Podcast
Questions and Answers
What is the primary goal of port scanning in ethical hacking?
What is the primary goal of port scanning in ethical hacking?
Which of the following port scanning tools is known for its speed?
Which of the following port scanning tools is known for its speed?
What happens when a scanner sends a SYN packet to an open port during a TCP SYN port scan?
What happens when a scanner sends a SYN packet to an open port during a TCP SYN port scan?
What would an nmap scan return if a port is closed?
What would an nmap scan return if a port is closed?
Signup and view all the answers
Why is it essential to obtain authorization before conducting a port scan?
Why is it essential to obtain authorization before conducting a port scan?
Signup and view all the answers
What is the purpose of the TCP 3-way handshake?
What is the purpose of the TCP 3-way handshake?
Signup and view all the answers
What happens when a scanner receives a RST-ACK packet during a TCP SYN port scan?
What happens when a scanner receives a RST-ACK packet during a TCP SYN port scan?
Signup and view all the answers
Why is it important to use port scanning tools responsibly?
Why is it important to use port scanning tools responsibly?
Signup and view all the answers
What type of scan is being performed when an ICMP type 0,1,2,9, or 13 is sent to the target?
What type of scan is being performed when an ICMP type 0,1,2,9, or 13 is sent to the target?
Signup and view all the answers
What is the purpose of the vulners.nse script in NSE?
What is the purpose of the vulners.nse script in NSE?
Signup and view all the answers
What is the characteristic of UDP port scanning?
What is the characteristic of UDP port scanning?
Signup and view all the answers
What is the purpose of the Nmap Scripting Engine (NSE)?
What is the purpose of the Nmap Scripting Engine (NSE)?
Signup and view all the answers
What is the result of a TCP SYN Port Scan when the target does not respond?
What is the result of a TCP SYN Port Scan when the target does not respond?
Signup and view all the answers
What is the purpose of the payload scanning technique in UDP port scanning?
What is the purpose of the payload scanning technique in UDP port scanning?
Signup and view all the answers
What is the name of the Linux netfilter?
What is the name of the Linux netfilter?
Signup and view all the answers
What is the purpose of the ACK Scan?
What is the purpose of the ACK Scan?
Signup and view all the answers
Study Notes
Port Scanning
- Discover open ports and services listening on them
- Other ways to discover open ports exist, instead of scanning from the attacker's host
- Scanning can get you blocked if noisy, and it's essential to ensure authorization
Port Scanning Tools
- Nmap
- Zenmap (Nmap with GUI)
- Masscan (Fast)
- Rustscan
- hping3
- In the absence of tools, sometimes rolling your own using Python or PowerShell is possible
TCP 3-Way Handshake
- SYN packet sent by Host X to Host Y
- SYN-ACK packet sent by Host Y to Host X
- ACK packet sent by Host X to Host Y
Open, Closed & Filtered Port
- An nmap scan returns open, closed, or filtered based on the response
- TCP SYN Port Scan can determine the port status
TCP SYN Port Scan
- Used to be considered stealthy
- Response scenarios:
- SYN-ACK: open port
- RST-ACK: closed port
- ICMP type 3: filtered port
- ICMP type 0,1,2,9,10 or 13: filtered port
- no response: filtered port
Firewall
- Linux netfilter: iptables, nftables, firewalld, ufw
- Windows: netsh advfirewall
Other TCP Port Scan
- Connect Scan
- Xmas Scan
- NULL Scan
- FIN Scan
- ACK Scan
- Idle Scan
UDP Port Scanning
- UDP is connectionless, making scans slower and harder
- Some important services run on UDP (e.g., DNS, DHCP, SNMP, TFTP)
- Common techniques:
- Negative scanning (infer open ports based on ICMP unreachable response for closed port)
- Payload scanning (craft datagram to elicit response from specific service, e.g., DNS)
Other Scanning
- ICMP (Ping) Sweep: scan large block of IP to discover active hosts in subnet
- IPv6 Scanning
- SCTP: provide transport of telephony data over IP
Nmap Scripting Engine (NSE)
- Powerful and flexible
- Enables automation of many network tasks with simple scripts
- Categories of built-in scripts:
- Auth, DoS, Malware, Broadcast, Exploit, Safe, Brute, External, Vuln, Default, Discovery, Fuzzer, Intrusive
NSE Vulnerability Scanner
- Vulners.nse script uses the database in vulners.com to scan for vulnerability
- Other projects exist, such as https://github.com/scipag/vulscan
- One can write custom NSE script to scan for vulnerability not currently supported by existing scripts
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Description
Learn about port scanning in ethical hacking and penetration testing. This lecture covers the techniques and knowledge required for ethical hacking.