Scanning 101: How to see what' on your network

This is what I am dreading. Something I know a little bit about. This may get longer than the previous posts. Be warned.

NOTE: This post is not taking laws into account. I don’t take any responsibility for what you do with this knowledge, but I assume you will take local laws into account.

Intro to scanning - Ports

Scanning is often seen as an offensive act used by attackers to do reconnaissance (or recon) on a target host or network. The depths you can go into depends on what tools are available on the device you are scanning from and the results may be different depending on what is between you and the target system you are scanning.

The way computers communicate with the outside world is through ports. There are 65535 ports in total. This number is 2 to the 16th power, by the way. Ports 0-1024 are known as well-known ports, reserved for very well known services. From 1024 to 49151 we have registered ports, which are used by specific programs upon requesting these from the IANA and can be assigned these for general use. Upwards from 49152, we have private ports. These cannot be assigned to a specific service. These are also called ephemeral or dynamic ports, and are usually used for temporary purposes.

This may seem like a lot to take in, but we’ll see how this is useful to attackers and defenders alike. Soon, you’ll be able to crack those “port 4444 open” jokes as much as I do, i.e. a lot.

How do these ports work?

If you want to check a website for any news, the system asks the server on a specific IP address for information through a certain port. This port (for web) is usually 80 (unencrypted HTTP) or 443 (HTTPS). I say usually, since a server maintainer could always put the webserver on port 10443 or 8000. But let’s talk usual. If the port is open, we can connect to it and send/receive data. On our side (the client), we usually open an ephemeral port used for sending and receiving data to that particular server. These ports are closed once we close the connection (close the browser or disconnect from the website).

So far so good.

Why do we want to scan these ports?

Information gathering. There are two motivations leading to the same outcome: scanning ports.

  • Red-team (attackers): We want to see what’s open to find a service we can exploit/break into/attack.
  • Blue-team (defenders): We want to see what’s open to make sure only what we need is open and that nothing suspicious is going on.

Whatever your team may be, you may want to scan a server or network you are assigned to in order to see what’s running. The results may surprise you!

How do we scan these! It must take a very long time!

Luckily for us, people much smarter than me thought of this and made tools. Remember: A computer is dumb, but it can do the same thing over and over very quickly.

One of the first tools I want to show you is called Nmap.

Nmap was created by a person known as Fyodor, and over time it has become a standard tool to use if you need to scan ports. You can just give it a command and off it goes, checking any range of ports you throw at it. This tool will serve you well.

Installation on linux is quite easy. For example installing on Debian is as easy as running sudo apt install nmap. Other Linux systems may differ in the apt bit, but they are every bit as easy.

Once you have nmap installed, you can just run nmap scanme.nmap.org. This is a special server created and maintained by the nmap creator, but it has rules:

  1. don’t run exploits on the server.
  2. don’t run too many scans that would exhaust/overload the server.

So, heeding his advice, we run the command I indicated and in a few seconds/minutes, depending on your internet speed, we get a result in the following format:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Starting Nmap 7.80SVN ( https://nmap.org ) at 2022-02-28 20:35 CET
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.23s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
9929/tcp open nping-echo
16993/tcp filtered amt-soap-https
31337/tcp open Elite
40911/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 25.37 seconds

This may seem daunting, but let’s go line by line, starting at line 2.

scan report for scanme.nmap.org (45.33.32.156)``` tells us the target we scanned and what its IP address is. In this case, scanme.nmap.org is hosted at 45.33.32.156.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

```Host is up``` is pretty self-explanatory. Host is receiving connections and answering to ping requests Nmap sends. If the host does not reply to nmap's ping requests, it is considered "down", so no scans go through. We can tune this by using **-Pn**, which will scan all ports without first checking for live systems.

We can skip other addresses, but it may be useful if you want to specifically scan a certain IP address of many possible ones. Usually not needed.

Next, we get to the scan results. We can see that 991 ports are closed. The rest are shown below. By default, nmap scans the top 1000 ports listed in its database by frequency of use. This, too, can be tuned by using the **--top-ports** flag. If we want to scan just the top 10 ports, we can run ```nmap --top-ports 10 scanme.nmap.org```.

Below, we can see that nmap sorts ports as closed (not shown), open and filtered. Filtered means that the port replies, but we cannot be certain. It may be either way.

The three columns give us the port number, protocol (TCP or UDP), the state (open, closed, filtered), and then the service that is most likely to be running on the port.

## Which ports should we remember?

I will try to use the nmap scan as an example for some known ports, but remember, there are 1024 of those, so if you want to learn more, I suggest googling around. just putting in "port [NUMBER] service" will give you good results, at least for the first 1024.

The first port we can see is 22/TCP. This is a well-known port used by SSH, or the secure shell. If you have a server in the cloud and want to connect, SSH is the way to go. It is encrypted, can be set to use keys instead of passwords, the whole nine yards. Usually seen in UNIX systems, however it can be set up on Windows as well.

The next one down the line is 80/TCP. By default, this is the unencrypted HTTP port. If you have a website running, 80 is the default port this runs on. Again, can be changed, but browsers usually go for port 80. An alternative to 80 is 443/TCP, which is HTTPS. A site can use TLS (like this one) and encrypt communication between user and server.

Ports 135, 139 and 445 are usually seen on Windows systems, as the service column tells us. If you see these on a computer in the wild, it's a good chance it may be Windows. Note that as with 22, these may also be set up on Linux systems.

The other ports are above 1024, so we consider them registered. These may be used by any program, so not sure what they are running, we may want to check further to see what's on them. One nod to hackers is the 31337 port, which in leetspeek spells "eleet". Hence the "elite" service name.

## Okay, but what exactly is on there?

Not really. Nmap has a **huge** number of scripts and settings we can show to scan for specific ports, recognize services, or even try to guess what the operating system is.

I'll name several of these, however if you check ```nmap --help``` or Fyodor's website, you will find a HUGE number of settings you can try on your own.

The first one we could talk about is -sV. This flag uses different methods to find what port is actually running which service. If we run ```nmap -sV scanme.nmap.org```, we get something a little different:

Not shown: 990 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1007/tcp filtered unknown
1244/tcp filtered isbconference1
9929/tcp open nping-echo Nping echo
31337/tcp open tcpwrapped
34573/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

Some services stay the same, however note the column VERSION. That wasn't there before! This column tells us more about what service is running by actually trying to access the service and "banner grabbing". A banner is something a server advertises so the computer connecting to it knows how to speak to it. We can see that there is *OpenSSH 6.6.1p1 Ubuntu* running on port 22. So now we know it really is SSH. Port 80 runs *Apache 2.4.7 ((Ubuntu))*, so an HTTP server. The last is Nping echo. Not much we can say about that, but feel free to find out more about it.

Furthermore, we can see that Nmap tried to guess the version the system is running on! OS appears to be Linux.

This leads us to a split in the road for defenders and attackers.

### How a defender may use this information

If you're a SOC analyst or an administrator of a huge network of devices, running nmap on this particular machine just told you several things:

1) This is a Linux server. You may want to check if that should be there and if it is in your asset list.
2) There are numerous ports open. Should they be open? If not, why are they open?
3) Port 22 is running OpenSSH 6.6.1. Should it be running? Is this version of the system secure? If not, why is it there? Should it be updated? Can it be updated?
4) Port 80 is running Apache. Is this supposed to be running? Is this version secure? Should it be updated? What's on there?

As defenders, it's our responsibility to make sure all the systems are secure. If you see the versions and there are vulnerabilities known about them, you may want to update, if possible.

### How an attacker may use this information

As a pentester or ethical hacker, the questions turn a little darker:

1) This is a Linux server. Is Linux secure? If not, how can we get in?
2) Port 22 is OpenSSH 6.6.1. Does this version have any vulnerabilities? Is there a weak password? Who are the users that can connect to it?
3) Port 80 is Apache 2.4.7. Are there any exploits/vulnerabilities for version 2.4.7? If so, can we run them or do we need more information? What's on there? Any information we may find?

## Okay, I found 273 possible exploits. Which one will work?

Lucky you! You found some exploits, but you're not sure if they will work. Maybe you need more information from the server, maybe you're missing some fields to find. Luckily for us, nmap also includes a basic script scanner. By using *-sC*, nmap runs basic scripts against the web server, checking the ports for more information. These scripts are written in Lua, so if you're a Lua fan, you can write your own!

Let's run ```nmap -sC scanme.nmap.org``` to see what we get!

Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
| 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
| 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_ 256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
80/tcp open http
|_http-title: Go ahead and ScanMe!
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
9929/tcp open nping-echo
31337/tcp open Elite

Nmap done: 1 IP address (1 host up) scanned in 35.80 seconds


This may seem confusing, but let's talk about the result.

Port 22 is running SSH. we know that. Nmap also found that out, and as such ran the script *ssh-hostkey* to find us a fingerprint of the server. 

- Defenders: If this does not match your regular documented lists, please check again. If it's still different, it may be a different server, or a modified server. Check and make sure you know what happened. 
- Attackers: This confirms the server is running SSH. Are these ciphers not secure enough? Can this information be used in a different way to find more?

Port 80 was discovered as HTTP, and as such, nmap ran a scan called *http-title*. This takes the title tags of a website (the text shown in the tab when you open a browser) and presents it to you. 

- Defenders: If this information is different to what you expect, could it be an error in the webserver? Could it be a defaced website? Why is this information different?
- Attackers: Is this the correct server you want to attack? Does the title say something you may use?