301 Reading 2 Port Scans - marsecguy/reading-notes-cyberops GitHub Wiki
Network scanning with NMAP and Common Ports
Network Scanning
A common practice for hackers to gain initial entry into a system is to scan for open TCP/UDP ports. One of the primary tools for this is the NMAP scanner. The below questions are important for understanding how this tool works:
- What is a port? Describe it with an analogy that would help a family member understand.
- A port is an entryway for a computer to communicate externally. If one were to view a computer as being like a house, doors and windows could be considered analogous to ports. If they are open and unguarded, people can get in and out of them with relative ease. Likewise, an open port can allow easy flow of communication that a hacker can exploit to gain entry to the computer.
- What does a port scanner send to a port to check the current status?
- There are several things a port scanner can send to check on the current status of a port. The first is a simple ping request to see if ports are active. Next is the SYN request of the three-way handshake. If the port sends an ACK (acknowledgement), then the scanner knows the port is open and accepting communication. Third is the full three-way handshake (SYN, SYN/ACK, ACK). This establishes a full TCP connection. It is more likely to be detected, but is easier because it requires fewer permissions. Finally, there is the UDP scan, which works best when sending a full load of packets to see if they are accepted.
- When a port scanner sends a request to connect, what are the three possible responses? Describe them.
  - A. Open, Accepted: The computer responds and asks if there is anything it can do for you.
  - B. Closed, Not Listening: The computer responds that “This port is currently in use and unavailable at this time.”
  - C. Filtered, Dropped, Blocked: The computer doesn’t even bother to respond.
- What is the difference between TCP and UDP?
- TCP is more orderly. It requires the three-way handshake and includes verification of receipt. It also checks for packet errors to replace any packets that are missed.
- UDP is faster, but does not require the handshake, error checking or verification. It just sends the packets in a flood, and any that are missed will not be replaced.
Source: Michael Buckbee
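As an added example (not part of these notes or the cited source), the three responses above written as a small Python check against the local machine: a connect attempt that completes the handshake is "open", one answered with a reset is "closed", and one that gets no answer before the timeout is "filtered". The listening port and the closed port are constructed on 127.0.0.1 so the script runs offline; the helper names are my own.

```python
import errno
import socket
import threading

# Map the outcome of one TCP connect attempt to the three port states.
def state_from_result(rc: int) -> str:
    if rc == 0:
        return "open"      # handshake completed: SYN, SYN/ACK, ACK
    if rc == errno.ECONNREFUSED:
        return "closed"    # host replied with RST: nothing is listening
    return "filtered"      # no reply (timeout) or dropped/blocked on the way

def classify_tcp_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt a full TCP connection and classify host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))   # errno instead of raising
        except (socket.timeout, OSError):
            rc = errno.ETIMEDOUT              # treat any no-answer as filtered
    return state_from_result(rc)

def _start_listener() -> socket.socket:
    """Constructed 'open' port: a listener on 127.0.0.1 that accepts and closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break                          # listener was closed
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

def _free_closed_port() -> int:
    """Constructed 'closed' port: bind to pick a free port, then release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo() -> dict:
    srv = _start_listener()
    try:
        return {"open": classify_tcp_port("127.0.0.1", srv.getsockname()[1]),
                "closed": classify_tcp_port("127.0.0.1", _free_closed_port())}
    finally:
        srv.close()

if __name__ == "__main__":
    print(demo())   # {'open': 'open', 'closed': 'closed'}
```

A port protected by a firewall that silently drops the SYN never reaches `state_from_result` with 0 or ECONNREFUSED, so it lands in the "filtered" branch after the timeout.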
Common Ports
List and describe the ports used for the following:
Telnet - Port 23. Allows a computer to access a console screen from a remote device.
SSH - Secure Shell, Port 22. Works similarly to Telnet, but encrypts the data for security.
DNS - Domain Name Service, Port 53. Converts domain names (google.com, msn.com, etc.) into an IP address to establish communication with the correct domain server.
SMTP - Simple Mail Transfer Protocol, Port 25 (unencrypted), or Port 587. Used for outgoing email. Port 110 (unencrypted) and Port 995 (encrypted) are commonly used for inbound email.
HTTP - Hypertext Transfer Protocol, Port 80. Used for accessing unsecured websites.
HTTPS - Hypertext Transfer Protocol Secure, Port 443. Used for accessing secure websites.
RDP - Remote Desktop Protocol, Port 3389. Allows one computer to access and control the desktop of another computer.
Ping - Ping is a method of sending a signal to a port to see if it responds, letting you know it is possible to establish a connection with it if all requirements for the connection are met.
Source: Professor Messer
Things I'd like to learn more about:
- The Cyber Kill Chain