MODULE 5
PORT SCANNING
What is Port Scanning?
Port scanning is a method for determining which ports on a network are open. Ports on a
computer are where information is sent and received, so port scanning is analogous to
knocking on doors to see if someone is home. Running a port scan on a network or server
reveals which ports are open and listening (receiving information), and also reveals the
presence of security devices such as firewalls between the sender and the target.
This technique is known as fingerprinting. It is also valuable for testing network security and the
strength of a system’s firewall. For the same reason, it is a popular reconnaissance tool
for attackers looking for a weak point of access to break into a computer.
Ports vary in the services they offer. They are numbered from 0 to 65535, but certain ranges are
more frequently used. Ports 0 to 1023 are known as the “well-known ports” or standard
ports. They have been assigned services by the Internet Assigned Numbers Authority (IANA).
Some of the most prominent ports and their assigned services include:
Port 20 (udp) – File Transfer Protocol (FTP) for data transfer
Port 22 (tcp) – Secure Shell (SSH) protocol for secure logins, ftp, and port forwarding
Port 23 (tcp) – Telnet protocol for unencrypted text communications
Port 53 (udp) – Domain Name System (DNS), which translates the names of computers on the
internet into IP addresses
Port 80 (tcp) – World Wide Web HTTP
There are standard services offered on ports above 1023 as well. Unexpected open ports can also
indicate an infected system, since some far-reaching Trojans and viruses listen on known ports.
A port scan sends a carefully prepared packet to each destination port number.
Test Parameters
Scan all ports when performing a test, not just the standard ports (1 - 1023)
Many programs use port numbers outside the range of standard ports
For instance, if port 655301 is open, the service behind it can be looked up on the CVE
website for known vulnerabilities.
NMAP
Nmap (Network Mapper) is a network scanning and host detection tool that is very useful
during several steps of penetration testing. Nmap is not limited to merely gathering information
and enumeration; it is also a powerful utility that can be used as a vulnerability detector or a
security scanner. Nmap is thus a multipurpose tool, and it runs on many different operating
systems including Windows, Linux, BSD, and Mac. Nmap can be used for:
Host discovery: To detect the live hosts on the network
Port discovery or enumeration: To detect the open ports on a host
Service discovery: To detect the software and version behind each port
Nmap scripts: To detect vulnerabilities and security holes
Detecting the operating system, hardware address, and software version
Nmap is a free, open-source port scanner available for both UNIX and Windows. It supports a
wide variety of scan types, each with different benefits and drawbacks. NmapFE is an
optional graphical front-end.
Features of NMAP
1. Improved NSE Functionality
2. IPv6 Support
3. Faster network scanner
4. Better TLS/SSL scanning
5. OS detection
6. Service Discovery
Zenmap
Zenmap is a free and open-source GUI designed to be used with Nmap. It is a multiplatform tool
which supports Linux, Ubuntu, Mint, Kali, Fedora, CentOS, Windows, Mac OS X, BSD and many
more. While Nmap is a very powerful tool for network scanning and vulnerability discovery, it is
completely command line based. Zenmap can be used by beginners to scan a network and
discover vulnerabilities.
BASIC COMMANDS FOR NMAP
Scan a single host or an IP address (IPv4):
## Scan a single IP address ##
nmap 192.168.1.1
## Scan a host name ##
nmap server1.cyberciti.biz
## Scan a host name with more info ##
nmap -v server1.cyberciti.biz
Scan multiple IP addresses or a subnet (IPv4):
Turn on OS and version detection scanning scripts (IPv4):
Find out if a host/network is protected by a firewall:
Scan a host that is protected by a firewall:
Scan a network and find out which servers and devices are up and running:
This is known as host discovery or a ping scan:
Show all packets sent and received:
For more commands, refer to the official Nmap site.
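Once a scan has run with grepable output (for example `nmap -sS -p- -oG - <target>`, which combines the default SYN scan with the "scan all ports" test parameter above), the defensive follow-up is to compare what is listening against what is supposed to be listening. The following Python script is an added example written for this module, not code from the Nmap project or from the module's sources: it parses the `-oG` format (each `Ports:` entry is `port/state/protocol/owner/service/rpcinfo/version/`) and reports open ports that are missing from a per-host allowlist. The sample scan output, host names, addresses and allowlist are all constructed.

```python
"""Parse Nmap grepable (-oG) output and flag open ports not on an allowlist.

Added example for this module; not code from Nmap. The scan output below is
constructed to mimic the -oG format and the hosts and ports are made up.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# --- constructed sample: what `nmap -sS -sU -p- -oG - 192.168.1.10-11` might print
SAMPLE_OG = (
    "# Nmap 7.93 scan initiated as: nmap -sS -sU -p- -oG - 192.168.1.10-11\n"
    "Host: 192.168.1.10 (web01.example.internal)\tStatus: Up\n"
    "Host: 192.168.1.10 (web01.example.internal)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 8443/open/tcp//https-alt///, "
    "31337/open/tcp//Elite///\tIgnored State: closed (65530)\n"
    "Host: 192.168.1.11 (db01.example.internal)\tStatus: Up\n"
    "Host: 192.168.1.11 (db01.example.internal)\tPorts: 22/open/tcp//ssh///, "
    "3306/open/tcp//mysql///, 53/open|filtered/udp//domain///"
    "\tIgnored State: closed (65532)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

# Constructed allowlist: the (port, protocol) pairs each host is supposed to expose.
ALLOWLIST: Dict[str, Set[Tuple[int, str]]] = {
    "192.168.1.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.168.1.11": {(22, "tcp"), (3306, "tcp")},
}

HOST_RE = re.compile(r"^Host: (?P<ip>\S+)")
# port/state/protocol/owner/service/ ... ; the state may be "open|filtered".
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>[\w|]+)/(?P<proto>\w+)/[^/]*/(?P<service>[^/]*)/"
)


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str


def parse_grepable(text: str) -> Dict[str, List[PortEntry]]:
    """Return {ip: [PortEntry, ...]} for every host line in -oG output."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                       # "# Nmap ..." comment lines
        entries = hosts.setdefault(m["ip"], [])
        # Fields are tab-separated: "Host: ...", "Status: Up" or "Ports: ...", "Ignored State: ..."
        for field in line.split("\t"):
            if field.startswith("Ports: "):
                for pm in PORT_RE.finditer(field):
                    entries.append(PortEntry(int(pm["port"]), pm["proto"],
                                             pm["state"], pm["service"]))
    return hosts


def unexpected_open(scan: Dict[str, List[PortEntry]],
                    allowlist: Dict[str, Set[Tuple[int, str]]],
                    states: Tuple[str, ...] = ("open",)) -> Dict[str, List[PortEntry]]:
    """Return {ip: [PortEntry, ...]} for listening ports missing from the allowlist.

    Only "open" counts by default. UDP probes often come back "open|filtered"
    (no reply either way); pass states=("open", "open|filtered") to surface
    those as findings that need manual confirmation.
    """
    findings: Dict[str, List[PortEntry]] = {}
    for ip, entries in scan.items():
        allowed = allowlist.get(ip, set())   # a host not in the allowlist allows nothing
        bad = [e for e in entries
               if e.state in states and (e.port, e.proto) not in allowed]
        if bad:
            findings[ip] = bad
    return findings


if __name__ == "__main__":
    for ip, entries in unexpected_open(parse_grepable(SAMPLE_OG), ALLOWLIST).items():
        for e in entries:
            print(f"{ip}: unexpected {e.port}/{e.proto} ({e.service}) is {e.state}")
```

Run against a real scan, the script reads the `-oG` file instead of `SAMPLE_OG`; with `-sV` the version field can contain commas and spaces, which is why entries are matched on the `port/state/protocol/` structure rather than by splitting on commas. In the sample, `8443/tcp` and `31337/tcp` on the web host are reported, while the database host's `53/udp` only appears when `open|filtered` is included.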
TYPES OF PORT SCANS
Vanilla - An attempt to connect to all ports (there are 65,536)
Strobe - An attempt to connect to only selected ports (typically, under 20)
Stealth scan - Several scanning techniques that attempt to keep the connection request
from being logged
FTP Bounce Scan - Attempts that are directed through a File Transfer Protocol (FTP) server to
disguise the cracker's location
Fragmented Packets - Scans that send packet fragments which can get through simple
packet filters in a firewall
UDP - Scans for open User Datagram Protocol ports
Sweep - Scans the same port on several computers
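The scan types above leave different traces: a vanilla or strobe scan touches many ports on one host, a sweep touches one port on many hosts, and a SYN (half-open) stealth scan never completes a connection, so it is absent from application or connection logs and visible only in packet-level firewall logs. The following Python detector is an added example for this module, not code from any product or from the module's sources. It runs over constructed lines in the iptables `LOG` format (the `SRC=`, `DST=`, `PROTO=` and `DPT=` fields), groups packets per source inside a time window, and raises a "vertical" alert when one source hits many ports on one host or a "sweep" alert when it hits one port on many hosts. The window and thresholds are assumptions to tune per network, and the addresses come from documentation ranges.

```python
"""Detect port scans in firewall packet logs.

Added example for this module. Log lines are constructed in iptables LOG
format; addresses are documentation ranges, thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple

EPOCH = datetime(2024, 1, 1)       # syslog timestamps carry no year; one is assumed
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


class Event(NamedTuple):
    ts: float       # seconds since EPOCH
    src: str
    dst: str
    proto: str
    dpt: int


class Alert(NamedTuple):
    src: str
    kind: str       # "vertical": many ports on one host; "sweep": one port on many hosts
    target: str     # the scanned host, or "PROTO/port" for a sweep
    count: int


def parse_log(lines: List[str]) -> List[Event]:
    """Turn iptables LOG lines into time-sorted Events; other kernel messages are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        when = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append(Event((when - EPOCH).total_seconds(), m["src"], m["dst"],
                            m["proto"], int(m["dpt"])))
    return sorted(events)


def detect_scans(events: List[Event], window: float = 60.0,
                 vertical_min: int = 10, sweep_min: int = 5) -> List[Alert]:
    """Slide a window over each source's packets and alert once per (kind, target)."""
    alerts: List[Alert] = []
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    for src, evs in by_src.items():
        seen: Set[Tuple[str, str]] = set()
        for i, first in enumerate(evs):
            ports_per_host: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
            hosts_per_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
            for e in evs[i:]:
                if e.ts - first.ts > window:
                    break                  # events are sorted, so the window is closed
                ports_per_host[e.dst].add((e.proto, e.dpt))
                hosts_per_port[(e.proto, e.dpt)].add(e.dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= vertical_min and ("vertical", dst) not in seen:
                    seen.add(("vertical", dst))
                    alerts.append(Alert(src, "vertical", dst, len(ports)))
            for (proto, dpt), hosts in hosts_per_port.items():
                key = ("sweep", f"{proto}/{dpt}")
                if len(hosts) >= sweep_min and key not in seen:
                    seen.add(key)
                    alerts.append(Alert(src, "sweep", key[1], len(hosts)))
    return alerts


def _line(ts: str, src: str, dst: str, dpt: int, proto: str = "TCP") -> str:
    # Builds one constructed line in iptables LOG format (not a captured log).
    return (f"{ts} fw kernel: [1234.5] FW-DROP: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO={proto} SPT=41234 "
            f"DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


SAMPLE_LOG: List[str] = (
    # vertical scan: one source probes 12 ports on one host within 4 seconds
    [_line(f"Mar 12 12:00:0{i % 4}", "203.0.113.5", "192.168.1.10", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080])]
    # sweep: another source probes port 22 on six hosts
    + [_line("Mar 12 12:01:00", "198.51.100.7", f"192.168.1.{h}", 22) for h in range(10, 16)]
    # benign noise: a workstation reaches 443 on two hosts, plus an unrelated kernel line
    + [_line("Mar 12 12:02:00", "192.168.1.50", "192.168.1.10", 443),
       _line("Mar 12 12:02:01", "192.168.1.50", "192.168.1.11", 443),
       "Mar 12 12:02:02 fw kernel: [1240.0] usb 1-1: new high-speed USB device"]
)

if __name__ == "__main__":
    for a in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"{a.src}: {a.kind} scan of {a.target} ({a.count} distinct)")
```

On the sample, the first source is reported as a vertical scan of one host (12 distinct ports) and the second as a sweep of `TCP/22` across six hosts, while the workstation stays below both thresholds. Because the detector counts SYN packets logged by the firewall rather than completed connections, a half-open scan is caught the same way as a full connect scan; a slow scan spread beyond the window is not, which is the trade-off the window size controls.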
Types of Port Scans commands
Scan using TCP connect : nmap -sT 192.168.1.1
Scan using TCP SYN scan (default) : nmap -sS 192.168.1.1
Scan UDP ports : nmap -sU -p 123,161,162 192.168.1.1
Scan selected ports - ignore discovery : nmap -Pn -F 192.168.1.1
References:
What is a port scan? –
https://www.paloaltonetworks.com/cyberpedia/what-is-a-port-scan
Nmap.docx – College of Engineering, Trivandrum
https://www.coursehero.com/file/35745216/NMAPdocx/