
Port Scanning

Published 2024-10-11 20:49:16, 3172 characters

A port scan is a way to find out which ports on a host are open and listening, and it can also reveal whether a security device such as a firewall sits between sender and receiver. Port scanning is usually the first step of fingerprinting: the set of open ports and the way each one answers are then used to identify the services and the operating system behind them.

Ports are numbered from 0 to 65,535; the lower range, 0 to 1,023, holds the "well-known" ports assigned to standard services. A port scan crafts a packet for each destination port of interest and classifies the port from the response, or from the absence of one. There are some basic techniques to choose from, depending on the network topology and the scanning goals.

  • Vanilla scan : This is the most basic scan: a full TCP three-way handshake (a plain connect()) with every one of the 65,536 ports. It is accurate and needs no special privileges, but each completed connection is visible to the listening application and its logs, so it is easily detected.
  • SYN scan : This scan sends a SYN and waits for the reply, but never completes the handshake. A SYN/ACK means the port is open (the scanner answers with a RST instead of an ACK), a RST means closed, and no reply means filtered. It is faster and quieter, because the application never sees a finished connection, but it needs raw-socket (root) privileges.
  • Strobe scan : This selectively attempts to connect to only a few ports, typically fewer than 20, rather than sweeping the whole range.

There are other techniques that penetration testers use, such as Stealth (the half-open SYN scan described above), FTP Bounce, and XMAS (a probe with the FIN, PSH, and URG flags set), which were developed so the sender could scan with less chance of being detected. Some of them also obscure the sender's location: an FTP bounce scan relays the probes through a third-party FTP server, so the target sees that server's address rather than the attacker's, and the attacker gets the information without being tracked.

Now that you know a machine is alive on the network, it's time to determine which ports are open on that host. From a security viewpoint, it is vital to the health and well‐being of your network to know exactly which of the 65,536 ports might be exposed. There are six port states that are currently recognized by Nmap.

  • Open : An application is actively accepting connections (TCP) or datagrams (UDP) on the port.
  • Closed : The port is reachable and the probe was answered (with a RST, for TCP), but no application is listening on it.
  • Filtered : Nmap cannot tell whether the port is open, because packet filtering, typically a firewall, prevented the probe from reaching it. Sometimes the filter returns an ICMP error; more often it silently drops the probe, so Nmap has to retry and wait for timeouts, which slows the scan considerably.
  • Unfiltered : The port is reachable, but Nmap cannot determine whether it is open or closed. Only the ACK scan (-sA), which is used to map firewall rules, produces this state.
  • Open|filtered : Nmap cannot tell whether the port is open or filtered. This happens with scan types in which an open port gives no response at all (UDP, FIN, NULL, and XMAS scans).
  • Closed|filtered : Nmap cannot tell whether the port is closed or filtered; only the idle scan (-sI) reports this state.
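The three techniques above and the state classification are easier to reason about in code. The following is an added example, not code from this page or from Nmap: a small TCP connect scanner in Python that implements the vanilla and strobe variants and labels each port open, closed, or filtered from the kernel's response, the same way Nmap classifies a -sT (connect) scan. A SYN scan cannot be written this way, because it needs raw sockets and root; the connect scan is the unprivileged equivalent. The host 127.0.0.1, the local listener the demo starts, and the strobe port list are constructed fixtures.

```python
import errno
import socket
from typing import Dict, Iterable

# The "well-known" range; everything from 1024 up is registered or dynamic.
WELL_KNOWN_PORTS = range(0, 1024)

# Constructed strobe list: a handful of ports worth checking, well under 20.
STROBE_PORTS = (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389)


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Probe one TCP port with a full three-way handshake (Nmap's -sT).

    The reply decides the state the same way Nmap does for a connect scan:
      SYN/ACK (connect succeeds)      -> "open"
      RST     (ECONNREFUSED)          -> "closed"
      nothing (timeout)               -> "filtered"
      ICMP host/network unreachable   -> "filtered"
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe each port in turn and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def vanilla_scan(host: str, timeout: float = 0.5) -> Dict[int, str]:
    """Vanilla scan: all 65,536 ports. Accurate, but every open port sees a connection."""
    return scan(host, range(0, 65536), timeout)


def strobe_scan(host: str, timeout: float = 1.0) -> Dict[int, str]:
    """Strobe scan: only the short list of interesting ports."""
    return scan(host, STROBE_PORTS, timeout)


def summarize(results: Dict[int, str]) -> Dict[str, int]:
    """Count ports per state, like Nmap's 'Not shown: N closed ports' line."""
    counts: Dict[str, int] = {}
    for state in results.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


def demo() -> Dict[str, str]:
    """Constructed local fixture: one port with a listener, one just released.

    Runs offline against 127.0.0.1 and returns the state observed for each.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # kernel picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                           # nothing listens here now; the kernel answers RST

    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"listening": results[open_port], "released": results[closed_port]}


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:>10}: {state}")
    print(summarize(strobe_scan("127.0.0.1")))
```

Against a remote host the timeout branch is what turns a silently dropping firewall into "filtered", and it is also why filtered ports make a scan slow: each one costs a full timeout and, in Nmap, a retry.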

The most popular port scan, and Nmap's default when run with root privileges, is the -sS, or SYN, scan you see in Figure 3.2. It is a fast scan, scanning thousands of ports per second, and relatively stealthy because it never completes the three-way handshake: when the SYN/ACK arrives, Nmap answers with a RST instead of an ACK, so the listening application never sees a connection and typically never logs one.

Screenshot of the Nmap SYN scan, which is a fast scan, scanning thousands of ports per second.

Figure 3.2 : Nmap SYN scan

To launch a SYN scan against a network segment, use the following command (raw packets require root or equivalent privileges; without them Nmap silently falls back to a connect scan, -sT). By default Nmap probes only the 1,000 most common TCP ports on each host; add -p- to cover the full 1 to 65,535 range.

>nmap -sS <target addresses>
