Port Scanning with Nmap

Port Scanning

It is the process of checking which ports are open on a single host or across a network.

What is a port?


A port is a communication endpoint: it identifies a specific service or protocol running on a machine.


There are 65535 port numbers in total for each of TCP and UDP.
Ports 0 - 1024 are called well-known ports because they are assigned to the most commonly used services, for example:



TCP
  • HTTP - 80 / HTTPS - 443
  • FTP - 20, 21 (20 = data transfer, 21 = command/control)
  • SSH - 22
  • Telnet - 23
  • SMTP - 25
  • POP3 - 110
  • SMB - 139, 445
  • IMAP - 143

UDP
  • DNS - 53
  • DHCP - 67, 68
  • TFTP - 69
  • SNMP - 161


What is TCP/IP?

It stands for Transmission Control Protocol / Internet Protocol. It determines how a computer or device is connected to the internet and how
data is transmitted between two computers.

In simple words: when you visit a company you get a visitor ID card; in the same way, when you connect to the internet your computer or
mobile device gets an ID (IP address).

TCP checks for errors: if any packet is dropped during transmission, it resends that packet. For example, when you send a text message on WhatsApp or Facebook,
your friend receives exactly the text you sent; no portion of the message is lost.
A TCP connection is established with a 3-way handshake, so when you upload or download, a TCP connection is set up first and
closed again when the transfer is done. That is why TCP is called reliable, or connection-oriented.


What is UDP?

It stands for User Datagram Protocol; a datagram is the unit of transfer.
UDP is used for broadcasting and multicasting, and for things like video calls, voice calls and online video games.
UDP focuses on delivery speed and does not check whether any data was lost during transmission. For example, Facebook and WhatsApp Messenger
use UDP for video and voice calling, so on a slow internet connection you will not hear or see clearly, because packets are lost in transit and never resent.


Two methods to scan TCP ports


  1. Connect
     It completes the 3-way handshake on a specific port.
  2. SYN/Stealth scan
     A TCP port scanning method that sends only the SYN packet, without completing the 3-way handshake.


    What is a 3-way handshake?

    — A complete handshake means that when you scan a machine you send a SYN packet; if the port is open you get a SYN+ACK packet
    back from the target machine, and you then send an ACK.

    — If the port is open it should send a SYN+ACK packet.

    We call the SYN scan "stealth" because it only opens a half-way connection: old firewalls were not able to log this scanning traffic, but newer firewalls are able to detect it.


A complete handshake is the 3-way handshake.



 TCP is connection-oriented, while UDP is stateless and has no 3-way handshake mechanism. If a UDP port is open, usually no reply comes back to us at all; a closed port answers with an ICMP packet (port unreachable) instead.

UDP port scanning is unreliable because firewalls and routers can simply drop UDP packets, so silence does not prove that a port is open and the result can mislead us.
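To make the open/closed/filtered logic behind a TCP connect scan and a UDP probe concrete, here is an added Python example (it is not code from the original post, and it is not Nmap's own logic) that runs entirely on loopback: it starts its own TCP and UDP listeners, reserves two more ports that nothing listens on, and classifies each one the way the text describes. The port numbers are chosen by the OS at run time.

```python
import errno
import socket

def tcp_connect_scan(host, ports, timeout=1.0):
    """Connect scan (nmap -sT): attempt a full 3-way handshake on each port.
    open = handshake completed, closed = host answered with RST, filtered = no answer."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            rc = s.connect_ex((host, port))  # 0 on success, otherwise an errno value
            if rc == 0:
                results[port] = "open"       # SYN, SYN+ACK, ACK all went through
            elif rc == errno.ECONNREFUSED:
                results[port] = "closed"     # the host sent RST
            else:
                results[port] = "filtered"   # timeout: probably dropped by a firewall
    return results

def udp_probe(host, port, timeout=1.0):
    """UDP probe (nmap -sU): an open port usually stays silent; a closed port makes the
    host send ICMP port unreachable, which a connected UDP socket reports as a refusal."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(b"")                          # an empty datagram is enough to provoke ICMP
        try:
            s.recv(1)
            return "open"                    # the service actually answered
        except ConnectionRefusedError:
            return "closed"                  # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"           # silence is ambiguous, as the text says

def demo_local_scan():
    """Constructed demo on loopback: a TCP and a UDP listener, plus a TCP and a UDP
    port that were reserved and released again so that nothing listens on them."""
    socks = [socket.socket(socket.AF_INET, kind) for kind in
             (socket.SOCK_STREAM, socket.SOCK_STREAM, socket.SOCK_DGRAM, socket.SOCK_DGRAM)]
    for s in socks:
        s.bind(("127.0.0.1", 0))             # port 0: let the OS pick a free port
    tcp_open, tcp_closed, udp_open, udp_closed = [s.getsockname()[1] for s in socks]
    socks[0].listen(1)                       # the TCP listener completes handshakes
    socks[1].close(); socks[3].close()       # release the two "closed" ports
    try:
        results = {"tcp": tcp_connect_scan("127.0.0.1", [tcp_open, tcp_closed]),
                   "udp": {p: udp_probe("127.0.0.1", p) for p in (udp_open, udp_closed)}}
    finally:
        socks[0].close(); socks[2].close()
    return tcp_open, tcp_closed, udp_open, udp_closed, results
```

Against a real firewall the TCP "filtered" branch and the UDP "open|filtered" branch are the ones that appear most, which is exactly why UDP results need a second source of evidence before you trust them.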


How does a 3-way-handshake (TCP) connection terminate?

The client sends a FIN packet, the server replies with a FIN+ACK packet, the client replies back with an ACK packet, and the connection is terminated.


Tool for port scanning: 

Nmap is one of the most popular scanning tools, with an enormous set of features.

The default Nmap scan covers the 1000 most popular ports and generates about 7 KB of traffic; if we want to scan all the ports (65535), it generates about 4 MB of traffic.


Option | Name               | Description                                                                                                  | Usage
-sS    | TCP SYN scan       | Half-open scan. The quickest way to scan 1000 ports.                                                          | nmap -sS 192.168.0.1
-sT    | TCP Connect scan   | Completes the 3-way handshake on each port.                                                                  | nmap -sT 192.168.0.1
-sU    | UDP scan           | Sends a UDP packet to every port.                                                                            | nmap -sU 192.168.0.1
-sN    | TCP NULL scan      | Sends packets with no TCP flags set (a NULL packet).                                                          | nmap -sN 192.168.0.1
-sn    | Ping sweep         | Only pings to check whether the target is up, without a port scan.                                           | nmap -sn 192.168.0.1
-v     | Verbosity          | Prints more information about the scan.                                                                      | nmap -sV 192.168.0.1 -v
-O     | Check OS           | Shows the operating system version.                                                                          | nmap -O 192.168.0.1
-T4    | Timing             | -T0 = paranoid, -T1 = sneaky, -T2 = polite, -T3 = normal, -T4 = aggressive, -T5 = insane; higher is faster.  | nmap -T4 192.168.0.1
-sV    | Enumerate services | If an open port is found, detects which service is running on it.                                            | nmap -sV 192.168.0.1
-A     | OS + services      | Checks the OS as well as the services.                                                                       | nmap -A 192.168.0.1
-Pn    | Skip discovery     | Skips host discovery (ping): treats the host as up and scans its ports anyway.                               | nmap -Pn 192.168.0.1
