First, let's take a look at port scanning. Packets can be sent with various
protocols from the hacker PC in order to observe the reaction of the server PC.
Various protocols can be used for this, including ICMP, TCP, UDP and SCTP. NMap
usually uses the TCP SYN scanning technique because it is fast and can easily
avoid being detected by security devices.
Figure 14-1 TCP SYN SCAN
When the hacker PC sends a TCP SYN packet to a specific port of the server PC,
it receives a SYN/ACK packet if a service is listening on that port. If the
port is closed, the hacker PC receives an RST packet instead. When the hacker
PC receives a SYN/ACK packet, it terminates the connection by sending an RST
packet rather than completing the handshake. Because the connection is never
fully established, TCP SYN scanning is fast and is referred to as "half-open
scanning".
Figure 14-2 TCP SYN SCAN of NMap
Let's check ports 1 to 1024 using the TCP SYN scan method. The socket module
provided by Python can be used to conduct port scanning, but it is slow because
it has to wait for a timeout on every port that does not respond. Ports can be
tested much more quickly with the nmap module. Let's take a look at a simple
example.
import sys
import os
import socket
import nmap                                          #(1)

nm = nmap.PortScanner()                              #(2)
nm.scan('server', '1-1024')                          #(3)  'server' is the hostname of the server PC in the test lab

for host in nm.all_hosts():                          #(4)
    print('----------------------------------------------------')
    print('Host : {0} ({1})'.format(host, nm[host].hostname()))   #(5)
    print('State : {0}'.format(nm[host].state()))                  #(6)
    for proto in nm[host].all_protocols():           #(7)
        print('----------')
        print('Protocol : {0}'.format(proto))
        lport = list(nm[host][proto].keys())         #(8)
        lport.sort()                                 # print ports in ascending order
        for port in lport:
            print('port : {0}\tstate : {1}'.format(port, nm[host][proto][port]))   #(9)
    print('----------------------------------------------------')
As previously mentioned, the reason for calling NMap indirectly through python-nmap is extensibility. Port scanning with the NMap GUI tools is more convenient in simple cases, but programming is necessary when the scan results are to be processed further, so it is advantageous to drive NMap through its Python API. The operating procedure is as follows.
(1) Importing the nmap module: importing the module makes python-nmap available to the script.
(2) Creating a PortScanner object: the PortScanner object is the handle through which nmap is driven from Python. If nmap is not installed on the PC, a PortScanner exception is raised.
(3) Running a port scan: the scan function takes two or three arguments.
⦁ host: the target host specification, such as 'scanme.nmap.org', '198.116.0-255.1-127' or '216.163.128.20/20'.
⦁ port: the ports to scan, in the form '22,53,110,143-4564'.
⦁ argument: the options with which NMap is executed, in the form '-sU -sX -sC'.
(4) Obtaining the list of hosts: returns the hosts that were specified as the scan argument, as a list.
(5) Printing host information: prints the host IP and hostname.
(6) Printing host status: prints the state of the host. If the host is providing service, the output is "up".
(7) Printing the protocols scanned on the host: returns all protocols that were scanned on the host, as a list.
(8) Getting port information: returns the open ports for each host and protocol as a set.
(9) Printing port information: prints the details of each port.
NMap provides detailed information on the open ports, the services behind them
and the applications providing those services. A hacker can obtain the basic
knowledge needed for network hacking through NMap.
----------------------------------------------------
Host : 169.2511.27.229 (server)
State : up
----------
Protocol : addresses
port : ipv4    state : 169.2511.27.229
port : mac    state : 08:00:27:92:AF:7D
----------
Protocol : tcp
port : 21    state : {'product': u'Microsoft ftpd', 'state': u'open', 'version': '', 'name': u'ftp', 'conf': u'10', 'extrainfo': '', 'reason': u'syn-ack', 'cpe': u'cpe:/o:microsoft:windows'}
port : 80    state : {'product': u'Apache httpd', 'state': u'open', 'version': '', 'name': u'http', 'conf': u'10', 'extrainfo': '', 'reason': u'syn-ack', 'cpe': u'cpe:/a:apache:http_server'}
----------
Protocol : vendor
port : 08:00:27:92:AF:7D    state : Cadmus Computer Systems
----------------------------------------------------
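The port dictionaries printed above ('state', 'name', 'product', 'reason') are what a script would process further. The following is an added example, not code from the original post: it copies a python-nmap result into a plain dict through the public PortScanner API and reports open ports that are not on an expected-services baseline, which is how the same scan is used from the defending side to spot unintended exposure such as the FTP service on port 21. The sample result and the 192.0.2.10 address are constructed for the example.

```python
# Added example (not from the original post): summarise a python-nmap result
# and flag open ports that are not on an expected-services baseline.

def snapshot(nm):
    """Copy a live nmap.PortScanner result into a plain nested dict
    (host -> protocol -> port -> info) using only its public API. Older
    python-nmap versions also list 'addresses' and 'vendor' as protocols
    (see the output above), so only transport protocols are kept."""
    return {host: {proto: {port: dict(nm[host][proto][port])
                           for port in nm[host][proto]}
                   for proto in nm[host].all_protocols()
                   if proto in ('tcp', 'udp', 'sctp')}
            for host in nm.all_hosts()}

def open_ports(result):
    """Sorted (host, proto, port, service, reason) tuples for open ports."""
    found = []
    for host, protos in result.items():
        for proto, ports in protos.items():
            for port, info in ports.items():
                if info.get('state') == 'open':
                    found.append((host, proto, port,
                                  info.get('name', ''), info.get('reason', '')))
    return sorted(found)

def unexpected_exposure(result, baseline):
    """Open ports missing from baseline, a dict host -> iterable of
    (proto, port) pairs that are supposed to be reachable."""
    allowed = {h: set(pairs) for h, pairs in baseline.items()}
    return [e for e in open_ports(result)
            if (e[1], e[2]) not in allowed.get(e[0], set())]

# Constructed sample in the shape of the output above (not a real scan);
# 192.0.2.10 is a documentation address standing in for the server PC.
SAMPLE = {'192.0.2.10': {'tcp': {
    21: {'state': 'open', 'name': 'ftp', 'product': 'Microsoft ftpd',
         'reason': 'syn-ack', 'conf': '10'},
    80: {'state': 'open', 'name': 'http', 'product': 'Apache httpd',
         'reason': 'syn-ack', 'conf': '10'},
    23: {'state': 'closed', 'name': 'telnet', 'reason': 'reset'},
}}}
# Only the web server is meant to be reachable on this host.
BASELINE = {'192.0.2.10': [('tcp', 80)]}

if __name__ == '__main__':
    for host, proto, port, name, reason in unexpected_exposure(SAMPLE, BASELINE):
        print('{0} {1}/{2} ({3}) open but not in baseline [{4}]'.format(
            host, port, proto, name, reason))
```

With a live scanner object, `unexpected_exposure(snapshot(nm), BASELINE)` produces the same report for real results.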
In general, it is illegal to conduct port scanning, so you must set up a test
environment of your own to learn how to use NMap. We have now found the open
hosts and ports and the applications behind them. Next, the FTP service on
port 21 can be used to attempt a password cracking attack to obtain the
administrator's password.