search
GitHubTwitterExegolTools

Port scanning

hashtag
Theory

When targeting machines connected to a network, identifying which services are running and accessible remotely allows attackers to have a better understanding of the attack surface.

Services open to the network usually rely on one of two transport protocols: TCP or UDP.

  • TCP (Transmission Control Protocol): requires a 3-way handshake to establish a connection. TCP is the most reliable transport protocol of the two as it allows re-transmission of lost data packets.

  • UDP (User Datagram Protocol): doesn't require any connection at all. Packets can be sent freely but may not arrive. UDP is faster, simpler, but less reliable. It's mostly used for streaming purposes and for services that have a high speed requirement.

TCP and UDP are quite similar in the sense that they work with ports. Services can be bound to ports and users go through these ports to access the services.

circle-info

ICMP (Internet Control Message Protocol) is a separate transport protocol that is commonly known for its "echo request" message used to "ping" machines across networks. ICMP doesn't rely on ports like TCP and UDP do. There is no port in ICMP.

While there are many services that are well known for using common ports (e.g. 80/TCP for HTTP, 443/TCP for HTTPS, 22/TCP for SSH, etc.), the port is just a number. Any port from 0 to 65535 can be bound to any service. Machines (a.k.a. hosts) can theoretically have 65536 ports open on TCP, and 65536 ports open on UDP at the same time.

Knowing which ports are open on a host, and which services hide between these ports is essential in the host reconnaissance part of an intrusion attempt.

hashtag
Practice

The most commonly used tool for port scanning is nmaparrow-up-right ("Network Mapper"). This tool features a lot of options but the main ones are the following.

SCAN TECHNIQUES
  -sS/sT/sA: TCP SYN/Connect()/ACK scans
  -sU: UDP Scan

PORT SPECIFICATION AND SCAN ORDER
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast mode - Scan 100 most common
  --top-ports <number>: Scan <number> most common ports
  
TIMING AND PERFORMANCE
  -T<0-5>: Set timing template (higher is faster)
    Templates (0-5): paranoid|sneaky|polite|normal|aggressive|insane 

SERVICE/VERSION DETECTION
  -sV: Probe open ports to determine service/version info
  
SCRIPT SCAN
  -sC: equivalent to --script=default

HOST DISCOVERY
  -Pn: Treat all hosts as online -- skip host discovery

FIREWALL/IDS EVASION AND SPOOFING
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface

OUTPUT
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)

The following nmap commands are the most commonly used.

circle-info

SCTP (Stream Control Transmission Protocol) is another transport protocol. Its main benfits are high reliability, congestion control and better error handling. This protocol is quite rare but is sometimes used and is worth scanning. Just like TCP and UDP, SCTP works with ports. The -sY option can be used in nmap to scan SCTP ports, similarly to -sU for UDP.

MASSCANarrow-up-right (C) is an alternative to nmap, mostly known for its speed. Its usage is similar to nmap but focuses essentially on port scanning. Services, versions and scripts scans should be conducted with nmap. Below is an example of masscan being used to scan all TCP and UDP ports of a host with a high rate.

hashtag
Resources

https://captmeelo.com/pentest/2019/07/29/port-scanning.htmlcaptmeelo.comchevron-right
PreviousHosts discoveryNextInitial access (protocols)

Last updated

Was this helpful?