SMT 2-5 Port Scan
Summary
TL;DR: This video script offers an insightful look into port scanning techniques, a critical method for identifying open ports on a network that could serve as entry points for attackers. It highlights the importance of open ports, the use of nmap as a versatile open-source tool for port scanning, and discusses various scanning methods including the TCP open (connect) scan, the SYN scan, and the stealth FIN, NULL, and Xmas scans. The script also emphasizes the ethical considerations of port scanning, urging viewers to scan only within their own network or with proper permission.
Takeaways
- Port scanning is a technique for determining which ports on a device are open or closed, which is crucial for identifying potential access points for attackers.
- An open port acts as a potential 'door' into a system, hence the analogy of knocking on all doors to see which ones open.
- The purpose of port scanning is to find ports that may have been unintentionally left open by administrators and could be exploited by attackers.
- From a defender's perspective, port scanning reveals unintended exposure so that it can be closed before an attacker finds it.
- Nmap is a well-known and widely used open-source tool for port scanning and network vulnerability assessment.
- Nmap's popularity stems from its easy availability and its extensive options and functionality compared to other tools.
- Port scanning has evolved to include stealth techniques, such as the TCP SYN scan, that never complete a connection, so the target's services do not log a session; the probes remain visible to firewalls, IDS sensors and packet captures.
- The script demonstrates practical port scanning using Nmap in a controlled virtual environment, emphasizing ethical scanning practice.
- It walks through the different scanning methods: the TCP open (connect) scan, the SYN scan, and the stealth FIN, NULL, and Xmas scans.
- Analyzing packet captures with Wireshark is an essential skill for understanding the behavior of different port scanning techniques.
- The script concludes by reiterating the importance of port scanning for attackers identifying targets and for defenders securing their networks.
Q & A
What is port scanning?
-Port scanning is a method used to determine which ports on a device in a network are open or closed. It helps in identifying potential access points to a system.
Why is finding an open port important?
-Finding an open port is important because it can serve as a conduit for gaining access to the system, either for legitimate security testing or malicious activities.
What is the purpose of port scanning from an attacker's perspective?
-From an attacker's perspective, port scanning helps to identify open ports that can be exploited, reducing the attack vector by focusing only on accessible services.
How can port scanning assist a network defender?
-Port scanning can assist a network defender by identifying unintentionally open ports that could be a security risk, allowing them to take preventive measures.
What is nmap and why is it widely used for port scanning?
-Nmap is an open-source program used for network scanning, including port scanning and vulnerability detection. It is widely used due to its availability, extensive options, and functionality.
What is a TCP open scan and how does it work?
-A TCP open scan (nmap -sT, also called a connect scan) is the most basic port scanning method. It asks the operating system to connect() to each port, which completes the full three-way handshake: the scanner sends SYN, an open port answers SYN/ACK, and the scanner completes with ACK. A closed port answers RST/ACK, and no answer at all is reported as filtered. Because a connection is fully established, the listening service sees it and may log it.
What is a SYN scan and how does it differ from a TCP open scan?
-A SYN scan (nmap -sS), also known as a half-open scan, sends a raw SYN packet to each port and waits: SYN/ACK means open, RST/ACK means closed. Unlike a TCP open scan it never sends the final ACK; it answers the SYN/ACK with RST, so the target kernel never hands a connection to the application and nothing appears in the application's logs. It needs raw-socket privileges (root on Linux). The probes are still visible to a firewall, an IDS or a packet capture, so "no logs" means no session record on the target, not invisibility.
What are stealth scans and why are they used?
-Stealth scans are scanning techniques that avoid completing a TCP connection, so the target's services do not record a session. They are used to minimize the trace of a scan at the host level, making it harder for defenders who rely only on application logs to identify the scanning activity; network-level monitoring still sees the probes.
What are the differences between FIN, NULL, and Xmas scans?
-A FIN scan (nmap -sF) sets only the FIN flag, a NULL scan (-sN) sends packets with no flags set, and an Xmas scan (-sX) sets the FIN, PSH, and URG flags. All three rely on the same RFC 793 behavior: a closed port answers such a packet with RST, while an open port silently drops it. So an RST means closed and no response means open, which nmap reports as open|filtered because a firewall dropping the probe looks identical. Some TCP stacks (Windows and many Cisco devices, for example) answer with RST regardless of port state, so against them every port appears closed.
What does the 'filtered' state in port scanning indicate?
-In nmap output, 'filtered' means the scanner could not determine the port's state because no reply (or only an ICMP unreachable error) came back, typically because a firewall or filtering device dropped the probe. For FIN, NULL, and Xmas scans nmap reports silence as 'open|filtered': an open port and a filtered port are both silent to those probes, so the two cannot be told apart without another scan type.
Why is it important to practice port scanning in a controlled environment?
-Practicing port scanning in a controlled environment, like a virtual machine or a personal network, is important to avoid legal issues and potential damage to real servers. It ensures ethical and safe learning and testing of scanning techniques.
Outlines
đ Introduction to Port Scanning Techniques
The video introduces the concept of port scanning, a technique used to identify open or closed ports on a network device. It emphasizes the importance of open ports as potential access points for attackers and the necessity for administrators to identify and secure them. The video also highlights the use of nmap, an open-source tool for vulnerability and port scanning, and discusses the evolution of port scanning to avoid detection. A basic scan is demonstrated in a virtual environment, using nmap commands to scan ports and analyze the results, including the identification of services running on open ports.
đ”ïžââïž Analyzing TCP Open and SYN Scans with nmap
This section delves into the TCP open (connect) scan and the SYN scan, two methods used to determine the status of network ports. The TCP open scan (nmap -sT) completes the full three-way handshake and therefore leaves a session record on the target, while the SYN scan (nmap -sS) answers the target's SYN/ACK with RST, so no connection is ever handed to the application and the scan also finishes sooner. The video demonstrates both scans using nmap, showing the commands used and the results obtained, including the identification of open ports and the services associated with them. It also uses Wireshark to analyze the packets exchanged during the scanning process.
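The connect scan described above can be reproduced without nmap, because the operating system's connect() call is exactly what nmap -sT uses. The following is an added example, not code from the video: it starts a small TCP listener on the loopback address (standing in for the sshd/apache2 services on the target), scans one open and one closed port, and counts how many connections the listener saw. That count is the session trace the video says a connect scan leaves and a SYN scan avoids; a SYN scan itself needs raw sockets and root, so it is not shown here. The listener, the port choices and the timeouts are this example's own assumptions.

```python
"""TCP connect scan against a local listener (added example, not from the video)."""
import socket
import threading
import time

HOST = "127.0.0.1"   # loopback, as the video suggests for practice without a lab


class Listener:
    """Minimal TCP service that records every accepted connection, the way a
    real daemon would log a session. Constructed stand-in for the target's
    sshd/apache2 services."""

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((HOST, 0))            # port 0: kernel picks a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)            # lets the accept loop notice shutdown
        self.port = self.sock.getsockname()[1]
        self.accepted = []                   # one entry per completed handshake
        self._stop = False
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self.accepted.append(peer)       # what a real service would log
            conn.close()

    def close(self) -> None:
        self._stop = True
        self._thread.join()
        self.sock.close()


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Return {port: 'open' | 'closed' | 'filtered'} using full connections.

    open     : connect() succeeded, i.e. SYN -> SYN/ACK -> ACK completed
    closed   : the peer answered RST/ACK, surfaced as ConnectionRefusedError
    filtered : no answer within the timeout (a firewall dropped the SYN)
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:       # must precede OSError: it is a subclass
            results[port] = "closed"
        except (socket.timeout, OSError):
            results[port] = "filtered"
        finally:
            s.close()
    return results


def free_closed_port() -> int:
    """Reserve a port and release it so that nothing is listening there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    """Scan one open and one closed local port and report how many connections
    the listener recorded: the trace a connect scan leaves behind."""
    svc = Listener()
    closed_port = free_closed_port()
    try:
        states = connect_scan(HOST, [svc.port, closed_port])
        deadline = time.time() + 2.0          # let the accept thread catch up
        while not svc.accepted and time.time() < deadline:
            time.sleep(0.01)
        return {
            "open_port": svc.port,
            "closed_port": closed_port,
            "states": states,
            "connections_logged": len(svc.accepted),
        }
    finally:
        svc.close()


if __name__ == "__main__":
    print(demo())
```

Run it as a script and the listener reports exactly one logged connection for the open port, while the closed port is classified from the RST/ACK the kernel turns into ConnectionRefusedError. Replace HOST and the port list with a host you own to scan it the way nmap -sT would.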
đĄïž Stealth Scans and Their Impact on Network Security
The final paragraph discusses the stealth scanning methods FIN, NULL, and Xmas (nmap -sF, -sN, -sX), which avoid completing a connection and so leave no session record on the target. The three are alike: each sends a packet with a particular flag combination and reads the reply, or its absence, to decide whether a port is closed (RST comes back) or open (nothing comes back). The video shows how to perform these scans using nmap and interprets the results, including the 'open|filtered' state nmap reports when no reply arrives: the port may be open, since an open port is silent to these probes, or a filter may have dropped the probe, and the scan alone cannot tell which. The importance of understanding these stealth techniques is highlighted for both attackers looking to minimize their detection and defenders seeking to secure their networks.
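The response rules for the SYN, FIN, NULL and Xmas probes are small enough to write down exactly. The block below is an added example, not code from the video: it builds the 20-byte TCP header each probe carries (checksum left at zero, so these are constructed samples, not packets a real stack would accept), recovers the flags from a captured header the way Wireshark's Info column does, and maps the target's answer to the state nmap reports. The flag constants, the probe table and the response labels are this example's own choices.

```python
"""Probe flags and nmap state rules for SYN/FIN/NULL/Xmas scans
(added example, not from the video)."""
import struct
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# First packet each nmap scan type sends (-sS, -sF, -sN, -sX).
PROBE_FLAGS = {
    "SYN": SYN,
    "FIN": FIN,
    "NULL": 0,
    "XMAS": FIN | PSH | URG,      # 0x29: the "lit up like a Christmas tree" header
}


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0) -> bytes:
    """Minimal TCP header, no options. Layout: src port, dst port, seq, ack,
    data offset (5 words), flags, window, checksum (0 here), urgent pointer."""
    data_offset = 5 << 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, flags, 65535, 0, 0)


def tcp_flags(header: bytes) -> int:
    """The flags byte is at offset 13; mask off the CWR/ECE bits."""
    return header[13] & 0x3F


def flag_names(flags: int) -> str:
    """Render flags the way Wireshark's Info column does, e.g. 'FIN+PSH+URG'."""
    names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return "+".join(names) if names else "<none>"


def classify_probe(header: bytes) -> str:
    """Name the scan a captured first packet belongs to, from its flags alone.
    Replies (SYN/ACK, RST/ACK) and normal data segments come back as 'other'."""
    flags = tcp_flags(header)
    for name, want in PROBE_FLAGS.items():
        if flags == want:
            return name
    return "other"


def nmap_state(scan: str, response: Optional[str]) -> str:
    """Map the target's answer to the state nmap reports.

    response is 'SYN/ACK', 'RST', 'ICMP-unreach' (port/host unreachable) or
    None when nothing came back before the timeout.
    """
    if response == "ICMP-unreach":
        return "filtered"                       # something in the path rejected it
    if scan == "SYN":
        return {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[response]
    if scan in ("FIN", "NULL", "XMAS"):
        # RFC 793: a closed port answers RST, an open port stays silent. Silence is
        # also what a dropping firewall produces, so nmap reports open|filtered.
        # Caveat: Windows and many Cisco stacks answer RST for every port, so these
        # scans report everything as closed against such targets.
        return {"RST": "closed", None: "open|filtered"}[response]
    raise ValueError("unknown scan type: " + scan)


if __name__ == "__main__":
    for name, flags in PROBE_FLAGS.items():
        hdr = build_tcp_header(40000, 80, flags)
        print(name, flag_names(tcp_flags(hdr)), classify_probe(hdr),
              "no reply ->", nmap_state(name, None), "| RST ->", nmap_state(name, "RST"))
```

Running it prints one line per probe type and makes the asymmetry visible: only the SYN probe can ever yield a plain open, because it is the only one an open port answers.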
Keywords
- Port Scanning
- Open Port
- Vulnerable Port
- Nmap
- Stealth Scan
- Three-Way Handshake
- Attack Vector
- Netstat
- Packet Analysis
- Filtered
- FIN Scan, NULL Scan, and XMAS Scan
Highlights
Port scanning is a technique for determining the status of ports on a device within a network, identifying open ports which can be exploited for access.
Open ports serve as potential entry points for gaining access to a system, making their identification crucial for both attackers and defenders.
Nmap is introduced as a well-known open-source tool for port scanning and network vulnerability assessment.
Port scanning methods have evolved to avoid detection: a stealth scan never completes a connection, so the target's services record no session (network-level devices can still see the probes).
Basic port scans can be tracked through logs, which is why stealthier methods like the SYN scan were developed.
A demonstration of port scanning using nmap in a virtual environment is provided to ensure safe practice.
The importance of conducting port scans within one's own network to avoid legal issues is emphasized.
The netstat command with the -nltp options lists the TCP ports the target is listening on, together with the program that owns each one.
TCP open scan is explained as the basic method using three-way handshake to verify port status, leaving logs behind.
SYN scan, a stealth method, is detailed, which performs half of the three-way handshake without establishing a full connection.
A comparison of scanning times between TCP open scan and SYN scan shows SYN scan to be faster.
Wireshark analysis is used to illustrate the packet exchange during port scanning, showing the differences between open and closed ports.
The 'filtered' state is introduced; for FIN, NULL, and Xmas scans nmap reports a silent port as 'open|filtered', because with these probes an open port and a firewalled port look the same.
The stealth FIN, NULL, and Xmas scans are introduced; all three use the same response rule (RST means closed, no reply means open or filtered).
FIN scan is explained as sending packets with the FIN flag to determine if a port is open based on the lack of response.
NULL and Xmas scans are detailed, where the absence of flags or specific flag combinations indicate open ports.
The video concludes by reiterating the importance of port scanning for network security and the evolution of scanning techniques to avoid detection.
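The Wireshark walkthrough in the video is the attacker's view of the packets. The defender's counterpart is to find the same pattern in a capture: one source sending SYNs to many ports of one host in a short window, and, for a half-open scan, answering every SYN/ACK with RST instead of ACK. The block below is an added example, not part of the video. It runs a small detector over constructed packet records shaped like the Wireshark columns the video uses (time, source, source port, destination, destination port, flags); the hacker and target addresses are the ones from the video, while the legitimate client address, the port list, the timestamps, the thresholds and the alert format are this example's assumptions.

```python
"""SYN sweep detection over packet records (added example, not from the video)."""
from collections import defaultdict
from typing import List, NamedTuple


class Pkt(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # Wireshark letters: S=SYN, A=ACK, R=RST, P=PSH, e.g. "SA"


class Alert(NamedTuple):
    src: str
    dst: str
    ports_probed: int
    handshakes_completed: int
    kind: str
    first_ts: float
    last_ts: float


def detect_syn_sweep(packets: List[Pkt], min_ports: int = 5, window: float = 10.0) -> List[Alert]:
    """Flag a source that SYNs >= min_ports distinct ports of one host within
    `window` seconds. The follow-up to each SYN/ACK tells the scan types apart:
    RST from the scanner means nmap -sS (half-open), ACK means a connect scan."""
    syn = defaultdict(dict)       # (client, server) -> {port: first SYN ts}
    synack = defaultdict(set)     # (client, server) -> ports that answered SYN/ACK
    acked = defaultdict(set)      # (client, server) -> ports the client ACKed
    reset = defaultdict(set)      # (client, server) -> ports the client RST

    for p in packets:
        if p.flags == "S":                    # step 1, client -> server
            syn[(p.src, p.dst)].setdefault(p.dport, p.ts)
        elif p.flags == "SA":                 # step 2, server -> client: port is open
            synack[(p.dst, p.src)].add(p.sport)
        elif p.flags == "A":                  # step 3, client -> server: completed
            acked[(p.src, p.dst)].add(p.dport)
        elif p.flags == "R":                  # client tears the half-open down
            reset[(p.src, p.dst)].add(p.dport)

    alerts = []
    for key, ports in syn.items():
        if len(ports) < min_ports:
            continue
        first, last = min(ports.values()), max(ports.values())
        if last - first > window:
            continue
        open_ports = synack[key]
        completed = len(open_ports & acked[key])
        aborted = len(open_ports & reset[key])
        if open_ports and aborted == len(open_ports) and completed == 0:
            kind = "half-open (SYN) scan"
        elif open_ports and completed == len(open_ports):
            kind = "connect scan"
        else:
            kind = "port sweep"
        alerts.append(Alert(key[0], key[1], len(ports), completed, kind, first, last))
    return alerts


# Constructed capture: the video's hacker (.106) SYN-scans the target (.110); the
# client address .50 is invented to show a normal handshake that must not alert.
HACKER, TARGET, CLIENT = "192.168.123.106", "192.168.123.110", "192.168.123.50"


def sample_capture() -> List[Pkt]:
    pk, t = [], 0.0
    for port in (22, 23, 80, 21, 25, 110, 143, 443):
        pk.append(Pkt(t, HACKER, 40000 + port, TARGET, port, "S"))
        t += 0.001
        if port in (22, 23, 80):                      # open: SYN/ACK, then RST from scanner
            pk.append(Pkt(t, TARGET, port, HACKER, 40000 + port, "SA"))
            t += 0.001
            pk.append(Pkt(t, HACKER, 40000 + port, TARGET, port, "R"))
        else:                                         # closed: RST/ACK from target
            pk.append(Pkt(t, TARGET, port, HACKER, 40000 + port, "RA"))
        t += 0.001
    pk += [Pkt(5.000, CLIENT, 51000, TARGET, 80, "S"),   # legitimate web client
           Pkt(5.001, TARGET, 80, CLIENT, 51000, "SA"),
           Pkt(5.002, CLIENT, 51000, TARGET, 80, "A"),
           Pkt(5.010, CLIENT, 51000, TARGET, 80, "PA")]
    return pk


if __name__ == "__main__":
    for a in detect_syn_sweep(sample_capture()):
        print(a)
```

On the sample it raises exactly one alert, for the hacker address, classified as a half-open scan because all three open ports were reset rather than acknowledged; the ordinary client touches a single port and stays below the threshold. To use it on a real capture, export the Wireshark columns to CSV and build Pkt records from the rows.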
Transcripts
In this video we will look at the port scan techniques and practice process.

Port scanning is a method of determining whether the ports are open or closed on a specific device of a network. Finding an open port is important because it serves as a conduit for gaining access to the system. Port scanning is like knocking on all doors: if a door opens, it's a door that you can use. The way it works is simple: you request a response from all ports, up to 65,535 ports, at once and wait for the response. The reason for checking the ports is to find any port that is opened unintentionally by the administrator, a vulnerable port left open for convenience, or a port on which a vulnerable service is running. An attacker can navigate the attack surface via a port scan; this reduces the attack vector by only attacking open ports. On the other hand, from the defender's point of view, a port search can help to determine if there is an unintended surface and take action in advance.

There are many tools that you can use to scan ports, and nmap is a well-known tool for this. Nmap is an open-source program that can check for vulnerabilities in your network as well as do port scanning. The reason why nmap is best known is that it is easy to acquire as an open-source program, and there are many options and functions compared to other tools. Port scanning is simply to check if the port is open, and there are many other resources and ways to do it. The reason why port scans have evolved in so many ways is in order to avoid attack detection. Basic port scans can be tracked through logs, so port scanning has evolved in a way that leaves no trace. These attacks that scan a port without leaving a log are called stealth scans. Nmap supports these different port scanning methods, and they are available with simple options.

However, it is not recommended that you try a commercial server that is actually running when you're working with nmap. A simple scan alone could even bring the server down, and scanning a port you do not administer can be seen as an attack. In this curriculum we will show you the practice process using nmap. I will proceed with the scanning process in a separate virtual environment. If anyone wants to practice, please build a virtual environment of your own and proceed only within your own network. If it is difficult to build an environment, please scan your own device using a loopback IP; it is written in the subtitle. As I said earlier, scans of commercial servers without proper permission in advance can be seen as attacks, therefore be aware of external scanning attacks.

Now let's take a look at the configuration of my environment. The target's IP address is 192.168.123.110, while the hacker's IP address is 192.168.123.106. The image below shows a list of ports currently serving on the target. You can check it with the netstat command and the -nltp option. Option n is the option to output the port as a number; option l filters only the listening state; option t filters only the TCP protocol; option p prints the program name associated with that port. Therefore the above result is a list of ports using the TCP protocol that are being listened on. If you look closely you can see that port 22 is connected to the SSH program. You can also see that port 23 is connected to a web server called inetd, and port 80 is apache2. Thus an attacker can perform a port scan before attacking the server to ensure that ports 22, 23 and 80 are open. An attacker who identifies an open port can reduce the scope of the attack vector by targeting only the services that operate on that port.

TCP open scan is the most basic method of port scanning. It uses the three-way handshake to verify that the port is open. It is also called TCP connect scan because it forms a connection through the three-way handshake. However, a connection leaves a log of session establishment in the target, which can be an important clue during post-tracking. The request SYN packet is the first step of the three-way handshake for port scanning. If the port is open, a SYN/ACK packet will be answered and the last ACK will be sent. On the other hand, if the port is closed, an RST/ACK packet is answered.

This is a TCP open scan practice. I ran the nmap application on the hacker's PC. I used the -sT option, which means it is for TCP open scan. For the target IP address I entered 192.168.123.110. The results are successful: we have identified that the previously checked ports 22, 23 and 80 are open. We also identified the services that operate on every listed port. Additionally, the more interesting part is the scanning time in the last line: you can see that it took a total of 2.3 seconds to navigate the ports with TCP open scan.

This time, while the port scan is in progress, I will check on the packets. The left side is the screen that shows the list of Wireshark packets, and the right side is the action that we want to understand in Wireshark. Let's start by looking at the ports when they are closed. If the port is closed, a SYN request is made as shown on the right and the RST/ACK packet is answered. Now let's take a look at the packets. To facilitate analysis it is recommended that you know both the hacker's and the target's IP addresses. Also, it will be helpful for analysis if you know the IP addresses of the source and destination and where the packet is directed. When you view the packets, note the direction of the packets by referring to the IPs in the Source and Destination columns, along with the Info column on the right. First of all, if you look at the gray packets you can see that the hacker's device sent the packets to the target's device. As shown in the Info column, we are requesting SYN packets for several well-known ports. Now let's look at the red packets. As opposed to the previous ones, you can see that these are packets sent from the target to the hacker's device. If you look at the Info column you can see that RST/ACK packets are being answered on the ports that you requested earlier.

This time the port is open in the TCP open scan. As I explained, when the port is open it will perform the three-way handshake process as it is. Pause the image and analyze the packets. Let's move on to the left Wireshark screen. Focus on the packets in lines 3, 4 and 7: the hacker sent SYN packets to the target via ports 22, 23 and 80 respectively. Because ports 22, 23 and 80 are open, it must respond with a SYN/ACK packet to the SYN packet. The fifth, sixth and eighth packets are those sent from the target to the hacker, and SYN/ACK packets were sent from 22, 23 and 80 as I just requested. It doesn't end here: it should eventually send an ACK packet to establish a session. If you look at the 9th, 11th and 13th packets you can see that the ACK packet is being sent back to the port that is serving the attacker, as expected.

Next, one of the stealth scans is the SYN scan. Because it is classified as a stealth scan, it does not leave behind any logs. The principle is simple. Similar to TCP open scan, it initially sends SYN packets. If the port is closed, it receives an RST/ACK response just like the TCP open scan. If the port is open, the server responds with a SYN/ACK packet to proceed with the three-way handshake. If it was a TCP open scan it would have sent an ACK packet here, but the SYN scan sends an RST packet to terminate the communication. It's also called the TCP half-open scan because it uses the three-way handshake but it is not fully established.

This is a practice of SYN scan. The hacker PC used the -sS command option in nmap, which means SYN scan. For the target IP I entered 192.168.123.110, which is the IP of the target. The result was also successful. This time we have also identified that the previously checked ports 22, 23 and 80 are open. We also identified the services that operate on those ports as well. Let's check out the time again: you can see that it took a total of 1.4 seconds to navigate through the ports with SYN scan. You can see that it is much faster than the 2.3 seconds required for the TCP open scan. During the previous TCP open scan we sent the ACK packet and terminated the connection immediately with the RST/ACK packet. In contrast, SYN scan is the one that sends the RST packets instead. This means that there is no connection process, so the scan process is simplified and the time is shortened.

While the SYN scan is in progress I will check on the packets. If the port is closed, a SYN request is made as shown on the right and the RST/ACK packet is answered. Now let's take a look at the packets. First of all, if you look at the gray packets you can see that the hacker's device sent the packets to the target's device. As shown in the Info column, we are requesting SYN packets for several well-known ports. Now let's look at the red packets. As opposed to the previous ones, you can see that these are packets sent from the target to the hacker's device. If you look at the Info column you can see that RST/ACK packets are being answered on the ports that you requested earlier.

This time the port is open in SYN scan. As I explained, the principle is that when the port is open only half of the three-way handshake process is performed. Pause the image and analyze the packets. Let's look at the left Wireshark screen. Focus on the packets on the third, fifth and sixth lines: the hacker sent SYN packets to the target through ports 22, 23 and 80 respectively. Since the three ports are actually open ports, they will respond with SYN/ACK packets. Look at the fourth, seventh and eighth packets: these are the packets sent from the target to the hacker, and the SYN/ACK packets are sent from ports 22, 23 and 80 just as I requested. Now that you have verified that the port is open, there is no longer a need to continue communicating. Look at the bottom three lines of packets: you can see the hacker sent the RST packets to the target to end the session.

Next I would like to introduce some of the famous methods of stealth scanning. These are the FIN scan, NULL scan and Xmas scan. These three scanning methods are grouped together because they behave very similarly for both open and closed ports. First, a FIN scan is literally setting a FIN flag and sending it to the target. If the port is open, no response is received, but if the port is closed the RST packet is received. The NULL scan also declares that the port is open when there is no response and that the port is closed when it receives an RST response. When you scan, the packets it transmits are sent without setting any flags. The Xmas scan sends packets with the FIN, PSH and URG flags set. Similarly, if there is no response it is considered open, and if an RST packet is received it is considered closed.

These are the images of practicing the three stealth scans. The hacker's PC used the -sF, -sN and -sX command options in nmap, which stand for FIN, NULL and Xmas scan respectively. For the target IP I entered 192.168.123.110. The results are all successful: we have identified that the previously checked ports 22, 23 and 80 are all open. We also have a good understanding of the services that work on the ports. One unusual thing is
that the keyword filtered was added to the State entry. The filtered keyword is a keyword that appears when you don't receive a response, but if you think about the scanning method you can see why the keyword appears. All of the FIN, NULL and Xmas scans rely on receiving no response to determine that the port is open. Therefore we decided that the port was open because there was no response, but the keyword filtered was specified because there was no response.