Why is port scanning useful?

“Ports are the point from where information goes in and out of any system. Scanning of the ports to find out any loopholes in the system is known as Port Scanning. There can be some weak points in the system that hackers can attack to get critical information. These points should be identified and prevented from any misuse. Following are the types of port scans:
  1. Strobe: Scanning of known services.
  2. UDP: Scanning of open UDP ports.
  3. Vanilla: In this scanning, the scanner attempts to connect to all 65,535 ports.
  4. Sweep: The scanner connects to the same port on more than one machine.
  5. Fragmented packets: The scanner sends packet fragments that get through simple packet filters in a firewall.
  6. Stealth scan: The scanner blocks the scanned computer from recording the port scan activities.
  7. FTP bounce: The scanner goes through an FTP server in order to disguise the source of the scan.” (Shinde, 2015)
---------
§  Why would attackers scan systems and networks?
The primary step in any successful attack is sniffing, which is used to see what type of traffic is passing on a network and to look for things like passwords, credit card numbers, and so forth. Both sniffing and port scanning can find system vulnerabilities, but they take different approaches. Sniffing is used by an attacker who is already on the network and wants to gather more information about it. Port scanning is used by someone who is interested in finding vulnerabilities on a system that is unknown to them. (Liska, 2003)
--------
§  Why would security analysts scan systems and networks?

Discover holes before somebody else does. At any given time, attackers are employing any number of automated tools and network attacks, watching for ways to penetrate systems. Only a minority of those people will have access to 0-day exploits; most will be using well-known (and hence preventable) attacks and exploits. Penetration testing provides IT management with a view of their network from a malevolent point of view. The objective is that the penetration tester will find ways into the network so that they can be fixed before someone with less than honorable intentions discovers the same holes. In a sense, think of a penetration test as an annual medical physical. Even if you believe you are healthy, your physician will run a series of tests (some old and some new) to detect dangers that have not yet developed symptoms. (Institute, 2006)

§  Why is enumeration useful?

“Enumeration involves listing and identifying the specific services and resources that a target offers. You perform enumeration by starting with a set of parameters, such as an IP address range, or a specific domain name system (DNS) entry, and the open ports on the system. Your goal for enumeration is a list of services which are known and reachable from your source. From those services, you move further into the scanning process, including security scanning and testing, the core of penetration testing. Terms such as banner grabbing and fingerprinting fall under the category of enumeration.” (Faircloth, 2011)


§  Why would security analysts use password cracking tools?
To test whether the passwords currently in use at the firm being analyzed are secure and comply with the firm's password policy.


§  How would attackers cover their tracks?
“Covering Tracks: in the previous phases, the penetration tester or attacker often made significant changes to the compromised systems to exploit them or to gain administrative rights. This is the final stage of a penetration test, in which the attacker clears all the changes he made in the compromised systems and returns the system and all compromised hosts to the precise configurations they were in before the penetration test was conducted.” (Narwal & Gupta, 2015)

§  How is privilege escalation used?
“Programming errors in privileged services can result in system compromise allowing an adversary to gain unauthorized privileges. Privilege separation is a concept that allows parts of an application to run without any privileges at all. Programming errors in the unprivileged part of the application cannot lead to privilege escalation. As a proof of concept, we implemented privilege separation in OpenSSH and show that past errors that allowed system compromise would have been contained with privilege separation. There is no performance penalty when running OpenSSH with privilege separation enabled.” (Provos, 2002)


§  How can an organization protect itself and when can it do so? When is it not possible?

“Some firewalls use "adaptive behavior," which means they will block previously open and closed ports if a suspect IP address is probing them. They can also be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. However, hackers can get around this protection by conducting the port scan in strobe or stealth mode. In strobe mode, hackers can only scan a small number of ports at a time, but in stealth mode, they can scan the ports over a much longer period, which reduces the chance that the firewall will activate an alert.
In order to decide whether your computer is at risk, you should find out what an attacker would see in a port scan of your router. You could do this using Nmap, a free port scanner that hackers often use. Once you find out what ports respond as being open on your computer, you can review whether it's actually necessary for those ports to be accessible from outside your network. If they're not necessary, you should shut them down or block them. If they are necessary, you can begin to research what sorts of vulnerabilities and exploits your network is open to and apply the appropriate patches to protect your network.” (Cobb, 2006)
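Detection logic for the scan patterns described in the types list above (vanilla, sweep, stealth) and in the firewall discussion (alerting on many ports from a single host, and a slow scan stretched out to stay under the alert threshold), as an added Python example that is not from any of the cited sources; the log format, addresses, ports and thresholds are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta
def build_sample_log():
    """Constructed firewall log (not from any cited source); one line per
    connection attempt: '<ISO timestamp> <src_ip> <dst_ip> <dst_port>'."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{at(i * 7)} 10.0.0.3 192.168.1.10 443" for i in range(5)]  # benign HTTPS
    # Vanilla-style vertical scan: one source, one target, 12 ports in 12 seconds.
    lines += [f"{at(i)} 10.0.0.5 192.168.1.10 {21 + i}" for i in range(12)]
    # Sweep: one source probing the same port (445) on six different hosts.
    lines += [f"{at(i)} 10.0.0.7 192.168.1.{20 + i} 445" for i in range(6)]
    # Stealth-style slow scan: the same 12 ports, but one probe every 30 seconds.
    lines += [f"{at(30 * i)} 10.0.0.9 192.168.1.30 {21 + i}" for i in range(12)]
    return lines

def parse(lines):
    """Yield (timestamp, src, dst, dport) tuples from log lines."""
    for line in lines:
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def detect_scans(lines, window_s=60, port_threshold=10, host_threshold=5):
    """Flag sources that, within a sliding window of window_s seconds, touch
    >= port_threshold distinct ports on one host ('vertical') or the same port
    on >= host_threshold distinct hosts ('sweep'). Returns a set of alerts."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(list)   # src -> (ts, dst, dport) events still inside the window
    alerts = set()
    for ts, src, dst, dport in sorted(parse(lines)):
        q = recent[src]
        q.append((ts, dst, dport))
        while ts - q[0][0] > window:   # expire events older than the window
            q.pop(0)
        ports_per_dst, dsts_per_port = defaultdict(set), defaultdict(set)
        for _, d, p in q:
            ports_per_dst[d].add(p)
            dsts_per_port[p].add(d)
        for d, ports in ports_per_dst.items():
            if len(ports) >= port_threshold:
                alerts.add(("vertical", src, d))
        for p, hosts in dsts_per_port.items():
            if len(hosts) >= host_threshold:
                alerts.add(("sweep", src, p))
    return alerts
if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window:  ", detect_scans(log))                 # slow scanner is missed
    print("10 min window:", detect_scans(log, window_s=600))   # slow scanner is caught
```

With the 60-second window only the fast vertical scan and the sweep are flagged; widening the window to 10 minutes also catches the slow scanner without flagging the benign HTTPS client.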


Bibliography

Cobb, M. (2006, June). Retrieved from Tech Target: http://searchsecurity.techtarget.com/answer/How-to-protect-against-port-scans
Faircloth, J. (2011). Penetration Tester's Open Source Toolkit (Third Edition). Elsevier Inc.
Institute, S. (2006, June). Retrieved from SANS Institute: https://www.sans.org/reading-room/whitepapers/analyst/penetration-testing-assessing-security-attackers-34635
Liska, A. (2003, June). Retrieved from Network Security: Understanding Types of Attacks | Sniffing and Port Scanning: http://www.informit.com/articles/article.aspx?p=31964
Narwal, E. R., & Gupta, E. G. (2015). Tracks covering in Penetration Testing and Cyber Attack. IJASPM.
Provos, N. (2002, August 05). Preventing Privilege Escalation. Retrieved from UMICH.EDU: http://www.citi.umich.edu/techreports/reports/citi-tr-02-2.pdf
Shinde, V. (2015, May 23). Retrieved from Software Testing Help: www.softwaretestinghelp.com/interview-questions/security-testing-interview-questions-and-answers/