1. Port & Port Scanning
Port & Port Scanning
1. What is port?
- 端口是计算机与外界进行通讯和数据交换的接口。
- 物理端口
- 虚拟端口:计算机内部或交换机路由器内的端口。TCP和UDP协议使用16bits的端口号来表示和区别网络中的不同应用程序
- 为什么关注端口:如果将服务器比作一个房子,那么端口就像通向不同房间(服务)的门。通过对端口进行扫描,可以确定那些端口是开放的,从而可以猜测目标主机大致提供了哪些服务,进而猜测可能存在的漏洞。
2. 端口扫描具体细节
-
TCP端口原理:According to the original TCP specification, if a service is listening on a TCP port and a packet with the SYN Control Bit set arrives at that port, the TCP software must respond with a SYN-ACK packet. This response must be sent, regardless of the payload of the SYN packet. Which means even if we don’t know what service is listening on the target port, we can still measure whether it is open by simply sending it a SYN packet. That gives us a reliable method for determining whether a TCP port is open or closed.
-
Different Scenarios While TCP Scanning:
- The first scenario: The attacker machine send a SYN packet, and receives a SYN-ACK from the target. This means that the port is open and we move on to a different port. There is a very unlikely chance that there is a software sending a SYN-ACK packet for every port to trick the attacker but that is unlikely.
- The second scenario: The attacker sends a SYN packet and receives an ICMP port Unreachable message back, this most likely means that there is firewall that is blocking the connection. These ports are also called filtered ports.
- The third scenario: The attacker machine sends SYN packet and receives an RST-ACK packet back, this means that we cannot reach the port, its either closed or a firewall is not letting us access it.
- The fourth scenario: The attacker machine sends SYN packet and get nothing in response, usually the port scanning tools retry before moving on and the port is marked filtered. In this case either there is nothing listening on the end system (which has been configured via a personal firewall to silently drop all packets to closed ports) or a firewall is blocking our inbound SYN packet (again, silently rejecting it).
- Sum up: These are the most likely scenarios you will encounter while port scanning, the last scenario can cause the tool run for a long time, because it retries and then mark it as filtered after the timeout. This technique is also called half-open scanning. We don’t establish a full connection.
- UDP Scanning & Scenarios:
As we all know UDP is a connection less protocol, so there is no state of connection and no control bits, and because of this there is less option of scanning , often slower scanning and less reliable scanning and a lot of uncertainty from the results . Some scenarios you might encounter in UDP scanning are :
- Scenario A: The attacker machine sends a UDP packet and the target machine responds with a UDP packet. this means that there is something listening on that UDP port, which means the port is open.
- Scenario B: The attacker machine send a UDP packet and the target machine responds with a ICMP port unreachable, This means the port is close, but this is also one of the reasons of the UDP scanning being slow because some of the systems have a rate-limit for ICMP Packets, which makes the scan even more slow.
- Scenario C: The attacker machine sends a UDP packet and nothing comes back, now there could a lot of reasons why, some of the reason could be:
a. Port Closed
b. The firewall is blocking the packet coming in
c. The firewall is blocking the packet coming to us
d. The port is open but the service requires a specific payload in the packet
- Reference
- Sum up: 本节主要包括TCP/UDP端口扫描原理和扫描时可能遇到的情况。
3.Nmap端口扫描
- 端口扫描的基本过程:
The basic nmap syntax is nmap scantype options target. The simplest way to run nmap is to provide the target host address after nmap. Address can be supplied as an ip address or as a domain name. Addresses can also be supplied as **a range of ip addresses **(eg: 127.0.0.1–125)
nmap 127.0.0.1
The result this yields is as follows:
Starting Nmap 7.12SVN ( https://nmap.org ) at 2016–06–27 14:28 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
631/tcp open ipp
5432/tcp open postgresql
Thus we can see that there are 2 ports open at the target host.
Nmap can also be used to determine the OS running on the target host. This can be done simply adding a -O flag to the previous command
nmap -O 127.0.0.1
This returns a more detailed result:
Starting Nmap 7.12SVN ( https://nmap.org ) at 2016–06–27 14:34 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
631/tcp open ipp
5432/tcp open postgresql
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3.19 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.19, Linux 3.8–4.4
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.14 seconds
The result now shows the OS running on the host.
The -v flag can be used to get verbose information about the scan. The -sV flag can be used to show the software versions running on the open ports.
nmap -v -sV hostname
This will return the following:
Starting Nmap 7.12SVN ( https://nmap.org ) at 2016–06–27 14:55 IST
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 14:55
Scanning 104.236.66.200 [4 ports]
Completed Ping Scan at 14:55, 0.62s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:55
Completed Parallel DNS resolution of 1 host. at 14:55, 3.90s elapsed
Initiating SYN Stealth Scan at 14:55
Scanning (104.236.66.200) [1000 ports]
Discovered open port 22/tcp on 104.236.66.200
Discovered open port 443/tcp on 104.236.66.200
Discovered open port 3000/tcp on 104.236.66.200
Completed SYN Stealth Scan at 14:57, 97.05s elapsed (1000 total ports)
Initiating Service scan at 14:57
Scanning 4 services on (104.236.66.200)
Completed Service scan at 14:57, 16.07s elapsed (4 services on 1 host)
NSE: Script scanning 104.236.66.200.
Initiating NSE at 14:57
Completed NSE at 14:57, 4.00s elapsed
Initiating NSE at 14:57
Completed NSE at 14:57, 0.00s elapsed
Nmap scan report for (104.236.66.200)
Host is up (0.34s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7
443/tcp open ssl/http Apache httpd 2.4.7
3000/tcp open http Node.js Express framework
Service Info: Hosts: 104.236.66.200, localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 170.40 seconds
Raw packets sent: 1795 (78.956KB) | Rcvd: 1118 (44.740KB)
This test shows the port number, the state of the port (open,closed), the service (ssh, ssl, http, etc) and the version of the service. Also this test shows more details about the nmap connection, A -p flag can be used to check if a particular port is open or closed. The -p flag can be used to check the port by port number or port name. (Ports can also be specified in range, eg: 1–40)
nmap -p ssh 127.0.0.1
This will return the state of the ssh port of the host. It returns the port number, state and the service:
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000076s latency).
PORT STATE SERVICE
22/tcp closed sshNmap done: 1 IP address (1 host up) scanned in 0.03 seconds
This test can also be run using the port number as nmap -p 22 127.0.0.1
A -sn flag is used to check if a host is alive or not. Running this on a range of addresses will show the following result:
nmap -sn 127.0.0.1–25Starting Nmap 7.12SVN ( https://nmap.org ) at 2016–06–27 15:33 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000074s latency).
Nmap scan report for 127.0.0.2
Host is up (0.00015s latency).
Nmap scan report for 127.0.0.3
Host is up (0.000093s latency).
Nmap scan report for 127.0.0.4
Host is up (0.000079s latency).
Nmap scan report for 127.0.0.5
Host is up (0.000069s latency).
….
Nmap scan report for 127.0.0.24
Host is up (0.000095s latency).
Nmap scan report for 127.0.0.25
Host is up (0.000085s latency).
Nmap done: 25 IP addresses (25 hosts up) scanned in 0.00 seconds
Nmap allows multiple flags to be used together, i.e. a command such as
nmap -v -sV -O 127.0.0.1
is valid and so is the command
nmap -sV -p 1–65535 192.168.1.1/24
(Here /24 is the network mask)
Nmap comes with a GUI Zenmap for those who are not comfortable working with the command line.