The first step in vulnerability assessment is to define the scope (“Pre-engagement,” n.d.). After the scope is defined, the next step is information gathering, which defines the intelligence gathering activities of a vulnerability test. Depending on the scope of the engagement, there are many aspects to performing reconnaissance. In this post, I address active footprinting using basic port scanning with Nmap (“Intelligence Gathering,” n.d.) (See my Nmap Cheat Sheet).
Developed by Gordon “Fyodor” Lyon Nmap (“Network Mapper”) is the industry standard for port scanning. Port scanning is an important step in vulnerability assessment because it determines which ports are open and services a host is running. Today’s firewalls and intrusion prevention systems (IPS) often block port scan traffic, which makes external penetrating much more difficult. This post assumes an internal pentest against one host called “Metasploitable” (See my post Six Steps to Install Metasploitable in VirtualBox). There are many nmap port scanning techniques. In this post, we will cover the three most popular nmap port scans the SYN Scan, The TCP Connect Scan, and the UDP Scan.
What is a Port?
There are physical and logical ports. For instance, physical ports are the hardware ports that you find on the side or back of your computer, and you use to connect devices (e.g., USB port). From an application layer perspective, logical ports are virtual ports opened in software that a client (e.g., Windows 10) or a server (Windows 2016) use to communicate with each other across a network. In this example, an Internet Protocol (IP) network.
Service names and port numbers are used to distinguish between different service (“Service Name,” n.a.). Each port (AKA service) is assigned a number. Port numbers range from 0 to 65535, but port numbers 0 to 1024 are reserved for privileged services and designated as well-known ports. RFC 1700 specifies the list of port numbers.
Port States According to Nmap
Nmap see ports as either open, closed, filtered, unfiltered, open/filtered, or closed/filtered. For this post I will address open, closed, and filtered (“Port Scanning,” n.d.):
- open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations.
- closed: A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it.
- filtered: Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software.
TCP Three-Way Handshake Basics (SYN, SYN-ACK, ACK)
There are two types of Internet Protocol (IP) traffic. They are the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is connection oriented. UDP is not. To communicate, TCP establishes first exchanges setup information between a client and a serve. Data can flow bidirectionally, once a connection is established, UDP is a connectionless Internet Protocol. UDP does not need to exchange setup information between a client and a server to establish a connection. UDP can send a message from one endpoint to another without prior arrangement.
As mentioned above, from an application layer perspective, client and servers communicate via virtual ports. The Transmission Control Protocol (TCP) is the language they use to establish a Connection oriented conversation across an Internet Protocol (IP) network. TCP allows one side (i.e., the client) to request that a connection be established and the other side (i.e., the server) to accept the request and setup a connection or not. As mentioned above, from an application layer perspective, the side that makes the request is the client, and the side that accepts the request and or not is the server.
In this client-server example, the TCP Three-Way Handshake begins when a client sends a TCP segment with the SYN control bit flag set to the server. This is the first step in a TCP Three-Way Handshake. Based on the RFC 793, if a server port is open and listening to the server is able it will respond with an SYN/ACK (i.e., Request-Acknowledgment), acknowledging that it has received the request and is ready to connect. This is the second step in a TCP Three-Way Handshake. Next, the client responds with an ACK (i.e., Request-Confirmation) and the connection is established. If the server port is closed and not listening, it sends an RST (reset) to the client. These are the basics of a TCP Three-Way Handshake.
There are three basic Nmap port scanning techniques. The first is called the TCP SYN scan. The second is called the TCP connect scan. The third is called the UDP scan. From a penetration testing perspective, the purpose of these scans is to identify which ports are open and services are running a target system (In our case Metasploitable), to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases.
Nmap TCP SYN Scan (-sS)
This is the default and most popular Nmap scan. It is called the half-open scan because it only completes the first two steps of the TCP Three-Way Handshake (See above). Nmap sends a TCP segment with the SYN control bit flag set to the target to request a connection. Based on the RFC, if the target’s port is open (i.e., listening) it responds with an SYN/ACK, or if it is closed an RST (reset). Either way, Nmap does not send the final ACK to establish a connection to complete the TCP Three-Way Handshake. Finally, if no response is received, Nmap marks the port as filtered. The Nmap TCP SYN scan is fast and more “stealthy” than other scanning methods since it does not complete the TCP Three-Way Handshake and establish a connection.
Nmap TCP Connect Scan (-sT)
According to Fyodor, the TCP connect scan is the default TCP scan type when SYN scan is not an option. Nmap’s TCP Connect Scan (-sT) is a full-connection scan, meaning that it completes the TCP 3-Way Handshake (SYN,SYN-ACK,ACK). This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. When SYN scan is available, it is usually a better choice (“Port Scanning Techniques,” n.d.).
Nmap UDP Scan (-sU)
The most popular Internet services run over the TCP, services that use UDP are also in use (e.g., DNS Port 53 UDP). Many security professional or auditors ignore these ports.
NOTE: Security Scanning Rule #1: Do not scan networks or hosts you do not have implicit permission to scan. We recommend that you seek legal advice from an attorney before doing security scanning. Proceed at your own risk.
The Scanme.Nmap.Org run by Nmap has setup a server to help folks learn about Nmap. According to Fyodor “You are authorized to scan this machine with Nmap or other port scanners. Try not to hammer on the server too hard. A few scans in a day is fine, but don’t scan 100 times a day or use this site to test your ssh brute-force password cracking tool” (“scanme.nmap.org,” n.d.).
First, I run an Nmap TCP SYN Scan (-sS). But because we are working as a non-privilege user I do not have raw packet privileges, I am not allowed to run the scan:
$ nmap -T4 -sS <target>
So I use sudo to run Nmap with root privileges. To learn sudo see my blog post “How to Configure Kali Linux sudo Access”:
$ sudo nmap -T4 -sS <target>
Figure 2: Nmap TCP SYN Scan
By default Nmap scan the top 1000 ports for each protocol (“Port Specification,” n.d.), which are specified in the nmap-services file. According to Fyodor “This file was originally based off the IANA assigned ports list at http://www.iana.org/assignments/port-numbers, though many other ports have been added over the years. The IANA does not track trojans, worms and the like, yet discovering them is important for many Nmap users” (“Well Known Port List,” n.d.)
I open Wireshark to capture the traffic. First, we see a TCP segment with the SYN control bit flag set to 1 from my Kali box to scame.nmap.org IP address 184.108.40.206 to destination port 1. Because port 1 is closed, scame.nmap.org IP address 220.127.116.11 responds with a RST:
But since port 22 is open we see SYN, SYN-ACK, RST and Nmap records the port as open and service as SSH (See Figure 2 above):
Second, I run an Nmap TCP Connect Scan (-sT):
Third, I run an Nmap UDP scan and find more open ports and services:
Note: -T4 is one of Nmap’s timing options. If you are on a decent broadband network and stealth (e.g., low slow scanning) Fyodor recommends using T4 (“Timing,” n.d.).
Finally, I turn our attention to the Metasploitable target. We combine the the TCP SYN scan and the UDP scan options and add the port specification option to make sure we scan all ports (“Port Specification,” n.d.). I issue this command (“Option summary,” n.d):
$ sudo nmap -n -T4 -sS -sU -r p1-65535 <target>
Then option instructs Nmap not to resolve DNS. The -T4 option tells Nmap to use Aggressive timing. The -sS asks Nmap to use the SYN Scan for TCP. The -sU option instructs Nmap to scan for UDP. The -r option tells Nmap to scan the ports in order (rather than randomly which it Nmap’s default). The -p option asks Nmap to scan all 65535 ports. Below are the TCP and UDP ports we find open and the services listening on Metasploitable 2. This scan took 18 hours:
About the Author
David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver Colorado. Regis University’s School of Computer & Information Sciences, designated as a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations ISSA, OWASP, CSA, among others.
Intelligence gathering. (n.d.). Retrieved October 14th, 2017 from http://www.pentest-standard.org/index.php/Intelligence_Gathering
Port scanning basics. (n.d.). Retrieved October 14th, 2017 from https://nmap.org/book/man-port-scanning-basics.html
Port scanning techniques. (n.d.). Retrieved October 14th, 2017 https://nmap.org/book/man-port-scanning-techniques.html
Port specification and scan order. (n.d.). Retrieved October 14th, 2017 https://nmap.org/book/man-port-specification.html
Pre-engagement. (n.d.). Retrieved October 14th, 2017 from http://www.pentest-standard.org/index.php/Pre-engagement
Options summary. (n.d.). Retrieved October 15th, 2017 from https://nmap.org/book/man-briefoptions.html
scanme.nmap.org. (n.d.). Retrieved October 14th, 2017 from http://scanme.nmap.org/
Service name and transport protocol port number registry. Retrieved October 14th, 2017 from https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
Timing and Performance. (n.d.). Retrieved October 14th, 2017 from https://nmap.org/book/man-performance.html
Well known port list: nmap-services. (n.d.). Retrieved October 14th, 2017 from https://nmap.org/book/nmap-services.html