Port scanning is an essential tool for penetration testers and red teams to identify potential vulnerabilities in networks and systems. It is the process of scanning a range of ports on a target system to determine which ones are open and which are closed. An open port can be exploited by attackers to gain access to a system or network, whereas a closed port is inaccessible to external connections. In this article, we will cover the basics of port scanning on Linux and Windows operating systems and explore some of the commonly used tools and techniques.
Port Scanning on Linux
Linux is one of the most popular operating systems for server and networking environments, making it a prime target for attackers. Here are some of the commonly used tools for port scanning on Linux:
Nmap
Nmap is a free and open-source tool that can be used to scan for open ports and discover network services running on a target system.
It is a powerful and versatile tool that supports a wide range of scanning techniques, including TCP, UDP, and ICMP scans.
To scan a target system using Nmap, you can use the following command:
nmap <target IP>
This command will scan the target system for open ports using the default TCP
scan. You can also specify the port range to be scanned using the -p option.
For example, to scan for ports 80 and 443 on a target system, you can use the
following command:
nmap -p 80,443 <target IP>
Netcat
Netcat is a versatile networking tool that can be used for a wide range of tasks, including port scanning. It is a command-line tool that allows you to send and receive data across network connections.
To perform a port scan using Netcat, you can use the following command:
nc -zv <target IP> <start port>-<end port>
This command will scan the target system for open ports between the specified
range. The -z option specifies that no data should be sent, and the -v
option provides verbose output.
Masscan
Masscan is a high-speed port scanner that can scan entire networks in minutes. It is designed to be faster and more efficient than other port scanners, making it an ideal tool for large-scale scanning operations.
To scan a network using Masscan, you can use the following command:
masscan -p1-65535 <target IP>
This command will scan all 65535 ports on the target system. You can also
specify a port range to be scanned using the -p option.
Tool-less Scanning on Linux
These are some additional techniques for port scanning on Linux that use only built-in functionality. These techniques include scanning with Telnet, Bash Sockets, and Python.
Scanning with Telnet
Telnet is a command-line tool that allows you to connect to a remote system using the Telnet protocol. It can also be used for port scanning by attempting to connect to each port and checking if it is open or closed.
To perform a port scan using Telnet, you can use the following command:
for i in $(seq <start port> <end port>); do echo "" | telnet <target IP> $i 2>/dev/null | grep Connected; done
This command will attempt to connect to each port between the specified range on the target system using Telnet. If the connection is successful, the output will show “Connected”, indicating that the port is open.
Scanning with Bash Sockets
Bash Sockets is a built-in feature in Bash that allows you to create network connections using sockets. It can be used for port scanning by attempting to connect to each port and checking if it is open or closed. To perform a port scan using Bash Sockets, you can use the following command:
for i in $(seq <start port> <end port>); do (echo >/dev/tcp/<target IP>/$i) &>/dev/null && echo "Port $i is open"; done
This command will attempt to connect to each port between the specified range on
the target system using Bash Sockets. If the connection is successful, the
output will show “Port <port number> is open”, indicating that the port is
open.
Scanning with Python
Python is a powerful programming language that can be used for a wide range of tasks, including port scanning. The built-in socket library in Python allows you to create network connections and check for open ports.
To perform a port scan using Python, you can use the following code:
import socket
target_ip = "<target IP>"
start_port = <start port>
end_port = <end port>
for port in range(start_port, end_port+1):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((target_ip, port))
if result == 0:
print("Port " + str(port) + " is open")
sock.close()
This code will attempt to connect to each port between the specified range on
the target system using Python. If the connection is successful, the output will
show “Port <port number> is open”, indicating that the port is open.
Port Scanning on Windows
While many of the port scanning tools used on Windows are the same as those used on Linux, there are some techniques and tools that are unique to Windows. In this section, we will cover some of these unique techniques and tools.
Windows Management Instrumentation (WMI)
WMI is a powerful framework that allows administrators to manage and monitor Windows systems. It can also be used for port scanning by querying the target system for information about open ports and services. To perform a port scan using WMI, you can use the following PowerShell command:
Get-WmiObject -Class Win32_Service -ComputerName <target IP> -Impersonation 3 -Credential (Get-Credential)
This command will query the target system for information about the running services and their associated ports.
Windows Remote Management (WinRM)
WinRM is a service that allows remote management of Windows systems. It can be used for port scanning by querying the target system for information about open ports and services. To perform a port scan using WinRM, you can use the following PowerShell command:
Invoke-Command -ComputerName <target IP> -ScriptBlock { Test-NetConnection -Port <port number> }
This command will test the specified port on the target system using the Test-NetConnection cmdlet.
Microsoft Baseline Security Analyzer (MBSA)
MBSA is a free tool from Microsoft that can be used to scan Windows systems for security vulnerabilities, including open ports and services. To perform a port scan using MBSA, you can use the following steps:
- Download and install MBSA from the official website.
- Launch the application and select the “Scan a computer” option.
- Enter the IP address of the target system and select the scan options.
- Click on the “Start Scan” button to begin the scan.
The application will scan the target system for open ports and services and provide a report of any vulnerabilities found.
Common Port Scanning Techniques
Port scanning can be performed using a variety of techniques, each with its strengths and weaknesses. Here are some of the commonly used techniques:
- TCP Connect Scan: TCP Connect Scan is the most basic and widely used scanning technique. It involves attempting to establish a TCP connection with each port to determine whether it is open or closed.
- SYN Scan: SYN Scan is a stealthier scanning technique that sends a SYN packet to each port and waits for a response. If the port is open, it will respond with a SYN-ACK packet, and if it is closed, it will respond with a RST packet.
- UDP Scan: UDP Scan is used to scan for open UDP ports. It involves sending a UDP packet to each port and waiting for a response. If the port is open, it will respond with an ICMP packet, and if it is closed, it will not respond.
- Null Scan: Null Scan is a scanning technique that involves sending a packet with no flags set to each port. If the port is open, it will not respond, and if it is closed, it will respond with a RST packet.
- Xmas Scan: Xmas Scan is a scanning technique that involves sending a packet with the FIN, URG, and PUSH flags set to each port. If the port is open, it will not respond, and if it is closed, it will respond with a RST packet.
Conclusion
Port scanning is an essential tool for penetration testers and red teams to identify potential vulnerabilities in networks and systems. In this article, we have covered the basics of port scanning on Linux and Windows operating systems and explored some of the commonly used tools and techniques. We have also provided real-world examples of how port scanning has been used in high-profile attacks. It is important to note that port scanning can be used both for legitimate and malicious purposes, and it is crucial to use it responsibly and ethically.