Read: Class 02 Network scanning with NMAP - VascoLucas01/networking-reading-notes GitHub Wiki

Introduction

This topic, like the others, is largely based on documentation that I often consulted (see REFERENCES, 2) to explain the material better, and which I definitely recommend consulting.

First of all, I consider it important to explain what a port scanner is, and then what the Nmap command is.

Additionally, I focus a bit on security and end with three examples.

What is a port scanner?

It is widely known that, normally, a server process waits patiently on an open port for a request/contact by a remote client. Some ports are reserved for well-known applications (from 0 to 1023; e.g., Web, FTP, DNS, ...), other ports are used by convention by popular applications (e.g., the Microsoft 2000 SQL server listens for requests on UDP port 1434). Thus, if we determine that a port is open on a host, we may be able to map that port to a specific application running on the host. This is very useful for system administrators, who are often interested in knowing which network applications are running on the hosts in their networks. But attackers, in order to "case the joint," also want to know which ports are open on target hosts. If a host is found to be running an application with a known security flaw, then that host is ripe for attack. Determining which applications are listening on which ports is a relatively easy task. Indeed, there are a number of public domain programs, called port scanners, that do just that. Perhaps the most widely used of these is Nmap, freely available at http://nmap.org and included in most Linux distributions. For TCP, Nmap sequentially scans ports, looking for ports that are accepting TCP connections. For UDP, Nmap again sequentially scans ports, looking for UDP ports that respond to transmitted UDP segments. In both cases, Nmap returns a list of open, closed, or unreachable ports. A host running Nmap can attempt to scan any target host anywhere in the Internet.

What is Nmap?

Nmap is a free and open-source, powerful network exploration and security auditing tool that can "case the joint" not only for open TCP ports, but also for open UDP ports, for firewalls and their configurations, and even for the versions of applications and operating systems. At the end of this topic I'll give some examples of how to use the Nmap command. From the command "man nmap" on Linux distributions (specifically Kali Linux):

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed.

Apart from all of the information mentioned above, there are several port scanning techniques that we can use:

  • Ping Scan
  • TCP Half Open
  • TCP Connect
  • UDP
  • Stealth Scanning
  • TCP ACK Scan
  • TCP Window Scan
  • --scanflags (custom TCP flag combinations)

For more detailed information, see REFERENCES 3 and 4 below.

Most Common Ports

[image: table of the most common ports]

FOCUS ON SECURITY

This section, "FOCUS ON SECURITY", was created because of a brief text/example (the next paragraphs) that I read in "Computer Networking: A Top-Down Approach" (Kurose and Ross, seventh edition; see REFERENCES, 2), which I found quite interesting and opportune to mention. It talks about port scans and some ways to prevent malicious attacks with firewalls, Intrusion Detection Systems (IDSs) and even Intrusion Prevention Systems (IPSs).

Suppose you are assigned the task of administering a home, departmental, university, or corporate network. Attackers, knowing the IP address range of your network, can easily send IP datagrams to addresses in your range. These datagrams can do all kinds of devious things, including mapping your network with ping sweeps and port scans, crashing vulnerable hosts with malformed packets, scanning for open TCP/UDP ports on servers in your network, and infecting hosts by including malware in the packets. As the network administrator, what are you going to do about all those bad guys out there, each capable of sending malicious packets into your network? Two popular defense mechanisms to malicious packet attacks are firewalls and intrusion detection systems (IDSs).

As a network administrator, you may first try installing a firewall between your network and the Internet. (Most access routers today have firewall capability.) Firewalls inspect the datagram and segment header fields, denying suspicious datagrams entry into the internal network. For example, a firewall may be configured to block all ICMP echo request packets, thereby preventing an attacker from doing a traditional port scan across your IP address range. Firewalls can also block packets based on source and destination IP addresses and port numbers. Additionally, firewalls can be configured to track TCP connections, granting entry only to datagrams that belong to approved connections.

Additional protection can be provided with an IDS. An IDS, typically situated at the network boundary, performs “deep packet inspection,” examining not only header fields but also the payloads in the datagram (including application-layer data). An IDS has a database of packet signatures that are known to be part of attacks. This database is automatically updated as new attacks are discovered. As packets pass through the IDS, the IDS attempts to match header fields and payloads to the signatures in its signature database. If such a match is found, an alert is created. An intrusion prevention system (IPS) is similar to an IDS, except that it actually blocks packets in addition to creating alerts.

Can firewalls and IDSs fully shield your network from all attacks? The answer is clearly no, as attackers continually find new attacks for which signatures are not yet available. But firewalls and traditional signature-based IDSs are useful in protecting your network from known attacks.

From this text and what we have been discussing, we can conclude that we should run port scans proactively on our own networks, to detect and close all possible vulnerabilities that attackers might otherwise exploit.
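As an added example (my own code, not from the book or from any IDS product), a minimal version of the detection idea above: a port scan leaves a trace in firewall logs as one source touching many distinct ports on one host in a short time, so the script below parses iptables-style log lines and raises an alert when a source exceeds a distinct-port threshold inside a sliding time window. The log lines are constructed sample data, and the threshold and window are assumptions to tune for a real network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style firewall log (not real traffic): one source probes twelve
# distinct TCP ports on one host in twelve seconds; a second source only talks to HTTPS.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG = "\n".join(
    f"Jan 10 12:00:{i:02d} gw kernel: DROP IN=eth0 SRC=203.0.113.5 "
    f"DST=198.51.100.10 PROTO=TCP SPT={40000 + i} DPT={p} SYN"
    for i, p in enumerate(SCAN_PORTS)
) + "\n" + "\n".join(
    f"Jan 10 12:00:{s:02d} gw kernel: ACCEPT IN=eth0 SRC=192.0.2.7 "
    f"DST=198.51.100.10 PROTO=TCP SPT={50000 + s} DPT=443 SYN"
    for s in (3, 9, 15)
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def parse_line(line, year=2024):
    """Return (timestamp, src, dst, proto, dport) or None for lines we cannot parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])

def detect_port_scans(log_text, threshold=10, window=timedelta(seconds=30)):
    """Flag (src, dst) pairs where one source touched >= threshold distinct destination
    ports on one host inside a sliding window; returns {(src, dst): max_distinct_ports}."""
    hits = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, _proto, dport = rec
            hits[(src, dst)].append((ts, dport))
    alerts = {}
    for key, events in hits.items():
        events.sort()  # time order, so the window below can slide forward
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts
```

A real deployment would read the log continuously and also count per source across all destinations, so that a sweep of one port over many hosts (the ping-sweep case in the text) is caught too.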

Examples of usage of the nmap command

First example:

[image: Nmap scan output for the first example]

The output of an Nmap scan shows that the host at 142.250.200.110 is up. It is interesting that it also says that 998 TCP ports were scanned, and if we scroll up to the man page excerpt there is the explanation of what a filtered port is: "Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed." Furthermore, there are two ports that respond, port 80 (HTTP) and port 443 (HTTPS), because the host is running web servers.

Second example:

[image: Nmap scan output for the second example]

Indeed, I consider this example a bit more interesting. We already know that the host at 104.18.21.126 is up. However, we have here something different... HTTP-proxy on port 8080. This suggests that the host is running a proxy service over the HTTP-proxy protocol. Technically, we don't know the specific reason why they are running this service just by viewing this output, but HTTP proxy servers are normally used to enforce security policies. In fact, there are the well-known forward proxies, used to protect the clients, and reverse proxies, used to protect the servers so that they only accept client requests.

Third example:

It is even possible to get a different view of how the process of scanning the ports of a specific host works by using the switch -v (verbose). See the figure below:

[image: Nmap -v scan output for the third example]

As we can see in the figure above, the first step of the scan is a ping scan, which is used to detect whether the target host is up by sending an ICMP request. After discovering the host, a parallel DNS resolution is performed, which resolves the domain name to an IP address. The last step is finding how many services are running on the target host.
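As an added example (my own code, not Nmap's and not from the references), a small parser for Nmap's normal output, modelled on the first two examples above, that rebuilds the "interesting ports table" for each host and then does what the security section recommends for a proactive scan: it compares the open ports against what the administrator expects on each host and reports the extras (here, the http-proxy on 8080). The scan text is constructed sample data, not a real scan transcript, and the allowlist is an assumption.

```python
import re

# Constructed Nmap normal-output excerpt modelled on the page's first two
# examples; illustrative sample text, not a real scan transcript.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 142.250.200.110
Not shown: 998 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https

Nmap scan report for 104.18.21.126
Not shown: 997 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# matches "Not shown: 998 filtered ports" and the newer "... filtered tcp ports"
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+)(?: \w+)? ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap_output(text):
    """{host: {"ports": {(port, proto): (state, service)}, "not_shown": (count, state)}}"""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = hosts.setdefault(m[1], {"ports": {}, "not_shown": None})
        elif current is None:
            continue  # text before the first report, e.g. the "Starting Nmap" banner
        elif m := NOT_SHOWN_RE.match(line):
            current["not_shown"] = (int(m[1]), m[2])
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            current["ports"][(int(port), proto)] = (state, service)
    return hosts

def unexpected_open_ports(hosts, allowlist):
    """Open ports missing from the per-host allowlist {host: {(port, proto), ...}}:
    the services a proactive scan should make an administrator ask about."""
    findings = {}
    for host, info in hosts.items():
        allowed = allowlist.get(host, set())
        extra = {k: v for k, v in info["ports"].items() if v[0] == "open" and k not in allowed}
        if extra:
            findings[host] = extra
    return findings
```

Running the parser over the saved output of a scheduled scan of your own address range and diffing the result against the previous run is the simplest way to notice a port that was not open last week.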

REFERENCES

1 - https://nmap.org/book/man.html

2 - Computer Networking: A Top-Down Approach, Kurose and Ross, 7th edition

3 - https://www.varonis.com/blog/port-scanning-techniques

4 - https://www.eccouncil.org/cybersecurity-exchange/penetration-testing/preventing-malicious-hacks-with-port-scanning-techniques/

THINGS THAT I WANT TO KNOW MORE ABOUT


What about scanning large networks without being detected?

Is it possible to perform a 100% intensive and 0% aggressive scan?