Sunday, September 15, 2013

Port Scanning

Filled under:

Port scanning is the process of checking for open TCP or UDP ports on a machine. Please note that port scanning is considered illegal in many countries and should not be performed outside the labs. I was once running an Nmap scan during an internal penetration test. Unwittingly, I did not take note of the unusual subnet mask employed on the local network, and ended up running the Nmap scan through a remote up link that was offsite. The routers separating these two remote networks were overwhelmed by the intense scan, and, suffice it to say, bad things happened. Never run a port scan blindly. Always think of the traffic implications of your scans, and their possible outcome on the target machines.
Port Scan_Dec 2010
TCP Port Scanning Basics
The theory behind TCP port scanning is based on the three-way TCP handshake. The TCP RFC states that when a SYN is sent to an open port, an ACK should be sent back. So the process of port scanning involves attempting to establish a three-way handshake with given ports. If they respond and continue the handshake, the port is open; otherwise, an RST is sent back. Netcat can be used as a simple port scanner.
The following syntax is used to perform a port scan using Netcat. You’ll scan ports 24–26 on 192.168.0.10:
root@bt:~# nc -vv -z -w2 192.168.0.10 24-26
192.168.0.10: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.10] 26 (?) : Connection refused
(UNKNOWN) [192.168.0.10] 25 (smtp) open
(UNKNOWN) [192.168.0.10] 24 (?) : Connection refused
root@bt:~#
Look at the Wireshark dump that was generated due to this scan:
port-scan

UDP Port Scanning Basics
Since UDP is stateless and does not involve a three-way handshake, the mechanism behind UDP port scanning is different. Try using Wireshark while UDP scanning a lab machine to understand the how UDP port scans work.
Port Scanning Pitfalls
  • UDP port scanning is often unreliable because ICMP packets are often dropped by firewalls and routers. This can lead to false positives in your scan, and you’ll often see UDP port scans showing all UDP ports open on a scanned machine. Please be aware of this.
  • Most port scanners do not scan all available ports and usually have a preset list of “interesting ports” that are scanned.
  • People often forget to scan for UDP services, and stick only to TCP, thereby potentially seeing only half of the equation.

0 comments:

Post a Comment