
The Process that Rapid7 goes through when Scanning Hosts

November 12, 2022

Rapid7's scanning methodology is built around the steps an attacker would follow to carry out an attack. It uses the same discovery and information-gathering techniques an attacker would use.

The scanning engine is composed of modules that each handle a specific scanning task and are chained so that no meaningless vulnerability check is run: vulnerability detection is performed only against services that were discovered and properly identified.

The scanning engine performs scans in a very dynamic manner to optimize speed and performance. The following is a simplified description of the main steps of a scan:

  1. Checking if the remote host is alive – The first step is to check if the host to be scanned is up and running in order to avoid wasting time on scanning a dead or unreachable host. This detection is done by sending ICMP Echo Request (ping) packets, as well as probing well-known TCP and UDP ports:

TCP probes:

  • 21 (FTP)
  • 22 (SSH)
  • 23 (TELNET)
  • 25 (SMTP)
  • 53 (DNS)
  • 80 (HTTP)
  • 88 (Kerberos)
  • 110 (POP3)
  • 111 (RPC)
  • 135 (MSRPC)
  • 139 (SMB)
  • 443 (HTTPS)
  • 445 (MS-DS)

These TCP probes are SYN (synchronize) packets. When a SYN packet is sent to an open port, the target host answers with a SYN/ACK packet, and the scanner replies with a RST (reset) packet to tear the embryonic connection down. When a SYN packet is sent to a closed port, the target host answers with a RST packet.

This is typically referred to as TCP half-open port scanning because the TCP connection to these ports is never fully established. Fully establishing a TCP connection to an open port requires the TCP three-way handshake (SYN, SYN/ACK, ACK); a half-open scan never completes it, because the scanner does not send the final ACK.

UDP probes:

  • 53 (DNS)
  • 111 (RPC)
  • 135 (MSRPC)
  • 137 (NETBIOS-NS)
  • 161 (SNMP)
  • 500 (ISAKMP)

The UDP probe differs per port, but each one is a well-formed request constructed according to the RFC for the protocol that normally uses that port.

Note: if the scanner receives at least one reply from the remote host, it continues the scan.
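The host-discovery step above, as an added example that is not Rapid7's code: it models the SYN / SYN-ACK / RST exchange of a half-open probe, the "at least one reply means alive" rule (a RST from a closed port counts, since it proves the TCP/IP stack is up), and, from the defender's side, a detector that finds the half-open pattern in a packet log. The log line format, the sweep threshold, the function names and the sample log are my own assumptions, constructed for illustration.

```python
"""Model of the host-discovery step described above and a flow-log detector
for the half-open (SYN) probing pattern it relies on.

Added example, not Rapid7 code. Port list and flag semantics follow the text;
the log line format and the sweep threshold are illustrative assumptions.
"""
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 9293)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# The TCP discovery probes listed in the text (port -> service)
TCP_DISCOVERY_PORTS = {21: "FTP", 22: "SSH", 23: "TELNET", 25: "SMTP", 53: "DNS",
                       80: "HTTP", 88: "Kerberos", 110: "POP3", 111: "RPC",
                       135: "MSRPC", 139: "SMB", 443: "HTTPS", 445: "MS-DS"}


def classify_syn_reply(reply_flags):
    """Port state from the flags of the reply to a SYN probe; None = no reply."""
    if reply_flags is None:
        return "filtered"                 # silently dropped by a filter or the host
    if reply_flags & RST:
        return "closed"                   # RST (usually RST/ACK) answers a closed port
    if (reply_flags & SYN) and (reply_flags & ACK):
        return "open"                     # SYN/ACK: a listener is there
    return "unknown"


def scanner_reply(reply_flags):
    """What a half-open scanner sends next: RST to abort an open port's
    embryonic connection, nothing otherwise. It never sends the handshake ACK."""
    return RST if classify_syn_reply(reply_flags) == "open" else None


def host_alive(icmp_echo_reply, tcp_replies, udp_replies):
    """Step 1 rule from the text: alive if at least one probe drew a reply.
    tcp_replies / udp_replies map port -> reply, None when nothing came back.
    A TCP RST counts: a closed port still proves the stack is up."""
    if icmp_echo_reply:
        return True
    if any(flags is not None for flags in tcp_replies.values()):
        return True
    return any(payload is not None for payload in udp_replies.values())


def parse_flow_line(line):
    """Parse one constructed packet-log line (assumed format):
    '<ts> <src> <dst> <sport> <dport> <flags>', flags like 'S', 'SA', 'R', 'A'."""
    ts, src, dst, sport, dport, flags = line.split()
    bits = 0
    for ch in flags:
        bits |= {"F": FIN, "S": SYN, "R": RST, "A": ACK}[ch]
    return {"ts": ts, "src": src, "dst": dst, "sport": int(sport),
            "dport": int(dport), "flags": bits}


def detect_half_open_sweeps(lines, min_ports=5):
    """Flag (src, dst) pairs that sent bare SYNs to at least min_ports distinct
    ports and never completed a handshake (no ACK-only segment from src).
    A legitimate client finishes the three-way handshake; a half-open scanner
    answers SYN/ACK with RST, so that ACK never appears."""
    syn_ports = defaultdict(set)   # (src, dst) -> ports probed with a bare SYN
    completed = defaultdict(set)   # (src, dst) -> ports where src sent ACK-only
    for line in lines:
        p = parse_flow_line(line)
        key = (p["src"], p["dst"])
        if p["flags"] == SYN:
            syn_ports[key].add(p["dport"])
        elif p["flags"] == ACK:
            completed[key].add(p["dport"])
    return sorted(key for key, ports in syn_ports.items()
                  if len(ports) >= min_ports and not completed[key])


# Constructed sample log: 10.0.0.5 half-open scans 10.0.0.9 (RST after SYN/ACK,
# RST/ACK from closed ports, one probe unanswered), while 10.0.0.7 makes one
# normal SSH connection (SYN, SYN/ACK, ACK).
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 10.0.0.9 40001 22 S",
    "10:00:01 10.0.0.9 10.0.0.5 22 40001 SA",
    "10:00:01 10.0.0.5 10.0.0.9 40001 22 R",
    "10:00:01 10.0.0.5 10.0.0.9 40002 80 S",
    "10:00:01 10.0.0.9 10.0.0.5 80 40002 SA",
    "10:00:01 10.0.0.5 10.0.0.9 40002 80 R",
    "10:00:02 10.0.0.5 10.0.0.9 40003 443 S",
    "10:00:02 10.0.0.9 10.0.0.5 443 40003 RA",
    "10:00:02 10.0.0.5 10.0.0.9 40004 445 S",
    "10:00:02 10.0.0.9 10.0.0.5 445 40004 RA",
    "10:00:02 10.0.0.5 10.0.0.9 40005 139 S",
    "10:00:03 10.0.0.7 10.0.0.9 51000 22 S",
    "10:00:03 10.0.0.9 10.0.0.7 22 51000 SA",
    "10:00:03 10.0.0.7 10.0.0.9 51000 22 A",
]

if __name__ == "__main__":
    print(detect_half_open_sweeps(SAMPLE_LOG))   # [('10.0.0.5', '10.0.0.9')]
```

The detector keys on the one thing the text makes explicit: the scanner answers SYN/ACK with RST and never sends the handshake's ACK, so a source that opens many embryonic connections to one host without ever completing one stands out, whereas a normal client completes its single handshake and is left alone.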

  2. Firewall detection – The second test checks whether the host sits behind a firewalling or filtering device. This tells the scanner more about the network infrastructure and helps during the TCP and UDP port scans.
     • If a firewall is detected, the scanner also checks whether it is properly configured by sending specially forged packets, such as fragmented or spoofed packets, to some firewalled ports to see whether they pass through the firewall despite its filtering rules.
  3. TCP / UDP port scanning – The third step detects all open TCP and UDP ports to determine which services are running on the host. TCP port scanning is based on a stealth scan (i.e. sending TCP SYN packets) and can be configured to use more or less bandwidth so that it does not consume too many network resources.
  4. OS detection – Once TCP port scanning has been performed, the scanner tries to identify the operating system running on the host. This detection is based on sending specific TCP packets to open and closed ports. By checking the format of the host's replies, the scanner may identify the TCP/IP stack that produced them, and thus the operating system.
  5. TCP / UDP service discovery – Once open TCP/UDP ports have been found, the scanner tries to identify which service runs on each open port by using active discovery tests.
  6. Vulnerability assessment based on the services detected – Once the scanner has identified the specific service running on each open TCP and UDP port, it performs the actual vulnerability assessment. The scanner first checks the version of the service so that it tests only the vulnerabilities applicable to that version. For example, when an HTTP service has been detected, the scanner first determines whether it is Apache, IIS, Domino or another HTTP server, then the version of the service, and then tests only the vulnerabilities known for that service and version. Every vulnerability detection test is non-intrusive, meaning that the scanner never exploits a vulnerability if doing so could negatively affect the host in any way.