Thursday, May 19, 2011

WHAT IS PORT SCANNING

The point of port scanning a server is to detect its open ports the port’s listening services. Once a hacker knows all the services running on your server, he could search for possible vulnerabilities they may have and exploit them to take control of your website. In the port scanning example we will use the most popular port scanner: Nmap. The Nmap Security Scanner is available for both Mac and Windows users: http://nmap.org/download.html . The example will be shown using the Nmap GUI (Graphical User Interface). Otherwise known as Zenmap.

1. First the hacker would choose a target and place it in the target box. As you can see the “Command:” section gets updated as well. This is what the command would look like if you were running the CLI version.

2. Next the hacker would choose the “Profile:”, or in other words, the scan type. A smart hacker would go with a quick and quiet scan. Full version detection scans are very loud and could raise suspicion on the other end. Stay away from those options because as you will see later on, there are other ways to get that information.

3. A sample scan result may look like the following:

4. As you can see it found a few open ports and listed the services that are run on them. Below I have a list of some of the most popular ports/services on the internet.


20 FTP data (File Transfer Protocol)
21 FTP (File Transfer Protocol)
22 SSH (Secure Shell)
23 Telnet 25 SMTP (Send Mail Transfer Protocol)
43 whois
53 DNS (Domain Name Service)
68 DHCP (Dynamic Host Control Protocol)
80 HTTP (HyperText Transfer Protocol)
110 POP3 (Post Office Protocol, version 3)
137 NetBIOS-ns
138 NetBIOS-dgm
139 NetBIOS
143 IMAP (Internet Message Access Protocol)
161 SNMP (Simple Network Management Protocol)
194 IRC (Internet Relay Chat)
220 IMAP3 (Internet Message Access Protocol 3)
443 SSL (Secure Socket Layer)
445 SMB (NetBIOS over TCP)
1352 Lotus Notes
1433 Microsoft SQL Server
1521 Oracle SQL
2049 NFS (Network File System)
3306 MYSQL
4000 ICQ
5800 VNC
5900 VNC
8080 HTTP

5. Along with finding out what ports are running, the hacker needs to also find out what operating system the server is running. There are always a lot of operating system vulnerabilities out there to choose from. So by knowing the operating system, the hacker’s chances of taking over the server go up.

As you can see, there is an option on Nmap to detect the operating system, but this scan is very loud and easily detected so it is better to avoid it if possible. A simple way to determine what the server is running is by getting a 404 error page. You can get there by going to a page that doesn’t exist. For example the hacker would put in “www.targetsite.com/asdlfjasl.php” this page will most likely not exist and bring him to the 404 page. On most sites the 404 error page displays the server operating system along with its version. Many sites nowadays don’t display this by putting up custom 404 pages so this may not always work.

6. If you are planning on using the CLI version of Nmap, or want a more in depth look at all the commands take a look at the Nmap manual: http://nmap.org/book/man.html .

7. Now that the hacker has got all the running services and open ports on the targets system, he will now have to find out what versions the server is running. This is where “Banner Grabbing” comes in.

0 comments: