- Nmap Network Scanning
- Chapter4.Port Scanning Overview
Table of Contents
- Introduction to Port Scanning
- What Exactly is a Port?
- What Are the Most Popular Ports?
- What is Port Scanning?
- Why Scan Ports?
- A Quick Port Scanning Tutorial
- Command-line Flags
- Selecting Scan Techniques
- Selecting Ports to Scan
- Timing-related Options
- Output Format and Verbosity Options
- Firewall and IDS Evasion Options
- Specifying Targets
- Miscellaneous Options
- IPv6 Scanning (-6)
- SOLUTION: Scan a Large Network for a Certain Open TCP Port
- Problem
- Solution
- Discussion
- See Also
Introduction to Port Scanning
While Nmap has grown in functionality over the years, it beganas an efficient port scanner, and that remains its core function. Thesimple command nmap<target> scans the most commonly used 1,000 TCPports on the host <target>, classifying eachport into the stateopen,closed, filtered, unfiltered,open|filtered, orclosed|filtered.
What Exactly is a Port?
Ports are simply a software abstraction, used to distinguishbetween communication channels. Similar to the way IP addresses areused to identify machines on networks, ports identify specificapplications in use on a single machine. For example, your webbrowser will by default connect to TCP port 80 of machines in HTTPURLs. If you specify the secure HTTPS protocol instead, the browserwill try port 443 by default.
Nmap works with two protocols that use ports: TCP and UDP. Aconnection for each protocol is uniquely identified by four elements:source and destination IP addresses and corresponding source anddestination ports. All of these elements are simply numbers placed inthe headers of each packet sent between hosts. The protocol is aneight-bit field, which specifies what type of packet is contained in theIP data (payload) section. For example, TCP is protocol number six, andUDP is 17. IPv4 addresses have a length of 32-bits, while ports are16-bits long. IPv6 addresses are 128-bits in length. Further IP, TCP,and UDP header layout details can be found inthe section called “TCP/IP Reference”.
Because most popular services are registered to a well-knownport number, one can often guess what services open ports represent.Nmap includes an nmap-servicesfile,containing the well-known service for registered port and protocolnumbers, as well as common ports for trojan backdoors and otherapplications that don't bother registering with the Internet AssignedNumbers Authority (IANA). Nmap prints this service name for reference along with the port number.
Because the port number field is 16-bits wide, values can reach65,535. The lowest possible value,zero, is invalid.The Berkeleysockets API, which defines how programs are usually written for networkcommunication, does not allow port zero to be used as such. Instead,it interprets a port zero request as a wildcard, meaning that theprogrammer does not care which is used. The system then chooses anavailable port number. For example, programmers rarely care whatsource port number is used for an outgoing connection. So they set itto zero and let the operating system choose one.
While port zero is invalid, nothing stops someone fromspecifying it in the header field. Some malicious trojan backdoorslisten on port zero of compromised systems as a stealthy way to offerillegitimate access without appearing on most port scans. To combatthis, Nmap does allow scanning of port zero when it is specifiedexplicitly (e.g. -p0-65535).
The first class of valid ports, numbersone through 1,023,are known as reserved ports. Unix systems (unlike Windows) requirethat applications have special(root) privilegesin order to bind toand listen on these ports. The idea is to allow remote users to trustthat they are connecting to a valid service started by anadministrator and not by some wicked, unprivileged user. If theregistered port for SSH was 2,222 instead of 22, a malicious user couldstart up a rogue SSH daemon on that port, collecting passwords fromanyone who connects. As most common server applications listen on reservedports, these are often the most fruitful to scan.
The ephemeral port range is another class of ports.This poolof ports is made available by the system for allocation as needed. When anapplication specifies port zero (meaning “any port”), the system chooses aport from this range. The range varies by operating system, and isusually configurable. It should contain at least a couplethousand ports to avoid running out when many concurrent connections areopen. The Nmap connect scan can use hundreds at atime as it scans every specified port on each target machine. OnLinux, you can view or set the range using the file/proc/sys/net/ipv4/ip_local_port_range. Example4.1 shows that on myLinux system, the range is 32,768 to 61,000. Such a large rangeshould be sufficient in almost all cases, but I expand it just todemonstrate how to do so.
Example4.1.Viewing and increasing the ephemeral port range on Linux
felix/#cat /proc/sys/net/ipv4/ip_local_port_range32768 61000felix/#echo "10000 65000" > /proc/sys/net/ipv4/ip_local_port_rangefelix/#cat /proc/sys/net/ipv4/ip_local_port_range10000 65000felix/#
SunRPC ports are often found in the ephemeral range. Otherapplications open ephemeral ports temporarily for a file transfer orother event. FTP clients often do this when requesting an active modetransfer. Some P2P and instant messaging clients do so aswell.
The IANAhas their own port classification scheme, whichdiffersslightly from the vernacular of this book. Their authoritative port listat http://www.iana.org/assignments/port-numbersdivides the space into the following three classes:
- well-known ports
These are reserved ports (within the range of 1 to 1,023, as discussed above) which have been registered with the IANA for a certain service. Familiar examples are ports 22, 25, and 80 for the services SSH, SMTP, and HTTP, respectively.
- registered ports
These ports fall within the range 1,024 to 49,151 and have been registered with the IANA in the same way the well known ports have. Most of these are not as commonly used as the well-known ports. The key difference is that unprivileged users can bind to these ports and thus run the services on their registered port. Users cannot do so on most platforms for well-known ports, since they reside in the reserved port range.
- dynamic and/or private ports
The IANA reserves the port numbers from 49152 through 65535 for dynamic uses such as those discussed in the ephemeral ports section. Proprietary services that are only used within a company may also use these ports.
When this book mentions registered or well-known ports withoutany reference to the IANA, it usually means ports registered with Nmapin thenmap-servicesfile, regardless of whetherthey fall in the reserved port range.
Nmap's port registration file(nmap-services)contains empirical data about howfrequently each TCP or UDP port is found to be open. By default, Nmapscans the 1,000 most popular ports of each protocol it is asked toscan. There are many options for specifying an alternate set of ports(by frequency or by listing them explicitly), as described inthe section called “Selecting Ports to Scan”.
What Are the Most Popular Ports?
I spent the Summer of 2008 scanning tens of millions of Internethosts and collecting data from enterprises to determine how frequentlyeach port number is found open. It is important to be familiar withthe most common service ports, and also interesting to see which onesmade the list. The following two lists provide the top TCP and UDPports as determined by our empirical scan data. The listed service isthe one found in our nmap-services file. We tryto list the most common service for each portthere, though of course it is possible for a port to be used fordifferent things.
Top 20 (most commonly open) TCP ports
Port 80 (HTTP)—If you don't even know this service, you're reading the wrong book. This accounted for more than 14% of the open ports we discovered.
Port 23 (Telnet)—Telnet lives on (particularly as an administration port on devices such as routers and smart switches) even though it is insecure (unencrypted).
Port 443 (HTTPS)—SSL-encrypted web servers use this port by default.
Port 21 (FTP)—FTP, like Telnet, is another insecure protocol which should die. Even with anonymous FTP (avoiding the authentication sniffing worry), data transfer is still subject to tampering.
Port 22 (SSH)—Secure Shell, an encrypted replacement for Telnet (and, in some cases, FTP).
Port 25 (SMTP)—Simple Mail Transfer Protocol (also insecure).
Port 3389 (ms-term-server)—Microsoft Terminal Services administration port.
Port 110 (POP3)—Post Office Protocol version 3 for email retrieval (insecure).
Port 445 (Microsoft-DS)—For SMB communication over IP with MS Windows services (such as file/printer sharing).
Port 139 (NetBIOS-SSN)—NetBIOS Session Service for communication with MS Windows services (such as file/printer sharing). This has been supported on Windows machines longer than 445 has.
Port 143 (IMAP)—Internet Message Access Protocol version 2. An insecure email retrieval protocol.
Port 53 (Domain)—Domain Name System (DNS), an insecure system for conversion between host/domain names and IP addresses.
Port 135 (MSRPC)—Another common port for MS Windows services.
Port 3306 (MySQL)—For communication with MySQL databases.
Port 8080 (HTTP-Proxy)—Commonly used for HTTP proxies or as an alternate port for normal web servers (e.g. when another server is already listening on port 80, or when run by unprivileged UNIX users who can only bind to high ports).
Port 1723 (PPTP)—Point-to-point tunneling protocol (a method of implementing VPNs which is often required for broadband connections to ISPs).
Port 111 (RPCBind)—Maps SunRPC program numbers to their current TCP or UDP port numbers.
Port 995 (POP3S)—POP3 with SSL added for security.
Port 993 (IMAPS)—IMAPv2 with SSL added for security.
Port 5900 (VNC)—A graphical desktop sharing system (insecure).
Top 20 (most commonly open) UDP ports
Port 631 (IPP)—Internet Printing Protocol.
Port 161 (SNMP)—Simple Network Management Protocol.
Port 137 (NETBIOS-NS)—One of many UDP ports for Windows services such as file and printer sharing.
Port 123 (NTP)—Network Time Protocol.
Port 138 (NETBIOS-DGM)—Another Windows service.
Port 1434 (MS-SQL-DS)—Microsoft SQL Server.
Port 445 (Microsoft-DS)—Another Windows Services port.
Port 135 (MSRPC)—Yet Another Windows Services port.
Port 67 (DHCPS)—Dynamic Host Configuration Protocol Server (gives out IP addresses to clients when they join the network).
Port 53 (Domain)—Domain Name System (DNS) server.
Port 139 (NETBIOS-SSN)—Another Windows Services port.
Port 500 (ISAKMP)—The Internet Security Association and Key Management Protocol is used to set up IPsec VPNs.
Port 68 (DHCPC)—DHCP client port.
Port 520 (Route)—Routing Information Protocol (RIP).
Port 1900 (UPNP)—Microsoft Simple Service Discovery Protocol, which enables discovery of Universal plug-and-play devices.
Port 4500 (nat-t-ike)—For negotiating Network Address Translation traversal while initiating IPsec connections (during Internet Key Exchange).
Port 514 (Syslog)—The standard UNIX log daemon.
Port 49152 (Varies)—The first of the IANA-specified dynamic/private ports. No official ports may be registered from here up until the end of the port range (65536). Some systems use this range for their ephemeral ports, so services which bind a port without requesting a specific number are often allocated 49152 if they are the first program to do so.
Port 162 (SNMPTrap)—Simple Network Management Protocol trap port (An SNMP agent typically uses 161 while an SNMP manager typically uses 162).
Port 69 (TFTP)—Trivial File Transfer Protocol.
What is Port Scanning?
Port scanning is the act of remotely testing numerous ports todetermine what state they are in. The most interesting state isusually open, meaning that an application is listening and acceptingconnections on the port. Many techniques are available for conductingsuch a scan. Chapter5, Port Scanning Techniques and Algorithms explains the circ*mstancesunder which each is most appropriate.
While many port scanners have traditionally lumped all portsinto the open or closed states, Nmap is much more granular. Itdivides ports into six states. These states are not intrinsicproperties of the port itself, but describe how Nmap sees them. Forexample, an Nmap scan from the same network as the target may showport 135/tcp as open, while a scan at the same time with the sameoptions from across the Internet might show that port as filtered.
The six port states recognized by Nmap
- open
An application is actively accepting TCP connections or UDP packets on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network. Before you get too excited about an open port, note that it is possible that the application is protected with a TCP wrapper (tcpd) or that the application itself is configured to only service approved client IP addresses. Such cases still leave more attack surface than a closed port.
- closed
A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is online and using an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, they may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall so they appear in the filtered state, discussed next.
- filtered
Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This sort of filtering slows scans down dramatically.
- unfiltered
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.
- open|filtered
Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
- closed|filtered
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID Idle scan discussed in the section called “TCP Idle Scan (-sI)”.
While Nmap attempts to produce accurate results, keep in mindthat all of its insights are based on packets returned by the targetmachines (or firewalls in front of them). Such hosts may beuntrustworthy and send responses intended to confuse or mislead Nmap.Much more common are non-RFC-compliant hosts that do not respond asthey should to Nmap probes. FIN, NULL, and Xmas scans areparticularly susceptible to this problem. Such issues are specific tocertain scan types and so arediscussed in the relevant sections of Chapter5, Port Scanning Techniques and Algorithms.
Why Scan Ports?
Portscanning is not only performed for fun and amusem*nt. There are numerouspractical benefits to regularly scanning your networks. Foremostamong these is security. One of the central tenets of networksecurity is that reducing the number and complexity of servicesoffered reduces the opportunity for attackers to break in. Most remotenetwork compromises come from exploiting a server applicationlistening on a TCP or UDP port. In many cases, the exploitedapplication is not even used by the targeted organization, but wasenabled by default when the machine was set up. Had that service beendisabled, or protected by a firewall, the attack would have beenthwarted.
Realizing that every open port is an opportunity for compromise,attackers regularly scan targets, taking an inventory of all openports. They compare this list of listening services with their listof favorite exploits for vulnerable software. It takes just one matchto compromise a machine, creating a foothold that is often used toinfest the whole network. Attackers who are less discriminate aboutwho they target will often scan for just the default port of anexploitable application. This is much faster than scanning everyport, though the service will be missed when running on a non-defaultport. Such attackers are often derided as “scriptkiddies”, because they often know little more about securitythan how to run an exploit script written by someone more skilled.Across many organizations, such attackers are bound to find vulnerablehosts. They can be quite a nuisance, though their sheer numbers andrelentless pounding against Internet-accessible machines often drivepeople to patch systems quickly. This reduces the likelihood of moreserious, targeted attacks succeeding.
An important defense against these crackers is for systemsadministrators to scan their own networks regularly with tools such asNmap. Take the list of open ports, and shut down any services thataren't used. Ensure that those which must remain available are fullypatched and that you are on the vendor's security notification list.Firewall rules should be added where possible, limiting access to onlylegitimate users. Hardening instructions are available on the Web formost popular applications, reducing the cracker's opportunity evenfurther. Nmap cannot do most of this for you, but it creates the listof available services to start out with. Some administrators try touse netstat instead, but that doesn't scale well. It requires accessto every machine, and some mobile machines are easy to miss. Plus,you can't run netstat on your average wireless access point, VoIPphone, or printer. In addition, there is always the risk that acompromised machine will have a trojaned netstat which gives out falseinformation. Most of the modernrootkits installedby attackers include this functionality. Relying solely on Nmap is amistake too. A combination of careful design, configuration auditing,and regular scanning is well advised.
While security is the most common reason for port scanning,administrators often find that it suits other purposes as well.Creating an inventory of machines and the services they offer can beuseful for asset tracking, network design, policy compliance checks,software license tracking, availability testing, network debugging,and more.
