Port scanning, the act of identifying open ports on a target system, is the next step in defining the attack surface of a target computer, and it is most often carried out by hackers for malicious purposes. Port scanning is one of the most popular techniques attackers use to discover services that they can exploit to break into systems. Port scanning has legitimate uses in managing networks, but it can also be malicious in nature if someone is looking for a weak access point to break into your computer. Although port scanning isn’t inherently hostile, it is often the first step of reconnaissance used by hackers when trying to infiltrate a network or steal or destroy sensitive data. Cybercriminals use a port scanner to find potential weak points they could exploit, by placing malware or a Trojan on that system, or to use that computer to connect to other systems in your network.
Types of Port Scans
- TCP connect scanning – TCP connect scanning is the most basic form of TCP scanning. The connect() system call provided by the operating system is used to open a full connection to each port of interest on the target machine. If the port is listening, connect() succeeds; otherwise the connection attempt fails and the port is reported as not reachable.
- TCP SYN scanning – SYN scan is the default and most popular scan option for good reason. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy, since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms, as Nmap’s FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.
- TCP FIN scan – Similar to a SYN|ACK scan, except that a FIN flag is sent to the target. Closed ports are required to reply to the probe packet with RST, while open ports must ignore the packet in question. This scan attempts to exploit a weakness in the BSD TCP code. Since many operating systems are based on or derived from BSD, this was a scan that could return good results. However, most operating systems have applied patches to correct the problem, though there remains a possibility that the attacker may come across one where these patches have not been applied.
- Fragmentation scanning – Fragmentation scanning is performed to evade firewalls and other packet-filtering devices by sending the TCP header split across small fragments, which may confuse the firewalls and other devices when processing packets. While many firewalls can queue the fragments for reassembly, this type of scanning can consume the processing power of the victim host or of the devices in front of the victim IP addresses.
- UDP port scanning – Despite the natural tendency to overlook UDP services, it is absolutely critical that these services be enumerated to acquire a complete understanding of the attack surface of any given target. UDP scanning can often be challenging, tedious, and time-consuming. The first three recipes in this chapter will cover how to perform a UDP port scan with different tools in Kali Linux.
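The stealth of a SYN scan comes from never completing the handshake, so from the defender's side its footprint is one source address touching many distinct destination ports in a short window. The following example, added here and not part of the original text, shows a detection for that pattern over constructed firewall log lines written in the style of the Linux netfilter LOG target (the addresses, timestamps and threshold values are made-up assumptions, not real traffic):

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic): 198.51.100.7 sweeps twelve
# distinct ports on 192.0.2.10 within a few seconds, while 203.0.113.4
# only talks to port 443, which is ordinary client behaviour.
SAMPLE_LOG = """\
Mar 12 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 12 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 12 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Mar 12 10:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Mar 12 10:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Mar 12 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=53 SYN
Mar 12 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
Mar 12 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=80 SYN
Mar 12 10:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=110 SYN
Mar 12 10:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=135 SYN
Mar 12 10:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=443 SYN
Mar 12 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40009 DPT=139 SYN
Mar 12 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40010 DPT=143 SYN
Mar 12 10:00:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=443 SYN
Mar 12 10:00:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40012 DPT=445 SYN
"""

# Fields we need from a netfilter-style line: syslog timestamp, SRC, DST, PROTO, DPT.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; relative ordering is all the detector needs.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dport": int(m.group("dport"))}


def detect_port_sweeps(lines, window_seconds=10, port_threshold=10):
    """Flag (src, dst) pairs that touch >= port_threshold distinct destination
    ports within any sliding window of window_seconds. Returns a list of
    (src, dst, max_distinct_ports_seen_in_window) alerts."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, dport)
    alerts = {}
    for e in events:
        key = (e["src"], e["dst"])
        q = recent[key]
        q.append((e["ts"], e["dport"]))
        # Drop entries that have fallen out of the sliding window.
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= port_threshold:
            alerts[key] = max(alerts.get(key, 0), len(distinct))
    return [(src, dst, n) for (src, dst), n in alerts.items()]


if __name__ == "__main__":
    for src, dst, n in detect_port_sweeps(SAMPLE_LOG.splitlines()):
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports in window")
```

The thresholds are deliberately low so the constructed sample trips them; on a real perimeter, tune the window and port count against your baseline, and treat repeated hits on one port (the 203.0.113.4 traffic above) as something other than a sweep, since that pattern is normal for clients.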
Methods of Port Scanning
Now that the network scan has been completed and a list of available hosts has been compiled, a port scan can be used to identify the services in use on specific ports of the available hosts. Port scanning will typically classify ports into one of three categories:
- Open: The target host responds with a packet indicating that it is listening on that port. This also indicates that the transport protocol used for the scan (typically TCP or UDP) is in use on that port.
- Closed: The target host receives the request packet but responds with a reply indicating that there is no service listening on that port.
- Filtered: A port scan will categorize a port as filtered when a request packet is sent but no reply is received. This typically indicates that the request packet has been filtered out and dropped by a firewall.
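The three states above map directly onto what a connect() probe observes: a completed handshake (open), a refused connection (closed), or no answer before the timeout (filtered). The following example is added here and is not code from the original text; it probes a host's TCP ports with the connect() technique described earlier and compares the open set against an allow-list, which is how a defender would use the same classification to audit their own hosts for services that should not be exposed. The helper names, the loopback target and the allow-list are assumptions for the demonstration.

```python
import errno
import socket


def probe_tcp_port(host, port, timeout=1.0):
    """Classify one TCP port using a full connect(): 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"                     # handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"                   # host answered with RST: nothing listening
        except socket.timeout:
            return "filtered"                 # no reply at all: probe likely dropped
        except OSError as e:
            # No route to the host is also "no answer" from the scanner's point of view.
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def audit_host(host, ports, allowed_open):
    """Probe every port in `ports`; return (results, unexpected_open) where
    unexpected_open lists ports found open that are not in the allow-list."""
    results = {p: probe_tcp_port(host, p) for p in ports}
    unexpected = sorted(p for p, state in results.items()
                        if state == "open" and p not in allowed_open)
    return results, unexpected


def start_local_listener():
    """Bind a listening socket on loopback at an OS-chosen port so the audit
    has a known-open port to find (constructed for the demonstration)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, listening_port = start_local_listener()
    try:
        # Hypothetical allow-list: an empty set, so any open port is a finding.
        results, unexpected = audit_host("127.0.0.1", [listening_port], allowed_open=set())
        for port, state in results.items():
            print(f"127.0.0.1:{port} -> {state}")
        if unexpected:
            print("open ports not on the allow-list:", unexpected)
    finally:
        srv.close()
    # Once the listener is gone, the same port is refused, i.e. 'closed'.
    print(f"after close: {probe_tcp_port('127.0.0.1', listening_port)}")
```

Note that a full connect() is the noisiest of the techniques listed: every probe completes the handshake, so the target's service logs and accept() calls see it, which is exactly why it is a reasonable choice for auditing your own hosts and why attackers prefer the half-open SYN scan. The "filtered" verdict is inferred from silence, so a slow network or an aggressive timeout can produce it for ports that are really closed.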