
02. Port Scanning

Port scanning is a critical step in network reconnaissance: it identifies open ports on target hosts, along with the operating systems and services running on them. Here's a detailed breakdown with examples and tools:


Port Scanning Commands

1. Identify Operating System and Services

  • Command:

    nmap -iL test.txt
    
    • Explanation: This scans the hosts listed in test.txt for open ports.
    • Example Usage: If test.txt contains a list of IP addresses (e.g., 192.168.1.1), this command scans those IPs for open ports.
    • Output: Lists open ports for each host.

  • Command:

    nmap -iL test.txt -sV -O
    
    • Explanation:
      • -sV: Enables version detection to identify running services and their versions.
      • -O: Performs OS detection using TCP/IP stack fingerprinting.
    • Example Usage:
      • Input: test.txt with IPs.
      • Command: nmap -iL test.txt -sV -O
    • Output: Displays detected OS and running services for each host.

  • Command:

    nmap -iL test.txt -sV -O -sC
    
    • Explanation:
      • -sC: Runs Nmap's default script set for additional service enumeration and vulnerability detection.
    • Example Usage: Combines port scanning, OS detection, service detection, and script-based analysis.
    • Output: Provides detailed host information, including service vulnerabilities.

Graphical Tools and Automation

1. Zenmap

  • Description: Graphical user interface (GUI) for Nmap, suitable for beginners and visualization.
  • Usage Example:
    • Load a target or range of IPs.
    • Choose a scan type (e.g., quick, intense).
    • View results in graphical format, including topology.

2. Nmap Automator

  • Description: A script that automates Nmap scans based on predefined options.
  • Usage Example:

    ./nmapAutomator.sh 192.168.1.1 All
    
    • Automates scans like reconnaissance, port scanning, and vulnerability checks.

3. Masscan

  • Description: High-speed port scanner for large networks.
  • Usage Example:

    masscan -p0-65535 192.168.1.0/24 --rate=1000
    
    • -p0-65535: Scans all ports.
    • --rate=1000: Limits the transmit rate to 1000 packets per second.

4. Rustscan

  • Description: A fast and efficient port scanner built with Rust.
  • Usage Example:

    rustscan -a 192.168.1.1 -- -sV
    
    • Combines speed and detailed service detection.

5. AutoRecon

  • Description: Multi-tool automation framework for reconnaissance.
  • Usage Example:

    autorecon 192.168.1.1
    
    • Combines tools like Nmap, Nikto, and Gobuster for extensive reconnaissance.

Examples in Action

Scenario:

You want to scan a network (192.168.1.0/24) for open ports, identify the OS, and find running services.

  1. Basic Scan:

    nmap -iL test.txt
    
    • Input: test.txt with 192.168.1.1, 192.168.1.2.
    • Output: Open ports per host.

  2. OS and Service Detection:

    nmap -iL test.txt -sV -O
    
    • Output: OS (e.g., Windows, Linux) and running services (e.g., SSH, HTTP).

  3. Automated Vulnerability Checks:

    nmap -iL test.txt -sV -O -sC
    
    • Output: Identifies vulnerabilities using Nmap's script engine.

  4. High-Speed Scanning:

    masscan -p22,80,443 192.168.1.0/24 --rate=1000
    
    • Output: Lists open ports for SSH (22), HTTP (80), HTTPS (443).

Best Practices

  • Use Masscan or Rustscan for large networks where speed is critical.
  • Combine -sV, -O, and -sC in Nmap for detailed analysis.
  • Automate repetitive tasks with tools like Nmap Automator and AutoRecon.
  • Take note of key findings such as:
    • OS type (e.g., Windows 10, Ubuntu 20.04).
    • Services running (e.g., Apache 2.4.51, OpenSSH 8.9).
    • Vulnerabilities found (e.g., outdated services).