Port Scanning Techniques - Part 2

Administrators often use port scanning techniques to verify the security policies of their networks, whereas attackers use them to identify open ports and running services on a host with the intent of compromising the network. Furthermore, users occasionally leave needless open ports on their systems without realising it. Such open ports are exploited by an attacker to launch assaults. 

This article is divided into two articles. Continue reading Part 1

UDP Scanning (-sU)

The UDP scan is less informal concerning an open port because there is no overhead of a TCP handshake. This scan performed exceptionally well on Windows-based hardware. Sending a packet using the UDP protocol can be trickier than using TCP scanning since you can't tell if a host is filtered, dead, or alive.

If you send a UDP packet to a port without an application bound to it, the IP stack will return an ICMP port unreachable packet. if any port returns an ICMP error, it will be closed, leaving the ports that did not answer if they are open or filtered through the firewall.

The UDP scan provides port information Only. It also requires privileged access; hence, this scan option is only available on systems with the appropriate user permissions. 

In nmap, the -sU option is used to perform a UDP scan. 

SCTP Scanning

SCTP INIT Scanning (-sY)

SCTP stands for String Control Transmission Protocol. It is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP. SCTP association comprises a four-way handshake method. The client initiates the connection with INIT, gets back INIT-ACK, then sends COOKIE-ECHO, and gets back COOKIE-ACK. Transmission of these four packets completes the SCTP Association. 

Similar to TCP SYN, this scan is likewise relatively undetectable and stealthy because it leaves the connection half open because it is unable to finish SCTP associations.  Attackers send INIT chunks to the target host. If the port is listening or open, it sends an acknowledgement as an INIT+ACK chunk. If the port is not listening or inactive, it sends an acknowledgement as an ABORT chunk. 

The port is filtered if, after several transmissions, there is no response or if an ICMP unreachable exception is returned. In nmap, the -sY option is used to perform this scan. 


It is a more advanced type of scan. Only a good IDS will be able to detect the SCTP COOKIE ECHO chunk. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed. It displays the output as open|filtered in all scenarios and is unable to distinguish between open and filtered ports. 

In nmap, the -sZ option is used to perform this scan. 

SSDP Scanning

Simple Service Discovery Protocol (SSDP) is a network protocol that generally controls communication for the Universal Plug and Play (UPnP) feature. The SSDP service will respond to a query sent over IPv4 or IPv6 broadcast addresses. Details regarding the related UPnP feature are included in this response. The UPnP SSDP M-SEARCH information discovery tool can be used by the attacker to determine if the device is susceptible to UPnP exploits. This can be achieved using the MSFCONSOLE tool. Use ssdp_msearch, set the RHOSTS to the target IP address and enter exploit.

List Scanning

This type of scan simply generates and prints a list of IPs/Names without actually pinging them. By default, a reverse DNS resolution is still carried out on each host by Nmap to learn their names. In nmap, the -sL option is used to perform this type of scan. 

IPv6 Scanning

To allow for more levels of address hierarchy, IPv6 expands the capacity of an IP address from 32 bits to 128 bits. Attackers need to harvest IPv6 addresses from network traffic, recorded logs, or Received from: (header lines in archived emails). In nmap, the -6 option is used to scan for IPv6 addresses. 

Service Detection

All that version detection techniques do is look up TCP and UDP ports. Each port has a designated service, and each service has a version. An attacker can determine which attacks the target system is vulnerable to by getting precise service version numbers.

For instance, an attacker can quickly launch a WannaCry ransomware attack using Metasploit's eternalblue and doublepulsar backdoor combination if they identify the SMBv1 protocol as a running service on the target Windows PC. 

In nmap, the -sV option is used to detect service versions. 

No comments:

Post a Comment