Port Scanning is the next phase in an Ethical Hacking Reconnaissance Plan and follows on from the footprinting phase.
Traditional ethical hacking plans have ‘Scanning’ follow ‘Reconnaissance’ which is quite confusing. The key differentiation to take note of here is the contrast between port scanning and vulnerability scanning.
Port scanning is a reconnaissance activity as it assists us in identifying the services the target is running. For example, if a port scan reveals port 80 TCP is open we know there is a web service running on a target device. Vulnerability scanning takes this one step further. In a vulnerability scan we use automated tools to scan specific applications and services for known vulnerabilities. So, to be clear, ‘Port Scanning’ is a reconnaissance scanning activity. ‘Vulnerability Scanning’ generally takes place during the next phase of reconnaissance which is the Enumeration phase.
The primary goal of the port scanning phase is to identify open ports. This information is used to enumerate the target during the next phase of reconnaissance.
Here is a summary of the commands used in the detailed descriptions below, in the event you do not want to read the rest of this post:
Nmap Scan Types
SYN / Stealth Scan = nmap -sS –top-ports 1000 <Target IP>
Connect Scan = nmap -sT –top-ports 1000 <Target IP>
UDP Scan = nmap -sU –top-ports 1000 <Target IP>
NULL Scan = nmap -sN –top-ports 1000 <Target IP>
FIN Scan = nmap -sF –top-ports 1000 <Target IP>
Xmas Scan = nmap -sX –top-ports 1000 <Target IP>
nmap Scan Types Detailed
We have already covered two primary tools used in a port scanning activity, nmap and masscan. In this blog post we will delve deeper into nmap and look at the different scans one can perform to identify services running on a target network.
nmap scan types
There are several different nmap scans which one can utilise to identify open ports on target devices. The full list can be found on the nmap website under the section port scanning techniques. In this post I will only highlight the more popular scan types. It is always a good idea to know that other scan types exist and how they can be used to circumvent security measures such as Intrusion Detection Systems (IDSs) or help identify ports that regular scans would not pick up.
TCP SYN scan -sS
The TCP SYN scan is the most popular scan. It is semi-stealthy in that it does not complete the full TCP handshake and extremely fast allowing you to scan thousands of ports per second. To run a TCP SYN scan use the -sS switch as per the example below where we are running a scan on the top 1,000 TCP ports.
nmap -sS –top-ports 1000 <Target IP>
TCP connect scan -sT
The TCP Connect scan makes a full TCP connection to the target i.e. it completes the TCP three-way handshake. As this is a full connection it is not as stealthy as the SYN scan and is only used if the TCP SYN scan is not an option or is not returning any results. A TCP connect scan uses the -sT switch as shown below where we are running a scan on the top 1,000 TCP ports as we did for the SYN scan.
nmap -sT –top-ports 1000 <Target IP>
UDP scan – sU
Although many services run on the TCP protocol one must not neglect to scan for open UDP ports on target devices to ensure you obtain as much information about the target as possible. Services such as DNS, DHCP and even VPN’s run on UDP so scanning for open UDP ports is an important step during the reconnaissance phase. The nmap switch for a UDP scan is -sU and below is an example of the nmap syntax to run a UDP scan on the top 1,000 ports.
nmap -sU –top-ports 1000 <Target IP>
NULL (-sN), FIN(-sF) and Xmas(-sX) Scans
NULL, FIN and Xmas Scans take advantage of specifications stated in the TCP RFC. In essence, when scanning targets with a SYN, RST or ACK bit set on the packet, a compliant TCP system will return a RST if the port is closed and nothing id the port is open. Below are examples of the nmap syntax for these scan types for the top 1,000 ports.
NULL = nmap -sN –top-ports 1000 <Target IP>
FIN = nmap -sF –top-ports 1000 <Target IP>
Xmas = nmap -sX –top-ports 1000 <Target IP>