Basics: Port Scanning.

swine_flu
n00b
Posts: 4
Joined: Wed Nov 18, 2009 12:17 am

Basics: Port Scanning.

Post by swine_flu » Tue Nov 24, 2009 4:43 am

Hey HTD0rg, this is my first guide-thingy I've ever written on anything. This is really just meant to help n00bs like myself understand what port scanning is. So here it goes. (ALSO: If anybody sees anything wrong with this, please PM me so I can change it!)

Originally posted on my blog: http://swin3flu.wordpress.com

Basics: Port scanning.

Here I will go into detail on port scanning. Below I will tell you what it is, the different types of scans you can use and how you can identify security holes.

First you need to know the basics.

TCP/IP:
The internet uses the Internet Protocol Suite, also known as TCP/IP as a means of communication. Hosts are referred to by an address. Services are referred to by ports. There are 65536 different usable port numbers, although most services use a small range of numbers.

To port scan a host, you first need to know its address. After you have the address of your host, you can decide which services you want to scan for.

Some port scanners, though, only scan for the most common services, or for the ports most commonly associated with vulnerable services.

Here is a list of TCP and UDP port numbers(and their assigned services):

http://en.wikipedia.org/wiki/List_of_TC ... rt_numbers

Say you wanted to scan a host to see if it has the FTP service running; your input would look like: 127.0.0.1 (address) 21 (the FTP service's assigned port)

The result of your scan would fall into one of three categories:

Open or Accepted: The host has sent a reply saying that a service is listening on the port.
Closed or Denied or Not Listening: The host sent a reply saying that connections are denied to the port.
Filtered, Dropped or Blocked: You received NO reply from the host.

What you are looking for is obviously an Open port. Why? Because this means that if there is a flaw (and there usually is) in the service listening on this open port, you can exploit it.

So now that you know the basics we can move on.

Some types of TCP scans:

TCP connect(): This is the basic form of the TCP scan, named after the UNIX “connect()” system call. This scan uses the connect() call to attempt to open a connection to a port on the host machine. If the port is Open, connect() will work; otherwise the port is Closed or Blocked. This type of scan is easily noticed (and blocked by a firewall) by the host, since logs will show a connection and an error message for each service that takes the connection and immediately closes it.

TCP SYN a.k.a. “half-open”: The reason it's also known as a “half-open” scan is because you don't actually open a full TCP connection. First you send a SYN packet; then a SYN|ACK will tell you the port is listening, or an RST will most likely mean it's not listening or Closed. So if you get a SYN|ACK back, you send an RST to close the connection. This type of scan isn't as noticeable as the previous one.

There are about 7 more types of port scan techniques other than these but there is no need for me to go into great detail seeing as this post is aimed at n00bs and I just wanted to get the general idea across.

General:
The information that can be gathered by using a port scan can be used for many things. For example, a network admin would use port scans to test the security of his network. But as we all know, it can also be used for more malicious purposes, like compromising the security of a network. A port scan is seen as the first step in most attacks.

Legal or Illegal?:
The question of “Is it illegal to port scan?” is a tricky one. It really depends where you are and who you are gathering information on, since the internet has an ‘open’ structure and isn't centralized in any one place. My advice is DO NOT port scan government servers with the intent of compromising them. Hey, if you have only good intentions, then what do you have to fear? But really, just follow that advice.

Some port scanning software:
NMAP – This is a multi-platform scanner with a lot of different scanning options. (I recommend this one and also that you read the user guide.)
ScanMeTender – Also multi-platform.
Superscan – Only for Windows.
Angry IP Scanner – Only for Windows.

Linkiography:
http://nmap.org/nmap_doc.html
http://nmap.org/book/man-port-scanning-basics.html
http://en.wikipedia.org/wiki/Port_scanning
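
Added example (editor's note: this is not code from the post above, nor from any of the scanners it lists). It is a small Python connect() scanner that sorts each port into the three result categories described above (Open / Closed / Filtered), plus the rule a SYN "half-open" scan uses to read the reply (SYN|ACK = open, RST = closed, nothing = filtered). Assumptions: the target is 127.0.0.1 with a listener the script opens itself for the "open" case and a freshly released ephemeral port for the "closed" case; 192.0.2.1 (an RFC 5737 TEST-NET address that is never routed) stands in for the "filtered" case. Sending raw SYN packets needs raw sockets and a tool like nmap, so the SYN part here only interprets the flags byte of a reply.

```python
"""Connect() port scan with open/closed/filtered classification, plus the
reply-interpretation rule of a SYN (half-open) scan.

Added example for the forum post; not code from the original post or from
nmap/SuperScan/etc. Targets below are chosen for an offline, local demo.
"""
import errno
import socket

# connect() errors that mean "no answer came back" from the scanner's point of view.
UNREACHABLE_ERRNOS = (errno.EHOSTUNREACH, errno.ENETUNREACH)

# TCP flag bits as laid out in the header's flags byte.
SYN, RST, ACK = 0x02, 0x04, 0x10


def classify_connect_error(exc):
    """Map the exception raised by connect() onto a scan state.

    The peer answered our SYN with RST  -> ECONNREFUSED      -> 'closed'
    Nothing came back before the timeout -> socket.timeout   -> 'filtered'
    No route to the host at all           -> EHOSTUNREACH/ENETUNREACH -> 'filtered'
    Anything else is a local problem, not a scan result, so it is re-raised.
    """
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    if isinstance(exc, OSError) and exc.errno in UNREACHABLE_ERRNOS:
        return "filtered"
    raise exc


def connect_scan_port(host, port, timeout=1.0):
    """Full three-way handshake via connect(). The server sees a complete
    connection that is immediately closed, which is why this scan is logged."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as exc:
            return classify_connect_error(exc)
        return "open"


def connect_scan(host, ports, timeout=1.0):
    """Scan several ports on one host; returns {port: state}."""
    return {p: connect_scan_port(host, p, timeout) for p in ports}


def syn_scan_state(flags):
    """Interpret the reply to a bare SYN in a half-open scan.

    flags is the TCP flags byte of the reply, or None when nothing came back.
    SYN|ACK -> 'open'  (a real scanner then sends RST so no connection is completed)
    RST     -> 'closed'
    None    -> 'filtered'
    """
    if flags is None:
        return "filtered"
    if flags & (SYN | ACK) == (SYN | ACK):
        return "open"
    if flags & RST:
        return "closed"
    return "unexpected"


def service_name(port, proto="tcp"):
    """Best-effort port -> service name from the local services table (/etc/services)."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "?"


def local_listener():
    """Open a listening socket on an ephemeral port so the demo has an 'open' port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def free_port():
    """Grab an ephemeral port and release it, so the demo has a 'closed' port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = local_listener()
    targets = (
        ("127.0.0.1", [srv.getsockname()[1], free_port(), 21]),
        ("192.0.2.1", [80]),  # TEST-NET-1: never routed, so it times out -> filtered
    )
    for host, ports in targets:
        for port, state in connect_scan(host, ports, timeout=0.5).items():
            print(f"{host}:{port:<5} {service_name(port):<8} {state}")
    srv.close()
```

Run it as a script and the local listener shows as open, the released port as closed, and the TEST-NET address as filtered; port 21 will be closed unless you actually run an FTP server on the box. Note that the "filtered" verdict is only "no reply within the timeout", so a slow link and a dropping firewall look identical to this scanner, which is the same ambiguity nmap reports as filtered.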

Aiden
Administrator
Posts: 1080
Joined: Tue Oct 31, 2006 11:11 pm
Location: /usr/bin/perl

Re: Basics: Port Scanning.

Post by Aiden » Tue Nov 24, 2009 4:51 am

Looks good for the basics, dude. You might want to expand further on the legitimate uses though. There's definitely more than just testing security. ;)

Moved to Networking Tutorials.
"When it takes forever to learn all the rules, no time is left for breaking them."

sr4k
n00b
Posts: 2
Joined: Sun Mar 28, 2010 9:47 am

Re: Basics: Port Scanning.

Post by sr4k » Mon Apr 05, 2010 7:03 pm

Good guide.
