Port Scanning - PowerPoint PPT Presentation

About This Presentation

Title: Port Scanning

Description: Echo: 7/tcp, ftp-data: 20/udp. Non-standard ports: 1023 and above. Yahoo: 5010 Yahoo! Messenger. Port scanning techniques. Vanilla: simplest form of port scan. ... (PowerPoint PPT presentation)

Slides: 13
Provided by: cat973
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes


1
Port Scanning
  • Yiqian Zhang
  • CS 265 Project

2
What is Port Scanning?
  • Port scanning is equivalent to knocking on the
    walls to find all the doors and windows.
  • Determine what systems are listening and reachable
    from the Internet.
  • Analyze the underlying weaknesses.
  • Note the weaknesses found for later use.

3
Port Numbers
  • Well-known ports: 0-1023
  • Examples: echo 7/tcp, ftp-data 20/udp
  • Non-standard ports: 1023 and above
  • Example: Yahoo! Messenger 5010

4
Port Scanning Techniques
  • Vanilla
  • The simplest form of port scan.
  • Tries each of the 65535 ports on the victim by
    sending a carefully constructed packet with a
    chosen port number.

5
Stealth Scan
  • Port scanning is easily logged by the services
    listening on the ports.
  • A stealth scan is designed to go undetected by
    auditing tools, for example by scanning at a
    slow pace.
  • Inverse mapping: "host unreachable" ICMP messages
    are generated for IPs that do not exist.

6
TCP Scanner
  • TCP connect scan
  • Completes a full three-way handshake.
  • TCP SYN scan
  • Half-open scanning: only a SYN packet is sent.
  • A listening target responds with a SYN/ACK.
  • A non-listening target responds with a RST.
  • TCP FIN scan
  • The scanner sends a FIN packet.
  • Closed ports reply with a RST.
  • Open ports ignore the packet entirely.

7
Bounce Scans
  • The ability to hide tracks is important to
    attackers.
  • FTP bounce scan
  • Allows the hacker to force the FTP server to do
    the port scan and send back the results. Bouncing
    through an FTP server hides where the attacker
    comes from.
  • The advantage of this approach is that it is
    harder to trace; the disadvantage is that it is
    slow.

8
UDP Scanning
  • In order to find UDP ports, the attacker
    generally sends empty UDP datagrams.
  • If the port is listening, the service should send
    back an error message or ignore the incoming
    datagram.
  • If the port is closed, most operating systems
    send back an "ICMP Port Unreachable" message.
    This determines which ports are open.
  • Neither UDP packets nor the ICMP errors are
    guaranteed to arrive, so UDP scanners must also
    implement retransmission of packets that appear
    to be lost.
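Slide 5 notes that scanning is easily logged, and slides 6 and 8 describe what SYN, FIN and UDP probes look like on the wire. The following added example (not part of the original slides) shows the defender's side: a small Python detector that reads constructed iptables-style firewall log lines, counts how many distinct destination ports each source touches within a sliding time window, and labels the pattern with the technique from the slides it most resembles. The log format, the 10-port/60-second threshold and all addresses are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an iptables-style format (not captured traffic):
# 203.0.113.5 sends SYN-only probes to twelve ports in a few seconds,
# 198.51.100.7 is a normal client completing one connection to port 443.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T10:00:{i:02d} SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT={p} FLAGS=SYN"
     for i, p in enumerate(range(20, 32))]
    + ["2024-03-01T10:05:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=SYN",
       "2024-03-01T10:05:01 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=ACK",
       "garbage line that must be skipped by the parser"])

LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=\S+ PROTO=(?P<proto>TCP|UDP) "
                     r"DPT=(?P<dport>\d+)(?: FLAGS=(?P<flags>\S+))?$")

def parse_line(line):
    """Return (timestamp, src, proto, dport, flags) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["proto"], int(m["dport"]), m["flags"] or ""

def classify(protos, flags):
    """Name the slide technique the probe pattern resembles (slides 6 and 8)."""
    if protos == {"UDP"}:
        return "UDP probe"
    if flags == {"SYN"}:
        return "TCP SYN (half-open) scan"
    return "TCP FIN scan" if flags == {"FIN"} else "TCP connect or mixed"

def detect_scans(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src: (peak distinct ports within `window`, technique)} for sources over threshold."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_src[rec[1]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        # Sliding window: distinct destination ports touched within `window` of each probe.
        peak = max(len({r[3] for r in recs[i:] if r[0] - t0 <= window})
                   for i, (t0, *_) in enumerate(recs))
        if peak >= threshold:
            alerts[src] = (peak, classify({r[2] for r in recs}, {r[4] for r in recs}))
    return alerts
```

Running `detect_scans(SAMPLE_LOG)` flags only 203.0.113.5 (12 distinct ports, SYN-only), while the single connection from 198.51.100.7 stays below the threshold.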

9
Port Scanning Tools
  • Strobe
  • TCP port scanning utility.
  • One of the fastest and most reliable TCP scanners
    available.
  • Only looks for those services the attacker
    knows how to exploit.
  • Command: strobe 192.168.1.10
  • Output: 192.168.1.10 ssh 22/tcp secure shell

10
Port Scanning Tools
  • nmap
  • Widely known port scanner.
  • Utility for port scanning large networks,
    although it works fine for single hosts.
  • The guiding philosophy for the creation of nmap
    was TMTOWTDI (There's More Than One Way To Do
    It).
  • Command: nmap -sS 192.168.1.1
  • Output:
      Port  State  Protocol  Service
      21    open   tcp       ftp

11
Port Scanning Tools
  • netcat
  • The Swiss army knife in our security toolkit.
  • Provides basic TCP and UDP port scanning
    capabilities. By default, netcat uses TCP ports,
    so for UDP scanning we need to specify the -u
    option. For example,
  • Command: netcat -v -z -w2 192.168.1.1 1-140
  • Output: 192.168.1.1 25 (smtp) open

12
Conclusion
  • Port scanning has legitimate uses in managing networks.
  • Can also be malicious in nature if someone is
    looking for a weakened access point to break into
    your computer.
  • It is rude to scan someone else's hosts or
    networks without the explicit permission of the
    owner.
  • Always ask if it'd be okay to scan outside of
    your own networks.