Project: Port Scanner
- Port Scanning on Linux
- Setting up the Project
- Using the Docker Container
- Trying the Port Scanner
- Basic Task
- Intermediate Task
- Advanced Task
- Further Reading
8

Project: Port Scanner

This project will assume that you have already completed the preceding project (Transcoder), as details regarding environment set-up, documentation and testing are not included in this project page. You will be expected to write tests and documentation whilst working on this project.

Port scanning is common in security audits and penetration tests. It involves checking which ports are open or closed on a given target (or a list/range of targets).

You are required to modify the port scanner project, so it is able to scan for a new piece of malware, known as Wyhdah. This is a previously unseen piece of malware that has been found on the target machine. The malware works by opening a port on the infected machine that can be used for command control - i.e. it gets messages from the creator and then acts upon these messages.

When connected to one of these infected ports, the client will receive a special message of:

57 65 6c 63 6f 6d 65 20 74 6f 20 57 79 64 61 68

This message is used to identify it. The malware has only opened up one of the following port numbers: $37000, 37102, 37204, 37306, 37408, 37510, 37612, 37714$ or $37816$ which are also useful for scanning.

Port Scanning on Linux

Using the Linux terminal in the left-hand pane, you can use the nmap command to scan the open and closed ports of a target. For example, a port scan can be executed on www.coventry.ac.uk using the following terminal command:

$ nmap www.coventry.ac.uk -Pn -sT -F

You may be required to install this tool in the virtual machine or your local machine (running Linux), to do this use the command:

$ sudo apt install nmap

Upon executing the command an output similar to below will be displayed:

$ nmap www.coventry.ac.uk -Pn -sT -F
  Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-24 10:08 BST
  Nmap scan report for www.coventry.ac.uk (104.18.28.61)
  Host is up (0.045s latency).
  Other addresses for www.coventry.ac.uk (not scanned): 104.18.29.61 2606:4700::6812:1d3d 2606:4700::6812:1c3d
  Not shown: 96 filtered ports
  PORT     STATE SERVICE
  80/tcp   open  http
  443/tcp  open  https
  8080/tcp open  http-proxy
  8443/tcp open  https-alt

  Nmap done: 1 IP address (1 host up) scanned in 3.34 seconds

From the excerpt above, you can see that it reports four ports are open: $80, 443, 8080, 8443$ what it suspects they are for: http, https, http-proxy and https-alt, respectively. Using the nmap tool is something you will become familiar with when working within the cybersecurity domain. The tool consists of many options, and it would be wise to check the manual (man nmap).

There may be instances where nmap may not be useful and you require something more customised. For example, scanning for a zero-day attack, which nmap (as of writing) is unable to perform. In this instance, there may be a service that is running on one (or a range) of port(s) that can be compromised. For this, you will need to write your own scanning tool to find it and then exploit it.

Setting up the Project

To begin this project, you will need to clone the Port Scanner repository, which is available at the following URL:

https://github.coventry.ac.uk/CUEH/4061CEM_PortScanner/

You should create a fork of the repository first, and then clone it. This will create a local copy which enables you to make edits.

Setting up a Virtual Environment

As Python is a popular programming language, there are a lot of libraries/modules available to help you achieve certain functionality with minimal effort. However, when you write code that rely upon these libraries/modules there may be instances where they do not exist on the target platform, or they are incompatible with other libraries/modules on the target system.

In this instance, a virtual environment is used. It is not like a virtual machine, a virtual environment is a directory that consists of a copy of the Python interpreter and libraries; and they are localised for that project only.

For this project, you will use a virtual environment. In order to enable this, you will need to create the new environment using the following command in the root directory of the repository 4061CEM_PortScanner:

$ python3 -m venv portscanner_venv

This action is only performed once, so there is no need to recall this action each time the project is worked upon. The only instance in which you would repeat this process is when the development machine has been changed.

To use the virtual environment, you need to activate it from within the root directory of the project using the following command:

$ . ./portscanner_venv/bin/activate

There is an extra period (.) at the start, this tells the shell to import the environment variables from within the file portscanner_venv/bin/activate/ into the current environment. This action may need to be repeated each time you begin working on the project.

Installing the Libraries/Modules

When it comes to using the particular libraries/modules required for this project, you can install them using the following command:

(portscanner_venv) $ pip install -r requirements.txt

(portscanner_venv) $ python3 -m pip install -r requirements.txt

Before the dollar symbol ($) is (portscanner_venv); this denotes that you are working inside the virtual environment.

pip is the Python package installer, and it will read the contents of requirements.txt and download/install the libraries/modules that are listed within it. This action is only performed once, so there is no need to recall this action each time the project is worked upon. The only instance in which you would repeat this process is when the development machine has been changed, or if you have added libraries/modules to the file.

Automating the Environment Set-up

Included as part of the project is a Makefile. This file consists of functions that the make command can read and execute in the terminal. This file will not be discussed in-depth, but it enables you to set up the virtual environment and install requirements with ease by using two commands:

$ make venv

This will create the virtual environment, and once activated you can install the pre-requisite libraries and modules by using:

$ make prereqs

Using the Docker Container

The project utilises a Docker container, called harbourmaster_target. The container has been uploaded to 'dockerhub', therefore you only require to use the following command to run it:

$ docker run -t --name target csx239/harbourmaster_target:latest

The provided Makefile also has a command to clean up any existing versions and start a new one of the docker image:

$ make start_target

When running the image, the target machine will show its IP address and run some services, this machine will be useful for checking that the port scanner works correctly.

Trying the Port Scanner

When the repository has been cloned to your machine, it will be in a working state; but with similar functionality to the nmap tool. The source code of src/harbourmaster.py imports some functionality from src/h_sockets.py. You can manually view the source of sockets.py to understand its functionality, or view the documentation using the make docs command.

The source code of harbourmaster.py consists of a fixed target $172.17.0.24. If you want it to try it on something other than the target machine in the docker (or the target machine is running a different IP address) you will need to change the target variable. The code also consists of a fixed range of ports (range('1, 100')). Executing the harbourmaster.py file will get an output similar to:

$ python3 src/harbourmaster.py
  1: Closed
  2: Closed
  3: Closed
  4: Closed
  5: Closed

  ... (more closed ports, removed to shorten the page)

  20: Closed
  21: Closed
  22: Open - Data Received
  SSH-2.0-OpenSSH_7.6pl Ubuntu-4ubuntu0.3

  23: Closed
  24: Closed
  25: Closed
  26: Closed
  27: Closed

  ... (more closed ports, removed to shorten the page)

  76: Closed
  77: Closed
  78: Closed
  79: Closed
  80: Open
  81: Closed

  ... (more closed ports, removed to shorten the page)

  99: Closed

From the excerpt above, you can see that two ports were open in the range of $1$ to $99$: $22$ and $80$. You can look these up on the internet to see what these ports might be used for.

Basic Task

For this task, you will need to modify the current port scanner. Currently, a scan is performed between the range of 1 and 99. Instead, the scanner needs to scan the range of ports that the Wydah malware uses and for each one display either: "Closed", "Open: Non-Wydah" or "Wydah Malware Detected". Here is an example of the intended output:

22: Open: Non-Wydah (SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3)
80: Open: Non-Wydah
37816: Wydah Malware Detected (57 65 6c 63 6f 6d 65 20 74 6f 20 57 79 64 61 68)

You will need to check the data that is sent back and compare that with what you know the Wydah server will send on connection, showing an appropriate message for the user.

Intermediate Task

The ability to scan a single host is useful, but if we have to maintain a set of machines it can be time-consuming. For this task, you need to modify the code so it accepts a series of addresses from the command line:

$ ./harbourmaster.py 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4

Any number of the hosts could be included in this command, and the bash ability can be used to expand the sequences. A numeric range on the command line can be given as ${1..10}$ and this becomes $1 2 3 4 5 6 7 8 9 10$. This can be used for IP address ranges, i.e. $192.168.{0..255}.{0.255}$.

Advanced Task

The function test_port() takes a parameter called poke. This parameter is used to tell the function to send something to the port upon a successful connection. This can be used to trigger a response from some services.

In the project repository is another implementation: src/web_scan.py. Try running this, ensuring that you set the target variable to point towards the IP address of the docker container. Notice that this implementation can interact with the web server sockets as it can send a request and capture the output:

$ python3 src/webscan.py 
  80: Open: (response follows)
  HTTP/1.1 200 OK
  Date: Sat, 08 Aug 2020 18:07:27 GMT
  Server: Apache/2.4.29 (Ubuntu)
  Last-Modified: Thu, 30 Jul 2020 13:07:29 GMT
  ETag: "19b-5aba85ac0e640"
  Accept-Ranges: bytes
  Content-Length: 411
  Vary: Accept-Encoding
  Connection: close
  Content-Type: text/html

  <html>
    <head><title>Wydah</title></head>
    <body>
      <iframe width="560" height="315" 
      src="https://www.youtube.com/embed/TZw4M1yHta8" 
      frameborder="0" allow="accelerometer; autoplay; encrypted-media; 
      gyroscope; picture

Using the extra parameter it is possible to interact with the Wydah malware. For example, if you send it the command SHADOW it will try and send back the /etc/shadow file from the host it is on. This file contains the hashes of the user account passwords.

Your tasked with trying to make the scanner send this command to any open port. It would be useful to store the information to a log file. So implement a method to open a file and write the result of any successful interactions with a Wydah-infected host.