Penetration Testing Scanning 101.3

In part three of his series on penetration testing, security researcher Hozaifa Owaisi covers port scanning and the tools used to get the job done.


In part three of my series on penetration testing I am going to cover port scanning. I introduced this topic in an earlier article in the series; if you haven't read it, I recommend it because it gives a good overview of scanning as a whole. I would also recommend reading article two in this series, which covers network tracing. This article will cover how port scanning works in practice, the tools used for port scanning, and useful tips for the most popular tools.

Concepts That You Need To Understand To Follow This Article

There are some basic concepts that you first need to understand in order to follow this article. I have listed them below with some links to sources where you can learn more about them, in case you need a refresher.

The Three-Way Handshake

Every TCP connection begins with a TCP handshake, which is used to exchange initial sequence numbers. Those sequence numbers let each side acknowledge what it has received, so that every lost packet can be retransmitted and the data put back in proper order.

If machine A wants to initiate a connection with machine B, it sends a packet with the SYN control bit set. This packet includes an initial sequence number (which we'll call ISNA because it comes from machine A), which is 32 bits long and typically generated in a pseudo-random fashion by the TCP software on machine A. The ACK number (another 32 bits in the TCP header) is typically set to zero because it is ignored in this initial SYN.

If the destination port is open (which means something is listening on that port, like a web server on port 80), machine B responds with a SYN-ACK packet. This packet will have a sequence number of ISNB, a pseudo-random number assigned by machine B for this connection. The SYN-ACK packet will have an acknowledgment number of ISNA+1, indicating that machine B has acknowledged the SYN packet from machine A.

To complete the three-way handshake, machine A responds with an ACK packet, which has a sequence number of ISNA+1. (It's the next packet, so the sequence number has to change from the value in the original SYN packet.) The acknowledgment number field is set to ISNB+1, thereby acknowledging the SYN-ACK packet.

According to the original TCP specification, if a service is listening on a TCP port and a packet with the SYN control bit set arrives at that port, the TCP software must respond with a SYN-ACK packet. This response must be sent regardless of the payload of the SYN packet, which means that even if we don't know what service is listening on the target port, we can still determine whether it is open by simply sending it a SYN packet. That gives us a reliable method for determining whether a TCP port is open or closed.

4 Different Scenarios (Behaviors) While TCP Scanning

The first scenario: The attacker machine sends a SYN packet and receives a SYN-ACK from the target. This means that the port is open, and we move on to a different port. There is a small chance that some software on the target sends a SYN-ACK for every port to trick the attacker, but that is unlikely.

The second scenario: The attacker sends a SYN packet and receives an ICMP Port Unreachable message back. This most likely means that a firewall is blocking the connection. These ports are also called filtered ports.

The third scenario: The attacker machine sends a SYN packet and receives an RST-ACK packet back. This means that we cannot reach the port: it is either closed or a firewall is not letting us access it.

The fourth scenario: The attacker machine sends a SYN packet and gets nothing in response. Port scanning tools usually retry before moving on, and the port is then marked filtered. In this case either there is nothing listening on the end system (which has been configured via a personal firewall to silently drop all packets to closed ports) or a firewall is blocking our inbound SYN packet (again, silently rejecting it).

These are the most likely scenarios you will encounter while port scanning. The last scenario can cause the tool to run for a long time, because it retries and only marks the port as filtered after the timeout. This technique is also called half-open scanning, because we never establish a full connection.
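The handshake arithmetic from the previous section and the four SYN-scan scenarios above can be modelled end to end without touching a network. The following Python is an added example (it is not code from the article or from Nmap): machine B's reply is chosen by a port-state label of this example's own making (open, closed, reject, drop), the scanner classifies each reply the way the four scenarios describe, and a separate function performs the third handshake step that a full connect scan would send but a half-open scan deliberately omits.

```python
"""Model of TCP SYN (half-open) scanning and the three-way handshake.
Added example; port-state names and the target layout are constructed."""
import random
from dataclasses import dataclass
from typing import Optional, Union

MASK = 0xFFFFFFFF          # sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to the fields the handshake cares about."""
    flags: frozenset
    seq: int
    ack: int


@dataclass(frozen=True)
class IcmpUnreachable:
    """ICMP type 3 (destination unreachable); code 3 is 'port unreachable'."""
    code: int


Reply = Optional[Union[Segment, IcmpUnreachable]]


def isn() -> int:
    """Pseudo-random 32-bit initial sequence number, as the article describes."""
    return random.getrandbits(32)


def target_reply(port_state: str, syn: Segment) -> Reply:
    """What machine B sends back for an incoming SYN, by port state:
      'open'   -> SYN-ACK with ack = ISNA+1        (first scenario)
      'reject' -> ICMP port unreachable, firewall   (second scenario)
      'closed' -> RST-ACK                           (third scenario)
      'drop'   -> nothing at all                    (fourth scenario)
    The state labels are this example's own, not Nmap's."""
    if port_state == "open":
        return Segment(frozenset({"SYN", "ACK"}), seq=isn(), ack=(syn.seq + 1) & MASK)
    if port_state == "closed":
        return Segment(frozenset({"RST", "ACK"}), seq=0, ack=(syn.seq + 1) & MASK)
    if port_state == "reject":
        return IcmpUnreachable(code=3)
    return None


def classify(syn: Segment, reply: Reply) -> str:
    """Scanner-side verdict for one probe, mirroring the article's scenarios."""
    if reply is None or isinstance(reply, IcmpUnreachable):
        return "filtered"
    if {"SYN", "ACK"} <= reply.flags:
        # A genuine SYN-ACK must acknowledge exactly our ISN+1; anything else
        # is not a reply to our probe and is not evidence of an open port.
        return "open" if reply.ack == (syn.seq + 1) & MASK else "unexpected"
    if "RST" in reply.flags:
        return "closed"
    return "unexpected"


def syn_scan(ports: dict, retries: int = 1) -> dict:
    """Half-open scan: send SYN, classify the reply, never finish the handshake.
    A silent port is retried `retries` times before it is marked filtered,
    which is what makes dropped probes slow. Returns {port: (verdict, probes)}."""
    results = {}
    for port, state in sorted(ports.items()):
        syn = Segment(frozenset({"SYN"}), seq=isn(), ack=0)
        probes, verdict = 0, "filtered"
        for _ in range(retries + 1):
            probes += 1
            reply = target_reply(state, syn)
            verdict = classify(syn, reply)
            if reply is not None:          # only silence is retried
                break
        results[port] = (verdict, probes)
    return results


def complete_handshake(syn: Segment, syn_ack: Segment) -> Segment:
    """Third step of the handshake, which a full connect scan would send:
    the ACK carries seq = ISNA+1 and ack = ISNB+1 (modulo 2^32)."""
    if syn_ack.ack != (syn.seq + 1) & MASK:
        raise ValueError("SYN-ACK does not acknowledge our ISN+1")
    return Segment(frozenset({"ACK"}),
                   seq=(syn.seq + 1) & MASK,
                   ack=(syn_ack.seq + 1) & MASK)


if __name__ == "__main__":
    # Constructed target: one port in each state the article describes.
    target = {22: "open", 25: "closed", 80: "reject", 443: "drop"}
    for port, (verdict, probes) in syn_scan(target, retries=2).items():
        print(f"{port:>5}/tcp  {verdict:<9} probes={probes}")
```

Both a firewall reject (ICMP) and a silent drop end up as "filtered", but the dropped port costs retries+1 probes plus their timeouts, which is the slowness the article warns about. The acknowledgment check in classify is also why a SYN-ACK that does not carry our ISN+1 is not trusted as proof of an open port.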

UDP Scanning & Scenarios

As we all know, UDP is a connectionless protocol, so there is no connection state and no control bits. Because of this there are fewer scanning options, scanning is often slower and less reliable, and there is a lot of uncertainty in the results. Some scenarios you might encounter in UDP scanning are:

Scenario A: The attacker machine sends a UDP packet and the target machine responds with a UDP packet. This means that there is something listening on that UDP port, which means the port is open.

Scenario B: The attacker machine sends a UDP packet and the target machine responds with an ICMP Port Unreachable. This means the port is closed. This is also one of the reasons UDP scanning is slow: some systems rate-limit ICMP packets, which makes the scan even slower.

Scenario C: The attacker machine sends a UDP packet and nothing comes back. There could be a lot of reasons why; some of them are:

  • The port is closed
  • The firewall is blocking the packet coming in
  • The firewall is blocking the reply coming back to us
  • The port is open, but the service requires a specific payload in the packet.
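To make scenarios A, B and C concrete, here is an added Python model (not from the article, and not Nmap's code) of a UDP scan against a constructed target. The target's ICMP rate limit of one error per second and the quiet service's magic payload b"PING" are both assumptions of this example. Scanning the same closed ports at two probe intervals shows why a fast UDP scan mislabels closed ports as open|filtered and why a correct one is slow.

```python
"""Model of UDP scanning: why its verdicts are weaker than TCP's and why an
ICMP rate limit on the target makes a correct scan slow. Added example."""
from dataclasses import dataclass, field

# Constructed "magic" payload that the quiet service answers to (an assumption
# of this example, standing in for a real protocol-specific request).
MAGIC = b"PING"


@dataclass
class UdpTarget:
    """Constructed target. `ports` maps port -> state:
      'open'   service answers any datagram           (scenario A)
      'quiet'  service listens but answers only MAGIC  (scenario C, last bullet)
      'closed' kernel answers ICMP port unreachable   (scenario B)
      'drop'   a firewall silently discards the probe  (scenario C)
    Ports not listed are closed. `icmp_per_sec` is the target's ICMP error
    rate limit, an assumed value for this example."""
    ports: dict
    icmp_per_sec: int = 1
    icmp_sent: dict = field(default_factory=dict, init=False)  # second -> count

    def probe(self, port: int, payload: bytes, now: float):
        state = self.ports.get(port, "closed")
        if state == "open":
            return "udp-reply"
        if state == "quiet":
            return "udp-reply" if payload == MAGIC else None
        if state == "closed":
            sec = int(now)
            if self.icmp_sent.get(sec, 0) >= self.icmp_per_sec:
                return None                   # rate limit hit: no ICMP is emitted
            self.icmp_sent[sec] = self.icmp_sent.get(sec, 0) + 1
            return "icmp-port-unreachable"
        return None                           # 'drop': nothing comes back


def udp_scan(target: UdpTarget, ports, interval: float, payload: bytes = b""):
    """One datagram per port, `interval` simulated seconds apart.
    Verdicts follow the article: UDP reply -> open, ICMP -> closed, silence ->
    'open|filtered' because the scanner cannot tell the causes apart.
    Returns (verdicts, simulated seconds elapsed)."""
    verdicts, now = {}, 0.0
    for port in ports:
        reply = target.probe(port, payload, now)
        if reply == "udp-reply":
            verdicts[port] = "open"
        elif reply == "icmp-port-unreachable":
            verdicts[port] = "closed"
        else:
            verdicts[port] = "open|filtered"
        now += interval
    return verdicts, now


def demo():
    """Same constructed target scanned fast, slow, and with the right payload."""
    layout = {53: "open", 123: "quiet", 161: "drop"}
    probe_list = [53, 123, 161, 1000, 1001, 1002]   # 1000-1002 are closed
    fast, t_fast = udp_scan(UdpTarget(layout), probe_list, interval=0.1)
    slow, t_slow = udp_scan(UdpTarget(layout), probe_list, interval=1.0)
    quiet, _ = udp_scan(UdpTarget(layout), [123], interval=1.0, payload=MAGIC)
    return fast, t_fast, slow, t_slow, quiet


if __name__ == "__main__":
    fast, t_fast, slow, t_slow, quiet = demo()
    print("fast scan", round(t_fast, 1), "s:", fast)
    print("slow scan", round(t_slow, 1), "s:", slow)
    print("port 123 with the right payload:", quiet)
```

In the fast run only the first closed port gets its ICMP error; the other two fall under the rate limit and become indistinguishable from the firewalled port 161. Pacing probes to one per second recovers the correct "closed" verdicts at the cost of wall-clock time, and port 123 only reveals itself when the probe carries the payload its service expects.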

The Tool: NMAP

Nmap is a very common and amazingly powerful tool for port scanning. Let's look at the Nmap options that are useful to us.

Nmap timing options are very useful. The format for the timing options is:

# nmap -T [timing option] [other options]

  • 0: Avoid detection by IDS systems by falling outside of their time-sampling window. Sends a packet approximately every 5 minutes. No packets are sent in parallel, they
  • 1: Sends a packet every 15 seconds, again with no parallel packets.
  • 2: Sends a packet every 0.4 seconds, again one by one (no parallel sending). Puts no pressure on the network.
  • 3: Designed to run quickly, but without overwhelming the sending machine or the network, to maximize the chance of successfully identifying the target. The -T3 option doesn't actually change the way Nmap runs at all, because it simply selects the default timing model, which is used even if you don't specify -T3.
  • 4: Will never wait more than 1.25 seconds for a response, and scans in parallel. The Nmap documentation recommends -T4 for "reasonably modern and reliable networks."
  • 5: Spends at most 15 minutes per target host and waits only 0.3 seconds for a response to each probe. [PLEASE USE IT CAREFULLY, HIGHLY LIKELY TO CRASH SYSTEMS]

Nmap runtime interactions (keys pressed while a scan is running) are useful for quick adjustments once the scan has started.

  • p: Turns on packet tracing mode, which shows you all of the network activity as the scan proceeds. [SHIFT-P to turn off]
  • v: Increases verbosity, showing more information as you scan (increases by one level each time it is pressed). [SHIFT-V to decrease]
  • d: Increases the debugging level, showing more debugging information.

More specific Nmap timing options:

  • --host-timeout: The maximum time in milliseconds to spend on a single host.
  • --max_rtt_timeout: The maximum time to wait for a response to a probe packet. [DEFAULT: 9]
  • --min_rtt_timeout: The minimum time to wait for a response to a probe packet.
  • --max_parallelism: Sets the maximum number of probes Nmap will send in parallel.
  • --scan_delay: Sets the minimum time Nmap waits between sending probe packets.

Nmap network sweeping/probe options

  • -Pn: Don't send host discovery (ping) probes; every target is treated as up.
  • -PE: Send an ICMP Echo request to find targets.
  • -PS[PORT_NUMBER or LIST]: Use a TCP SYN only to the specified port or port list for discovery.
  • -PP: Send an ICMP Timestamp request to find targets.
  • -PR: Use ARP to identify hosts.
  • -p: Port list or individual ports to scan. Ex: -p 0-65535 or -p 25,80,22,23,445

Nmap custom control bits scan

  • --scanflags [URG | ACK | PSH | RST | SYN | FIN | ECE | CWR | ALL | NONE]: Build the probe packets with exactly the listed TCP control bits set.

Nmap Output options

  • -oN [Filename]: Stores the normal human-readable output typically displayed on the screen in a file called "filename."
  • -oG [Filename]: Highly useful, as it causes Nmap to store its results in a greppable format.
  • -oX [Filename]: Causes Nmap to place its results in XML format, which may be used as an import option for other tools.
  • -oS [Filename]: TRY THIS ONE YOURSELF.
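The -oG format is worth parsing yourself because it is one line per host, which makes scan-over-scan comparison easy. The following Python is an added example (not from the article, and not Nmap's own code) that parses greppable output and reports ports that are open now but were not open in a baseline scan, the kind of check a defender runs against their own hosts. The two scan snippets are constructed samples in the -oG layout; the hosts and services in them are made up.

```python
"""Parse Nmap greppable (-oG) output and diff two scans for newly exposed ports.
Added example; the sample scans below are constructed, not real output."""
from typing import Dict, Set, Tuple

Port = Tuple[int, str]   # (port number, protocol)

# Constructed baseline scan in -oG layout: one 'Status' line and one 'Ports'
# line per host, fields separated by tabs.
BASELINE_GNMAP = (
    "# Nmap scan initiated (constructed sample, not real output)\n"
    "Host: 10.0.0.5 (web.example.test)\tStatus: Up\n"
    "Host: 10.0.0.5 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
)

# Constructed later scan: a database port has appeared on the web host and a
# new host answers on 445.
LATEST_GNMAP = (
    "Host: 10.0.0.5 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx/, 3306/open/tcp//mysql//MySQL 8.0/\tIgnored State: filtered (997)\n"
    "Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\n"
)


def parse_gnmap(text: str) -> Dict[str, Dict[Port, dict]]:
    """Return {host_ip: {(port, proto): {state, service, version}}}.
    Each entry in the Ports: field is 'port/state/proto/owner/service/rpc info/version/'."""
    hosts: Dict[str, Dict[Port, dict]] = {}
    for line in text.splitlines():
        if line.startswith("#") or "Ports:" not in line:
            continue   # comment lines and 'Status: Up' lines carry no port data
        fields = dict(part.split(": ", 1) for part in line.split("\t") if ": " in part)
        ip = fields["Host"].split()[0]
        entries: Dict[Port, dict] = {}
        for entry in fields["Ports"].split(","):
            parts = entry.strip().split("/", 6)
            if len(parts) < 7:
                continue   # malformed entry: skip rather than guess
            port, state, proto, _owner, service, _rpc, version = parts
            entries[(int(port), proto)] = {
                "state": state,
                "service": service,
                "version": version.rstrip("/"),
            }
        hosts[ip] = entries
    return hosts


def open_ports(scan: Dict[str, Dict[Port, dict]]) -> Dict[str, Set[Port]]:
    """Reduce a parsed scan to the set of open (port, proto) pairs per host."""
    return {ip: {p for p, info in ports.items() if info["state"] == "open"}
            for ip, ports in scan.items()}


def newly_exposed(baseline_text: str, latest_text: str) -> Dict[str, Set[Port]]:
    """Open ports in the latest scan that were not open in the baseline, per host.
    A host absent from the baseline reports all of its open ports."""
    before = open_ports(parse_gnmap(baseline_text))
    after = open_ports(parse_gnmap(latest_text))
    diff: Dict[str, Set[Port]] = {}
    for ip, ports in after.items():
        new = ports - before.get(ip, set())
        if new:
            diff[ip] = new
    return diff


if __name__ == "__main__":
    for ip, ports in sorted(newly_exposed(BASELINE_GNMAP, LATEST_GNMAP).items()):
        listing = ", ".join(f"{p}/{proto}" for p, proto in sorted(ports))
        print(f"{ip}: newly open {listing}")
```

Ports that were closed or filtered in the baseline and are open now show up, as do all open ports on a host the baseline never saw, which is exactly the change a periodic scan of your own address space should raise for investigation.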

Thanks for reading this article, I hope you liked it. School has been kinda hectic and I had exams, so this article is my comeback after not writing for a while. If you liked it, please share it, and if you have any questions, find me on Twitter @k4b00m.

The awesome GIF used in this article is called "Cupid Penetration" and was created by VET ORSO.