Port Scanning - Service and OS Discovery
Find out what services are running on a particular target host.
Discovery of open ports and services can be performed via various port scanning techniques. Administrators often use port scanning techniques to verify the security policies of their networks, whereas attackers use them to identify open ports and running services on a host with the intent of compromising the network.
At the risk of oversimplification, we can classify ports in two states:
Open port indicates that there is some service listening on that port.
Closed port indicates that there is no service listening on that port.
However, in practical situations, we need to consider the impact of firewalls. For instance, a port might be open, but a firewall might be blocking the packets.
Nmap port states
Nmap considers the following six states:
Open: indicates that a service is listening on the specified port.
Closed: indicates that no service is listening on the specified port, although the port is accessible. By accessible, we mean that it is reachable and is not blocked by a firewall or other security appliances/programs.
Filtered: means that Nmap cannot determine if the port is open or closed because the port is not accessible. This state is usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets may be blocked from reaching the port; alternatively, the responses are blocked from reaching Nmap’s host.
Unfiltered: means that Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan
-sA.Open|Filtered: This means that Nmap cannot determine whether the port is open or filtered.
Closed|Filtered: This means that Nmap cannot decide whether a port is closed or filtered.
| Option | Purpose |
|---|---|
| all ports |
| scan ports 1 to 1023 |
| 100 most common ports |
| scan ports in consecutive order |
| -T0 being the slowest and T5 the fastest |
| rate <= 50 packets/sec |
| rate >= 15 packets/sec |
| at least 100 probes in parallel |
You might consider adding --reason if you want Nmap to provide more details regarding its reasoning and conclusions.
Service Version Discovery: the -sV option is used to detect service versions.
-sV option is used to detect service versions.You can control the intensity with --version-intensity LEVEL where the level ranges between 0, the lightest, and 9, the most complete. -sV --version-light has an intensity of 2, while -sV --version-all has an intensity of 9.
It is important to note that using -sV will force Nmap to proceed with the TCP 3-way handshake and establish the connection. The connection establishment is necessary because Nmap cannot discover the version without establishing a connection fully and communicating with the listening service. In other words, stealth SYN scan -sS is not possible when -sV option is chosen.
TCP Connect/Full-Open Scan
Sends in SYN packets for request. If SYN+ACK packet response - Port is open. If RST packet response - Port is closed.
Disadvantage: Easily detectable and filterable. The logs in the target system disclose the connection.
Stealth Scan (Half-Open Scan)
Sends in a single SYN packet. Bypasses firewall rules and logging mechanisms.
Inverse TCP Flag Scan
Sends in a probe packet (FIN/URG/PSH/NULL). If no response is received port is open. If RST packet response is received port is closed. Avoids many IDS and logging systems; highly stealthy.
Disadvantage: Not effective against Microsoft Windows hosts, in particular.
The -sF flag is used for FIN scan and -sN is for NULL scan.
Xmas Scan
Avoids IDS and the TCP three-way handshake. Sends a probe packet (FIN + URG + PSH). No response - Port is open. RST packet response - Port is closed. Works only when systems are compliant with the RFC 793–based TCP/IP implementation and the Unix platform only.
ACK Scanning
Can evade IDS in most cases Helps in checking the filtering systems of target networks. But it can be extremely slow and can exploit only older OSes with vulnerable BSD-derived TCP/IP stacks.
ACK Flag Probe Scan |
| ACK probe packets |
|
TTL-Based ACK Flag Probe Scan |
| ACK probe packets (several thousands) to different TCP ports |
|
Window-Based ACK Flag Probe Scan |
| ACK probe packets (several thousands) to different TCP ports |
|
TCP Maimon Scan
Uriel Maimon first described this scan in 1996. In this scan, the FIN and ACK bits are set. The target should send an RST packet as a response. However, certain BSD-derived systems drop the packet if it is an open port exposing the open ports. This scan won’t work on most targets encountered in modern networks.
To select this scan type, use the -sM option.
Null, FIN, and Xmas scan provoke a response from closed ports, while Maimon, ACK, and Window scans provoke a response from open and closed ports.
UDP Scan
Less informal with regard to an open port because there is no overhead of a TCP handshake. Microsoft-based OSes do not usually implement any ICMP rate limiting; hence, this scan operates very efficiently on Windows-based devices.
SCTP Scans
SCTP INIT Scan
Sends a INIT chunk. An INIT scan is performed quickly by scanning thousands of ports per second on a fast network not obstructed by a firewall, offering a strong sense of security. Can clearly differentiate between various ports such as open, closed, and filtered states.
INIT+ACK chunk - Port is open. ICMP unreachable exception - Port is filtered. ABORT chunk - Port is closed
SCTP Cookie ECHO Scan
Sends in a COOKIE ECHO chunk. The COOKIE ECHO chunk is not blocked by non-stateful firewall rule sets. Only an advanced IDS can detect an SCTP COOKIE ECHO scan. No response Port is open ABORT chunk Port is closed.
Cannot differentiate clearly between open and filtered ports, showing the output as open filtered in both cases.
OS Discovery
Based on TTL
| Operating System | Time To Live | TCP Window Size |
|---|---|---|
Linux | 64 | 5840 |
FreeBSD | 64 | 65535 |
OpenBSD | 255 | 16384 |
Windows | 128 | 65,535 bytes to 1 Gigabyte |
Cisco Routers | 255 | 4128 |
Solaris | 255 | 8760 |
AIX | 255 | 16384 |
Wireshark or unicornscan can be used to find the TTL and derive the OS being used by the target.
Nmap
In Nmap, the -O option is used to perform OS discovery, providing OS details of the target machine.
The nmap scripting engine can also be used to find OS versions based on certain services like SMB. For example, in Nmap, smb-os-discovery is an inbuilt script that can be used for collecting OS information on the target machine through the SMB protocol.
Scripting with Nmap
A part of Nmap, Nmap Scripting Engine (NSE) is a Lua interpreter that allows Nmap to execute Nmap scripts written in Lua language.
The --script option is used to specify the category or script name.
| Script Category | Description |
|---|---|
| Authentication related scripts |
| Discover hosts by sending broadcast messages |
| Performs brute-force password auditing against logins |
| Default scripts, same as |
| Retrieve accessible information, such as database tables and DNS names |
| Detects servers vulnerable to Denial of Service (DoS) |
| Attempts to exploit various vulnerable services |
| Checks using a third-party service, such as Geoplugin and Virustotal |
| Launch fuzzing attacks |
| Intrusive scripts such as brute-force attacks and exploitation |
| Scans for backdoors |
| Safe scripts that won’t crash the target |
| Retrieve service versions |
| Checks for vulnerabilities or exploit vulnerable services |
Recap
| Port Scan Type | Example Command |
|---|---|
TCP Null Scan |
|
TCP FIN Scan |
|
TCP Xmas Scan |
|
TCP Maimon Scan |
|
TCP ACK Scan |
|
TCP Window Scan |
|
Custom TCP Scan |
|
Spoofed Source IP |
|
Spoofed MAC Address |
|
Decoy Scan |
|
Idle (Zombie) Scan |
|
Fragment IP data into 8 bytes |
|
Fragment IP data into 16 bytes |
|
| Option | Purpose |
|---|---|
| specify source port number |
| append random data to reach given length |
| Option | Purpose |
|---|---|
| explains how Nmap made its conclusion |
| verbose |
| very verbose |
| debugging |
| more details for debugging |
Last updated
