Port Scanning - JimKnee-Champ/Ethical-Hacking-Journal GitHub Wiki

Goals of scanning: find targets to analyze for vulnerabilities. Find live hosts on the network with ping sweeps or TCP/UDP network scans; find open ports on live hosts with TCP/UDP port scans; use scanning tools to examine IPS/IDS and firewalls.

ICMP/PING: A ping sweep is good for a first pass, but it is very obvious to system defenders and is commonly blocked by network security systems or even a default Windows 10 install, meaning you miss valid targets.

TCP/UDP Scanning: used if ICMP is blocked. Can be more reliable and less noisy if you target well-known ports, but is very slow.

NMAP: well-known and versatile scanning tool. Can determine which computers are active on the target network, their listening ports, what service is running on those ports (e.g. HTTP not on port 80), the operating system, and user credentials.

Command structure: nmap <timing option: -TX, where the higher X is, the more aggressive the scan> <target(s)>. Note: run nmap both as sudo and as a regular user, since the results differ. Ports can be open, closed, or filtered (filtered means nmap doesn't know).

Nmap does discovery with

  • an ICMP echo request,
  • a TCP SYN packet to port 443,
  • a TCP ACK packet to port 80,
  • and an ICMP timestamp request.

Then it performs a scan of the top 1,000 ports. Nmap has an option to do host discovery without a full port scan:

-sn only sends pings and a few TCP packets to try to determine if a host is available
-sS SYN scan
-T3 normal timing (the default)

Standard output (what you monitor on the terminal) gives a simple port-to-service mapping looked up from the nmap-services file, not the result of probing the service itself.

(-sS) SYN Scan: The SYN scan is the default scan option used by Nmap when no scan option is defined (and nmap is run with root privileges). It can also be requested explicitly by putting -sS in the command string. This scan initiates a TCP connection with the target but never completes the three-way handshake.

AKA half-open scan: it sends a SYN, gets the SYN/ACK back, but never sends the final ACK.
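The defender's side of the SYN scan described above, as an added example that is not part of the wiki: because a SYN scan never completes the handshake, a firewall that logs inbound SYNs sees one source hitting many destination ports in quick succession. The script below counts, per source address, how many distinct destination ports received a SYN (and not a SYN/ACK, which iptables logs as "ACK SYN") and flags sources over a threshold. The log lines are constructed to look like iptables LOG output and are not real captures; the field layout and the threshold of five ports are assumptions.

```shell
#!/bin/sh
# Added example: detect SYN-scan fan-out in firewall logs (constructed data).
# Each line mimics an iptables LOG entry; the flags column is "SYN" for a
# client's first packet and "ACK SYN" for a server's reply.
FW_LOG='Mar  3 10:00:01 gw kernel: [FW-IN] IN=eth0 OUT= SRC=10.0.5.77 DST=10.0.5.10 PROTO=TCP SPT=41002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:01 gw kernel: [FW-IN] IN=eth0 OUT= SRC=10.0.5.77 DST=10.0.5.10 PROTO=TCP SPT=41002 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:01 gw kernel: [FW-IN] IN=eth0 OUT= SRC=10.0.5.77 DST=10.0.5.10 PROTO=TCP SPT=41002 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:01 gw kernel: [FW-IN] IN=eth0 OUT= SRC=10.0.5.77 DST=10.0.5.10 PROTO=TCP SPT=41002 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:02 gw kernel: [FW-IN] IN=eth0 OUT= SRC=10.0.5.77 DST=10.0.5.10 PROTO=TCP SPT=41002 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:02 gw kernel: [FW-IN] IN=eth0 OUT= SRC=10.0.5.77 DST=10.0.5.10 PROTO=TCP SPT=41002 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:05 gw kernel: [FW-IN] IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.5.10 PROTO=TCP SPT=52010 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:00:05 gw kernel: [FW-OUT] IN= OUT=eth0 SRC=10.0.5.10 DST=10.0.5.23 PROTO=TCP SPT=443 DPT=52010 WINDOW=65160 RES=0x00 ACK SYN URGP=0
Mar  3 10:00:09 gw kernel: [FW-IN] IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.5.10 PROTO=TCP SPT=52011 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

# Print "<distinct DPT count> <SRC>" for every source that sent pure SYNs,
# highest fan-out first. SYN/ACK replies ("ACK SYN") are excluded so that
# a busy server answering clients is not counted as a scanner.
syn_fanout() {
    printf '%s\n' "$FW_LOG" \
      | awk '
          /PROTO=TCP/ && / SYN / && !/ ACK / {
              for (i = 1; i <= NF; i++) {
                  if ($i ~ /^SRC=/) src = substr($i, 5)
                  if ($i ~ /^DPT=/) dpt = substr($i, 5)
              }
              seen[src, dpt]++           # one entry per (source, port) pair
          }
          END {
              for (k in seen) { split(k, p, SUBSEP); ports[p[1]]++ }
              for (s in ports) print ports[s], s
          }' \
      | sort -rn
}

# List sources whose distinct-port fan-out is at least the threshold
# (default 5, an assumed value; tune it to the network's normal traffic).
flag_scanners() {
    syn_fanout | awk -v t="${1:-5}" '$1 >= t { print $2 }'
}

echo "SYN fan-out per source:"
syn_fanout
echo "Likely scanners (>= 5 ports):"
flag_scanners 5
```

On this constructed sample 10.0.5.77 touched six ports with nothing but SYNs and is flagged, while 10.0.5.23 only retried port 443 and is not. In practice the same counting would be done per time window (e.g. by bucketing on the timestamp) rather than over the whole log.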

(-sU) UDP Scan: Unlike TCP scans, UDP scans rely on replies from systems whose tested ports are closed. If the packet sent elicits a UDP response from the target, then the port being probed is open. If no response is received, then the port could be open or could be filtered by a device like a firewall (open|filtered). Closed UDP ports are identified by an ICMP type 3, code 3 response (port unreachable). Ports confirmed as filtered produce an ICMP type 3 response with code 1, 2, 9, 10, or 13, indicating various unreachable errors.

Nmap port options: -p <ports> scans only the specified ports; -p- scans all port numbers.

Host Discovery vs Port Scanning: recon has two goals: find live hosts, then find the ports and services on those hosts.

ARP Ping: for host discovery on the local subnet, nmap uses ARP (Address Resolution Protocol) pings. ARP converts IPs to MAC addresses with layer-2 broadcasts, so it matches IPs to individual machines.

Port scan only with Nmap: host discovery and port scanning are separate steps, so you can port scan without discovery: -Pn skips the ping (aka no host discovery); -sL (list scan) just lists the targets instead of discovering them.

-T4 and -T5 scans are not permitted on the SEC335 network.

Identifying the service on a port is more useful than just knowing the port is open.

(-sV) service detection
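Once a scan is done, the interesting part is turning the open/closed/filtered states and the -sV service names into something you can act on. As an added example that is not part of the wiki, the script below parses Nmap's greppable output (the -oG format, which packs each host's ports into one "Ports:" line as port/state/proto/owner/service/rpc/version/) and answers the questions above: which hosts are up, which ports are in a given state, and what service was detected on a port. The two hosts and their ports are constructed sample data, not a real scan; real -oG output separates fields with tabs, which this parser also accepts.

```shell
#!/bin/sh
# Added example: parse Nmap -oG (greppable) output. The report below is
# CONSTRUCTED sample data in the -oG layout, not output from a real scan.
NMAP_GREPPABLE='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.5.10 ()  Status: Up
Host: 10.0.5.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/filtered/tcp//https///  Ignored State: closed (997)
Host: 10.0.5.11 ()  Status: Up
Host: 10.0.5.11 ()  Ports: 8080/open/tcp//http-proxy///, 53/open|filtered/udp//domain///  Ignored State: closed (998)
# Nmap done (constructed sample)'

# Hosts nmap reported as up, one per line.
hosts_up() {
    printf '%s\n' "$NMAP_GREPPABLE" | awk '/Status: Up/ { print $2 }'
}

# Print "port/proto/service" for every port of <host> in <state>.
# Usage: ports_in_state 10.0.5.10 open      (state may be open|filtered etc.)
# Closed ports never appear: nmap folds them into "Ignored State".
ports_in_state() {
    host=$1; state=$2
    printf '%s\n' "$NMAP_GREPPABLE" \
      | awk -v h="$host" -v s="$state" '
          $2 == h && /Ports:/ {
              sub(/.*Ports: /, "")                      # keep only the port list
              sub(/[[:space:]]*Ignored State.*/, "")   # drop the trailing summary
              n = split($0, entry, /, /)
              out = ""
              for (i = 1; i <= n; i++) {
                  split(entry[i], f, "/")   # port/state/proto/owner/service/rpc/version/
                  if (f[2] == s)
                      out = out (out == "" ? "" : " ") f[1] "/" f[3] "/" f[5]
              }
              print out
          }'
}

# Service (and version, when -sV found one) on a single port of a host.
# Usage: service_on 10.0.5.10 22
service_on() {
    host=$1; port=$2
    printf '%s\n' "$NMAP_GREPPABLE" \
      | awk -v h="$host" -v p="$port" '
          $2 == h && /Ports:/ {
              sub(/.*Ports: /, ""); sub(/[[:space:]]*Ignored State.*/, "")
              n = split($0, entry, /, /)
              for (i = 1; i <= n; i++) {
                  split(entry[i], f, "/")
                  if (f[1] == p) print (f[7] == "" ? f[5] : f[5] " (" f[7] ")")
              }
          }'
}

for h in $(hosts_up); do
    echo "$h open: $(ports_in_state "$h" open)"
    echo "$h filtered: $(ports_in_state "$h" filtered)"
done
echo "10.0.5.10:22 runs $(service_on 10.0.5.10 22)"
```

The same functions work on a real file by replacing the NMAP_GREPPABLE literal with `$(cat scan.gnmap)` after running `nmap -sV -oG scan.gnmap <targets>`. Note how 8080 on the second host is reported as http-proxy, the kind of "HTTP not on port 80" case the notes mention, and how the UDP port comes back as open|filtered rather than a definite state.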

Nmap OS detection is bad.

Three ways to sweep 10.0.5.2-50 for live hosts and save the results (each loop needed its missing do/done, and the ping loop needed -c 1 so it does not run forever on the first host):

```bash
# fping: prints "<ip> is alive" for hosts that answer; keep the IP
for i in $(seq 2 50); do fping 10.0.5.$i | grep "alive" | cut -d " " -f 1 >> sweep2.txt; done

# nmap ping scan: "Nmap scan report for <ip>" appears only for hosts that are up
for i in $(seq 2 50); do sudo nmap -sn --open 10.0.5.$i | grep 10.0.5 | cut -d " " -f 5 >> sweep3.txt; done

# plain ping: one probe per host with a 1 s timeout; field 4 of "64 bytes from <ip>:" is the IP (trailing colon stripped)
for i in $(seq 2 50); do ping -c 1 -W 1 10.0.5.$i | grep "64 bytes" | cut -d " " -f 4 | tr -d ':' >> sweep.txt; done
```
