People have been telling me that Port scanning is the basic for any security enthusiasts. Port Scanning is normally done on the "Reconnaissance" phase of the Hacking cycle. So port scanning knowledge should be covered in the beginning of this blog.
The most famous and widely used port scanner is NMAP. So Nmap will be discussed here.
Nmap is a free port scanner that can be downloaded from insecure.org. It runs on various unix such as Linux, Solaris, BSD, etc. It also runs on windows and Mac OS.
Nmap was used on several movies such as Swordfish and Matrix Reloaded.
In the movie "Matrix Reloaded", Trinity was using the Nmap to hack the system (shown in the picture).
After using Nmap, you may find that there are several different port state such as Open, Closed and filtered. Following are the description for each state.
Open – There is a process running that listens for a connection on that port.
Closed – There is no process running that listens on that port. Normally, a TCP RST packet will be received as the response.
Filtered – The packet is likely to be blocked and dropped by a firewall and no response is received. Note: the status of a filtered port is unknown as it could be either open or closed.
Nmap have three main functions, Port Scanning, Host discovery and OS fingerprinting. Below are some of the general usage of Nmap:
Port Scanning
- TCP ping
An ACK packet is sent to port 80 (by default) of the destination host. If the host responds with a RST packet, nmap will consider the host alive and will perform a port scan immediately.
The following syntax to perform TCP ping:
nmap -PT[port_number] host
Example:
nmap -PT 192.168.1.1
- TCP Connect
The TCP Connect scan complete the three-way handshake, those listening destination port will respond to the connection attempt. This method is not stealthy as the connection will be logged.
The following syntax to perform TCP connect scan:
nmap -sT host
Example:
nmap -sT 192.168.1.1
- TCP SYN / Half-Open
The SYN packet is sent out to the destination host. If the target host is listening on a particular port, it will respond with a SYN+ACK. If the host is alive but not listening on a particular port, a RST packet will be received. This scan will be stealthy as it does not complete the TCP three-way handshake.
The following syntax to perform TCP SYN scan:
nmap -sS host
Example:
nmap -sS 192.168.1.1
- FIN
The FIN packet is sent out to the destination host. If the target host is alive but not listening on a particular port, it will respond with a RST packet. However if the host is listening on a particular port, it will not respond.
Note: Microsoft Windows hosts will send RST packets in all cases.
The following syntax to perform FIN scan:
nmap -sF host
Example:
nmap -sF 192.168.1.1
- UDP
The UDP packet is sent to the port. IF the target port is not listening on the particular UDP port, an ICMP port unreachable packet is received. However, if the target host is listening on the particular port, no such packet is received. Since UDP is not a connection-oriented, UDP scanning is unreliable.
The following syntax to perform UDP scan:
nmap -sU host
Example:
nmap -sU 192.168.1.1
- Specific or range of ports
By default, it will only scans for the commonly known ports (1 - 1024). You can specific or a range of ports.
The following syntax to perform scan on specific port:
nmap -sS -p [port/range] host
Example to scan on port 25:
nmap -sS -p 25 192.168.1.1
Example to scan on range of ports:
nmap -sS -p 1-65535 192.168.1.1
Host Discovery
- Ping Sweep
It will ping for numerous hosts. It is useful to determine a large number of alive hosts that respond to ICMP echo requests.
Note: If Firewall block ICMP echo, hosts in your network will not respond.
The following syntax to perform ping sweep:
nmap -sP hosts
Example:
nmap -sP 192.168.1.*
nmap -sP 192.168.1.0/32
OS fingerprinting
- OS and Version detection
It can perform OS fingerprinting and detection based on the characteristic of the TCP stack. Various OS uses specific TCP/IP stack and settings. Use -A flag for both OS and application version detection.
The following syntax to perform OS detection:
nmap -O host
Example:
nmap -O 192.168.1.1
Thursday, September 20, 2007
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment