Port scanning

Theory

When targeting machines connected to a network, identifying which services are running and accessible remotely allows attackers to have a better understanding of the attack surface.
Services open to the network usually rely on one of two transport protocols: TCP or UDP.
  • TCP (Transmission Control Protocol): requires a 3-way handshake to establish a connection. TCP is the most reliable transport protocol of the two as it allows re-transmission of lost data packets.
  • UDP (User Datagram Protocol): doesn't require any connection at all. Packets can be sent freely but may not arrive. UDP is faster, simpler, but less reliable. It's mostly used for streaming purposes and for services that have a high speed requirement.
TCP and UDP are quite similar in the sense that they work with ports. Services can be bound to ports and users go through these ports to access the services.
ICMP (Internet Control Message Protocol) is a separate transport protocol that is commonly known for its "echo request" message used to "ping" machines across networks. ICMP doesn't rely on ports like TCP and UDP do. There is no port in ICMP.
While there are many services that are well known for using common ports (e.g. 80/TCP for HTTP, 443/TCP for HTTPS, 22/TCP for SSH, etc.), the port is just a number. Any port from 0 to 65535 can be bound to any service. Machines (a.k.a. hosts) can theoretically have 65535 ports open on TCP, and 65535 ports open on UDP at the same time.
Knowing which ports are open on a host, and which services hide between these ports is essential in the host reconnaissance part of an intrusion attempt.

Practice

The most commonly used tool for port scanning is nmap ("Network Mapper"). This tool features a lot of options but the main ones are the following.
1
SCAN TECHNIQUES
2
-sS/sT/sA: TCP SYN/Connect()/ACK scans
3
-sU: UDP Scan
4
โ€‹
5
PORT SPECIFICATION AND SCAN ORDER
6
-p <port ranges>: Only scan specified ports
7
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
8
-F: Fast mode - Scan 100 most common
9
--top-ports <number>: Scan <number> most common ports
10
11
TIMING AND PERFORMANCE
12
-T<0-5>: Set timing template (higher is faster)
13
Templates (0-5): paranoid|sneaky|polite|normal|aggressive|insane
14
โ€‹
15
SERVICE/VERSION DETECTION
16
-sV: Probe open ports to determine service/version info
17
18
SCRIPT SCAN
19
-sC: equivalent to --script=default
20
โ€‹
21
HOST DISCOVERY
22
-Pn: Treat all hosts as online -- skip host discovery
23
โ€‹
24
FIREWALL/IDS EVASION AND SPOOFING
25
-f; --mtu <val>: fragment packets (optionally w/given MTU)
26
-S <IP_Address>: Spoof source address
27
-e <iface>: Use specified interface
28
โ€‹
29
OUTPUT
30
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
31
and Grepable format, respectively, to the given filename.
32
-oA <basename>: Output in the three major formats at once
33
-v: Increase verbosity level (use -vv or more for greater effect)
Copied!
The following nmap commands are the most commonly used.
1
# basic TCP SYN scanning of the 1000 most common TCP ports, with a normal speed
2
nmap $TARGET
3
โ€‹
4
# basic TCP SYN scanning of the 100 most common TCP ports, with a normal speed
5
nmap -F $TARGET
6
โ€‹
7
# scan all TCP ports with an aggressive speed, skipping host discovery, adding verbosity
8
nmap -v -Pn -p0-65535 -T4 $TARGET
9
โ€‹
10
# scan specific TCP ports, enable service/version detection and script scanning, skipping host discovery, with an aggressive speed
11
nmap -Pn -sC -sV -p "20-25,53,80,135,139,443,445" $TARGET
12
โ€‹
13
# same, but scanning known vulnerabilites (CVEs) instead of default scripts
14
nmap -Pn --script vuln -sV -p "20-25,53,80,135,139,443,445" $TARGET
15
โ€‹
16
# scan 20 most common UDP ports and enable service detection
17
nmap -sU -sV --top-ports 20 $TARGET
Copied!
SCTP (Stream Control Transmission Protocol) is another transport protocol. Its main benfits are high reliability, congestion control and better error handling. This protocol is quite rare but is sometimes used and is worth scanning. Just like TCP and UDP, SCTP works with ports. The -sY option can be used in nmap to scan SCTP ports, similarly to -sU for UDP.
โ€‹MASSCAN (C) is an alternative to nmap, mostly known for its speed. Its usage is similar to nmap but focuses essentially on port scanning. Services, versions and scripts scans should be conducted with nmap. Below is an example of masscan being used to scan all TCP and UDP ports of a host with a high rate.
1
masscan -e $INTERFACE -p0-65535,U:0-65535 --max-rate 100000 $TARGETS
Copied!

Resources

Finding the Balance Between Speed & Accuracy During an Internet-wide Port Scanning
Hack.Learn.Share
Copy link