Week 1 Case Study
Ping sweeps and port scans are two common network probes that intruders use as reconnaissance tools. Network probes are technically not intrusions into a computer or system, but they should not be taken lightly, because they often precede an actual intrusion. A port scan is a method for discovering which services are running on a computer, whereas a ping sweep sends packets to a range of machines on a network to find out which ones respond. Both are common forms of "information gathering" that help an intruder devise a course of action: the two probes help identify a weak point that attackers can exploit.
Port scans are fairly simple to perform. The scanner connects to a series of ports on the target computer and records which ports respond and which do not. An attack can then be planned against any vulnerable service that is found. A competent programmer can write a simple port scanner in Java or Perl in less than 15 minutes. Fortunately, this kind of full-connection scan is easily detected by the target's operating system, so it is not commonly used these days. Another type of port scan is the "half-open" scan. In a "half-open" scan, the connection attempt is torn down as soon as the port answers, before the TCP handshake completes. Because a full connection never happened, the operating system does not log it as one. These scans are much stealthier and harder to prevent.
Ping sweeps are used to identify which machines on a network are alive. Once the intruder knows which machines are alive and which are not, they can decide which machines to attack. A network administrator may also have legitimate reasons to perform a ping sweep for diagnostic purposes. One tool for performing a ping sweep is fping. fping takes a list of IP addresses and sends one ping packet to each address in turn, moving on to the next address without waiting for the previous one to reply. Just like port scans, ping sweeps can be detected by...
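Both probes leave the same footprint a defender can look for: one source touching many ports on one host (a port scan) or many hosts with ICMP echo (a ping sweep) in a short time. The following is an added example, not part of the original case study, that applies those two rules to constructed log lines in a hypothetical simplified firewall-log format; the thresholds and time window are assumptions to be tuned for a real network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, hypothetical format: "<ISO time> <proto> <src> -> <dst>[:<dport>]"
SAMPLE_LOG = """\
2024-01-01T10:00:00 icmp 10.0.0.5 -> 10.0.1.1
2024-01-01T10:00:00 icmp 10.0.0.5 -> 10.0.1.2
2024-01-01T10:00:01 icmp 10.0.0.5 -> 10.0.1.3
2024-01-01T10:00:01 icmp 10.0.0.5 -> 10.0.1.4
2024-01-01T10:05:00 tcp 10.0.0.9 -> 10.0.1.2:22
2024-01-01T10:05:00 tcp 10.0.0.9 -> 10.0.1.2:25
2024-01-01T10:05:01 tcp 10.0.0.9 -> 10.0.1.2:80
2024-01-01T10:05:01 tcp 10.0.0.9 -> 10.0.1.2:443
2024-01-01T10:05:02 tcp 10.0.0.9 -> 10.0.1.2:8080
2024-01-01T11:00:00 tcp 10.0.0.7 -> 10.0.1.2:443
"""

def parse(line):
    ts, proto, src, _, dst = line.split()
    host, _, port = dst.partition(":")
    return datetime.fromisoformat(ts), proto, src, host, int(port) if port else None

def distinct_in_window(events, window):
    """Largest number of distinct targets one source hit inside any sliding `window`."""
    events = sorted(events)
    best = start = 0
    for end, (ts, _) in enumerate(events):
        while ts - events[start][0] > window:
            start += 1
        best = max(best, len({t for _, t in events[start:end + 1]}))
    return best

def detect_sweeps(log, window=timedelta(seconds=60), port_threshold=5, host_threshold=4):
    """Flag port scans (one source, many ports on one host) and ping sweeps (one source, many hosts)."""
    tcp = defaultdict(list)   # (src, host) -> [(time, dport)]
    icmp = defaultdict(list)  # src -> [(time, host)]
    for line in filter(None, log.splitlines()):
        ts, proto, src, host, port = parse(line)
        if proto == "icmp":
            icmp[src].append((ts, host))
        elif proto == "tcp" and port is not None:
            tcp[(src, host)].append((ts, port))
    alerts = []
    for (src, host), ev in tcp.items():
        if (n := distinct_in_window(ev, window)) >= port_threshold:
            alerts.append(("port_scan", src, host, n))
    for src, ev in icmp.items():
        if (n := distinct_in_window(ev, window)) >= host_threshold:
            alerts.append(("ping_sweep", src, n))
    return alerts
```

Because the rule counts connection attempts rather than completed connections, it catches the "half-open" scan described above whenever the firewall or sensor logs the initial packet, which is exactly what host-level connection logging misses.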