Port scanning is the process of checking which TCP or UDP ports on a machine are open. Please note that scanning systems you are not authorized to test is illegal in many countries; practise inside a virtual lab.
TCP Port Scanning Basics
TCP port scanning is based on the three-way handshake. The TCP RFC states that when a SYN is sent to an open port, a SYN/ACK should be sent back, and when a SYN is sent to a closed port, an RST is sent back. So port scanning involves attempting to establish a three-way handshake with the given ports: if the target answers with a SYN/ACK and continues the handshake, the port is open; if it answers with an RST, the port is closed (and if nothing comes back at all, a firewall is probably dropping the probe). In the last post we used Netcat and examined how it reads from and writes to TCP ports. In fact, Netcat can be used as a simple port scanner as well. The following syntax is used to perform a port scan using Netcat. I'll scan ports 24-26 on 192.168.159.129 (my mail server):
Nmap
Nmap is probably the most effective port scanner available. Its usage output might be intimidating at first, but once you start scanning you will get familiar with the syntax. In BackTrack, the Nmap data files (such as the default port list) are located in /usr/local/share/nmap/.
We've identified many open ports on 192.168.159.129. Let's try scanning all 65535 TCP ports on this machine by explicitly specifying the port range to be scanned:
Notice how we've discovered some open ports that the first scan did not find: by default Nmap only scans the most common ports, as ranked in its services file (/usr/local/share/nmap/nmap-services), so a service listening on an unusual port is missed unless you specify that port explicitly.
Scanning across the network
Rather than scanning a single machine for all ports, let's scan all the machines for one port (139). This is useful for identifying all the computers running NetBIOS/SMB services:
We've found several IP addresses with port 139 open. However, we still do not know which operating systems are running on these hosts.
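The three scan patterns above (connect to a port and read the handshake result, scan an explicit Nmap-style port specification, and sweep many hosts for one port) are small enough to write by hand. The following is an added example, not code from the original post or from Nmap: a TCP connect() scanner that does what nc -z and nmap -sT do. The target is a constructed pair of sockets on 127.0.0.1, so it runs offline; the host list and ports are assumptions standing in for 192.168.159.129 and the lab network.

```python
"""Added example (not from the original post): a TCP connect() scanner that
does what `nc -z` and `nmap -sT` do, with an Nmap-style port specification
parser and a one-port host sweep. The targets are constructed sockets on
127.0.0.1 so the script runs offline; hosts and ports are assumptions."""
import socket

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def parse_ports(spec):
    """Parse an Nmap-style -p specification such as "22,80-82,443" or "1-65535"."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port specification: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def probe(host, port, timeout=1.0):
    """Attempt a full three-way handshake with one port.

    The kernel sends the SYN for us. A SYN/ACK lets connect() complete (open);
    an RST surfaces as ECONNREFUSED (closed); no reply at all runs into the
    timeout, which usually means a firewall dropped the probe (filtered).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except OSError:  # timeout, host unreachable, ...
        return FILTERED
    finally:
        s.close()


def scan_host(host, spec, timeout=1.0):
    """Scan every port in spec on one host (nmap -p <spec> <host>)."""
    return {port: probe(host, port, timeout) for port in parse_ports(spec)}


def sweep(hosts, port, timeout=1.0):
    """Return the hosts that have one port open (nmap -p <port> <network>)."""
    return [host for host in hosts if probe(host, port, timeout) == OPEN]


def constructed_targets():
    """Stand-in for 192.168.159.129: one listening socket (the kernel completes
    the handshake even though we never call accept()) and one socket that is
    bound but not listening, so a SYN to it is answered with an RST."""
    listening = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listening.bind(("127.0.0.1", 0))
    listening.listen(5)
    refused = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    refused.bind(("127.0.0.1", 0))
    return listening, refused


def demo():
    listening, refused = constructed_targets()
    open_port = listening.getsockname()[1]
    closed_port = refused.getsockname()[1]
    try:
        results = scan_host("127.0.0.1", f"{open_port},{closed_port}")
        hosts_up = sweep(["127.0.0.1"], open_port)
    finally:
        listening.close()
        refused.close()
    return open_port, closed_port, results, hosts_up


if __name__ == "__main__":
    open_port, closed_port, results, hosts_up = demo()
    for port, state in results.items():
        print(f"{port}/tcp {state}")
    print("hosts with port", open_port, "open:", hosts_up)
```

Because connect() completes the handshake, every probe is logged by the target application just like a real client connection; Nmap's default -sS scan avoids that by sending a raw SYN and replying to the SYN/ACK with an RST, which needs root privileges and is why nmap run as an unprivileged user silently falls back to this connect() style.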
Nmap has two features that help here: OS fingerprinting (-O) and version detection, also called banner grabbing (-sV). OS fingerprinting guesses the underlying operating system from quirks in how the target's TCP/IP stack answers a series of crafted probes; it works best when the target has at least one open and one closed TCP port. Version detection connects to each open port, reads whatever banner the service sends, sends protocol-specific probes where the service stays silent, and matches the replies against Nmap's service signature database to name the service and its version.
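The banner-grabbing half of -sV is easy to see in a few lines. The following is an added example, not code from the original post or from Nmap: it completes the handshake, reads the greeting a service volunteers, and matches it against a constructed three-entry signature table standing in for Nmap's nmap-service-probes. The target is a constructed SMTP-like listener on 127.0.0.1 that sends an assumed banner, so it runs offline; OS fingerprinting (-O) is not reproduced here.

```python
"""Added example (not from the original post): the banner-grabbing side of
nmap -sV, run against a constructed SMTP-like service on 127.0.0.1. The
signature table and banners are assumptions, a toy stand-in for Nmap's
nmap-service-probes database."""
import re
import socket
import socketserver
import threading

# Constructed signature table: (regex applied to the banner, service name).
# Group 1, where present, captures the version string.
SIGNATURES = [
    (re.compile(r"^SSH-2\.0-(\S+)"), "ssh"),
    (re.compile(r"^220[ -].*ESMTP (\S+)"), "smtp"),
    (re.compile(r"^\+OK"), "pop3"),
]


def grab_banner(host, port, timeout=2.0, probe=b"", max_bytes=512):
    """Complete the handshake, optionally send a probe, and return whatever the
    service says first. SMTP, SSH and POP3 talk first; HTTP does not, which is
    why -sV also sends protocol-specific probes (pass one via `probe`)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(max_bytes)
        except socket.timeout:
            data = b""
    return data.decode("latin-1", "replace").strip()


def identify(banner):
    """Match a banner against the signature table; returns (service, version)."""
    for pattern, name in SIGNATURES:
        m = pattern.search(banner)
        if m:
            return name, (m.group(1) if m.groups() else "")
    return "unknown", ""


class FakeSmtp(socketserver.BaseRequestHandler):
    """Constructed target: greets like a mail server, then hangs up."""
    BANNER = b"220 mail.example.test ESMTP Postfix\r\n"  # assumed banner

    def handle(self):
        self.request.sendall(self.BANNER)


def start_fake_service(handler):
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    srv, port = start_fake_service(FakeSmtp)
    try:
        banner = grab_banner("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
    return banner, identify(banner)


if __name__ == "__main__":
    banner, (service, version) = demo()
    print(f"banner: {banner!r}")
    print(f"service: {service} {version}".rstrip())
```

A banner is only a claim made by the remote process: an administrator can edit it, and a honeypot can lie, so treat the result as a lead to confirm with the protocol itself rather than as proof of a version. Version detection is also far noisier than a plain port scan, since every open port receives real application-layer traffic.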
Nmap has several other options – take the time to review and practice them.