All the previous posts of this article series:
1. Developing A Network Monitoring Tool Using CISCO NetFlow: Part 1
2. Developing A Network Monitoring Tool Using CISCO NetFlow: 2 – Analysis and Design
3. Developing A Network Monitoring Tool Using CISCO NetFlow: 3 – Implementation 1
4. Developing A Network Monitoring Tool Using CISCO NetFlow: 4 – Implementation 2
5. Developing A Network Monitoring Tool Using CISCO NetFlow: 5 – Implementation 3
Implementation of the IP and Port Scanner
The tool reads the network address from the settings.dat file, where it was added as an initial setting for the IP scanner. The tool sends an ICMP echo request to every IP address in that network and listens for the ICMP echo reply. Each IP address that answers the echo request with an echo reply is recorded as an available IP address, together with its hostname.
The port scanner first runs the same IP scan step to check that the IP address submitted by the user is available. If the address answers the ICMP echo, the port scan proceeds: the tool opens a TCP socket connection to every port of the given IP address, and every port on which the connection succeeds is recorded as an open port of that client.
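The IP scan and port scan steps described above, as an added example written in Python (it is not the article's own Java tool): a network in CIDR form is expanded into host addresses, each host is probed with one ICMP echo request through the OS ping command using the article's 2500 ms reply timeout, and the port scan performs a full TCP connect to each port only after the host has answered the echo. The function names and the 1 second TCP connect timeout are assumptions; the settings.dat format is not reproduced here.

```python
import ipaddress
import socket
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

ICMP_TIMEOUT_MS = 2500  # wait for an echo reply; the value the article's tool uses

def hosts_in_network(network):
    # Expand e.g. "192.168.1.0/24" into its usable hosts (network/broadcast excluded).
    return [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]

def icmp_reachable(ip, timeout_ms=ICMP_TIMEOUT_MS):
    """One ICMP echo request via the OS ping command (raw ICMP sockets need
    privileges); an echo reply inside the timeout marks the host available."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_ms), ip]
    elif sys.platform == "darwin":  # macOS -W is in milliseconds
        cmd = ["ping", "-c", "1", "-W", str(timeout_ms), ip]
    else:  # Linux -W is in whole seconds
        cmd = ["ping", "-c", "1", "-W", str(max(1, timeout_ms // 1000)), ip]
    try:
        return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_ms / 1000 + 1).returncode == 0
    except (subprocess.TimeoutExpired, OSError):  # no reply, or no ping binary
        return False

def tcp_port_open(ip, port, timeout=1.0):
    # Full TCP connect: open only if the handshake completes (1 s timeout is assumed).
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable
        return False

def ip_scan(network, workers=64):
    # Available hosts with their names; getfqdn falls back to the IP if no PTR record.
    hosts = hosts_in_network(network)
    with ThreadPoolExecutor(workers) as pool:
        alive = list(pool.map(icmp_reachable, hosts))
    return {ip: socket.getfqdn(ip) for ip, up in zip(hosts, alive) if up}

def port_scan(ip, ports=range(1, 1025), workers=64):
    if not icmp_reachable(ip):  # the article's tool pings the host before scanning
        return None
    with ThreadPoolExecutor(workers) as pool:
        results = list(pool.map(lambda p: tcp_port_open(ip, p), ports))
    return [p for p, is_open in zip(ports, results) if is_open]
```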
Problems, Limitations, and Solutions
- The IP scanner may be less accurate on some secured networks. The IP scan is based on the ICMP echo request and echo reply, and most firewalls and access lists (ACLs) block ICMP echo requests, so the tool will not work on such networks. Because the person who writes the security policies, the network administrator, is also the user of this tool, the rules can be adjusted accordingly. The firewall and ACL rules should be as follows.
An inbound rule must allow ICMP echo replies from the LAN to the server on which the tool is running.
Extended ACL configuration:
access-list ACL_number permit icmp LAN_network_address LAN_wildcard_mask ip_of_server 0.0.0.0 echo-reply
- The IP scanner may not list every available IP address in the network. The cause is the ICMP echo request timeout, which is the amount of time the tool waits for an ICMP echo reply; the tool uses a value of 2500 milliseconds. Increasing the timeout increases the number of available IP addresses found, but it also increases the total scan time.
- The port scanner may be blocked by firewalls and IDS. Since the user of this tool is the network administrator, the rules can be modified accordingly. The blocking happens because firewalls and IDS are configured to detect and block TCP connections from one IP address to another that open many different sessions (on different ports) within a short time period. Increasing the interval between successive port probes gives the scan a chance to run mostly undetected.
Another solution for this problem is to use a FIN scan instead of a TCP connect scan. A FIN scan takes advantage of normal TCP behavior, and because it looks like normal TCP behavior, a FIN port scan can bypass the firewalls and IDS.
- The author tried to obtain host MAC addresses for the IP scanner but did not find a suitable method to get the MAC addresses of clients in the network. Java does not provide a direct way to get the MAC address of another host on the network, and IT professionals suggest using the operating system's command-line tools instead. One way to resolve this is to use the ARP cache: the ARP table maps each IP address to its corresponding MAC address. The ARP commands for the different operating systems are:
Windows: arp -a
Linux: arp -an
Mac OS: arp -a
However, the MAC address of a host is not very helpful for network monitoring, for the reasons below.
- Suppose someone needs the MAC address of a client in another subnet. When checking the source MAC address of a received packet, they will get the MAC address of the last router the packet passed through, not the MAC address they are looking for.
In the network diagram shown above, PC1 sends a TCP segment to PC2 via Router1 and Router2. The MAC addresses of the packet change as follows.
* After the source and destination IP addresses are placed in the packet's IP header, PC1 uses its subnet mask to determine that the destination IP address is in a remote network. PC1 therefore sends an ARP request to obtain the MAC address of Router1 and frames the packet with the MAC address of PC1 as source MAC and the MAC address of Router1 as destination MAC.
* Router1 receives the packet and forwards it to Router2 according to its routing table. It frames the packet with the MAC address of Router1's exit interface as source MAC and the MAC address of Router2's incoming interface as destination MAC.
* Router2 receives the packet. The destination IP address is in a network attached to Router2, so it frames the packet with Router2's MAC address as source MAC and PC2's MAC address as destination MAC.
So when someone checks the source MAC address of the packet PC2 received from PC1, it is not the MAC address of PC1 but the MAC address of Router2.
In a secured network, servers are placed in a separate subnetwork such as a DMZ. Because this tool is installed on a server, it sits in a different subnetwork from the clients, behind a router. As explained above, reading the source MAC address of received packets would therefore give the tool the MAC address of the router rather than that of the client.
- A host can have more than one NIC connected to the network, such as an Ethernet adapter, a WiFi adapter, or a FireWire adapter, and each NIC has a different MAC address. Therefore a client does not have one definitive MAC address but several.
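The ARP-cache approach and the subnet limitation described in the points above, as an added example written in Python (not the article's Java tool): it parses the output of the three arp commands into an IP-to-MAC map, and it refuses to report a MAC for a host outside the server's own subnet, where only the router's MAC could ever be observed. The sample ARP dumps, the 192.168.1.0/24 subnet and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample ARP cache dumps, one per OS, in the format each of the
# three arp commands above prints (the 192.168.1.0/24 addresses are made up).
WINDOWS_ARP_A = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
LINUX_ARP_AN = """? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (192.168.1.30) at <incomplete> on eth0
"""
MACOS_ARP_A = """router.lan (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:dd:ee:ff on en0 ifscope [ethernet]
"""

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_MAC = r"((?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2})"
_ENTRY = re.compile(_IP + r"\D+?" + _MAC)  # an IP, some non-digits, then a MAC

def normalize_mac(mac):
    # "0-11-22-..." / "00:11:22:..." -> "00:11:22:..." so all three OSes compare equal
    return ":".join(part.lower().zfill(2) for part in re.split(r"[:-]", mac))

def parse_arp_table(text):
    """IP -> MAC from arp output of any of the three OSes. Rows without a
    resolved MAC (<incomplete>) and multicast rows (224.0.0.0/4) are skipped."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue
        ip = m.group(1)
        if ipaddress.ip_address(ip).is_multicast:
            continue
        table[ip] = normalize_mac(m.group(2))
    return table

def mac_for_host(table, ip, local_net):
    """Return the host's MAC only if ip is on the server's own subnet. For an
    off-subnet host the ARP cache (or a captured frame) can only show the last
    router's MAC, so None is returned rather than a misleading address."""
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(local_net, strict=False):
        return None
    return table.get(ip)
```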
Possible Future Developments
The following future increments can be made.
- Use a FIN scan for a stealth port scanner instead of a TCP connect scan.
As mentioned before, a FIN scan can bypass the firewalls and the IDS. The tool can be modified to send a FIN packet to every port of the given IP address; a closed port answers with an RST packet. When the scan finishes, the ports that did not reply to the FIN packet with an RST are taken as open ports.