
Port Scanning

The active recon tool we are going to discuss is port scanning.

Port scanning can be used to identify devices on a network and the services running on them. We can also use port scanning as a defensive measure, by scanning our own network for open ports and for devices that are reachable behind a firewall.

Addresses and Ports

The first concept we need to cover is addresses and ports. These provide a mechanism for identifying devices on the network and the services that they run.

Therefore, to connect to a remote service we need two bits of information: the address and the port.

Addresses

Each device on a network should have a unique IP address; this maps an address string to a device.

While IPv4 has been superseded by IPv6 for years now, it still refuses to die, and is something you should be familiar with. An IPv4 address is made up of 4 8-bit (0-254) integers (for example 192.168.1.1).

IPv6 aims to deal with the limit on the number of addresses available under IPv4. It uses 128 bits for addressing and is usually written as 8 groups of 16 bits in hexadecimal (for example 1111:2222:3333:444:5555:6666:7777:8888).

If you need a refresher on how IP addressing works, there is plenty of material online (or go back and look at last year's Networking notes).

Ports

As well as each of the individual machines on a network having their own address, ports are used to identify services running on a machine. Ports can have a value between 0 and 65535. Ports exist for both TCP and UDP services, with each protocol having its own range of 65536 ports.

The first 1024 ports are called the system ports; these are reserved for well known system services (such as SSH). For example, TCP system ports include:

  • 20: FTP
  • 22: SSH
  • 80: HTTP
  • 443: HTTPS

Ports between 1024 and 49151 are the registered ports. These are used for common user applications. For example, 8000 is commonly used as an alternative HTTP port by web servers built into an application.

Finally, ports between 49152 and 65535 are the dynamic ports. These are either used by user level processes, or opened as the user's side of a connection to a well known service.

Depending on the system, we may need admin rights to open a listening port on a machine. For example, on Linux you will need root to open a listener on port 80 or 443. The rights needed are less stringent for the registered and dynamic ports.

Connect Scans

In its basic form a port scanner simply tries to connect to each port in a specified list. If the connection to a port is accepted, then we know it is open. This is known as a connect scan, and is the default in NMAP (if you run it without elevated privileges).

A basic port scanner (here in Python) might look like this.

import socket

HOST = "192.168.1.1"          # the target address from the example above
PORTLIST = [20, 22, 80, 443]  # the ports to try

for port in PORTLIST:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(1.0)                   # don't hang on ports that never answer
        if sock.connect_ex((HOST, port)) == 0: # 0 means the connection was accepted
            print(port, "open")
        else:
            print(port, "closed")

While the connect scan is useful (and sometimes you can't beat rolling your own Python based port scanner), it does have a few drawbacks.

  • We make a full connection to each possible port. Depending on the network stack, and things like timeouts on closed ports, this can take some time.
  • It generates a lot of traffic and noise: the full TCP handshake takes place and a connection is established, which the target's service will usually log.

However, it also has the advantage of not needing any elevated permissions, as we are just connecting out.

"Stealth" Scans

To reduce traffic, NMAP has a "stealth" (otherwise known as SYN or half open) scanning option. This is the default used when you run it with enough privilege to craft raw packets (root on Linux).

The stealth scan only makes use of the first part of the TCP handshake.

[Figure: the TCP 3-way handshake]

So rather than complete the connection, the port scan sends a SYN packet, then infers a port's status based on the response.

  • ACK (the SYN/ACK reply): acknowledgement that the port is open and ready for communication
  • RST (reset): shows that the port is closed.

Detecting Firewalls

The half open scan also gives us an interesting way to detect firewalls, and the ports filtered by the firewall.

  • We know that the server should respond with either an ACK or a RST
  • If we send the SYN and nothing comes back, one of two things is happening:
    • There is a network issue
    • Something is filtering the network traffic to this port.

Nmap will flag a port as Filtered if the second part of the handshake doesn't come back.

[Figure: the 3-way handshake with a firewall filtering the port]

Depending on the firewall config this can give us some useful information. For example, if the filtering is based on a list of known ports, then we can expect closed services to return a RST, while the filtered ports return nothing.

However, if the firewall has a default rule to filter all traffic except allowed ports, the information is less useful. In this situation ALL non-approved ports will show as filtered.
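The open/closed/filtered inference above can also be made from an unprivileged connect scan: a refused connection means a RST came back, while a timeout or ICMP error means something is filtering the port. This is an added example (not part of the original notes), which scans a constructed local setup of one listening port and one closed port on 127.0.0.1; the function names are my own.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Classify one TCP port the way nmap reports it, using a connect scan.

    open     - the three-way handshake completed (connect() succeeded)
    closed   - the host answered our SYN with RST (connection refused)
    filtered - nothing came back before the timeout, or a router or
               firewall replied with an ICMP unreachable error instead
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:   # RST from the target: port closed
        return "closed"
    except OSError:                  # TimeoutError (no reply) or EHOSTUNREACH etc.
        return "filtered"


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Probe every port in `ports` concurrently; return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def demo():
    """Constructed setup: one port we listen on, one we know is closed.

    Returns (open_port, closed_port, result) so the caller can check it.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: kernel picks a free dynamic port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # nothing listens there now, so we get RST
    try:
        return open_port, closed_port, connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()


if __name__ == "__main__":
    o, c, result = demo()
    print(f"port {o}: {result[o]}, port {c}: {result[c]}")
```

Against a real firewall, ports that drop the SYN will come back as "filtered" after the timeout, which is what makes this scan slower than the SYN scan on a locked-down host.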

Other Scanning Types

As well as the SYN scan, there are a couple of other scan types available. Again, these misuse the network stack to try and work around issues like firewalls and IDS. It's less common to have to use these, but they can help if you want to check the strength of your own firewall rules.

To work around firewalls that watch for the SYN element of the TCP handshake, the FIN scan sends only the FIN flag, the part normally used to close a connection. If a port is closed then the TCP specification states it should respond with a RST. Otherwise, we may get an ICMP error, or nothing back.

Return value and its meaning:

  • RST: port is closed
  • Nothing: port is open or filtered
  • ICMP error: port is filtered

This means that we can tell for certain when a port is closed, and, depending on the number of results returned, infer the state of the other ports. For example, if we get 10 results from a FIN scan, it is likely that these ports are open, but filtered. If we get 1000 it is impossible to tell.

Similarly, a NULL scan sets none of the flags in the header; again, this may work around firewall restrictions.

Finally, the XMAS TREE scan sets the FIN, PSH and URG flags in the TCP header. This is like a FIN scan, but with the PSH and URG (push and urgent) flags also set.

Summary

Here we have had a brief overview of port scanning techniques. The traditional connect scan attempts to connect to a given service to see if it is open. The more complex SYN (stealth) scan modifies the scanning process to only use part of the 3 way handshake. The benefits of the SYN scan are that it can run quicker, as it removes the overhead of establishing a full TCP connection. It can also avoid detection by some of the simpler IDS.

Finally, we looked at options for port scanning that set different flags in the TCP header. It's a nice trick, being able to bypass the TCP handshake and still get a response. However, the accuracy of the responses may vary.

Further Reading

  • Cisco on IP addresses
  • Common Ports
