Port Scanning
So, let's imagine that we are conducting security testing inside or even outside the company, and before attacking something, we need to find what can be attacked.
As we know, every service or application listens on one or more of the 65,536 ports (0 to 65535), and in order to find open ports and what is running on them, we must scan them with automated tools or check them manually.
Tools For Automatic Port Scanning
The advantage of automated tools is that they scan and detect quickly and effectively, but the scan itself can be detected as suspicious activity, as the tools are usually quite noisy.
1. NMap

NMap (Network Mapper) is the most popular and useful open-source tool for port scanning, security auditing and network diagnostics.
nmap can find open ports, detect vulnerabilities in the services it finds through its built-in NSE (Nmap Scripting Engine), and is very flexible and customizable.
nmap can be used on both Linux and Windows; you can download binaries for these systems from the official website.
Now let's look at the commands.
Before we scan, let's agree that we will always use the -v flag, which gives more detailed scan output and a better understanding of the process.
Let's start by determining the host operating system; the -O flag is responsible for this:
As we can see, nmap scans ports anyway, even though we don't need that right now, because without port scanning it cannot detect the OS; this port scan is not yet in-depth.
As usual, if you don't specify a port range, nmap scans the top 1000 ports.
Different operating systems respond differently to "unusual" network packets, and these differences can be measured and compared to the fingerprint database.
With -O, nmap sends a set of test packets (probes), each of which measures one characteristic of the target's TCP/IP stack.
Basic tests:
Test    Probe                          What is measured
T1      SYN to an open port            Window size, TCP options
T2–T7   Unusual TCP flag combinations  Response / no response
PU      UDP to a closed port           ICMP Port Unreachable
ICMP    Echo / Timestamp               TTL, DF bit
SEQ     Series of SYNs                 ISN (initial sequence number) generation
As you can see, nmap gives its OS guess as a percentage: Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%).
Types of port scanning
TCP Connect Scan
Flag - -sT
How it works:
Full TCP handshake - SYN → SYN/ACK → ACK
Interpretation:
Response       State
SYN/ACK        open
RST            closed
No response    filtered
If you see filtered, it usually means that the probe was dropped by a firewall or other filtering device.
This is the most accurate scan, but it is very noisy.
TCP SYN Scan
Flag - -sS
How it works - SYN → SYN/ACK → RST
Interpretation:
Response       State
SYN/ACK        open
RST            closed
No response    filtered
The scan is fast and less noisy, but requires root.
TCP FIN Scan
Flag - -sF
Interpretation:
Response       State
RST            closed
No response    open|filtered
Doesn't work on Windows
No distinction open vs filtered
Sometimes bypasses simple firewalls
You can find out about all types of scanning on the official website.
Scanning selected ports
If we need to scan only specific ports, we can use the -p flag:
As you know, ports can be both TCP and UDP, and by default nmap scans only TCP; to scan UDP, you can specify the -sU flag:
Separating TCP and UDP ports (very important for combined scans):
To scan all 65,536 ports, you can specify the -p- flag:
We can also exclude ports with the --exclude-ports flag:
To show only open ports, you can use the --open flag.
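To make the -p syntax above concrete, here is a small parser for nmap-style port specifications (an added example, not code from the page or from nmap itself): plain lists and ranges such as "22,80-443", the all-ports shorthand "-", T:/U: qualifiers for combined TCP/UDP scans, and --exclude-ports subtraction. The `protocols` parameter is an assumption that models which protocols the scan covers (TCP only unless -sU is added).

```python
"""Parser for nmap-style -p port specifications (added example, not nmap code)."""
import re

MAX_PORT = 65535


def _expand(spec):
    """Expand a comma-separated list of ports and ranges into a set of ints."""
    ports = set()
    for item in filter(None, spec.split(",")):          # skip empty items
        m = re.fullmatch(r"(\d*)-(\d*)", item)
        if m:                                           # "lo-hi", "-hi", "lo-" or "-"
            lo = int(m.group(1) or 1)                   # an open start means port 1
            hi = int(m.group(2) or MAX_PORT)            # an open end means port 65535
        elif item.isdigit():
            lo = hi = int(item)
        else:
            raise ValueError(f"bad port item: {item!r}")
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"range out of order or out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_ports(spec, protocols=("tcp",), exclude=""):
    """Return {"tcp": set, "udp": set} for a -p spec.

    Unqualified items apply to every protocol in `protocols` (assumed to model
    the scan types in use: TCP only by default, TCP and UDP when -sU is added).
    A T:/U: qualifier applies to that protocol until the next qualifier.
    `exclude` uses the same syntax, like --exclude-ports.
    """
    result = {"tcp": set(), "udp": set()}
    current = None                                      # no qualifier seen yet
    for token in re.split(r"(?=[TU]:)", spec.replace(" ", "")):
        if not token:
            continue
        if token[:2] in ("T:", "U:"):
            current = "tcp" if token[0] == "T" else "udp"
            token = token[2:]
        ports = _expand(token)
        for proto in ((current,) if current else protocols):
            result[proto] |= ports
    if exclude:                                         # subtract excluded ports
        for proto, ports in parse_ports(exclude, protocols).items():
            result[proto] -= ports
    return result
```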
Scan speed
Timing templates:
This directly sets the nmap scanning speed.
Packet rate limiting:
Flag          Meaning
--min-rate    Minimum packets per second
--max-rate    Hard ceiling on packets per second
Parallelism:
Flag - --max-parallelism <VALUE>
Value    Effect
Low      Quieter, slower
High     Faster, more noticeable
nmap usually makes good choices on its own, so you rarely need to touch it.
To increase speed, you can also use the --max-retries <VALUE> flag, which limits the number of probe retransmissions, and the -n flag, which completely disables DNS resolution and can save anywhere from a few seconds to several tens of seconds.
Some hosts may have ICMP blocked, causing nmap to consider the host dead. To skip this host-discovery step, you can use the -Pn flag, which is required in 90% of cases when scanning Windows machines.
Let's try running a scan with these flags and compare the scan time with previous scans:
As we can see, the scan was almost one and a half to two times faster.
It's important to remember that fast scans are often very noisy and noticeable, so be stealthy if you don't know how the host will react to the scan.
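To show what "noisy and noticeable" means from the defender's side, here is an added example (not code from the page or from any of the tools it describes) that replays constructed firewall-style log lines and flags a source that probes many distinct ports on one host within a short window, the classic port-scan signature. The log format, sample addresses, window and threshold are all assumptions chosen for the example.

```python
"""Port-scan detection over constructed log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, one probe per line: "<ISO time> <src> <dst> <dport> <flags>"
# 10.0.0.5 sweeps ten ports in three seconds; 10.0.0.7 makes a few normal connections.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 10.0.0.20 22 S
2024-05-01T10:00:00 10.0.0.5 10.0.0.20 80 S
2024-05-01T10:00:01 10.0.0.5 10.0.0.20 443 S
2024-05-01T10:00:01 10.0.0.5 10.0.0.20 445 S
2024-05-01T10:00:01 10.0.0.5 10.0.0.20 3389 S
2024-05-01T10:00:02 10.0.0.5 10.0.0.20 8080 S
2024-05-01T10:00:02 10.0.0.5 10.0.0.20 8443 S
2024-05-01T10:00:02 10.0.0.5 10.0.0.20 21 S
2024-05-01T10:00:03 10.0.0.5 10.0.0.20 23 S
2024-05-01T10:00:03 10.0.0.5 10.0.0.20 25 S
2024-05-01T10:00:04 10.0.0.7 10.0.0.20 443 S
2024-05-01T10:00:09 10.0.0.7 10.0.0.20 443 S
2024-05-01T10:05:00 10.0.0.7 10.0.0.20 80 S
"""


def detect_port_scans(log_text, window_s=10, min_ports=8):
    """Return {(src, dst): ports} for every source/destination pair whose SYN
    probes hit at least `min_ports` distinct ports within any `window_s` seconds."""
    recent = defaultdict(deque)        # (src, dst) -> (time, port) entries in window
    alerts = {}
    for line in log_text.splitlines():
        ts, src, dst, port, flags = line.split()
        if flags != "S":               # only connection attempts count as probes
            continue
        t = datetime.fromisoformat(ts)
        q = recent[(src, dst)]
        q.append((t, int(port)))
        while (t - q[0][0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            alerts[(src, dst)] = alerts.get((src, dst), set()) | ports
    return alerts
```

A slow scan spread over minutes (the -T0/-T1 end of the timing scale) would not cross this window-based threshold, which is exactly why the page advises stealth when you do not know how the host will react.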
This was just a basic overview of nmap; pages on evasion and advanced scanning will be added soon.
2. Rustscan

Rustscan is an ultra-fast port scanner written in Rust that can be used instead of or before nmap.
How it works (conceptually):
Rustscan asynchronously sends TCP SYN/connect probes
Finds only open ports
Passes the list of open ports to nmap
nmap scans them more deeply
Most popular command template:
Here you can find a detailed guide on Rustscan.
3. Metasploit
Metasploit has auxiliary modules for scanning TCP and UDP ports. You can view a module's parameters with the options command.
Modules:
Module                              Purpose
auxiliary/scanner/portscan/tcp      TCP port scan
auxiliary/scanner/portscan/syn      SYN scan
auxiliary/scanner/portscan/udp      UDP port scan
This is what a typical scan looks like:
Tools for manual checking
1. Telnet
A very simple utility with which we can try to connect to the port.
Traditionally, Telnet will use TCP; to use UDP, you need to specify the -u flag.
2. Netcat

Netcat (nc) is the "Swiss Army knife" of the networking world.
It can handle almost everything related to TCP/UDP connections and is used in both reconnaissance and service exploitation.
Checking if a port is open:
3. Socat
socat is an advanced netcat on steroids; you can use it as an alternative to netcat.
Check if a port is open:
End
Thanks for reading!
New pages related to this topic will be added soon, and this page may be updated.