Port Scanning on Linux and Windows

Port scanning is essential for penetration testers and red teams to identify potential vulnerabilities in networks and systems. It is the process of scanning a range of ports on a target system to determine which ones are open or closed. Attackers can exploit an open port to gain access to a system or network, whereas a closed port is inaccessible to external connections. This article will cover the basics of port scanning on Linux and Windows operating systems and explore some of the commonly used tools and techniques.

Port Scanning on Linux

Linux is one of the most popular operating systems for server and networking environments, making it a prime target for attackers. Here are some of the commonly used tools for port scanning on Linux:

Nmap

Nmap is a free and open-source tool for scanning for open ports and discovering network services running on a target system.

It is a powerful and versatile tool that supports various scanning techniques, including TCP, UDP, and ICMP scans.

To scan a target system using Nmap, you can use the following command:

nmap <target IP>

Using the default TCP scan, this command will scan the target system for open ports. You can also specify the port range to be scanned using the -p option. For example, to scan for ports 80 and 443 on a target system, you can use the following command:

nmap -p 80,443 <target IP>

Netcat

Netcat is a versatile networking tool that can be used for various tasks, including port scanning. It is a command-line tool that allows you to send and receive data across network connections.

To perform a port scan using Netcat, you can use the following command:

nc -zv <target IP> <start port>-<end port>

This command will scan the target system for open ports between the specified range. The -z option specifies no data should be sent, and the -v option provides verbose output.

Masscan

Masscan is a high-speed port scanner that can scan entire networks in minutes. It is designed to be faster and more efficient than other port scanners, making it an ideal tool for large-scale scanning operations.

To scan a network using Masscan, you can use the following command:

masscan -p1-65535 <target IP>

This command will scan all 65535 ports on the target system. You can also specify a port range to be scanned using the -p option.

Tool-less Scanning on Linux

These are some additional techniques for port scanning on Linux that use only built-in functionality. These techniques include scanning with Telnet, Bash Sockets, and Python.

Scanning with Telnet

Telnet is a command-line tool that allows you to connect to a remote system using the Telnet protocol. It can also be used for port scanning by attempting to connect to each port and checking if it is open or closed.

To perform a port scan using Telnet, you can use the following command:

for i in $(seq <start port> <end port>); do echo "" | telnet <target IP> $i 2>/dev/null | grep Connected; done

This command will attempt to connect to each port between the specified range on the target system using Telnet. If the connection succeeds, the output will show “Connected”, indicating the port is open.

Scanning with Bash Sockets

Bash Sockets is a built-in feature in Bash that allows you to create network connections using sockets. It can be used for port scanning by attempting to connect to each port and checking if it is open or closed. To perform a port scan using Bash Sockets, you can use the following command:

for i in $(seq <start port> <end port>); do (echo >/dev/tcp/<target IP>/$i) &>/dev/null && echo "Port $i is open"; done

This command will attempt to connect to each port between the specified range on the target system using Bash Sockets. If the connection is successful, the output will show “Port <port number> is open”, indicating that the port is open.

Scanning with Python

Python is a powerful programming language that can be used for various tasks, including port scanning. Its built-in socket library allows you to create network connections and check for open ports.

To perform a port scan using Python, you can use the following code:

import socket

target_ip = "<target IP>"
start_port = <start port>
end_port = <end port>

for port in range(start_port, end_port+1):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    result = sock.connect_ex((target_ip, port))
    if result == 0:
        print("Port " + str(port) + " is open")
    sock.close()

This code will attempt to connect to each port between the specified range on the target system using Python. If the connection is successful, the output will show “Port <port number> is open”, indicating that the port is open.

Port Scanning on Windows

While many of the port scanning tools used on Windows are the same as those used on Linux, some techniques and tools are unique to Windows. This section will cover some of these unique techniques and tools.

Windows Management Instrumentation (WMI)

WMI is a powerful framework that allows administrators to manage and monitor Windows systems. It can also be used for port scanning by querying the target system for information about open ports and services. To perform a port scan using WMI, you can use the following PowerShell command:

Get-WmiObject -Class Win32_Service -ComputerName <target IP> -Impersonation 3 -Credential (Get-Credential)

This command will query the target system for information about the running services and their associated ports.

Windows Remote Management (WinRM)

WinRM is a service that allows remote management of Windows systems. It can be used for port scanning by querying the target system for information about open ports and services. To perform a port scan using WinRM, you can use the following PowerShell command:

Invoke-Command -ComputerName <target IP> -ScriptBlock { Test-NetConnection -Port <port number> }

This command will test the specified port on the target system using the Test-NetConnection cmdlet.

Microsoft Baseline Security Analyzer (MBSA)

MBSA is a free tool from Microsoft that can scan Windows systems for security vulnerabilities, including open ports and services. To perform a port scan using MBSA, you can use the following steps:

1. Download and install MBSA from the official website.
2. Launch the application and select the “Scan a computer” option.
3. Enter the IP address of the target system and select the scan options.
4. Click on the “Start Scan” button to begin the scan.

The application will scan the target system for open ports and services and provide a report of any vulnerabilities found.

Common Port Scanning Techniques

Port scanning can be performed using various techniques, each with strengths and weaknesses. Here are some of the commonly used methods:

1. TCP Connect Scan: TCP Connect Scan is the most basic and widely used scanning technique. It involves establishing a TCP connection with each port to determine whether it is open or closed.
2. SYN Scan: SYN Scan is a stealthier scanning technique that sends a SYN packet to each port and waits for a response. If the port is open, it will respond with a SYN-ACK packet; if it is closed, it will respond with a RST packet.
3. UDP Scan: UDP Scan is used to scan for open UDP ports. It involves sending a UDP packet to each port and waiting for a response. If the port is open, it will respond with an ICMP packet; if it is closed, it will not.
4. Null Scan: Null Scan is a scanning technique that involves sending a packet with no flags set to each port. If the port is open, it will not respond; if it is closed, it will respond with a RST packet.
5. Xmas Scan: Xmas Scan is a scanning technique that involves sending a packet with the FIN, URG, and PUSH flags set to each port. If the port is open, it will not respond; if it is closed, it will respond with a RST packet.

Conclusion

Port scanning is essential for penetration testers and red teams to identify potential vulnerabilities in networks and systems. This article covers the basics of port scanning on Linux and Windows operating systems and explores some commonly used tools and techniques. We have also provided real-world examples of how port scanning has been used in high-profile attacks. It is important to note that port scanning can be used for legitimate and malicious purposes, and using it responsibly and ethically is crucial.