on that network for security holes. It is the most comprehensive "attack simulator" available, checking for over 100 security vulnerabilities.

--
Christopher William Klaus                    Voice: (770)441-2531. Fax: (770)441-2431
Internet Security Systems, Inc.              "Internet Scanner lets you find
2000 Miller Court West, Norcross, GA 30071    your network security holes
Web: http://iss.net/ Email: cklaus@iss.net    before the hackers do."