Thursday, September 20, 2007

Is the port opened?

People have been telling me that port scanning is the basic skill for any security enthusiast. Port scanning is normally done in the "Reconnaissance" phase of the hacking cycle, so port scanning knowledge should be covered at the beginning of this blog.
The most famous and widely used port scanner is Nmap, so Nmap will be discussed here.

Nmap is a free port scanner that can be downloaded from insecure.org. It runs on various Unix systems such as Linux, Solaris and BSD, and it also runs on Windows and Mac OS.
Nmap has appeared in several movies, such as Swordfish and Matrix Reloaded.

In the movie "Matrix Reloaded", Trinity uses Nmap to hack into a system (shown in the picture).

After running Nmap, you will find that ports can be in several different states, such as open, closed and filtered. The following describes each state.
Open – A process is running that listens for connections on that port.
Closed – No process is listening on that port. Normally a TCP RST packet is received as the response.
Filtered – The probe is likely being blocked and dropped by a firewall, so no response is received. Note: the real status of a filtered port is unknown, as it could be either open or closed.

Nmap has three main functions: port scanning, host discovery and OS fingerprinting. Below is some general usage of Nmap:

Port Scanning
- TCP ping
An ACK packet is sent to port 80 (by default) of the destination host. If the host responds with a RST packet, Nmap considers the host alive and immediately performs a port scan.

The syntax to perform a TCP ping is:
nmap -PT[port_number] host
Example:
nmap -PT 192.168.1.1

- TCP Connect
The TCP connect scan completes the three-way handshake, so listening destination ports respond to the connection attempt. This method is not stealthy, as the connection will be logged.
The syntax to perform a TCP connect scan is:
nmap -sT host
Example:
nmap -sT 192.168.1.1

- TCP SYN / Half-Open
A SYN packet is sent to the destination host. If the target host is listening on that port, it responds with a SYN+ACK. If the host is alive but not listening on that port, a RST packet is received. This scan is stealthier, as it does not complete the TCP three-way handshake.
The syntax to perform a TCP SYN scan is:
nmap -sS host
Example:
nmap -sS 192.168.1.1

- FIN
A FIN packet is sent to the destination host. If the target host is alive but not listening on that port, it responds with a RST packet. However, if the host is listening on that port, it does not respond.
Note: Microsoft Windows hosts send RST packets in all cases, so a FIN scan cannot tell open ports from closed ones on them.
The syntax to perform a FIN scan is:
nmap -sF host
Example:
nmap -sF 192.168.1.1

- UDP
A UDP packet is sent to the port. If the target host is not listening on that UDP port, an ICMP port unreachable packet is received. However, if the target host is listening on that port, no such packet is received. Since UDP is not connection-oriented, UDP scanning is unreliable.
The syntax to perform a UDP scan is:
nmap -sU host
Example:
nmap -sU 192.168.1.1

- Specific or range of ports
By default, Nmap only scans the commonly known ports (1 - 1024). You can specify a single port or a range of ports.
The syntax to scan a specific port is:
nmap -sS -p [port/range] host
Example to scan port 25:
nmap -sS -p 25 192.168.1.1
Example to scan a range of ports:
nmap -sS -p 1-65535 192.168.1.1
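The SYN and FIN probes described above never complete a handshake, so the application on the target does not log them, but a packet-logging firewall still sees every probe. The following Python script is an added example (not from this post or from Nmap): it parses constructed, simplified iptables-style log lines and flags any source that touches many distinct ports on one host within a short window, and reports bare FIN probes on their own. Log lines, host names, addresses and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified iptables-style log lines (not from any real host):
# 192.168.1.50 fires single packets at many ports of 192.168.1.1 within seconds.
SAMPLE_LOG = """\
Sep 20 10:01:02 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=40001 DPT=21 SYN
Sep 20 10:01:02 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 20 10:01:03 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=40003 DPT=25 SYN
Sep 20 10:01:03 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=40004 DPT=80 SYN
Sep 20 10:01:04 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=40005 DPT=443 SYN
Sep 20 10:01:30 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=40006 DPT=139 FIN
Sep 20 10:05:00 fw kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.1 PROTO=TCP SPT=51000 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)(?P<flags>.*)$")

def parse(log):
    """Yield (timestamp, src, dst, proto, dport, flags) for each matching line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:   # syslog timestamps carry no year; 2007 is assumed here
            ts = datetime.strptime("2007 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["dst"], m["proto"], int(m["dpt"]), m["flags"].split()

def find_scanners(log, window_s=60, min_ports=5):
    """Return ({src: sorted distinct dports}, [(src, dst, dport) of FIN probes]).
    A source is flagged when it touches at least min_ports distinct ports on one
    destination within window_s seconds. A bare FIN (no SYN, no ACK) is listed
    separately: it never belongs to a legitimate handshake."""
    hits = defaultdict(list)          # (src, dst) -> [(timestamp, dport)]
    fin_probes = []
    for ts, src, dst, proto, dport, flags in parse(log):
        hits[(src, dst)].append((ts, dport))
        if proto == "TCP" and "FIN" in flags and not {"SYN", "ACK"} & set(flags):
            fin_probes.append((src, dst, dport))
    scanners = {}
    for (src, dst), events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window from each packet
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners, fin_probes
```

Real iptables log lines carry more fields (LEN, TTL, WINDOW and so on) between DST and PROTO; the lazy `.*?` before SRC is the only place this parser tolerates extra fields, so adjust the pattern to your own log format.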

Host Discovery
- Ping Sweep
It pings numerous hosts. It is useful for determining which of a large number of hosts are alive, based on which ones respond to ICMP echo requests.
Note: if a firewall blocks ICMP echo, the hosts behind it will not respond.
The syntax to perform a ping sweep is:
nmap -sP hosts
Example:
nmap -sP 192.168.1.*
nmap -sP 192.168.1.0/24

OS fingerprinting
- OS and Version detection
Nmap can perform OS fingerprinting and detection based on the characteristics of the target's TCP/IP stack, since each OS uses its own TCP/IP stack implementation and settings. Use the -A flag for both OS and application version detection.
The syntax to perform OS detection is:
nmap -O host
Example:
nmap -O 192.168.1.1

Thursday, September 6, 2007

You've got spoofed mail

Have you ever received mail that claims to be from "Microsoft" or "PayPal" but is actually spoofed?

Do you know that you can easily send a spoofed email without even using any special software or application?

For people who understand SMTP, it is very easy to send a spoofed email using simple SMTP commands. You will see how it can be done in a few simple steps below.

Any mail server or application that needs to send out email first needs to know the address of the destination mail server.

A DNS query for the MX (Mail Exchange) record is required to find the address of the mail server of the recipient domain (e.g. Disney.com, shown in the picture).

From the command prompt, type nslookup to query the DNS. (You can see that the DNS server I am accessing is from Maxonline.)
You can query the IP address by simply typing the host name (e.g. www.disney.com).
To query the MX record, type set type=mx to change the DNS query type, then enter the domain (disney.com).

From the MX record of "disney.com", you can see four mail servers' names and also their IP addresses:
- mx1.disney.com
- mx2.disney.com
- mx3.disney.com
- mx4.disney.com

After getting the mail servers' addresses, you can use a few simple SMTP commands to send a spoofed mail.

Connect to the Disney mail server:
- telnet mx1.disney.com 25

When connected, you will see the banner that "welcomes" you. Type "helo" to initiate the SMTP session with the server. You will see your IP address in the reply (covered in the picture); it will be logged by Disney's mail server.
To set the sender address, you can use any address, even a spoofed one (like the example below):
- mail from:hacker@hacker.org
For the recipient address, make sure you type in the correct recipient address:
- rcpt to:mickeymouse@disney.com
To send the subject and email message, use the "data" command and enter them after it. Use a "." on a line by itself to end the email.

Open Relay
As you may have noticed, even though you have spoofed the sender address of the email, the recipient mail server has already logged your system's IP address. One way to hide your IP is to use an open relay to forward your email to the actual recipient mail server.

To see whether a mail server is an open relay, you can try to send to a recipient in another domain (e.g. sending to "openrelay@hacker.org" via the Disney.com mail server).

Make sure your mail server is configured to only accept recipients of your own domain. If your mail server serves Disney.com, it should only accept recipients at Disney.com.
If you want to protect it further, you can configure it to query your email directory and only accept valid recipients. This will protect against footprinting.
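To show the server side of the SMTP exchange above together with the two open-relay protections just described, here is an added Python example (not code from this post or from any real mail server): it walks a client's command lines in order, takes the envelope sender on trust as SMTP does, and rejects recipients outside the local domain or missing from the directory. The domain example.com, the host name, the user directory and the client IP are all constructed stand-ins.

```python
# Added illustration of the receiving server's envelope policy; not any real
# MTA's code. Domain, host name, user directory and client IP are constructed.
LOCAL_DOMAIN = "example.com"
DIRECTORY = {"mickeymouse", "postmaster"}   # stands in for the mail directory

def handle_session(commands, client_ip="203.0.113.9"):
    """Feed the client's command lines in order; return the server's replies."""
    replies = ["220 mx1.example.com ESMTP"]
    sender, rcpts, in_data = None, [], False
    for line in commands:
        if in_data:                          # message text until a lone "."
            if line == ".":
                in_data = False
                replies.append(f"250 queued from {sender} for {len(rcpts)} recipient(s)")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            # the peer address comes from the socket, not from anything the client sends
            replies.append(f"250 mx1.example.com Hello {arg} [{client_ip}]")
        elif verb == "MAIL":
            sender = arg.split(":", 1)[-1].strip("<> ")
            replies.append("250 OK")         # the envelope sender is taken on trust
        elif verb == "RCPT":
            if sender is None:
                replies.append("503 need MAIL first")
                continue
            user, _, domain = arg.split(":", 1)[-1].strip("<> ").rpartition("@")
            if domain.lower() != LOCAL_DOMAIN:
                replies.append("550 relay not permitted")  # refuse to act as an open relay
            elif user.lower() not in DIRECTORY:
                replies.append("550 no such user")         # directory check
            else:
                rcpts.append(user)
                replies.append("250 OK")
        elif verb == "DATA":
            if not rcpts:
                replies.append("503 no valid recipients")
            else:
                in_data = True
                replies.append("354 end data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 bye")
            break
        else:
            replies.append("500 command not recognised")
    return replies
```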