Port Scanning Technique OSCP

Port Scanning
Port scanning is a type of active information gathering. It is the process of scanning for
open ports on a particular host or network. It is worth to mention that this type of scanning
is illegal in several countries and should only be conducted on authorized systems. I will be
using the lab from the book to perform the scan.
Manual port scanning:
The simpliest TCP port scanning technique is called CONNECT scanning and relied on 3-
way handshake. This can be done using netcat, telnet or even putty if you have installed.
The output below shows that we are able to connect to port 25 and the SMTP server
announced itself SLmail 5.5.0.4433.
root@kali:/scripts# nc -nvv 192.168.0.112 25

Ncat: Version 7.70 ( https://nmap.org/ncat )
NCAT DEBUG: Using system default trusted CA certificates and those in /etc/ssl/certs/ca-
certificates.crt.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 192.168.0.112:25 (IOD #1) EID
8
libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8
[192.168.0.112:25]
Ncat: Connected to 192.168.0.112:25.
libnsock nsock_read(): Read request from IOD #1 [192.168.0.112:25] (timeout: -1ms) EID
18
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID
26
libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18
[192.168.0.112:25] (66 bytes): 220 bookxp SMTP Server SLmail 5.5.0.4433 Ready ESMTP
spoken here..
220 bookxp SMTP Server SLmail 5.5.0.4433 Ready ESMTP spoken here
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #1 [192.168.0.112:25] EID
34
UDP Scan:
As we know UDP is a stateless protocol. So it has no 3-way handshake and reliability. The
output below shows a manual port scan on port UDP 69.
root@kali:/# nc -nvv -u 192.168.0.112 69

Ncat: Version 7.70 ( https://nmap.org/ncat )
NCAT DEBUG: Using system default trusted CA certificates and those in /etc/ssl/certs/ca-
certificates.crt.
libnsock nsock_connect_udp(): UDP connection requested to 192.168.0.112:69 (IOD #1)
EID 8
libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8
[192.168.0.112:69]
Ncat: Connected to 192.168.0.112:69.
libnsock nsock_read(): Read request from IOD #1 [192.168.0.112:69] (timeout: -1ms) EID
18
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID
26
^C
NMAP:
Nmap is a free and open-source security scanner, originally written by Gordon Lyon, used
to discover hosts and services on a computer network, thus building a “map” of the
network. To accomplish its goal, Nmap sends specially crafted packets to the target host
and then analyzes the responses. The default nmap TCP scan will scan the 1000 most
popular ports on a given machine.
– Scanning a single host:
#nmap <host>
root@kali:/# nmap 192.168.0.112

Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-24 21:11 -03
Nmap scan report for 192.168.0.112
Host is up (0.0022s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
2869/tcp open icslap
3306/tcp open mysql
MAC Address: 08:00:27:F1:FD:FE (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.30 seconds
– Scanning a network:
#nmap <network>/<CIDR>
root@kali:/# nmap 192.168.0.0/24

PORT STATE SERVICE
80/tcp open http
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8888/tcp open sun-answerbook
MAC Address: 58:23:8C:08:8D:AA (Technicolor CH USA)

PORT STATE SERVICE
80/tcp open http
443/tcp open https
631/tcp open ipp
9100/tcp open jetdirect
9220/tcp open unknown
MAC Address: 48:BA:4E:FD:9E:8B (Hewlett Packard)
— snip —
– Scanning multiple targets:
#nmap <host> <host>
root@kali:/# nmap 192.168.0.1 192.168.0.112

PORT STATE SERVICE
80/tcp open http

PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
443/tcp open https
3306/tcp open mysql
Nmap done: 2 IP addresses (2 hosts up) scanned in 7.13 seconds
– Scanning a range of IPs:
#nmap <host>-<End of range>
root@kali:/# nmap 192.168.0.100-112

All 1000 scanned ports on 192.168.0.102 are closed
MAC Address: 2C:0E:3D:CA:3C:9F (Samsung Electro-mechanics(thailand))

PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
902/tcp open iss-realsecure
MAC Address: 98:83:89:8E:51:E7 (Samsung Electronics)

PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
443/tcp open https
3306/tcp open mysql

PORT STATE SERVICE
22/tcp open ssh
– Using a file with hosts to perform a scan
#nmap -iL <file> – Make sure the file is in the same directory you are running nmap.
root@kali:/# nmap -iL hosts.txt

PORT STATE SERVICE
80/tcp open http

PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
443/tcp open https
3306/tcp open mysql
PORT STATE SERVICE
22/tcp open ssh

root@kali:/#
– Excluding IPs from scan:
#nmap <host><End of Range> –exclude <host>
root@kali:/# nmap 192.168.0.0-112 –exclude 192.168.0.1

PORT STATE SERVICE
80/tcp open http
443/tcp open https
631/tcp open ipp
9100/tcp open jetdirect
9220/tcp open unknown
MAC Address: 48:BA:4E:FD:9E:8B (Hewlett Packard)

MAC Address: AC:5F:3E:7D:1D:A8 (Samsung Electro-mechanics(thailand))
— snip —
– Scanning multiple ports:
#nmap -p<port>,<port>,<port> <host>
root@kali:/# nmap -p21,25,80 192.168.0.112

PORT STATE SERVICE

21/tcp open ftp
25/tcp open smtp
80/tcp open http
Nmap Scannning Techniques:
TCP SYN Scan(-sS):
A SYN scan (A.K.A. stealth scan) is a TCP scan that does not finish the TCP handshake. In
a SYN scan, Nmap sends the SYN and waits for the SYN-ACK if the
port is open but never sends the ACK to complete the connection. If the SYN packet
receives no SYN-ACK response, the port is not available; either it’s closed or the
connection is being filtered.
This way, Nmap finds out if a port is open without ever fully connecting to the target
machine. The syntax for a SYN scan is the -sS flag.
#nmap -sS <host>
root@kali:/# nmap -sS 192.168.0.112

PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
443/tcp open https
3306/tcp open mysql
TCP connect() scan (-sT):
This the default scanning technique used.Unlike the TCP SYN scan, it completes the
normal TCP three way handshake process and requires the system to call connect(), which
is a part of the operating system.
Keep in mind that this technique is only applicable to find out the TCP ports, not the UDP
ports.
#nmap -sT <host>
root@kali:/# nmap -sT 192.168.0.112

PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
443/tcp open https
3306/tcp open mysql
UDP Scan (-sU):
This technique is used to find an open UDP port of the target machine.
#nmap -sU <host>
root@kali:/# nmap -sU 192.168.0.112

PORT STATE SERVICE
69/udp open|filtered tftp
123/udp open ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
FIN Scan (-sF):

Sometimes a normal TCP SYN scan is not the best solution because of the firewall. IDS and
IPS scans might be deployed on the target machine, but a firewall will usually block the
SYN packets. A FIN scan sends the packet only set with a FIN flag, so it is not required to
complete the TCP handshaking.
#namp -sF <host>
root@kali:/# nmap -sF 192.168.0.112

Just like a FIN scan, we can perform an xmas scan (-sX) and Null scan (-sN). The idea is
same but there is a difference between each type of scan. For example, the FIN scan sends
the packets containing only the FIN flag, where as the Null scan does not send any bit on
the packet, and the xmas sends FIN, PSH, and URG flags.
Ping Scan (-sP):
Ping scanning is unlike the other scan techniques because it is only used to find out whether
the host is alive or not, it is not used to discover open ports.
#nmap -sP <host>
root@kali:~# nmap -sP 192.168.0.112

Version Detection (-sV):
Version detection is the right technique that is used to find out what software version is
running on the target computer and on the respective ports. It is unlike the other scanning
techniques because it is not used to detect the open ports, but it requires the information
from open ports to detect the software version. In the first step of this scan technique,
version detection uses the TCP SYN scan to find out which ports are open.
#nmap -sV <host>

root@kali:~# nmap -sV 192.168.0.112
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.32 beta
25/tcp open smtp SLmail smtpd 5.5.0.4433
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3306/tcp open mysql MySQL (unauthorized)
Service Info: Host: bookxp; OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows,
cpe:/o:microsoft:windows_xp
Service detection performed. Please report any incorrect results at

https://nmap.org/submit/ .
Idle Scan (-sI):
Idle scan is an advance scan that provides complete anonymity while scanning. In idle scan,
Nmap doesn’t send the packets from your real IP address—instead of generating the
packets from the attacker machine, Nmap uses another host from the target network to
send the packets. Many people use -Pn w/Idlescan to prevent pings from their true IP.
#nmap -sI zombie_host target_host
root@kali:~# nmap -sI 192.168.0.1 192.168.0.112 -Pn

Idle scan using zombie 192.168.0.1 (192.168.0.1:80); Class: Incremental
Not shown: 992 closed|filtered ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
443/tcp open https
3306/tcp open mysql
OS Detection Nmap
One of the most important feature that Nmap has is the ability to detect remote operating
systems and software. It is very helpful during a penetration test to know about the
operating system and the software used by the remote computer because you can easily
predict the known vulnerabilities from this information.
Nmap has a database called nmap-os-db, the database contains information of more than
2,600 operating systems. Nmap sends TCP and UDP packets to the target machine and
then it examines the response by comparing the result with the database. The Nmap
operating system discovery technique is slightly slower then the scanning techniques
because OS detection involves the process of finding open ports.
#nmap -O <host>
root@kali:~# nmap -O -Pn 192.168.0.112

PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
443/tcp open https
3306/tcp open mysql
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
If it the OS cannot be detected, we can use the option -osscan-guess and nmap will find the
nearest match of the target OS or –osscan-limit to skip the OS guessing.
–osscan-limit: Limit OS detection to promising targets

–osscan-guess: Guess OS more aggressively
#nmap -osscan-guess <host>
When I ran just option -O nmap, it automatically tried to guess the OS.
root@kali:~# nmap -O 192.168.0.1

PORT STATE SERVICE
80/tcp open http
Aggressive OS guesses: HP ProCurve 1810G, ZyXEL GS1910, or FibroLAN switch (eCos
3.0) (96%),
Motorola SURFboard 5101 cable modem (95%), HP ProCurve 1810G switch (eCos 3.0)
(93%), FreeBSD daemon 4.5-RELEASE (92%), DragonFly BSD 1.8.0-RELEASE – 1.10.1
(x86) (92%), FreeBSD 4.6.2-RELEASE (92%), FreeNAS 0.686b (FreeBSD 6.2-RELEASE)
(92%), DragonFly BSD 1.10.1 (91%), VxWorks 6.4 (91%), VxWorks (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .

root@kali:~# nmap –osscan-limit 192.168.0.1

PORT STATE SERVICE
80/tcp open http
Important Options:
-A: Enable OS detection, version detection, script scanning, and traceroute
-oA <basename>: Output in the three major formats at once (.gnmap, .nmap, .xml)
-v: Increase verbosity level (use -vv or more for greater effect)
-oG: saves the scan in a file in a Grepable format.
#nmap -v -A <host> -oA scan
root@kali:~# nmap -A 192.168.0.112 -oA scan

PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.32 beta
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 1 ftp ftp 0 Aug 06 2009 incoming
|_-r–r–r– 1 ftp ftp 187 Aug 06 2009 onefile.html
|_ftp-bounce: bounce working!
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
— snip —
root@kali:~# ls -l scan*
-rw-r–r– 1 root root 936 Sep 25 21:21 scan.gnmap
-rw-r–r– 1 root root 3529 Sep 25 21:21 scan.nmap
-rw-r–r– 1 root root 14711 Sep 25 21:21 scan.xml
Nmap Scriptiing Engine:
The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It
allows users to write (and share) simple scripts to automate a wide variety of networking
tasks. Those scripts are then executed in parallel with the speed and efficiency you expect
from Nmap. Users can rely on the growing and diverse set of scripts distributed with
Nmap, or write their own to meet custom needs. NSE is stored in the
/usr/share/nmap/scripts.
root@kali:/usr/share/nmap/scripts# pwd
/usr/share/nmap/scripts
root@kali:/usr/share/nmap/scripts#
root@kali:/usr/share/nmap/scripts# ls -l | wc -l
590
root@kali:/usr/share/nmap/scripts#
SCRIPT SCAN:
-sC: equivalent to –script=default
–script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
–script-args=<n1=v1,[n2=v2,…]>: provide arguments to scripts
–script-args-file=filename: provide NSE script args in a file
–script-trace: Show all data sent and received
–script-updatedb: Update the script database.
–script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
NSE is activated with the -sC option (or –script if you wish to specify a custom set of
scripts) and results are integrated into Nmap normal and XML output.
smb-os-discovery.nse
root@kali:/usr/share/nmap/scripts# nmap 192.168.0.112 –script smb-os-discovery.nse

PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
443/tcp open https
3306/tcp open mysql
Host script results:

| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: bookxp
| NetBIOS computer name: BOOKXP\x00
| Workgroup: GRUPO\x00
|_ System time: 2018-09-25T22:12:42-03:00
OR
root@kali:/usr/share/nmap/scripts# nmap -sC -p 139 192.168.0.112
PORT STATE SERVICE


|_clock-skew: mean: 1h29m59s, deviation: 2h07m16s, median: 0s
|_nbstat: NetBIOS name: BOOKXP, NetBIOS user: <unknown>, NetBIOS MAC:
08:00:27:f1:fd:fe (Oracle VirtualBox virtual NIC)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: bookxp
| NetBIOS computer name: BOOKXP\x00
| Workgroup: GRUPO\x00
|_ System time: 2018-09-25T22:17:36-03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
whois-domain.nse script:
root@kali:/usr/share/nmap/scripts# nmap jpsecnetworks.com –script whois-domain.nse

Nmap scan report for jpsecnetworks.com (162.241.216.158)
rDNS record for 162.241.216.158: box5414.bluehost.com
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
26/tcp open rsftp
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
2222/tcp open EtherNetIP-1
3306/tcp open mysql
8443/tcp open https-alt

| whois-domain:
|
| Domain name record found at whois.verisign-grs.com
| Domain Name: JPSECNETWORKS.COM\x0D
| Registry Domain ID: 2300229417_DOMAIN_COM-VRSN\x0D
| Registrar WHOIS Server: whois.fastdomain.com\x0D
| Registrar URL: http://www.fastdomain.com\x0D
| Updated Date: 2018-08-21T13:35:39Z\x0D
| Creation Date: 2018-08-21T13:35:39Z\x0D
| Registry Expiry Date: 2019-08-21T13:35:39Z\x0D
| Registrar: FastDomain, Inc.\x0D
| Registrar IANA ID: 1154\x0D
| Registrar Abuse Contact Email:\x0D
| Registrar Abuse Contact Phone:\x0D
| Domain Status: clientTransferProhibited
https://icann.org/epp#clientTransferProhibited\x0D
| Name Server: NS1.BLUEHOST.COM\x0D
| Name Server: NS2.BLUEHOST.COM\x0D
| DNSSEC: unsigned\x0D
| URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/\x0D
Banner grab:
Banner grabbing is a process of collecting details regarding any remote PC on a network

and the services running on its open ports.
root@kali:~# nmap 192.168.0.112 –script=banner

PORT STATE SERVICE
21/tcp open ftp
| banner: 220-FileZilla Server version 0.9.32 beta\x0D\x0A220-written by
|_Tim Kosse (Tim.Kosse@gmx.de)\x0D\x0A220 Please visit http://sourcefo…
25/tcp open smtp
| banner: 220 bookxp SMTP Server SLmail 5.5.0.4433 Ready ESMTP spoken her
|_e
80/tcp open http
135/tcp open msrpc
443/tcp open https
3306/tcp open mysql
| banner: F\x00\x00\x00\xFFj\x04Host ‘192.168.0.109’ is not allowed to co
|_nnect to this MySQL server
Nmap done: 1 IP address (1 host up) scanned in 28.98 second

Port Scanning Technique OSCP

Uploaded by

Copyright:

Available Formats

Port Scanning Technique OSCP

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Port Scanning Technique OSCP

Uploaded by

Copyright:

Available Formats

What is port scanning and what are some common port scanning techniques?

What is port scanning and what are some common port scanning techniques?

What is Nmap and how can it be used for scanning?

What is Nmap and how can it be used for scanning?

Port Scanning

Manual port scanning:

root@kali:/scripts# nc -nvv 192.168.0.112 25

root@kali:/# nc -nvv -u 192.168.0.112 69

– Scanning a single host:

root@kali:/# nmap 192.168.0.112

Nmap done: 1 IP address (1 host up) scanned in 8.30 seconds

root@kali:/# nmap 192.168.0.0/24

Nmap scan report for 192.168.0.27

– Scanning multiple targets:

#nmap <host> <host>

root@kali:/# nmap 192.168.0.1 192.168.0.112

Nmap scan report for 192.168.0.112

Nmap done: 2 IP addresses (2 hosts up) scanned in 7.13 seconds

– Scanning a range of IPs:

#nmap <host>-<End of range>

root@kali:/# nmap 192.168.0.100-112

Nmap scan report for 192.168.0.103

Nmap scan report for 192.168.0.112

Nmap scan report for 192.168.0.109

Nmap done: 13 IP addresses (5 hosts up) scanned in 15.31 seconds

– Using a file with hosts to perform a scan

root@kali:/# nmap -iL hosts.txt

Nmap scan report for 192.168.0.112

Nmap done: 3 IP addresses (3 hosts up) scanned in 13.89 seconds

– Excluding IPs from scan:

#nmap <host><End of Range> –exclude <host>

root@kali:/# nmap 192.168.0.0-112 –exclude 192.168.0.1

Nmap scan report for 192.168.0.100

– Scanning multiple ports:

#nmap -p<port>,<port>,<port> <host>

root@kali:/# nmap -p21,25,80 192.168.0.112

PORT STATE SERVICE

Nmap done: 1 IP address (1 host up) scanned in 6.82 seconds

Nmap Scannning Techniques:

TCP SYN Scan(-sS):

#nmap -sS <host>

root@kali:/# nmap -sS 192.168.0.112

Nmap done: 1 IP address (1 host up) scanned in 8.27 seconds

TCP connect() scan (-sT):

#nmap -sT <host>

root@kali:/# nmap -sT 192.168.0.112

UDP Scan (-sU):

#nmap -sU <host>

root@kali:/# nmap -sU 192.168.0.112

FIN Scan (-sF):

#namp -sF <host>

root@kali:/# nmap -sF 192.168.0.112

Ping Scan (-sP):

#nmap -sP <host>

root@kali:~# nmap -sP 192.168.0.112

Version Detection (-sV):

#nmap -sV <host>

Service detection performed. Please report any incorrect results at

Idle Scan (-sI):