Port Scanning and Host Discovery Techniques

Post by sunjester »

by sunjester
original link

Introduction
Port scanning is the most basic and probably the first action taken when looking for hosts online or trying to see what services are running on remote networked computers. We are going to learn how to scan individual computers, whole networks, maybe even subnets, and I will also show you what the internet actually looks like.

Software
If you don't know, yes, NMAP is the best port scanner ever made. If you disagree you're probably just a difficult person to work with (which makes your opinion crap). We will be using NMap for this discussion and for whatever future topics of discussion that ever mention ports or scanning ports on this website.

You can however use any port scanner you like, and there are plenty of them out there. I will give you a list of them, although I strongly encourage you to use NMap.

* NMap
* Advanced Port Scanner
* Angry IP Scanner
* NSauditor Port Scanner
* T1Shopper.com Online Port Scanner
* NMap Online Port Scanner

NMap does have a GUI, and it is a very nice GUI. There is nothing wrong with using the GUI over the command line version. Every command that is done via the command line, I'm sure, can be done inside the GUI. The NMap GUI is called "ZenMap". ZenMap is a cross platform Graphical User Interface for the Network Mapper software. You can literally map your network with the GUI.

Who should we scan?
I strongly believe we should scan the scanners, or our own networks. This isn't always the most fun thing to do since we already know what is on our own networks. I like to find lists of spammers or IP addresses publicly available that are known to have "attacked" someone before. Check out these lists of IP addresses:

* all the stopforumspam.com ip addresses
* spam cannibal
* spam-ip.com
* enlight-inc.com listing

We scan the spammers because, well, they shouldn't be filling my mailbox with spam, so I think this punishment is fitting. The next step into a network penetration would be attacking services. Attacking spammer machines sounds like a better plan than attacking random computers at will.

You DO NOT want to just start "scanning the internet" or randomly scanning IP addresses. You never know who is watching and you never know what machines you will stumble upon. A long time ago I used to bomb people that scanned me. Now, if you scanned me I wouldn't even show up, I'm sure. I am positive there are still people out there who aren't as easily deterred from port scanners; they will attack you for poking them.

Doing the dirt
We are going to go over some of the basic rules and guidelines for scanning with NMap. I'm going to scan my own networks and networks that have agreed to let me scan them for this article. The basic usage is as follows:

nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }

1. Scan Type & Options
2. Target Specification

The scan type and options are pretty much the bread and butter of NMap. There are SO many options, which ones should we use? You should look at them all and find which ones you want to use. Some of my favorites are the extra verbose option, service detection, OS detection and the NO ping probes.

nmap -sV -vv -PN 192.168.1.104

The above command will scan the machine 192.168.1.104 and display ALL and ANY ports and try to tell me what service (application) is running on that port. The "-vv" command is the extra verbose one; it lets me see everything that is going on, I like to be in the middle of it all.

You can also specify the port numbers you wish to use. Let's say I already know that the computer I'm scanning is running certain ports or SHOULD be running certain ports. I know it's an HTTP (web) server. I would pick some of the most common web server port numbers and scan those so we don't leave a huge footprint in the server's logfiles.

nmap -sV -vv -p 80,21,22,443 192.168.1.103

The command above says our scan will return service names, in extra verbose style on the following ports: 80 (http), 21 (ftp), 22 (ssh), 443 (ssl).

The state of ports
NMap will return the state of a port in several flavors.

* Open
* Closed
* Filtered
* Open|Filtered
* Closed|Filtered
* Unfiltered

If a port is open, you can connect to it and the application that is running on it. If it is closed, it usually means the port is open but there is no application running on the other end of it. Filtered means there is some kind of packet filtering device not allowing NMap to see what's on the other end of the port. Finally, Unfiltered means we can get to it but don't know if it's open or closed.

Scan Techniques
Some of these techniques are quite old and are still heavily used. We will cover a couple of different types of scanning techniques. It helps to actually know a bit about networking and packets or packet delivery. Without knowing how networks actually work, you may find this bit useless. Even if you find it useless, you can apply it to NMap and it will definitely help you.

* SYN
* CONNECT
* NULL
* Xmas
* FIN
* ACK

SYN scans are quick because they don't have to do the whole "3-way handshake" with the host, which also makes them stealthy. This used to be called "half open" instead of "SYN", but it's not 1991 anymore.

Connect scans actually use your OS's system call to connect to the remote computer; it's like asking your web browser to connect to the remote computer you're scanning. I would suggest using this if NMap won't allow you to use SYN scans.

NULL scanning is just leaving the packet's header flag at 0 and NOT setting it.

FIN scans are just packets with their FIN flag set for all the packets used to scan the remote computer.

Xmas scans are called Xmas scans because you are "lighting up" the packet like a Christmas tree. This means you are going to set a couple of flags at once: the PSH flag, FIN and URG (urgent) flags.

ACK scanning is really used for determining firewall rules. We can use the ack scanning technique to show us whether firewalls are stateful or not.
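The flag combinations listed in the "Scan Techniques" section above are exactly what a firewall log shows on the receiving side, so here is the same material from the defender's seat. This is an added example, not code from the post or from the NMap project: it maps each TCP flag set to the probe type the post names (NULL, FIN, Xmas, SYN, ACK) and flags any source that touches many distinct ports. The log lines are constructed in a simplified iptables LOG style with addresses from the RFC 5737 documentation ranges, and the five-port threshold is an assumption to tune for your own network.

```python
"""Classify TCP probe flags and spot port sweeps in firewall log lines.

Added example, not part of the forum post or of NMap. The log lines below
are constructed in a simplified iptables LOG style; the addresses come from
the RFC 5737 documentation ranges. The per-source port threshold is an
assumption, not a recommended value.
"""
import re
from collections import Counter, defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Flag combinations for the probe types described in the post.
SCAN_SIGNATURES = {
    frozenset(): "NULL",                       # no flags set at all
    frozenset({"FIN"}): "FIN",                 # FIN only
    frozenset({"FIN", "PSH", "URG"}): "Xmas",  # "lit up like a Christmas tree"
    frozenset({"SYN"}): "SYN",                 # half-open probe, no handshake
    frozenset({"ACK"}): "ACK",                 # used to map firewall rules
}

# Constructed sample: 203.0.113.5 SYN-sweeps six ports, 198.51.100.7 sends
# Xmas probes to five ports, 192.0.2.44 is an ordinary client talking to 443.
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 RES=0x00 SYN URGP=0
Jan 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 RES=0x00 SYN URGP=0
Jan 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25 RES=0x00 SYN URGP=0
Jan 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=443 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=8080 RES=0x00 SYN URGP=0
Jan 10 12:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 RES=0x00 URG PSH FIN URGP=0
Jan 10 12:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=23 RES=0x00 URG PSH FIN URGP=0
Jan 10 12:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=80 RES=0x00 URG PSH FIN URGP=0
Jan 10 12:00:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=110 RES=0x00 URG PSH FIN URGP=0
Jan 10 12:00:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=143 RES=0x00 URG PSH FIN URGP=0
Jan 10 12:00:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 PROTO=TCP SPT=60123 DPT=443 RES=0x00 SYN URGP=0
Jan 10 12:00:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 PROTO=TCP SPT=60123 DPT=443 RES=0x00 ACK URGP=0
Jan 10 12:00:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 PROTO=UDP SPT=50000 DPT=53 LEN=40
"""


def parse_line(line):
    """Return (src, dport, flags) for a TCP log line, or None for anything else."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    if fields.get("PROTO") != "TCP":
        return None
    # Flag words stand alone in the line; "URGP=0" is a different token, so
    # intersecting the token set with TCP_FLAGS picks out only the real flags.
    flags = frozenset(set(line.split()) & TCP_FLAGS)
    return fields["SRC"], int(fields["DPT"]), flags


def classify(flags):
    """Map a TCP flag set to the scan technique named in the post, or 'other'."""
    return SCAN_SIGNATURES.get(frozenset(flags), "other")


def detect_scans(log_text, min_ports=5):
    """Flag sources that touched at least min_ports distinct destination ports.

    Returns {src: {"distinct_ports": n, "technique": dominant_probe_type}}.
    """
    per_src = defaultdict(lambda: {"ports": set(), "kinds": Counter()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport, flags = parsed
        per_src[src]["ports"].add(dport)
        per_src[src]["kinds"][classify(flags)] += 1

    alerts = {}
    for src, rec in per_src.items():
        if len(rec["ports"]) >= min_ports:
            technique = rec["kinds"].most_common(1)[0][0]
            alerts[src] = {"distinct_ports": len(rec["ports"]), "technique": technique}
    return alerts


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {info['technique']} probes to {info['distinct_ports']} ports")
```

Run as-is it reports the SYN sweep and the Xmas sweep and stays quiet about the normal client, whose SYN and ACK both land on one port. A real deployment would add a time window and ignore known scanners on your own network, but the flag-to-technique table is the part worth keeping: it is the post's list of scan types read from the other end of the wire.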

Post by DNR »

Welcome to the forums. If you would like to continue this tutorial, by all means do so.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

Post by lilrofl »

A good beginning tut on NMAP for sure, although I would fall into the category of difficult person mentioned in the beginning. :D

NMAP is such a complex tool you could write a book about all its functions, indeed there has been a book published on just that, but I do applaud the effort so don't think I'm just putting you down.

Also welcome to the forums, there's an intro thread around here... you should introduce yourself cause it's polite and all :D

Thanks for the read, might I suggest a few additions to strengthen your piece?

I would include a download link, specifically for NMAP because it has been on insecure.org for like 15 years.

I think also an addendum about the "avoiding firewall and IDS" section is appropriate, given the "who to scan" section in your tut. Fragment, decoy, spoof, spoof MAC used to be icing on the cake... but pretty much everyone is running a firewall these days, so I believe the options should be escalated in any discussion about port scanning.

Lastly, while perhaps outside the scope of this tut, I think a mention of the zombie port scan option and NMAP's new Conficker scanning ability could use a 'shout out'.

Again, just suggestions, don't take it personally. You have a good beginning tutorial here as is, I just feel you could build on it and make it better.

Cheers =)
Welcome to suck-o, if you decide to stick around I'd love to see an intro.
cuddles for my cuddle

Post by sunjester »

All the links and other info for the article are intact in the original post on my site; the link is at the top.

FYI, I've been doing security since before nmap was around :P

Post by DNR »

yo sun - welcome to the forum, the introduction is kind of mandatory so go find the 'introduction thread'. You'll find many of us were 'hacking' prior to 1997 too (nmap's conception date).

The confusion was my part - I killed the link as it is a rules violation for newbies to post a link.

Post locked - DNR