In part three of my series on penetration testing I am going to cover port scanning. I introduced this topic in an earlier article of the series; if you haven't read it, I would recommend doing so because it gives a good overview of scanning as a whole. I would also recommend reading article two in this series, which covers network tracing. This article covers how port scanning works in practice, the tools used for port scanning, and useful tips for the most popular tool, Nmap.
There are some basic concepts that you first need to understand in order to follow this article. I have listed them below, with pointers to sources where you can learn more about them in case you need a refresher.
Every TCP connection begins with a three-way handshake. Its job is to exchange initial sequence numbers, which let each side acknowledge what it has received, retransmit any segment that was lost, and put the data back in the proper order.
Suppose machine A wants to initiate a connection with machine B. It sends a packet with the SYN control bit set. This packet includes an initial sequence number (which we'll call ISNA because it comes from machine A); it is 32 bits long and is typically generated in a pseudo-random fashion by the TCP software on machine A. The ACK number (another 32 bits in the TCP header) is typically set to zero, because the ACK bit is not set and the field is ignored in this initial SYN.
If the destination port is open (meaning something is listening on that port, like a web server on port 80), machine B responds with a SYN-ACK packet. This packet carries a sequence number of ISNB, a pseudo-random number chosen by machine B for this connection, and an acknowledgment number of ISNA+1, indicating that machine B has received the SYN from machine A and expects the next byte from A to be numbered ISNA+1.
To complete the three-way handshake, machine A responds with an ACK packet whose sequence number is ISNA+1 (the SYN consumed one sequence number, so the value must advance from the one in the original SYN). Its acknowledgment number is ISNB+1, thereby acknowledging the SYN-ACK. Both sides now consider the connection established.
According to the original TCP specification (RFC 793), if a service is listening on a TCP port and a packet with the SYN control bit set arrives at that port, the TCP software must respond with a SYN-ACK packet. This response is sent regardless of the payload of the SYN, which means that even if we don't know what service is listening on the target port, we can still find out whether it is open simply by sending it a SYN and watching what comes back. That gives us a reliable method for determining whether a TCP port is open or closed, and it is the basis of the SYN scan.
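To make the sequence-number arithmetic concrete, here is a small Python model of the exchange with both machines' segments. It is an added example written for this article, not Nmap's code and not code from the original post; it builds segments as plain objects rather than sending packets. The port numbers, the ISN values and the `listening_ports` set are assumptions for illustration. It also models the half-open variant, in which the scanner answers a SYN-ACK with a RST instead of the final ACK so that no connection is ever established.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF  # sequence and acknowledgment numbers are 32 bits and wrap around


@dataclass(frozen=True)
class Segment:
    """The TCP header fields that matter for the handshake."""
    src_port: int
    dst_port: int
    flags: frozenset      # control bits that are set, e.g. {"SYN"} or {"SYN", "ACK"}
    seq: int              # sequence number
    ack: int              # acknowledgment number (ignored unless ACK is set)


def random_isn() -> int:
    """A pseudo-random 32-bit initial sequence number, as a real stack would pick."""
    return secrets.randbits(32)


def client_syn(src_port: int, dst_port: int, isn_a: int) -> Segment:
    """Step 1: machine A sends SYN with seq = ISNA; the ACK field is 0 and ignored."""
    return Segment(src_port, dst_port, frozenset({"SYN"}), isn_a & MASK32, 0)


def server_reply(syn: Segment, listening_ports: set[int], isn_b: int) -> Segment:
    """Step 2: machine B answers a SYN. Listening port -> SYN-ACK with seq = ISNB and
    ack = ISNA+1. No listener -> RST-ACK that still acknowledges the SYN."""
    if syn.flags != {"SYN"}:
        raise ValueError("server_reply models the response to a bare SYN only")
    expected_next = (syn.seq + 1) & MASK32   # the SYN itself consumes one sequence number
    if syn.dst_port in listening_ports:
        return Segment(syn.dst_port, syn.src_port, frozenset({"SYN", "ACK"}),
                       isn_b & MASK32, expected_next)
    return Segment(syn.dst_port, syn.src_port, frozenset({"RST", "ACK"}), 0, expected_next)


def synack_is_valid(syn: Segment, reply: Segment) -> bool:
    """A SYN-ACK is only accepted if it acknowledges exactly ISNA+1. That check is
    what stops someone who cannot observe ISNA from spoofing the second step."""
    return reply.flags == {"SYN", "ACK"} and reply.ack == (syn.seq + 1) & MASK32


def client_ack(syn: Segment, reply: Segment) -> Segment:
    """Step 3: machine A acknowledges the SYN-ACK with seq = ISNA+1, ack = ISNB+1."""
    if not synack_is_valid(syn, reply):
        raise ValueError("not a SYN-ACK for our SYN; a real stack discards it")
    return Segment(syn.src_port, syn.dst_port, frozenset({"ACK"}),
                   (syn.seq + 1) & MASK32, (reply.seq + 1) & MASK32)


def three_way_handshake(src_port: int, dst_port: int, listening_ports: set[int],
                        isn_a: int | None = None, isn_b: int | None = None) -> list[Segment]:
    """The full handshake, as a connect() scan performs it. Returns the three segments."""
    isn_a = random_isn() if isn_a is None else isn_a
    isn_b = random_isn() if isn_b is None else isn_b
    syn = client_syn(src_port, dst_port, isn_a)
    reply = server_reply(syn, listening_ports, isn_b)
    return [syn, reply, client_ack(syn, reply)]


def syn_scan_probe(src_port: int, dst_port: int, listening_ports: set[int],
                   isn_a: int | None = None, isn_b: int | None = None) -> tuple[str, list[Segment]]:
    """Half-open probe: send SYN; on SYN-ACK answer with a bare RST instead of ACK, so the
    target never sees an established connection; on RST-ACK report the port closed.
    With a real raw-socket scanner the RST comes from the scanner's own kernel, which
    has no socket matching the SYN-ACK."""
    isn_a = random_isn() if isn_a is None else isn_a
    isn_b = random_isn() if isn_b is None else isn_b
    syn = client_syn(src_port, dst_port, isn_a)
    reply = server_reply(syn, listening_ports, isn_b)
    exchange = [syn, reply]
    if reply.flags == {"SYN", "ACK"}:
        # seq = ISNA+1 is the value the target expects next, so the RST is accepted.
        exchange.append(Segment(src_port, dst_port, frozenset({"RST"}), (isn_a + 1) & MASK32, 0))
        return "open", exchange
    return "closed", exchange
```

Passing `isn_a=0xFFFFFFFF` is a useful check: the SYN-ACK's acknowledgment number wraps to 0, which is why every addition above is masked to 32 bits.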
The first scenario: the attacker machine sends a SYN and receives a SYN-ACK from the target. The port is open, and the scanner moves on to the next port after sending a RST to tear the half-open connection down. There is a small chance that some defensive software answers SYN-ACK on every port to mislead the scanner; a scan in which every single port shows as open is the tell-tale sign of that.
The second scenario: the attacker sends a SYN and receives an ICMP unreachable error back (most often type 3 with a code such as 3, port unreachable, or 13, communication administratively prohibited). A host normally answers a SYN with a SYN-ACK or a RST, so an ICMP error most likely means a firewall or router is blocking the connection. Nmap reports these ports as filtered.
The third scenario: the attacker machine sends a SYN and receives a RST (usually with the ACK bit set as well). This is how a TCP stack answers a SYN on a port with no listener, so the port is reported closed. Be aware that a firewall can also reject traffic by sending a RST on the target's behalf; the scanner cannot tell the two apart, so "closed" only means that nothing reachable accepted the SYN.
The fourth scenario: the attacker machine sends a SYN and gets nothing back. Port scanners retry a few times before giving up and marking the port filtered. Either the end system has been configured (for example with a personal firewall) to silently drop packets to closed ports, or a firewall along the path is silently dropping our inbound SYN.
These are the most likely scenarios you will encounter while port scanning. The last one is the slow one: the scanner has to retransmit and then wait for the timeout before marking the port filtered, so a heavily firewalled host can make a scan run for a long time. Because the scanner never sends the final ACK (it answers a SYN-ACK with a RST instead), this technique is called half-open or SYN scanning (Nmap's -sS). It needs raw-socket privileges (root or Administrator); without them Nmap falls back to a connect scan (-sT), which completes the full handshake through the operating system's connect() call and is therefore more likely to be logged by the target application.
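The scenarios above, run for real against loopback: an added Python connect() scanner (not Nmap, and not code from the original article) that maps the socket errors a full handshake produces onto the same open / closed / filtered states. It assumes a Linux or BSD-style socket API, where a RST surfaces as ECONNREFUSED and an ICMP unreachable as EHOSTUNREACH or ENETUNREACH. The listener it starts on 127.0.0.1 is a constructed stand-in for a target.

```python
from __future__ import annotations

import errno
import socket
import struct
from concurrent.futures import ThreadPoolExecutor


def connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Probe one TCP port with a full connect() and map the outcome to an Nmap-style state:
      open     - handshake completed (SYN-ACK arrived and the OS sent the final ACK)
      closed   - the target answered RST, surfaced as ECONNREFUSED
      filtered - nothing came back before the timeout, or an ICMP unreachable error
                 was delivered (EHOSTUNREACH / ENETUNREACH)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        # Close with RST instead of FIN (SO_LINGER with a zero timeout): the scanning host
        # then does not pile up TIME_WAIT entries, which matters over thousands of ports.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def connect_scan(host: str, ports: list[int], timeout: float = 1.0, workers: int = 64) -> dict[int, str]:
    """Scan many ports concurrently; the pool size is the crude equivalent of Nmap's --max-parallelism."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: connect_probe(host, p, timeout), ports)
        return dict(zip(ports, states))


def demo() -> dict[str, str]:
    """Scan loopback: one listening port and one port that was just released, so nothing
    listens on it. Both outcomes are real kernel behaviour: the handshake completes for
    the listener (even though we never accept()), and the other port answers RST."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]      # free again as soon as tmp is closed
    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"listening": result[open_port], "nothing_listening": result[closed_port]}


if __name__ == "__main__":
    print(demo())
```

The filtered branch cannot be shown on loopback, but it is the one that costs time: every probe to a silently dropping host burns the full timeout, which is exactly why the timing options covered later matter.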
As we all know, UDP is a connectionless protocol: there is no connection state and there are no control bits. Because of this there are fewer scanning options, scanning is often slower and less reliable, and the results carry a lot of uncertainty. Some scenarios you might encounter in UDP scanning are:
Scenario A: the attacker machine sends a UDP packet and the target machine responds with a UDP packet. Something is listening on that UDP port, so the port is open. Most services only answer a packet they understand, which is why Nmap sends protocol-specific payloads to a few well-known UDP ports (for example a DNS query to port 53) rather than an empty datagram.
Scenario B: the attacker machine sends a UDP packet and the target responds with an ICMP port unreachable (type 3, code 3). The port is closed. This is also one of the reasons UDP scanning is slow: many systems rate-limit ICMP error messages (Linux, for instance, limits destination-unreachable messages to about one per second by default), and a scanner that does not want to misclassify closed ports as open|filtered has to slow down to that rate. Nmap detects the rate limiting and throttles itself accordingly.
Scenario C: the attacker machine sends a UDP packet and nothing comes back. The scanner cannot tell whether the port is open but the service ignored our packet, or whether a firewall dropped it, so Nmap reports such a port as open|filtered (version detection with -sV can often resolve the ambiguity). There could be a lot of reasons why nothing came back; some of the reasons could be:-
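The three UDP outcomes, reproduced on loopback: an added Python example (written for this article, not Nmap's code) that starts a "chatty" UDP service that answers anything, a "quiet" one that reads but never replies, and probes those plus a port with no listener. It assumes a Linux or BSD-style kernel that delivers the ICMP port unreachable for a connected UDP socket as ECONNREFUSED; the payload, timeouts and retry count are illustrative choices.

```python
from __future__ import annotations

import socket
import threading


def start_udp_listener(reply: bool) -> tuple[socket.socket, int, threading.Event]:
    """Bind a UDP socket on 127.0.0.1 on an OS-chosen port and serve it from a thread.
    reply=True  models a chatty service that answers anything (an echo server).
    reply=False models a quiet service that reads datagrams but never answers, which is
    how many UDP daemons treat a payload they do not understand."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)          # lets the thread notice the stop flag
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(2048)
            except socket.timeout:
                continue
            except OSError:      # socket closed underneath us
                return
            if reply:
                srv.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], stop


def closed_udp_port() -> int:
    """Bind and immediately release a port, so nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def udp_probe(host: str, port: int, payload: bytes = b"\x00",
              timeout: float = 1.0, retries: int = 2) -> str:
    """Send a datagram and classify the port the way a UDP scan does:
      open          - a UDP reply came back
      closed        - ICMP port unreachable (type 3, code 3) arrived for our datagram;
                      the kernel reports it on the connected socket as ECONNREFUSED
      open|filtered - silence after every retry: the service ignored us, a firewall
                      dropped the packet, or the ICMP error was rate-limited away"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() sends nothing for UDP; it only tells the kernel which ICMP errors
        # belong to this socket so they can be raised as an exception.
        s.connect((host, port))
        for _ in range(retries):
            try:
                s.send(payload)
                s.recv(2048)
                return "open"
            except ConnectionRefusedError:
                return "closed"
            except socket.timeout:
                continue         # retransmit, as Nmap does, before giving up
        return "open|filtered"


def demo() -> dict[str, str]:
    chatty, chatty_port, stop_chatty = start_udp_listener(reply=True)
    quiet, quiet_port, stop_quiet = start_udp_listener(reply=False)
    try:
        return {
            "chatty service": udp_probe("127.0.0.1", chatty_port),
            "quiet service": udp_probe("127.0.0.1", quiet_port, timeout=0.3),
            "no service": udp_probe("127.0.0.1", closed_udp_port()),
        }
    finally:
        stop_chatty.set()
        stop_quiet.set()
        chatty.close()
        quiet.close()


if __name__ == "__main__":
    print(demo())
```

Note which case is expensive: the quiet service costs `retries * timeout` of wall-clock time and still ends in ambiguity, while the closed port answers (on loopback, where Linux does not rate-limit ICMP) immediately. Across a real network, every closed port beyond the rate limit turns into that same silent, slow open|filtered result.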
Nmap is a very common and amazingly powerful port scanner. Let's look at the Nmap options that are most useful to us.
Nmap timing options are very useful. The quickest way to set them is a timing template:
# nmap -T<0-5> [other options] <target>
-T0 (paranoid) and -T1 (sneaky) are meant for IDS evasion: they send one probe at a time and wait 5 minutes or 15 seconds respectively between probes. -T2 (polite) slows down to use less bandwidth, -T3 (normal) is the default, -T4 (aggressive) is the usual choice on a fast, reliable network, and -T5 (insane) trades accuracy for speed and will miss ports on a lossy link. The names can be used instead of the numbers (-T aggressive).
Nmap runtime interaction lets you adjust a scan while it is running: press v/V to raise or lower verbosity, d/D to raise or lower the debugging level, p/P to turn packet tracing on or off, and almost any other key to print a progress estimate for the current scan.
Nmap more specific timing options. The current syntax uses hyphens (older releases used underscores), and time values should carry a unit such as ms, s, m or h; a bare number is read as seconds.
• --host-timeout <time>: the maximum time to spend on a single host before giving up on it, e.g. --host-timeout 30m.
• --max-rtt-timeout <time>: the maximum time to wait for a reply to a probe before retransmitting or giving up, capping the value Nmap derives from the measured round-trip times.
• --min-rtt-timeout <time>: the minimum time to wait for a probe reply, even when the measured round-trip times would allow less.
• --max-parallelism <n>: the maximum number of probes Nmap keeps outstanding at once (its sibling --min-parallelism forces a floor).
• --scan-delay <time>: the minimum time Nmap waits between probes to a host; useful against rate-limiting targets and for staying under IDS thresholds.
Nmap network sweeping/probe options
Nmap custom control bits scan
• --scanflags <flags>: build a probe with any combination of URG, ACK, PSH, RST, SYN, FIN, ECE and CWR, written together with no separator (for example --scanflags URGACKPSHRSTSYNFIN), or ALL / NONE. Combine it with a base scan type such as -sF or -sA so Nmap knows how to interpret the replies; if you give no base type, the replies are interpreted as for a SYN scan.
Nmap Output options
• -oN [filename]: stores the normal human-readable output, the same as what is shown on the screen, in the file.
• -oG [filename]: stores the results in greppable format, one line per host, which is highly useful for quick processing with grep, awk or cut (Nmap's documentation considers it deprecated in favor of XML, but it is still widely used).
• -oX [filename]: stores the results as XML, the format other tools import; this is the one to keep for automation.
• -oA [basename]: writes all three of the above at once, as basename.nmap, basename.gnmap and basename.xml.
• -oS [filename]: ScRipT KIdd|3 output, a joke format. TRY THIS ONE YOURSELF.
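Because -oG is the format you will most often pull into scripts, here is an added Python parser for it (example code written for this article, not part of Nmap). `SAMPLE_GNMAP` is constructed to match the greppable layout Nmap documents: tab-separated sections per host line, and one slash-separated port/state/proto/owner/service/rpcinfo/version item per port. The hosts, ports and version strings in it are invented for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of what `nmap -sS -sV -oG scan.gnmap` writes: a "Status" line and a
# "Ports" line per host, sections separated by tabs, comment lines starting with '#'.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sV -oG scan.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.2 (web.internal)\tStatus: Up\n"
    "Host: 10.0.0.2 (web.internal)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, "
    "3306/closed/tcp//mysql///\tIgnored State: filtered (998)\n"
    "# Nmap done at Mon Jan  1 10:00:12 2024 -- 8 IP addresses (2 hosts up) scanned in 12.34 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


@dataclass(frozen=True)
class PortEntry:
    host: str
    hostname: str
    port: int
    state: str       # open, closed, filtered, open|filtered, ...
    proto: str       # tcp or udp
    service: str
    version: str


def parse_gnmap(text: str) -> list[PortEntry]:
    """Turn greppable output into one record per reported port. Ports in the host's
    'Ignored State' are not listed individually, so they never appear here."""
    entries: list[PortEntry] = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        # "Host: ...\tPorts: ...\tIgnored State: ..." -> {"Host": ..., "Ports": ..., ...}
        sections = dict(part.split(": ", 1) for part in line.split("\t") if ": " in part)
        if "Ports" not in sections:
            continue                         # a Status-only line
        host, hostname = m.group(1), m.group(2)
        for item in sections["Ports"].split(", "):
            f = item.split("/")              # port/state/proto/owner/service/rpcinfo/version/
            if len(f) < 7:
                raise ValueError(f"malformed port item for {host}: {item!r}")
            entries.append(PortEntry(host, hostname, int(f[0]), f[1], f[2], f[4], f[6]))
    return entries


def hosts_with(entries: list[PortEntry], port: int, state: str = "open", proto: str = "tcp") -> list[str]:
    """The question usually asked of a gnmap file: which hosts have port X in state Y?"""
    return sorted({e.host for e in entries if e.port == port and e.proto == proto and e.state == state})


def state_summary(entries: list[PortEntry]) -> dict[str, int]:
    """How many reported ports fell into each state; a quick sanity check on a scan."""
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.state] = counts.get(e.state, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    print(hosts_with(found, 22), state_summary(found))
```

The parser splits port items on ", " and fields on "/", which is what the format guarantees; if you need the full service banner with all its punctuation, or per-port script output, use -oX and an XML parser instead.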
Thanks for reading this article, I hope you liked it. School has been kinda hectic and I had exams, so this article is my comeback after not writing for a while. If you liked it, please share it, and if you have any questions find me on Twitter @k4b00m.