Friday, 12 February 2016

Scanning open ports

SCANNING FOR OPEN PORTS AND SERVICES

Once we have identified the live hosts on a network, we attempt to find the open ports and the services associated with them. Port scanning is the process of discovering open TCP and UDP ports on the target host or network. Open ports reveal the services that are running on those hosts. We perform port scanning in order to look for potential entry points into the systems.
One of the most challenging tasks in port scanning is evading firewalls and intrusion detection and prevention systems, so our goal is to make our scans as quiet as possible. Later in this chapter, we will discuss some stealth scanning techniques that make your scans less noisy.
There are many tools for scanning open ports, such as netcat, hping2, and Unicornscan, but nmap is our tool of choice. We will look at some GUI and command-line tools too, but our main focus will be on nmap, as it is one of the most comprehensive port scanners available.

TYPES OF PORT SCANNING

Port scanning is primarily divided into two main categories: TCP scanning and UDP scanning. Nmap supports a wide variety of scanning methods, such as the TCP SYN scan and the TCP connect scan, and we will discuss some of them here in great detail.
Nmap is very simple to use; the basic command line format for nmap is as follows:
nmap <Scan Type> <Option> <Target Specification>
A simple port scan can be launched with the following command:
nmap <target Ip Address>
This returns the ports that are open on the target host.
We can also scan a range, either by using the CIDR notation that we used earlier in the host discovery process or by using the * sign.
Command:
nmap 192.168.15.*
[Figure: output of nmap 192.168.15.*]
This would scan the whole range 192.168.15.1–255 and return the open ports. Also, you can see that nmap returns the service associated with each port.

UNDERSTANDING THE TCP THREE-WAY HANDSHAKE

The Transmission Control Protocol (TCP) was designed for reliable communication. It underlies a wide variety of protocols on the Internet, and it achieves reliable communication with the help of the three-way handshake.
Before understanding how port scanning works, we need to understand how the TCP three-way handshake works.
[Figure: TCP three-way handshake]
◾ The first host sends a SYN packet to the second host.
◾ The second host responds with a SYN/ACK packet; it indicates that the packet was received.
◾ The first host completes the connection by sending an acknowledgment packet.
TCP Flags
SYN—Initiates a connection.
ACK—Acknowledges that the packet was received.
RST—Resets the connection between two hosts.
FIN—Finishes the connection.
There are many other flags, and I would recommend that you spend some time reading RFC 793, the TCP protocol specification. I cannot emphasize enough the importance of understanding TCP/IP; it will help you a lot.
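As an added illustration (not part of the original post), the following Python decodes the flag byte of a raw TCP header using the bit values RFC 793 and its successors assign (FIN 0x01, SYN 0x02, RST 0x04, PSH 0x08, ACK 0x10, URG 0x20) and names the handshake step a packet belongs to. The two packets it decodes are constructed inside the block; the function names are my own, not nmap's or Wireshark's.

```python
import struct

# TCP flag bits as laid out in the flags byte of the header (RFC 793, plus PSH/URG from the same layout)
TCP_FLAGS = {
    0x01: "FIN",
    0x02: "SYN",
    0x04: "RST",
    0x08: "PSH",
    0x10: "ACK",
    0x20: "URG",
}


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and return the fields that matter for scanning."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    # ports, sequence, acknowledgment, data offset/reserved byte, flags byte, window
    src_port, dst_port, seq, ack, off_res, flags, window = struct.unpack("!HHIIBBH", raw[:16])
    header_len = (off_res >> 4) * 4  # top 4 bits give the header length in 32-bit words
    names = [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit]
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "header_len": header_len,
        "window": window,
        "flags": names,
    }


def handshake_step(flags: list) -> str:
    """Name the role a packet plays in the three-way handshake from its flag set."""
    present = set(flags)
    if present == {"SYN"}:
        return "step 1: SYN (connection request)"
    if present == {"SYN", "ACK"}:
        return "step 2: SYN/ACK (request accepted)"
    if "RST" in present:
        return "RST (connection refused or torn down)"
    if present == {"ACK"}:
        return "step 3: ACK (handshake completed)"
    return "other"


def build_tcp_header(src_port, dst_port, seq, ack, flags_byte, window=65535) -> bytes:
    """Build a minimal 20-byte header (checksum and urgent pointer left zero) for the samples below."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags_byte, window, 0, 0)


# Constructed sample packets: a SYN to port 80 and the SYN/ACK that would answer it.
SYN_PKT = build_tcp_header(40000, 80, 1000, 0, 0x02)
SYN_ACK_PKT = build_tcp_header(80, 40000, 5000, 1001, 0x12)

if __name__ == "__main__":
    for pkt in (SYN_PKT, SYN_ACK_PKT):
        hdr = parse_tcp_header(pkt)
        print(hdr["src_port"], "->", hdr["dst_port"], hdr["flags"], handshake_step(hdr["flags"]))
```

Reading the flags byte directly is what packet analysers do under the hood: a SYN/ACK is the single byte 0x12, and the acknowledgment number in it (1001) is the probe's sequence number plus one, which is how the scanner matches a reply to the SYN it sent.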

PORT STATUS TYPES

With nmap you would see one of four port status types:
Open—The port is accessible and an application is listening on it.
Closed—The port is inaccessible and no application is listening on it.
Filtered—Nmap is not able to determine whether the port is open or closed, because its probes are being filtered, which usually means that the machine is behind a firewall.
Unfiltered—The port is accessible to nmap, but nmap cannot determine whether it is open or closed.

TCP SYN SCAN

The TCP SYN scan is the default scan that runs against the target machine. It is the fastest scan. You can tweak it to make it even faster by using the -n option, which tells nmap to skip DNS resolution.
[Figure: TCP SYN scan against port 80, source 192.168.0.8 to destination 192.168.0.10: 1. SYN + Port 80, 2. SYN/ACK, 3. RST]
This diagram illustrates how a TCP SYN scan works:
◾ The source machine sends a SYN packet to port 80 on the destination machine.
◾ If the destination responds with a SYN/ACK packet, nmap knows that the port is open on the target machine.
◾ The scanning host's operating system then sends an RST (reset) packet to tear the half-open connection down, since we already know that the port is open.
◾ However, if there is no response from the destination after the SYN packet is sent, nmap knows that the port is filtered.
◾ If you send a SYN packet and the target machine replies with an RST packet, nmap knows that the port is closed.
Command: The syntax for the TCP SYN scan is as follows:
nmap -sS <target IP>
[Figure: output of the TCP SYN scan run with -n and -p 80]
From this picture, you can see that I have specified two additional parameters (-n and -p).
The -n parameter tells nmap not to perform name resolution; this is commonly used to increase the speed of the scan. The -p parameter is used to specify the ports to scan, which in this case is port 80.
[Figure: Wireshark capture of the SYN scan]
I also ran Wireshark (a network analysis tool) while performing this scan to record the behavior of the packets. The output was what we expected.
As you can see from the first line, the source 192.168.15.14 sends a SYN packet to the destination 192.168.15.1. The destination responds with a SYN, ACK in the second line. The source 192.168.15.14 then sends an RST packet to close the connection, thus displaying the behavior discussed earlier. I have also used the “TCP” filter to filter out TCP protocol-related requests.
The positive side of this scan is that it is fast; its downside is that it is often detected by IDS, IPS, and firewalls. We will talk about some techniques for quieter scans later in this chapter.
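To make the Wireshark observation above reusable on the defender's side, here is an added Python example (not from the original post) that takes a packet list in the form Wireshark's Info column shows flags and applies the rules listed above: a SYN/ACK followed by an RST from the prober marks an open port probed half-open, an RST from the target marks closed, and no reply marks filtered. It also recognizes the full handshake followed by a teardown, which is the pattern a connect scan leaves behind, and counts half-open probes per source, which is the signal an IDS keys on. The capture, its addresses and the function names are all constructed for this example.

```python
from collections import Counter

# Constructed capture in the form Wireshark's Info column presents TCP flags; not a real trace.
# Each entry: (source ip, source port, destination ip, destination port, flags).
SAMPLE_CAPTURE = [
    # probe of port 80: SYN, SYN/ACK, then RST from the scanner -> open, half-open (SYN scan)
    ("192.168.15.14", 40001, "192.168.15.1", 80, "SYN"),
    ("192.168.15.1", 80, "192.168.15.14", 40001, "SYN, ACK"),
    ("192.168.15.14", 40001, "192.168.15.1", 80, "RST"),
    # probe of port 23: target answers RST/ACK -> closed
    ("192.168.15.14", 40002, "192.168.15.1", 23, "SYN"),
    ("192.168.15.1", 23, "192.168.15.14", 40002, "RST, ACK"),
    # probe of port 135: nothing comes back -> filtered
    ("192.168.15.14", 40003, "192.168.15.1", 135, "SYN"),
    # probe of port 22 by another host: full handshake, then teardown -> open, connect scan
    ("192.168.15.20", 50001, "192.168.15.1", 22, "SYN"),
    ("192.168.15.1", 22, "192.168.15.20", 50001, "SYN, ACK"),
    ("192.168.15.20", 50001, "192.168.15.1", 22, "ACK"),
    ("192.168.15.20", 50001, "192.168.15.1", 22, "RST, ACK"),
]


def parse_flags(text: str) -> frozenset:
    """'SYN, ACK' -> frozenset({'SYN', 'ACK'})"""
    return frozenset(part.strip().upper() for part in text.split(",") if part.strip())


def group_flows(packets: list) -> dict:
    """Group packets by connection, keyed by the 4-tuple of whoever sent the first packet.
    Each value is a list of (direction, flags): 'out' from the initiator, 'in' towards it."""
    flows = {}
    for src, sport, dst, dport, flags in packets:
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if reverse in flows:
            flows[reverse].append(("in", parse_flags(flags)))
        else:
            flows.setdefault(key, []).append(("out", parse_flags(flags)))
    return flows


def classify_flow(events: list) -> str:
    """Label one probe using the SYN-scan decision rules from the text."""
    if not events or events[0] != ("out", frozenset({"SYN"})):
        return "not a SYN probe"
    replies = [flags for direction, flags in events[1:] if direction == "in"]
    if not replies:
        return "filtered (no response)"
    if "RST" in replies[0]:
        return "closed (RST from target)"
    if replies[0] != frozenset({"SYN", "ACK"}):
        return "unexpected reply"
    # SYN/ACK came back, so the port is open; what the prober does next tells the scan types apart
    for direction, flags in events[1:]:
        if direction != "out":
            continue
        if "RST" in flags:
            return "open, half-open probe (SYN scan)"
        if "ACK" in flags:
            return "open, handshake completed (connect scan)"
    return "open, handshake left incomplete"


def classify_capture(packets: list) -> dict:
    """{(src, sport, dst, dport): label} for every flow in the capture."""
    return {key: classify_flow(events) for key, events in group_flows(packets).items()}


def half_open_counts(classified: dict) -> dict:
    """Defender view: how many half-open probes each source sent, the signature an IDS looks for."""
    sources = (src for (src, _, _, _), label in classified.items() if label.startswith("open, half-open"))
    return dict(Counter(sources))


if __name__ == "__main__":
    labelled = classify_capture(SAMPLE_CAPTURE)
    for (src, sport, dst, dport), label in labelled.items():
        print(f"{src}:{sport} -> {dst}:{dport}  {label}")
    print(half_open_counts(labelled))
```

A burst of half-open flows from one source to many ports is exactly what the IDS and IPS products mentioned above alert on, which is why the SYN scan is fast but rarely quiet on a monitored network.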

TCP CONNECT SCAN

The TCP connect scan is similar to the SYN scan, with the difference that it completes the three-way handshake. The TCP connect scan becomes the default scan when the SYN scan is not supported on the scanning machine; a common reason is that the machine (or the account nmap runs under) is not privileged to create its own raw packets.
[Figure: TCP connect scan]
This diagram illustrates how it works:
1. The source machine sends a SYN packet to port 80.
2. The destination machine responds with a SYN/ACK.
3. The source machine then sends an ACK packet to complete the three-way handshake.
4. The source machine finally sends an RST packet in order to close the connection.
The TCP connect scan can be accomplished by specifying an additional -sC parameter with nmap.
Here is an example:
[Figure: TCP connect scan output]
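As an added example (not the post's own code), this Python function performs the connect-style probe described above by letting the operating system carry out the full handshake, then maps the outcome onto the port states defined earlier: a completed connection is open, an RST (seen by the program as ECONNREFUSED) is closed, and a timeout or unreachable error is filtered. The demo() function builds its own target, a loopback listener for the open case and a bound-then-released port for the closed case, so it runs without touching any other host; function names are mine. One caveat worth knowing when you try this with nmap itself: the connect scan is selected with -sT, while -sC is the option that enables nmap's default scripts.

```python
import errno
import socket
import threading


def probe_tcp_connect(host: str, port: int, timeout: float = 1.0) -> str:
    """Let the OS run the full three-way handshake and map the outcome onto nmap's port states."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))  # kernel sends SYN, waits for SYN/ACK, answers with ACK
            return "open"               # leaving the block closes the socket and tears the connection down
        except socket.timeout:
            return "filtered"           # no SYN/ACK and no RST inside the timeout: something dropped the probe
        except ConnectionRefusedError:
            return "closed"             # the target answered with RST
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"       # ICMP unreachable from a router or the local stack
            raise


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """{port: state} for each requested port, probing one port at a time."""
    return {port: probe_tcp_connect(host, port, timeout) for port in ports}


def _accept_and_close(server: socket.socket) -> None:
    """Accept loop for the constructed demo listener; exits once the listening socket is closed."""
    while True:
        try:
            conn, _ = server.accept()
            conn.close()
        except OSError:
            break


def demo() -> tuple:
    """Constructed, self-contained demo: one loopback listener (open) and one free loopback port (closed)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # the kernel picks a free port
    server.listen(5)
    threading.Thread(target=_accept_and_close, args=(server,), daemon=True).start()
    open_port = server.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]  # bound but never listened on, then released
    spare.close()

    result = connect_scan("127.0.0.1", [open_port, closed_port])
    server.close()
    return result, open_port, closed_port


if __name__ == "__main__":
    result, open_port, closed_port = demo()
    print(f"port {open_port}: {result[open_port]}   port {closed_port}: {result[closed_port]}")
```

Because the kernel completes the handshake, a connect-style probe needs no raw-socket privileges, but every open port it touches produces an accepted connection that the listening service and its logs can see, which is the trade-off this section describes.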
