Let’s talk about Port Scanning!

Port scanning is one of the methods carried out during the target enumeration process. It can probe all TCP or UDP ports, not only the well-known ones, which is why a scan can take a minute or two. The result tells us which TCP and UDP ports are open, closed, or filtered.

In this post, I’m going to talk about the differences between TCP and UDP ports, the types of port scanning, and also show how to do port scanning using Nmap!

Why is it important to know the state of TCP and UDP ports?

Let’s just assume that an open port is like an unlocked door to your house. A thief could rob your home at any time because you left your door unlocked or unguarded 24/7. In this case, the attacker could find vulnerabilities and exploit the network by simply checking the version of the software that the network service exposes through the open ports. Knowing the software version makes things easy for the attacker, because they can look up the vulnerabilities that have not yet been fixed in that version.

Now that we understand the importance of port scanning, let’s discuss a bit about TCP and UDP, so you will not get lost during the port scanning practice later.

TCP (Transmission Control Protocol) is a connection-oriented protocol, which means a connection must be established by both parties before they can communicate with each other. This connection is established with a three-way handshake.

  • SYN (Synchronize): used to initiate a TCP connection.
  • SYN/ACK (Synchronize-Acknowledgement): tells the client that the server has received its SYN.
  • ACK (Acknowledge): acknowledges receipt of a packet.

After the connection has been established, TCP sends an ACK for every packet it receives. If a packet is lost, meaning the sender never receives an ACK for it, TCP automatically retransmits it. This makes TCP good for sending important information or files, since the sender is told when the receiver has successfully got the data.

UDP (User Datagram Protocol) is a connectionless protocol. To send data, the client and the server don’t need to establish a connection the way TCP does, which makes UDP much faster than TCP. However, the disadvantage of UDP is that the protocol will not retransmit any lost packet.

Now that we have discussed the difference between UDP and TCP, let’s talk about different types of scanning.

Different types of Scanning

  • SYN or Stealth Scan: The sender sends a SYN packet to the target; if a SYN/ACK is received back, the sender replies with an RST packet instead of an ACK, so it never completes the three-way handshake.
  • ACK Scan: This scan type is used to determine whether a firewall is stateful or not and which ports are filtered by sending an ACK packet.
  • Connect Scan: This scan will complete the three-way handshake with each target port. If the connection succeeds, the port is considered open.
  • XMAS Scan: This scan will send a packet that sets the FIN, PSH, and URG flags. If the port is open, there is no response; but if the port is closed, the target responds with an RST/ACK packet.
    • FIN Flag: This flag indicates that the party has no more data to send. It is
      used to tear down a connection gracefully.
    • PSH Flag: This flag indicates that the buffered data should be pushed
      immediately to the application rather than waiting for more data.
    • URG Flag: This flag indicates that the Urgent Pointer field in the TCP
      header is significant. The urgent pointer refers to important data
      sequence numbers.
  • FIN Scan: This scan works like XMAS Scan but it only sets the FIN flag.
  • NULL Scan: This scan also works like XMAS Scan but has no flags set.
  • Maimon Scan: This scan will send a packet with the FIN/ACK flag bit
    set. BSD-derived systems will drop the packet if the port is open, and it will
    respond with RST if the port is closed.
  • Window Scan: This scan type works by examining the TCP Window field of the RST packet’s response. An open port will have a positive TCP Window value, while a closed port will have a zero window value.
  • Idle Scan: Your machine sends no packets to the target directly; instead the probes are bounced off a zombie host you specify.
  • UDP Scan: Sends an empty UDP packet to each port. A closed port responds with an ICMP “Port Unreachable” message.
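To see how these scan types look from the receiving side, here is an added example (not code from the original post) that classifies a TCP probe by the flags it carries, pairs it with the target’s reply, and infers the port state the way the list above describes. The packet records, their field layout and the port numbers are constructed for the example.

```python
# Added example, not code from the original post: classify TCP probes by their flags,
# pair each with the reply, and infer the port state. Records are constructed by hand.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag set of the first packet for each scan type listed above.
SIGNATURES = {
    frozenset({"SYN"}): "SYN",              # stealth or connect; told apart below
    frozenset({"ACK"}): "ACK",
    frozenset({"FIN", "PSH", "URG"}): "XMAS",
    frozenset({"FIN"}): "FIN",
    frozenset(): "NULL",
    frozenset({"FIN", "ACK"}): "Maimon",
}

def names(bits):
    """Flag names set in a TCP flags byte, e.g. 0x12 -> {'SYN', 'ACK'}."""
    return frozenset(n for n, b in FLAGS.items() if bits & b)

def classify(flow):
    """flow: [(direction, flags), ...] in capture order; 'out' = scanner -> target."""
    scan = SIGNATURES.get(names(flow[0][1]), "unknown")
    replies = [names(f) for d, f in flow[1:] if d == "in"]
    follow = [names(f) for d, f in flow[1:] if d == "out"]
    reply = replies[0] if replies else frozenset()
    if scan == "SYN":
        if reply == {"SYN", "ACK"}:
            # Open. A stealth scan answers with a bare RST; a connect scan sends ACK.
            stealth = not follow or "ACK" not in follow[0]
            return ("SYN (stealth)" if stealth else "Connect", "open")
        return ("SYN", "closed" if "RST" in reply else "filtered")
    if scan == "ACK":
        return ("ACK", "unfiltered" if "RST" in reply else "filtered")
    if scan in ("XMAS", "FIN", "NULL", "Maimon"):
        return (scan, "closed" if "RST" in reply else "open|filtered")
    return (scan, "unknown")

def report(flows):
    """Map each probed port to its (scan type, inferred state)."""
    return {port: classify(flow) for port, flow in flows.items()}

# Constructed capture of one scanner against one target, keyed by destination port.
SAMPLE = {
    80:  [("out", 0x02), ("in", 0x12), ("out", 0x04)],  # SYN, SYN/ACK, RST
    22:  [("out", 0x02), ("in", 0x12), ("out", 0x10)],  # SYN, SYN/ACK, ACK
    23:  [("out", 0x02), ("in", 0x14)],                 # SYN, RST/ACK
    21:  [("out", 0x29), ("in", 0x14)],                 # FIN|PSH|URG, RST/ACK
    443: [("out", 0x00)],                               # NULL probe, no reply
    25:  [("out", 0x10), ("in", 0x04)],                 # ACK, RST
}
```

Calling `report(SAMPLE)` tells port 80 apart from port 22 by the third packet alone, which is exactly the difference between a stealth scan and a connect scan in a Wireshark capture.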

Nmap for Port Scanning

I’ve already used Nmap in my previous post for Target Discovery (check it out!). Now, I’m going to use Nmap for port scanning purposes. My lecturer shared an Nmap Quick Reference Guide during class which I find really useful. If I were you, I would save it for later use. :p

Identifying Open Ports with Nmap

LET’S DO SOME PORT SCANNING~!

Open Wireshark and click the ‘Start capturing packets’ button below the File menu to start capturing every packet sent and received on your network during the port scan, so we can see which ports are open.

Wireshark GUI when capturing packets

Let’s start with a SYN scan of pentest.id by typing nmap -sS pentest.id in your Terminal.

The complete process of SYN Stealth Scan on Nmap. It tells all the open ports as a result.

The process of SYN scan can be monitored using Wireshark.

Nmap sends a SYN packet at the beginning of the port scanning process

This picture shows that port 80 is open because the receiver sends back a SYN/ACK packet

An RST/ACK packet is sent back to the sender if the port is closed. In this case, ports 993, 199, 587, 110, and 23 are closed.

Since by default Nmap scans only the 1000 most common ports for each protocol, in random order, it supports port specification so we can choose which ports on the target to scan. Simply add -p <port numbers you want to scan> at the end of the command.

XMAS Scan to pentest.id to port 80 and 21 only.

XMAS Scan captured by Wireshark

I have mentioned earlier that we can check whether the firewall in front of a port is stateful or stateless by doing an ACK scan. Now, let’s check whether the specified ports (ports 80-85) of pentest.id sit behind a stateful or a stateless firewall.

For those who are wondering about the difference between stateless and stateful firewalls:
Stateful firewalls can watch traffic streams from end to end. They are aware of communication paths and can implement various IP security functions such as tunnels and encryption, and they are better at identifying unauthorized and forged communications. Stateless firewalls, on the other hand, do not inspect traffic statefully: they evaluate packet contents statically and do not keep track of the state of network connections. Stateless firewalls are typically faster and perform better under heavier traffic loads.

Based on my research, a port behind a stateful firewall will likely show as filtered, since the firewall can determine whether an incoming ACK packet is part of an established outgoing connection. A port behind a stateless firewall will show as unfiltered during an ACK scan but as filtered during a SYN scan: the firewall can’t block incoming ACK packets, because those could be sent in response to an outgoing connection, so it only filters SYN packets on all ports except those it allows through.

Port 80 until 85 of pentest.id use stateless firewalls.

Other than port specification, Nmap also supports IPv4 target specifications:

  • A single host such as 192.168.0.1.
  • A whole network of adjacent hosts such as 192.168.0.0/24. This specification will include 256 IP addresses ranging from 192.168.0.0 to 192.168.0.255.
  • An octet range addressing such as 192.168.2-4,6.1. This addressing will
    include four IP addresses: 192.168.2.1, 192.168.3.1, 192.168.4.1, and 192.168.6.1.
  • Multiple host specifications such as 192.168.2.1 172.168.3-5,9.1.
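As an added example (my own code, not Nmap’s), the following expands those target specifications into the list of hosts a scan would actually touch, which is a useful check on the footprint of a command before running it. It assumes the forms listed above: a single host, a CIDR block, octet ranges and comma lists, and several specs separated by spaces.

```python
# Added example, not Nmap's own code: expand the IPv4 target specifications listed
# above (single host, CIDR block, octet ranges and comma lists, several specs at
# once) into the hosts a scan would touch, so the footprint can be checked first.
import ipaddress
import itertools
import re

def _octet_values(spec):
    """'2-4,6' -> [2, 3, 4, 6]; items are single numbers or inclusive a-b ranges."""
    values = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", item)
        if not m:
            raise ValueError(f"bad octet spec: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range: {item!r}")
        values.extend(range(lo, hi + 1))
    return values

def expand_target(spec):
    """One target argument -> list of dotted-quad strings in the order they expand."""
    if "/" in spec:
        # A /24 covers all 256 addresses; strict=False tolerates host bits in the address.
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {spec!r}")
    combos = itertools.product(*[_octet_values(o) for o in octets])
    return [".".join(map(str, combo)) for combo in combos]

def expand_targets(args):
    """Several host specifications separated by spaces, as on the nmap command line."""
    hosts = []
    for spec in args.split():
        hosts.extend(expand_target(spec))
    return hosts
```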

Scanning 1000 ports in 192.168.0.0 until 192.168.0.255

Bash Shell Scripting + Nmap 

In the Linux Terminal, we can combine Nmap with Bash shell scripting. A Bash shell script is basically a program written for Bash (a command-line interface for interacting with the operating system) that can run a single command or an entire sequence of commands.

In the picture below, I scanned ports 25 and 80 on 10.25.46.168 by using a for loop and putting the port variable ($port) in the Nmap command.

You can also specify the 4th octet of the IP address using a for loop and a sequence command (`seq 1 5`) to generate a sequence of numbers.

You can also combine more than two commands like I’ve mentioned earlier. In this picture, I’m scanning 10.25.46.1-3 for port 25 and 80 by combining the previous two commands. If you do not like a command line-based application like Nmap, you can try using Zenmap! Zenmap is basically Nmap with a much better interface. ❤

SYN Scan using Zenmap

So, that’s all about Port Scanning. If you have any questions or feedback for me, feel free to hit the comment section! Thank you ❤
