Port Scanning: A Detailed Guide on Why and How
Port scanning is one of the main tasks in a penetration testing engagement. After the initial reconnaissance is done, the next thing I would do in a pentest is start the port scan. It reveals which ports are open on the server and what services are running on those ports. Those ports are the entry points to the server.
To learn port scanning you should first know what a computer port is and how ports work.
What is a port?
A port is the virtual network entry point of a computer. Like any other machine, a computer needs inputs in order to do its processing and produce output, and it has physical entry points such as a keyboard or mouse. But when it comes to the network, you cannot send input to a computer using only an IP address; you have to use a port along with the IP. The combination of a port and an IP address is called a socket.
There are two types of ports in computers:
1. TCP
2. UDP
TCP communication is connection-oriented, whereas UDP is connectionless.
TCP Connection Establishment
A TCP connection is established by exchanging several packets between two computers. The number and type of packets exchanged depend on the port status (OPEN/CLOSED). Let's see how the TCP handshake happens on OPEN and CLOSED ports.
TCP Handshake: Open Port
Once the client sends a TCP SYN packet, the listening computer (server) sends a SYN/ACK packet in response, and then the client sends an ACK packet. If all three of these packets are exchanged, the TCP connection is established.
TCP Handshake: Closed Port
If the server port is closed, the server responds with a RST/ACK packet.
How can the TCP handshake be used to do port scanning?
By analyzing the response packet you receive from a computer to an initial SYN packet, you can tell whether the port is open or not. Below are the responses you should receive to an initial SYN packet based on port status:
OPEN => SYN/ACK
CLOSED => RST/ACK
How does UDP work?
Since UDP is a connectionless protocol, it does not do any sort of handshake before sending data the way TCP does. UDP just sends data packets to the receiver and does not even check whether the receiver got them properly. This makes it harder to perform a port scan. But there are a few aspects we can use to check port status in UDP. Once you send an empty UDP packet to the receiver, the response depends on the port status as below:
OPEN => Any UDP response from the target port
CLOSED => ICMP port unreachable error
This is how we can identify whether a specific UDP port is open or not.
All right, now that we have the theoretical understanding of how port scanning works, let's do some practical port scanning. To do this I'm using the nmap port scanner, which is the best port scanning tool and is used by almost all security professionals.
Let's first see how to do TCP port scanning.
TCP Port Scanning
Port Status: OPEN
nmap -p22 -sT -Pn 45.33.32.156
Here I scanned TCP port 22 (-p22) with a TCP connect scan (-sT) and skipped the ICMP ping (-Pn) that nmap performs by default to check whether the target is alive. The IP I used here is the example IP given by nmap itself.
Here is the output:
Here is the connection flow:
As we learned, three packets go back and forth in the flow.
SYN => SYN/ACK => ACK
Port Status: CLOSED
If the port is closed, the target responds with the packets below:
SYN => RST/ACK
UDP Port Scanning
Port Status: OPEN
Here I specified port 111 to scan (-p111) and selected a UDP scan (-sU). The tool decides the port is open because it received a response from the target.
Here is the network flow:
Two UDP packets are sent by the host, and we receive a response from the target.
Port Status: CLOSED
Here is the tool output for a closed UDP port:
Here is the network flow:
As you can see, the host sends an empty UDP packet and receives an ICMP packet that says Destination Unreachable. That means the UDP port is closed.
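The two response tables above (SYN/ACK vs. RST/ACK for TCP, a UDP reply vs. ICMP port unreachable for UDP) are exactly what a defender sees in a packet capture when someone scans a host. The added example below is my own code, not part of the original post or of nmap: it parses a constructed, simplified tcpdump-like summary of the flows shown in this post, infers the state of each probed port from the reply (and labels the no-reply case, which the post does not cover, as filtered / open|filtered, the way nmap reports it), and then flags a source that has probed several ports on one target. The log format, IP addresses, and the detection threshold are all assumptions made for the example.

```python
"""Infer port state from handshake exchanges and flag probable scans.

Added example, not the post's or nmap's code. Input is a constructed,
simplified tcpdump-like summary with this assumed line format:
    <time> <src_ip>:<sport> > <dst_ip>:<dport> TCP <flags>
    <time> <src_ip>:<sport> > <dst_ip>:<dport> UDP -
    <time> <src_ip> > <dst_ip> ICMP port-unreachable <original_dport>
TCP flags use tcpdump letters: S = SYN, S. = SYN/ACK, . = ACK, R. = RST/ACK.
"""
from collections import defaultdict

# Constructed sample capture: 10.0.0.5 probes several ports on 10.0.0.9.
SAMPLE = """\
0.000 10.0.0.5:51000 > 10.0.0.9:22 TCP S
0.001 10.0.0.9:22 > 10.0.0.5:51000 TCP S.
0.002 10.0.0.5:51000 > 10.0.0.9:22 TCP .
0.010 10.0.0.5:51001 > 10.0.0.9:80 TCP S
0.011 10.0.0.9:80 > 10.0.0.5:51001 TCP R.
0.020 10.0.0.5:51002 > 10.0.0.9:443 TCP S
0.030 10.0.0.5:51003 > 10.0.0.9:111 UDP -
0.031 10.0.0.9:111 > 10.0.0.5:51003 UDP -
0.040 10.0.0.5:51004 > 10.0.0.9:53 UDP -
0.041 10.0.0.9 > 10.0.0.5 ICMP port-unreachable 53
0.050 10.0.0.5:51005 > 10.0.0.9:161 UDP -
"""


def split_endpoint(endpoint):
    """'10.0.0.9:22' -> ('10.0.0.9', 22)."""
    ip, _, port = endpoint.rpartition(":")
    return ip, int(port)


def parse_line(line):
    """Turn one summary line into a dict; ICMP lines carry the triggering dport."""
    t, src, _, dst, proto, *rest = line.split()
    if proto == "ICMP":
        return {"time": float(t), "src": src, "dst": dst, "proto": proto,
                "kind": rest[0], "orig_dport": int(rest[1])}
    sip, sport = split_endpoint(src)
    dip, dport = split_endpoint(dst)
    return {"time": float(t), "src": sip, "sport": sport, "dst": dip,
            "dport": dport, "proto": proto, "flags": rest[0]}


def infer_states(text):
    """Map each probe (scanner, target, proto, port) to the state its reply implies."""
    states = {}
    for line in text.strip().splitlines():
        p = parse_line(line)
        if p["proto"] == "TCP":
            key = (p["src"], p["dst"], "tcp", p["dport"])      # our SYN
            rkey = (p["dst"], p["src"], "tcp", p["sport"])     # probe this reply answers
            if p["flags"] == "S":
                states.setdefault(key, "filtered")             # no answer yet
            elif p["flags"] == "S." and rkey in states:
                states[rkey] = "open"                          # SYN/ACK => listening
            elif p["flags"].startswith("R") and rkey in states:
                states[rkey] = "closed"                        # RST/ACK => nothing there
        elif p["proto"] == "UDP":
            key = (p["src"], p["dst"], "udp", p["dport"])
            rkey = (p["dst"], p["src"], "udp", p["sport"])
            if rkey in states:
                states[rkey] = "open"                          # any UDP reply => open
            else:
                states.setdefault(key, "open|filtered")        # silence is ambiguous in UDP
        elif p["proto"] == "ICMP" and p["kind"] == "port-unreachable":
            rkey = (p["dst"], p["src"], "udp", p["orig_dport"])
            if rkey in states:
                states[rkey] = "closed"                        # ICMP unreachable => closed
    return states


def detect_scans(states, min_ports=3):
    """Flag (source, target) pairs that probed at least min_ports distinct ports.

    The threshold is deliberately low for the constructed sample; real traffic
    needs a higher value and a time window. Hits on closed ports are counted
    separately because legitimate clients rarely produce them.
    """
    per_pair = defaultdict(lambda: {"ports": set(), "closed": 0})
    for (src, dst, proto, port), state in states.items():
        rec = per_pair[(src, dst)]
        rec["ports"].add((proto, port))
        if state == "closed":
            rec["closed"] += 1
    return {pair: {"ports": len(rec["ports"]), "closed": rec["closed"]}
            for pair, rec in per_pair.items() if len(rec["ports"]) >= min_ports}


if __name__ == "__main__":
    inferred = infer_states(SAMPLE)
    for (src, dst, proto, port), state in sorted(inferred.items()):
        print(f"{src} -> {dst} {proto}/{port}: {state}")
    for (src, dst), info in detect_scans(inferred).items():
        print(f"possible scan from {src} against {dst}: "
              f"{info['ports']} ports probed, {info['closed']} closed")
```

Running it prints one line per probed port (22/tcp open, 80/tcp closed, 443/tcp filtered, 111/udp open, 53/udp closed, 161/udp open|filtered) and then the scan alert for 10.0.0.5. On a real capture the same logic would sit behind a proper packet parser, and the threshold in detect_scans would be raised and bounded by a time window.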
In this blog series I'm going to explore offensive security concepts in more detail.
Need a clarification?
You can connect with me via Twitter: https://twitter.com/janithSmalinga