PhiloCyber | Cybersecurity Together

Introduction

Welcome to the third episode of our comprehensive Nmap course! In this module, we'll focus on port scanning - the core functionality that made Nmap famous. You'll learn various scanning techniques, understand how to interpret different port states, and develop strategies for effective scanning in different environments.

Port scanning is like checking all the doors and windows of a building to see which ones are open, locked, or alarmed. By mastering these techniques, you'll be able to create detailed maps of network services that reveal potential entry points and security weaknesses that others might miss.

The Port Scanning Workflow

Port scanning is typically part of a larger security assessment workflow:

Reconnaissance: Gather information about the target network
Host Discovery: Identify active hosts (covered in Episode 2)
Port Scanning: Determine open ports and services (this episode)
Service Enumeration: Identify specific service versions (Episode 4)
Vulnerability Assessment: Identify potential security weaknesses
Exploitation: Test identified vulnerabilities (in ethical hacking)

In this episode, we'll focus on step 3, but understanding how it fits into the broader process is crucial for effective security assessment.

Port Scanning Fundamentals

What is Port Scanning?

Port scanning is the process of connecting to TCP and UDP ports on a target system to determine what services are running and accessible. It's the foundation of network security assessment, answering the critical question: "What services are exposed on this network?"

Port Ranges and Categories

Well-known ports: 0-1023 (require privileged access on Unix systems)
Registered ports: 1024-49151 (assigned by IANA but can be used by any application)
Dynamic/private ports: 49152-65535 (used for temporary connections)

Common services include HTTP (80), HTTPS (443), SSH (22), FTP (21), SMTP (25), DNS (53), and many others.

Understanding Port States

When Nmap scans a port, it classifies it into one of six states:

Open: An application is actively accepting connections on this port
Closed: The port is accessible, but no application is listening on it
Filtered: Nmap cannot determine if the port is open because a firewall or filter is blocking probes
Unfiltered: The port is accessible, but Nmap cannot determine if it's open or closed
Open|Filtered: Nmap cannot determine if the port is open or filtered
Closed|Filtered: Nmap cannot determine if the port is closed or filtered

Understanding these states is crucial for accurate interpretation of scan results.

Port State Decision Tree

Nmap uses this decision-making process to determine port states:

Send probe
  |
  +---> Response received? --No--> Filtered or Open|Filtered
  |      |
  |      Yes
  |      |
  +---> SYN-ACK received? --Yes--> Open
         |
         No
         |
         +---> RST received? --Yes--> Closed
                |
                No
                |
                +---> ICMP unreachable? --Yes--> Filtered
                       |
                       No
                       |
                       +---> Unfiltered or Closed|Filtered

Different scan types may follow slightly different logic paths.

The Science Behind Port Scanning

To understand port scanning, we need to understand how TCP/IP connections work:

TCP Three-Way Handshake

Client sends SYN packet
Server responds with SYN-ACK
Client sends ACK to complete the connection

Different scan types manipulate this process in various ways:

SYN scans only send the first packet and analyze the response
Connect scans complete the full handshake
FIN, NULL, and Xmas scans use unusual flag combinations to evade detection

TCP Flags Used in Scanning

SYN: Synchronize

ACK: Acknowledge

FIN: Finish

RST: Reset

PSH: Push

URG: Urgent

UDP Connectionless Nature

Unlike TCP, UDP has no handshake process:

Open ports may not respond at all
Closed ports should send an ICMP "port unreachable" message
This makes UDP scanning slower and less reliable

TCP vs UDP Scanning Challenges

TCP Scanning:

Clear response patterns
Reliable state determination
Faster results

UDP Scanning:

Ambiguous responses
False positives/negatives
Much slower (often 10x)

Real-World Applications

The port scanning techniques learned in this episode are fundamental to many cybersecurity tasks:

Penetration Testing

Identifying open ports and services is a primary step in finding potential vulnerabilities during penetration tests. Understanding different scan types helps bypass defenses.

Vulnerability Management

Regular port scanning helps organizations identify exposed services, unauthorized applications, and configuration weaknesses as part of their vulnerability management program.

Network Auditing

Administrators use port scanning to verify firewall rules, ensure only authorized services are running, and maintain an accurate inventory of network services.

Incident Response

During an incident, port scanning can help identify compromised systems, understand the scope of an attack, and verify containment measures.

Key Takeaways

Port scanning identifies open, closed, and filtered ports on target systems.
Understanding TCP/IP fundamentals (handshake, flags) is crucial for interpreting scan results.
TCP SYN Scan (-sS) is fast and stealthy but requires root privileges.
TCP Connect Scan (-sT) is reliable and doesn\u2019t need root, but is slower and noisier.
NULL, FIN, and Xmas scans attempt to bypass simple firewalls but are less reliable, especially against Windows.
UDP scanning (-sU) is important but slower and requires careful interpretation due to UDP\u2019s connectionless nature.
Interpreting port states (open, closed, filtered, etc.) accurately is key to understanding the target\u2019s security posture.

Next Steps

In the next episode, we will delve deeper into more advanced scanning techniques:

Advanced TCP scan types (ACK, Window, Maimon) for firewall analysis.
Specialized scans like IP Protocol, FTP Bounce, and Idle Scan.
Techniques for optimizing UDP scan performance and accuracy.
Strategies for combining different scan types for comprehensive results.
Port selection strategies beyond scanning all 65535 ports.

Additional Resources

Nmap Book: Port Scanning Basics

Nmap Book: Port Scanning Techniques

IANA Service Name and Port Number Registry

Wikipedia: Port Scanner

Video Demonstration

Watch the video demonstration to see these port scanning techniques in action.

Knowledge Check Quiz

Knowledge Check

1. What is the primary goal of port scanning?

2. Which Nmap scan type is often called \"stealth scan\" because it doesn\u2019t complete the TCP three-way handshake?

3. If an Nmap scan reports a port state as \"filtered\", what does this typically indicate?

4. Why is UDP scanning generally slower and less reliable than TCP scanning?

5. Which basic Nmap scan type does NOT require root or administrator privileges to run?

Introduction

The Port Scanning Workflow

Port scanning is typically part of a larger security assessment workflow:

Reconnaissance: Gather information about the target network
Host Discovery: Identify active hosts (covered in Episode 2)
Port Scanning: Determine open ports and services (this episode)
Service Enumeration: Identify specific service versions (Episode 4)
Vulnerability Assessment: Identify potential security weaknesses
Exploitation: Test identified vulnerabilities (in ethical hacking)

In this episode, we'll focus on step 3, but understanding how it fits into the broader process is crucial for effective security assessment.

Port Scanning Fundamentals

What is Port Scanning?

Port Ranges and Categories

Well-known ports: 0-1023 (require privileged access on Unix systems)
Registered ports: 1024-49151 (assigned by IANA but can be used by any application)
Dynamic/private ports: 49152-65535 (used for temporary connections)

Common services include HTTP (80), HTTPS (443), SSH (22), FTP (21), SMTP (25), DNS (53), and many others.

Understanding Port States

When Nmap scans a port, it classifies it into one of six states:

Open: An application is actively accepting connections on this port
Closed: The port is accessible, but no application is listening on it
Filtered: Nmap cannot determine if the port is open because a firewall or filter is blocking probes
Unfiltered: The port is accessible, but Nmap cannot determine if it's open or closed
Open|Filtered: Nmap cannot determine if the port is open or filtered
Closed|Filtered: Nmap cannot determine if the port is closed or filtered

Understanding these states is crucial for accurate interpretation of scan results.

Port State Decision Tree

Nmap uses this decision-making process to determine port states:

Send probe
  |
  +---> Response received? --No--> Filtered or Open|Filtered
  |      |
  |      Yes
  |      |
  +---> SYN-ACK received? --Yes--> Open
         |
         No
         |
         +---> RST received? --Yes--> Closed
                |
                No
                |
                +---> ICMP unreachable? --Yes--> Filtered
                       |
                       No
                       |
                       +---> Unfiltered or Closed|Filtered

Different scan types may follow slightly different logic paths.

The Science Behind Port Scanning

To understand port scanning, we need to understand how TCP/IP connections work:

TCP Three-Way Handshake

Client sends SYN packet
Server responds with SYN-ACK
Client sends ACK to complete the connection

Different scan types manipulate this process in various ways:

SYN scans only send the first packet and analyze the response
Connect scans complete the full handshake
FIN, NULL, and Xmas scans use unusual flag combinations to evade detection

TCP Flags Used in Scanning

SYN: Synchronize

ACK: Acknowledge

FIN: Finish

RST: Reset

PSH: Push

URG: Urgent

UDP Connectionless Nature

Unlike TCP, UDP has no handshake process:

Open ports may not respond at all
Closed ports should send an ICMP "port unreachable" message
This makes UDP scanning slower and less reliable

TCP vs UDP Scanning Challenges

TCP Scanning:

Clear response patterns
Reliable state determination
Faster results

UDP Scanning:

Ambiguous responses
False positives/negatives
Much slower (often 10x)

Real-World Applications

The port scanning techniques learned in this episode are fundamental to many cybersecurity tasks:

Penetration Testing

Identifying open ports and services is a primary step in finding potential vulnerabilities during penetration tests. Understanding different scan types helps bypass defenses.

Vulnerability Management

Regular port scanning helps organizations identify exposed services, unauthorized applications, and configuration weaknesses as part of their vulnerability management program.

Network Auditing

Administrators use port scanning to verify firewall rules, ensure only authorized services are running, and maintain an accurate inventory of network services.

Incident Response

During an incident, port scanning can help identify compromised systems, understand the scope of an attack, and verify containment measures.

Key Takeaways

Port scanning identifies open, closed, and filtered ports on target systems.
Understanding TCP/IP fundamentals (handshake, flags) is crucial for interpreting scan results.
TCP SYN Scan (-sS) is fast and stealthy but requires root privileges.
TCP Connect Scan (-sT) is reliable and doesn\u2019t need root, but is slower and noisier.
NULL, FIN, and Xmas scans attempt to bypass simple firewalls but are less reliable, especially against Windows.
UDP scanning (-sU) is important but slower and requires careful interpretation due to UDP\u2019s connectionless nature.
Interpreting port states (open, closed, filtered, etc.) accurately is key to understanding the target\u2019s security posture.

Next Steps

In the next episode, we will delve deeper into more advanced scanning techniques:

Advanced TCP scan types (ACK, Window, Maimon) for firewall analysis.
Specialized scans like IP Protocol, FTP Bounce, and Idle Scan.
Techniques for optimizing UDP scan performance and accuracy.
Strategies for combining different scan types for comprehensive results.
Port selection strategies beyond scanning all 65535 ports.

Video Demonstration

Watch the video demonstration to see these port scanning techniques in action.

Knowledge Check Quiz

Knowledge Check

1. What is the primary goal of port scanning?

2. Which Nmap scan type is often called \"stealth scan\" because it doesn\u2019t complete the TCP three-way handshake?

3. If an Nmap scan reports a port state as \"filtered\", what does this typically indicate?

4. Why is UDP scanning generally slower and less reliable than TCP scanning?

5. Which basic Nmap scan type does NOT require root or administrator privileges to run?

Episode 3: Port Scanning Techniques and Strategies

Introduction

The Port Scanning Workflow

Port Scanning Fundamentals

What is Port Scanning?

Port Ranges and Categories

Understanding Port States

Port State Decision Tree

The Science Behind Port Scanning

TCP Three-Way Handshake

TCP Flags Used in Scanning

UDP Connectionless Nature

TCP vs UDP Scanning Challenges

Real-World Applications

Penetration Testing

Vulnerability Management

Network Auditing

Incident Response

Key Takeaways

Next Steps

Additional Resources

Nmap Book: Port Scanning Basics

Nmap Book: Port Scanning Techniques

IANA Service Name and Port Number Registry

Wikipedia: Port Scanner

Video Demonstration

Knowledge Check Quiz

Knowledge Check

Loading courses...

Episode 3: Port Scanning Techniques and Strategies

Introduction

The Port Scanning Workflow

Port Scanning Fundamentals

What is Port Scanning?

Port Ranges and Categories

Understanding Port States

Port State Decision Tree

The Science Behind Port Scanning

TCP Three-Way Handshake

TCP Flags Used in Scanning

UDP Connectionless Nature

TCP vs UDP Scanning Challenges

Real-World Applications

Penetration Testing

Vulnerability Management

Network Auditing

Incident Response

Key Takeaways

Next Steps

Additional Resources

Nmap Book: Port Scanning Basics

Nmap Book: Port Scanning Techniques

IANA Service Name and Port Number Registry

Wikipedia: Port Scanner

Video Demonstration

Knowledge Check Quiz

Knowledge Check