SMT 2-5 Port Scan

00:00

in this video we will look at the port

00:02

scan techniques and practice

00:05

process Port scanning is a method of

00:08

determining whether the ports are open

00:10

or closed on a specific device of a

00:12

network finding an open port is

00:14

important because it serves as a conduit

00:16

for gaining access to the system Port

00:19

scanning is like knocking on all open

00:21

doors if a door opens it's a door that

00:24

you can use the way it works is simple

00:27

you can request a response to all ports

00:29

of

00:31

65,535 ports once and wait for the

00:34

response the reason for checking the

00:36

ports is to find any port that is opened

00:38

unintentionally by the administrator a

00:41

vulnerable Port left open for

00:43

convenience or a port on which the

00:45

vulnerable service is running an

00:47

attacker can navigate the attack surface

00:49

via port scan this reduces the attack

00:52

vector by only attacking open ports on

00:55

the other hand from the defender's point

00:57

of view a port search can help to

00:59

determine if there is an unintended

01:01

surface and take an action in

01:04

advance there are many tools that you

01:06

can use to scan the port and nmap is a

01:09

well-known tool for this nmap is an

01:11

open-source program that can check for

01:13

vulnerabilities in your network as well

01:15

as Port scanning the reason why nmap is

01:18

best known is that it is easy to acquire

01:20

as an open source program and so there

01:22

are many options and functions compared

01:24

to other tools Port scanning is simply

01:27

to check if the port is open and there

01:29

are many other resources and ways to do

01:30

it the reason why Port scans have

01:33

evolved in so many ways is in order to

01:35

avoid attack detection basic Port scans

01:37

can be tracked through logs Port

01:39

scanning has evolved in a way that

01:41

leaves no Trace these attacks that scan

01:43

a port without leaving a log or cold

01:46

stealth scans nmap supports these

01:48

different port scanning methods and is

01:50

available with simple

01:53

options however it is not recommended

01:55

that you try a commercial server that is

01:57

actually running when you're working

01:59

with mmap

02:00

a simple scan alone could even bring the

02:02

server down and scanning a

02:04

non-administrator port can be seen as an

02:06

attack in this curriculum we will show

02:09

you the practice process using

02:12

nmap I will proceed with the scanning

02:14

process in a separate virtual

02:16

environment if anyone wants to practice

02:19

please build a virtual environment of

02:21

your own and proceed only within your

02:22

own network if it is difficult to build

02:25

an environment please scan your device

02:27

using a loop pack IP is written in the

02:29

sub title as I said earlier scans of

02:32

commercial servers without proper

02:34

permission in advance can be seen as

02:36

attacks therefore be aware of external

02:39

scanning attacks now let's take a look

02:41

at the configuration of my environment

02:44

Target's IP address is 1 192 1 168 123

02:49

110 while the Hacker's IP address is 192

02:53

1 1681 123

02:56

106 the image below shows a list of

02:59

ports currently serving the target you

03:01

can check it with the netstat command

03:03

and with the nltp

03:06

option option n is the option to Output

03:09

a number of Port serviced option L is an

03:12

option that filters only the listening

03:14

State option T is an option that filters

03:17

only the TCP protocol option P prints

03:20

the program name associated with that

03:21

Port therefore the above result is a

03:24

port list that uses the TCP protocol

03:27

being listened to if you look closely

03:29

you can see that Port 22 is connected to

03:32

the SSH program you can also see that

03:34

Port 23 is connected to a web server

03:37

called in it and Port 80 is Apache to

03:40

thus an attacker can perform a port scan

03:43

before attacking the server to ensure

03:44

that ports 22 23 and 80 are open an

03:49

attacker who identifies an open port can

03:52

reduce the scope of the attack vector by

03:54

targeting only services that operate on

03:56

that

03:58

Port TCP open scan is the most basic

04:01

method of Port scanning it uses the

04:03

three-way handshaking to verify that the

04:05

port is open it is also called TCP

04:08

connection scan because it forms a

04:09

connection through three-way handshaking

04:12

however a connection leaves a log of

04:14

session establishment in the Target

04:16

which can be an important clue during

04:19

Post tracking request syy end packet is

04:22

the first step of the 3way handshaking

04:24

for Port scanning if the port is open Sy

04:27

YN AK packets will will be answered and

04:30

the last AK will be sent on the other

04:33

hand if the port is closed the rst AK

04:37

packet is

04:39

answered this is a TCP open scan

04:42

practice I ran an nmap application on

04:45

hackers PC I use the St option which

04:48

means it is for TCP open scan for the

04:50

Target IP address I entered 192 1 168

04:55

123 110 the results are successful we

05:00

have identified that the previously

05:01

checked ports 22 23 and 0 are open we

05:06

also identified the services that

05:08

operate on every listed Port

05:11

additionally the more interesting part

05:13

is the scanning time in the last line

05:16

you can see that it took a total of 2.3

05:18

seconds to navigate the port with TCP

05:20

open

05:22

scan this time when the port scan is in

05:26

progress I will check on the packets the

05:28

left side is the screen that shows the

05:30

list of wies shock packets and the right

05:32

side is the action that we want to

05:34

understand in wies shock let's start by

05:36

looking at the Port when they are closed

05:39

if the port is closed nsyn request is

05:41

made as shown on the right and the rst a

05:45

packet is answered now let's take a look

05:47

at the

05:49

packets to facilitate analysis it is

05:52

recommended that you know both the

05:53

hackers and the target's IP addresses

05:56

also it will be helpful to analyze if

05:58

you know the IP addresses of the source

06:00

and destination and where the packet is

06:02

directed when you view the packet note

06:05

the direction of the packets by

06:06

referring to the IPS in the source and

06:08

the destination columns along with the

06:10

info column on the right first of all if

06:13

you look at the gray packets you can see

06:15

that Hacker's device sent the packet to

06:17

the target's device as shown in the info

06:20

column we are requesting SN packets for

06:23

several well known ports now let's look

06:26

at the red packet as opposed to the

06:29

previous one you can see that it is a

06:31

packet scent from the target to the

06:32

Hacker's device if you look at the info

06:35

column you can see that rst AK packets

06:38

are being answered on the ports that you

06:40

requested

06:42

earlier this time the port is open in

06:45

the TCP open scan as I explained when

06:48

the port is open it will perform the

06:50

three-way shaking process as it is pause

06:53

the image and analyze the packet let's

06:55

move on to the left wire shock screen

06:58

focus on the packets in lines 3 4 and 7

07:01

The Hacker sent SN packets to the Target

07:03

via ports 22 23 and 8 respectively

07:08

because ports 22 23 and8 are opened you

07:12

must respond with an syn a packet to the

07:15

AK packet the fifth sixth and eighth

07:19

packets are those sent from Target to

07:21

the hacker and syn AK packets were sent

07:25

from 22 23 and 80 as I just requested it

07:29

doesn't end here it should eventually

07:32

send an NE packet to establish a session

07:35

if you look at the 9th 11th and 13

07:38

packets you can see that the C packet is

07:40

being sent back to the port that is

07:42

serving the attacker as

07:45

expected next one of the stealth scans

07:48

is the SN scan because it is classified

07:51

as a stealth scan it does not leave

07:53

behind any logs the principle is simple

07:57

similar to TCP open scan it initially

07:59

sends SN packets if the port is closed

08:03

it receives an rst a response just like

08:07

the TCP open scan if the port is open

08:10

the server responds with an syn A C

08:13

packet to proceed with the three-way

08:14

handshake if it was a TCP open scan it

08:18

would have sent an packet here but the S

08:20

YN scan sends an rst packet to terminate

08:23

the communication it's also called the

08:26

CP half open scan because it uses a

08:28

three-way hand but it's not fully

08:32

established this is a practice of SN

08:35

scan the hacker PC used the SS command

08:38

option in mmap which means s YN scan for

08:41

the Target IP I entered

08:43

192

08:45

16823 110 which is the IP of a Target

08:49

the result was also successful this time

08:52

we have also identified that the

08:54

previously checked ports 22 23 and 80

08:58

are open we also identified the services

09:01

that operate on that Port as

09:04

well let's check out the time again you

09:07

can see that it took a total of 1.4

09:09

seconds to navigate through the port

09:11

with syn scan you can see that it is

09:14

much faster than the 2.3 seconds

09:17

required for the TCP open scan during

09:20

the previous TCP open scan we sent the a

09:22

CK packet and terminated the connection

09:25

immediately with the rst a packet in

09:28

contrast syn scan is the one that sends

09:31

the rst packets instead this means that

09:34

there is no connection process so the

09:36

scan process is simplified and the time

09:38

is

09:40

shortened when the SN scan is in

09:43

progress I will check on the packets if

09:45

the port is closed and S YN request is

09:48

made as shown on the right and the rst

09:51

AK packet is answered now let's take a

09:54

look at the packets first of all if you

09:56

look at the gray packets you can see

09:58

that hackers device sent the packets to

10:00

the targets device as shown in the info

10:03

column we are requesting syn packets for

10:05

several well-known ports now let's look

10:09

at the red packet as opposed to the

10:11

previous one you can see that it is a

10:13

packet scent from the target to the

10:15

Hacker's device if you look at the info

10:18

column you can see that rst CK packets

10:21

are being answered on the ports that you

10:23

requested

10:25

earlier this time the port is open in

10:28

syn scan as I explained the principle is

10:31

that when the port is open only half of

10:33

the threeway handshake process is

10:35

performed pause the image and analyze

10:38

the packets let's look at the left wire

10:40

shark screen focus on the packets on the

10:43

third fifth and sixth lines the hacker

10:46

sent Sy YN packets to the Target through

10:48

ports 22 23 and 80 respectively since

10:53

the three ports are actually open ports

10:55

they will respond with SN AK packets

10:59

look at the fourth seventh and eighth

11:02

packets this is the packet sent from the

11:05

target to the hacker and the S YN AK

11:08

packets are sent from ports 22 23 and 80

11:13

just as I just requested now that you

11:16

have verified that the port is open

11:18

there is no longer a need to continue

11:20

communicating look at the bottom three

11:22

lines of packets you can see the hacker

11:25

sent the rst packets to the Target to

11:27

end the session

11:30

next I would like to introduce many of

11:33

the famous methods of stealth scanning

11:35

there are the fin scan n scan and xmus

11:38

scan these three scanning methods are

11:41

grouped together because they behave

11:42

very similar for both open and closed

11:44

ports first a fin scan is literally

11:47

setting a fin flag and sending it to the

11:49

Target if the port is open no response

11:52

is received but if the port is closed

11:55

the rst packet is received the no scan

11:57

also declares that the port is open when

11:59

there is no response and that the port

12:01

is closed when it receives an rst

12:04

response when you scan the transmitting

12:06

packets it sends without setting any

12:08

Flags the XMS scan sends packets with

12:11

Fin psh and urg flag set similarly if

12:16

there is no response it is considered

12:18

open and if an rst packet is received it

12:21

is considered

12:23

closed these are the images of

12:25

practicing the three stealth scans

12:28

hackers PC used the SF SN and SX command

12:32

options in nmap which stands for Finn

12:35

null and XM scan respectively for the

12:37

Target IP I entered

12:40

192 168 123 110 the results are all

12:46

successful we have identified that the

12:49

previously checked ports 22 23 and 80

12:53

are all open we also have a good

12:56

understanding of the services that work

12:57

on the ports one and new usual thing is

12:59

that Port scanning is a method of

13:01

determining whether the ports are open

13:03

or closed on a specific device of a

13:05

network finding an open port is

13:08

important because it serves as a conduit

13:10

for gaining access to the system Port

13:12

scanning is like knocking on all open

13:14

doors if a door opens it's a door that

13:18

you can use the way it works is simple

13:21

you can request a response to all ports

13:23

up to

13:25

65,535 Ports once and wait for the

13:27

response

13:30

the reason for checking the ports is to

13:31

find any port that is opened

13:33

unintentionally by the administrator a

13:36

vulnerable Port left open for

13:38

convenience or a port on which the

13:40

vulnerable service is running an

13:42

attacker can navigate the attack surface

13:44

via port scan this reduces the attack

13:47

vector by only attacking open ports on

13:50

the other hand from the defender's point

13:52

of view a port search can help to

13:54

determine if there is an unintended

13:56

surface and take an action in advance

13:58

the keyword filtered was added to the

14:00

state entry the filtered keyword is a

14:03

keyword that appears when you don't

14:04

receive a response but if you think

14:06

about the scanning method you can see

14:08

why the keyword appears all fin no XMS

14:12

scans do not respond to determine that

14:14

they are open therefore we decided that

14:17

the port was open because there was no

14:19

response but we specified the keyword

14:21

filtered because there was no response