Port Scanning Tools
❑ Port Scanning is the name of the technique used to
identify available ports and services on hosts on a
network.
❑ Security engineers sometimes use it to scan
computers for vulnerabilities, and hackers also use
it to target victims.
► A port scan by itself does not damage the target: it sends connection attempts of the same kind a legitimate client sends when it visits a website or connects with an application such as Remote Desktop Protocol (RDP) or Telnet, and observes how each port answers.
► A TCP port scan sends a probe segment (for example a SYN) to each port of interest and classifies the port from the reply: SYN/ACK, RST, or silence. UDP ports are probed with UDP datagrams and judged by whether an ICMP "port unreachable" error comes back.
► ICMP echo packets belong to the host-discovery step that precedes the port scan, not to the port scan itself: an ICMP Type 8 (echo request) is sent to each address, and a Type 0 (echo reply) from that address shows the host is up.
Types of Port Scans:
► To protect your network from port scans, it is essential to understand the
different types of port scans used by hackers.
► Vanilla:
The scanner tries to connect to every one of the 65,535 TCP ports on a host, completing a full TCP connection to each.
► Sweep:
The scanner probes the same port on many computers to see which hosts are active.
► FTP Bounce:
The scanner relays its connections through an FTP server (abusing the FTP PORT command) to mask the real source.
► Stealth:
The scanner avoids completing the TCP handshake (for example a half-open SYN scan), so the connection is never handed to the listening application and is less likely to appear in its logs.
► Fragmented Packets:
The scanner sends packet fragments as a means to bypass
packet filters in a firewall.
► User Datagram Protocol (UDP):
The scanner looks for open UDP ports.
Types of Ports:
► Open:
The host replies and announces that it is listening and open for
queries. An undesired open port means that it is an attack path for the
network.
► Closed:
The host responds (with a TCP RST, or an ICMP port unreachable for UDP) but no application is listening.
Attackers may rescan later in case the port has since been opened.
► Filtered:
The host does not respond to a request. This could mean that the
packet was dropped due to congestion or a firewall.
NMAP:
► Nmap is a security auditing tool used to actively enumerate a target system or network. It is one of the most extensively used tools by network administrators and attackers alike for reconnaissance (enumeration), the first of the 5 phases of hacking.
► Nmap is used to actively probe the target network for active hosts(host discovery), port
scanning, OS detection, version details, and active services running on the hosts that are up.
► For this, Nmap uses the technique of sending packets and analyzing the responses.
► Port Scanning is one of the features of Nmap wherein the tool detects the status of the ports on
active hosts in a network. The status of the ports can be open, filtered, or closed. Type Nmap
in the command line to run Nmap. Add necessary switches according to the scanning type to
initiate a specific scan technique.
► Example: nmap -sS 192.168.0.1-52
This command runs Nmap in TCP SYN scan mode (-sS) against the range 192.168.0.1 to 192.168.0.52, reporting which hosts are up and which ports are open, closed or filtered on each. A SYN scan crafts raw packets, so it requires root/administrator privileges; unprivileged users get a full connect() scan (-sT) by default.
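The following is an added example, not Nmap's code, showing the connect() scan (the "vanilla" scan above, Nmap's -sT) and how each socket outcome maps to the open/closed/filtered states Nmap reports. The listener and the "free" port are constructed locally so the demo runs offline; host, ports and timeout values are assumptions.

```python
"""TCP connect() scan, added example (not Nmap's code). Maps each probe's
outcome to the same states Nmap reports: open, closed, filtered."""
import errno
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """Complete a full three-way handshake (like nmap -sT) and classify the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"                    # handshake completed: something is listening
    except socket.timeout:
        return "filtered"                # no SYN/ACK and no RST: the probe was dropped
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "closed"              # host answered RST: reachable, nothing listening
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"            # ICMP unreachable from a router or firewall
        return "unknown"
    finally:
        sock.close()


def scan(host, ports, timeout=1.0, workers=32):
    """Scan the given ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_port(host, p, timeout), ports)
        return dict(zip(ports, states))


def start_listener(host="127.0.0.1"):
    """Constructed target for the demo: a listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:              # listener closed: stop the thread
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """A port nothing is listening on, to demonstrate the 'closed' state."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    for port, state in sorted(scan("127.0.0.1", [open_port, closed_port]).items()):
        print(f"{port}/tcp {state}")
    srv.close()
```

Because connect() completes the handshake, the listening application sees (and may log) every probe; that is exactly what the half-open SYN scan avoids.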
List of Tools in Port Scanning :
1) Cain and Abel:
❖ A password recovery tool for Microsoft Windows.
❖ It can recover many kinds of passwords using methods such as network packet
sniffing and cracking password hashes by dictionary attacks, brute force and
cryptanalysis attacks.
FEATURES:
❖ WEP cracking
❖ Speeding up packet capture by wireless packet injection
❖ Ability to record VoIP conversations
❖ Decoding scrambled passwords
❖ Calculating hashes
❖ Traceroute.
❖ Revealing password boxes
ADVANTAGE:
❖ Provide a wealth of information about a target system. In addition to identifying if a system is
online and which ports are open, port scanners can also identify the applications listening to
2) Maltego
► Maltego is an intelligence-gathering tool; it is available for Windows, macOS and Linux.
USES:
► Maltego is a comprehensive tool for graphical link analyses that
offers real-time data mining and information gathering, as well as
the representation of this information on a node-based graph,
making patterns and multiple order connections between said
information easily identifiable.
ADVANTAGES:
► Easily mine data from dispersed sources, automatically merge matching information in one
graph, and visually map it to explore your data landscape.
DISADVANTAGES:
► Requires setup on each machine on which it is to be installed.
► It does not delve as deep into the Transform specifications - no slider or settings.
► Updating a Transform means it needs to be updated on every machine.
► Sensitive data such as usernames and passwords could reside on the computer of the
analysts.
3) NETSPARKER
What is Netsparker used for?
► Netsparker helps you scan all of your organization's web pages, so you can gain deeper
visibility into your applications and potential vulnerabilities. Any type of webpage or
web app can be scanned. They can be based upon any technology set, language, or
framework.
Netsparker Scanner Features:
► Exploitation engine to show the real impact of exploited vulnerabilities.
► Retest vulnerabilities functionality.
► Advanced Scanning.
► Proof-Based Scanning.
► Full HTML5 Support.
► Web Services Scanning.
► Flexibility & productivity.
Advantages:
► Designed to fit big companies.
► Fewer false positives.
Disadvantages:
► The desktop version consumes a lot of resources.
► Windows-only installation.
4) HASHCAT
► Hashcat is a well-known password cracker, designed to crack even complex passwords by
offering several ways of attacking a given hash, combined with flexibility and speed.
► Hashcat recovers passwords from their hashes with dictionary (wordlist), rule-based,
combinator and mask/brute-force attacks. It does not use rainbow tables, but those are one
of the classic hash-cracking approaches summarised below.
Hash-cracking approaches:
✔ Lookup Tables: the hashes of a dictionary are precomputed once and stored in a lookup table
alongside their corresponding passwords, so each captured hash is cracked with a single lookup.
✔ Reverse Lookup Tables: the attacker builds a table from the captured hashes instead, so a
dictionary or brute-force run can be checked against many hashes at the same time without
precomputing anything.
✔ Rainbow Tables: a time-memory trade-off. They are comparable to lookup tables, except that
they sacrifice some cracking speed to make the tables much smaller.
✔ Hashing with Salt: a random string known as a "salt" is prepended or appended to the
password before hashing, so identical passwords give different hashes and precomputed lookup
and rainbow tables no longer apply.
Advantages :
▪ Hashcat is a password cracking or recovery program.
▪ GPU (Graphics Processing unit)support stands out, to speed up the
cracking process on the graphics card and the distributed processing
between cracking nodes.
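The following is an added example, not Hashcat's code, illustrating the approaches listed above: a precomputed lookup table cracks unsalted hashes with a single lookup, a per-user salt makes that table useless and forces a fresh dictionary or mask run for every hash. The wordlist and passwords are constructed; SHA-256 is used throughout so the comparison is like for like.

```python
"""Hash-cracking strategies, added example (not Hashcat's code). Uses SHA-256
for every variant so that only the salt, not the algorithm, explains why the
precomputed table stops working."""
import hashlib
import itertools
import os

WORDLIST = ["password", "letmein", "hunter2", "qwerty", "Winter2024!"]  # constructed


def hash_pw(password, salt=b""):
    """sha256(salt || password) hex digest; salt=b"" gives the unsalted hash."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; reusable against every unsalted dump."""
    return {hash_pw(w): w for w in words}


def lookup_attack(table, hashes):
    """One dictionary lookup per captured hash, no hashing at crack time."""
    return {h: table.get(h) for h in hashes}


def dictionary_attack(words, target, salt=b""):
    """Hash every candidate with the victim's own salt (Hashcat -a 0 style)."""
    for w in words:
        if hash_pw(w, salt) == target:
            return w
    return None


def mask_attack(target, salt=b"", alphabet="0123456789", length=4):
    """Exhaust a fixed mask such as ?d?d?d?d (Hashcat -a 3 style)."""
    for combo in itertools.product(alphabet, repeat=length):
        cand = "".join(combo)
        if hash_pw(cand, salt) == target:
            return cand
    return None


def make_salted_record(password):
    """How a defender stores a password: a fresh random salt per user."""
    salt = os.urandom(16)
    return salt, hash_pw(password, salt)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(lookup_attack(table, [hash_pw("hunter2")]))     # cracked by one lookup
    salt, digest = make_salted_record("hunter2")
    print(lookup_attack(table, [digest]))                 # table useless: None
    print(dictionary_attack(WORDLIST, digest, salt))      # found again, but only by re-hashing
    print(mask_attack(hash_pw("4711", salt), salt))       # 4-digit mask exhausted
```

The salt does not stop a dictionary or mask attack on one hash; it removes the attacker's ability to amortise the hashing work across many hashes, which is why slow, salted hashing (bcrypt, scrypt, Argon2) is the usual defence.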
5) OWASP ZAP (Zed Attack Proxy)
► OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security
scanner designed to be used during the development phase. It allows developers to
identify and fix security vulnerabilities in their applications.
► One of the most active Open Web Application Security Project (OWASP) projects.
► When used as a proxy server it allows the user to manipulate all of the traffic that
passes through it, including traffic using https.
► A full featured free and open source DAST (Dynamic Application Security Testing )
tool that includes both automated scanning for vulnerabilities and tools to assist expert
manual web app pen testing.
► Web application penetration testing is the practice of simulating attacks on a system in
an attempt to gain access to sensitive data, with the purpose of determining whether a
system is secure.
Advantages:
► ZAP is cross-platform: it works on Linux, Mac and Windows.
► ZAP is reusable.
Disadvantages:
► The forced-browse feature has been incorporated into the program and it is resource-intensive.
► The results are somewhat unreliable: every finding has to be verified manually to see whether it is a false positive or a true finding, which takes time.
6) Kismet:
1. Kismet is a network detector, packet sniffer, and intrusion detection system for
802.11 wireless LANs.
2. Intrusion Detection System (IDS) is a monitoring system that detects suspicious
activities and generates alerts when they are detected.
3. The tool works on a machine with a wireless card, Where it sniffs networks and
displays the output.
4. It can infer the IP address range in use on a wireless network from the traffic it captures.
5. It can detect networks left with default or missing configuration (for example default SSIDs).
Advantages:
• It will capture more packets because adjacent channels overlap.
• Kismet also supports logging of the geographical coordinates of the network if the input from a GPS unit is available.
Disadvantages:
• It takes a long time to search networks.
7) NETSTUMBLER
► NetStumbler (also known as Network Stumbler) was a tool for Windows that facilitates detection of Wireless
LANs using the 802.11b, 802.11a and 802.11g WLAN standards.
► A trimmed-down version called MiniStumbler is available for the handheld Windows CE operating system.
► Netstumbler has become one of the most popular programs for wardriving and wireless reconnaissance.
► It can be detected easily by most wireless intrusion detection systems, because it actively sends probe requests to collect
information.
► Netstumbler has integrated support for a GPS unit.
NetStumbler uses and advantages:
✔ Verifying network configurations.
✔ Finding locations with poor coverage in a WLAN.
✔ Detecting causes of wireless interference.
✔ Detecting unauthorized ("rogue") access points.
✔ Aiming directional antennas for long-haul WLAN links.
Disadvantage:
✔ No updated version has been developed since 2004, so newer WLAN standards and current Windows versions are not supported.
SCANNING TECHNIQUES:
► Hackers and pen-testers check for live systems.
► Check for open ports (the technique is called port
scanning).
► Scan beyond the IDS (Intrusion Detection System) and firewall.
► Scan for vulnerabilities.
► Prepare proxies.
Types of Scanning:
► Network Scanning
► Port Scanning
► Vulnerability Scanning
NETWORK SCANNING:
► Network scanning is a procedure for identifying
active devices on a network by employing a
feature or features in the network protocol to
signal devices and await a response.
► It is mainly used for security assessment, system
maintenance, and also for performing attacks by
hackers.
PORT SCANNING:
► It is a conventional technique used by penetration
testers and hackers to search for open doors from
which hackers can access any organization's
system.
SCANNING THROUGH
PORTS USE OF FLAGS:
1. SYN Scan:
► The scanner sends a SYN packet to the target port. If a
SYN/ACK comes back, the port is listening (open); the
scanner then answers with RST instead of completing the
handshake, which is why this is also called a half-open scan.
► If an RST is received from the target, the port is closed.
No reply at all (or an ICMP unreachable error) means the
port is filtered.
2. XMAS Scan:
► An XMAS scan sends a packet with the URG (urgent), FIN
(finish) and PSH (push) flags set.
► On an RFC 793-compliant stack an open port gives no
response and a closed port answers with RST, so silence is
reported as open|filtered rather than plainly open. Stacks
that do not follow RFC 793 (Microsoft Windows among them)
answer every such probe with RST, so all ports look closed.
3. FINScan:
► A FIN scan is similar to an XMAS scan except that
it sends a packet with just the FIN (finish) flag and
no URG or PSH flags.
► FIN scan receives the same response and has the
same limitations as XMAS scans.
4. IDLE Scan:
► An idle scan never sends a packet from the attacker's own
address. It uses a third "zombie" host whose IP ID counter
increments predictably: the scanner spoofs the zombie's IP
as the source of a SYN to the target, then probes the zombie
to see whether its IP ID sequence advanced.
► An open port makes the target send SYN/ACK to the zombie,
which replies with RST and consumes an IP ID; a closed port
sends RST, which the zombie ignores. The port state is read
off the zombie's IP ID, so the target only ever sees the
zombie's address.
5. Inverse TCP Flag Scan:
► The attacker sends TCP probe packets with one of the FIN,
URG or PSH flags (or no flags at all, a NULL scan).
► No response means the port is open or filtered
(open|filtered); an RST means it is closed.
6. ACK Flag Probe Scan:
► The attacker sends TCP probe packets with only the ACK
flag set to the remote device and analyses the replies,
including header fields such as the TTL and WINDOW.
► An unfiltered port, whether open or closed, answers with
RST, so this scan maps the target's filtering rules rather than
open ports: RST means unfiltered, no response (or an ICMP
unreachable error) means filtered. On some stacks the TTL
or window value of the RST differs between open and closed
ports, which Nmap's window scan (-sW) exploits.
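The following is an added example, not Nmap's code and not a real TCP stack, that models the probe/reply exchanges of the flag scans above from both sides. target_reply() plays the target (an RFC 793 stack, or a non-compliant one that answers FIN/NULL/XMAS probes on open ports with RST) and infer_state() applies the scanner's rules, so the open|filtered ambiguity and the unfiltered-only answer of the ACK scan fall out of the model. Flag values are the real TCP header bits; the state names are assumptions chosen to match Nmap's output.

```python
"""Simulated TCP flag-probe scans, added example (not Nmap's code, not a
real stack). Models which reply a port gives to each probe and how the
scanner interprets it."""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

PROBES = {            # scan type -> flags carried by the probe segment
    "syn":  SYN,
    "fin":  FIN,
    "null": 0,
    "xmas": FIN | PSH | URG,
    "ack":  ACK,
}


def target_reply(port_state, probe_flags, rfc793=True):
    """Flags of the target's reply segment, or None if it stays silent.

    port_state: "open" (a listener), "closed" (no listener, host reachable),
                "filtered" (a firewall drops the probe).
    rfc793:     True for a compliant stack; False for stacks such as Windows
                that answer FIN/NULL/XMAS probes to open ports with RST.
    """
    if port_state == "filtered":
        return None                                  # dropped, nothing comes back
    if port_state == "closed":
        # RFC 793: a closed port answers any segment except RST with RST
        return None if probe_flags & RST else RST
    # open port in LISTEN state
    if probe_flags & RST:
        return None
    if probe_flags & ACK:
        return RST                                   # stray ACK: no such connection
    if probe_flags & SYN:
        return SYN | ACK                             # second step of the handshake
    return None if rfc793 else RST                   # FIN/NULL/XMAS: drop, or RST if non-compliant


def infer_state(scan_type, reply):
    """The scanner's verdict for each scan type (Nmap's interpretation)."""
    if scan_type == "syn":
        if reply is None:
            return "filtered"
        return "open" if (reply & SYN and reply & ACK) else "closed"
    if scan_type in ("fin", "null", "xmas"):
        return "open|filtered" if reply is None else "closed"
    if scan_type == "ack":
        return "filtered" if reply is None else "unfiltered"
    raise ValueError(scan_type)


def run_scan(scan_type, port_state, rfc793=True):
    """One probe/reply exchange followed by the scanner's verdict."""
    reply = target_reply(port_state, PROBES[scan_type], rfc793)
    return infer_state(scan_type, reply)


if __name__ == "__main__":
    for scan_type in PROBES:
        for state in ("open", "closed", "filtered"):
            print(f"{scan_type:5} vs {state:9}: {run_scan(scan_type, state)}")
    print("xmas vs open, non-RFC stack:", run_scan("xmas", "open", rfc793=False))
```

The last line of the demo is the practical caveat: against a Windows host every port comes back closed from an XMAS scan, which is a property of the target's stack, not evidence that nothing is listening.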
VULNERABILITY SCANNING
► It is the proactive identification of the system's
vulnerabilities within a network in an automated
manner to determine whether the system can be
exploited or threatened.
► The scanner must be able to reach the target systems over
the network, and it usually needs internet access to keep its
vulnerability database up to date.
SCANNING BEYOND IDS AND
FIREWALL:
Intrusion Detection System:
► An Intrusion Detection System (IDS) is a device
or software application that monitors a network or
systems for malicious activity or policy violations
Types of Intrusion Detection Systems:
► Network Intrusion Detection System:
► Network Node Intrusion Detection System:
► Host Intrusion Detection System:
► Protocol based Intrusion Detection System
► Application Protocol based Intrusion Detection
System
INTRUSION DETECTION
SYSTEM METHODS:
1. Signature-Based Intrusion Detection:
Signature based Intrusion Detection Systems (SIDS)
aim to identify patterns and match them with known signs of
intrusions
2. Anomaly Based Intrusion Detection:
► An AIDS can identify new, zero-day intrusions. It uses
machine learning (ML) and statistical data to build a
model of "normal" behaviour.
► Any time traffic deviates from this typical behaviour, the
system flags it as suspicious.
3. Hybrid Intrusion Detection:
► A hybrid system combines the best of both worlds.
► By looking at patterns and one-off events, a Hybrid Intrusion
Detection system can flag new and existing intrusion strategies
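The following is an added example, not taken from any IDS product, of the simplest signature-style rule an IDS applies to the scans discussed on this page: one source touching many distinct ports (a vertical scan) or many hosts on one port (a horizontal sweep) inside a short sliding window. The firewall log format, the addresses and the timestamps are all constructed; the threshold and window are assumptions and are the knobs an analyst tunes.

```python
"""Threshold-based port-scan detection over firewall log lines, added example
(not from any IDS product). Flags a source that touches at least `threshold`
distinct ports (vertical) or hosts (horizontal) within a `window`-second
sliding window. Log format and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw kernel: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse(line):
    """Pull timestamp, source, destination and destination port from one line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dpt": int(m["dpt"])}


def detect(lines, threshold=8, window=60):
    """Return one alert per (source, kind) the first time the threshold is crossed."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts, seen = [], set()
    span = timedelta(seconds=window)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while evs[start]["ts"] < ev["ts"] - span:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            counts = {"vertical": len({e["dpt"] for e in win}),
                      "horizontal": len({e["dst"] for e in win})}
            for kind, n in counts.items():
                if n >= threshold and (src, kind) not in seen:
                    seen.add((src, kind))
                    alerts.append({"src": src, "kind": kind, "count": n,
                                   "at": ev["ts"].isoformat()})
    return alerts


def make_line(ts, src, dst, dpt):
    """Constructed syslog-style firewall line for a logged SYN."""
    return (f"{ts.isoformat()} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO=TCP SPT=51000 DPT={dpt} SYN")


T0 = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_LOG = (
    # ordinary client: a few hits on one port
    [make_line(T0 + timedelta(seconds=20 * i), "198.51.100.7", "192.0.2.10", 443) for i in range(3)]
    # vertical scan: 12 ports on one host within 12 seconds
    + [make_line(T0 + timedelta(seconds=i), "203.0.113.5", "192.0.2.10", 20 + i) for i in range(12)]
    # horizontal sweep: port 22 on 10 hosts within 10 seconds
    + [make_line(T0 + timedelta(seconds=i), "203.0.113.9", f"192.0.2.{10 + i}", 22) for i in range(10)]
    # slow scan: one port every 30 s, never 8 inside a 60 s window (evades this rule)
    + [make_line(T0 + timedelta(seconds=30 * i), "203.0.113.77", "192.0.2.10", 8000 + i) for i in range(12)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The slow scanner in the sample is the classic failure mode of a fixed window: widening the window to ten minutes catches it, at the cost of more false positives from legitimate bursty clients, which is the trade-off behind Nmap's timing templates (-T0/-T1) on the attacker's side.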
FIREWALLS:
► In computing, a firewall is a network security
system that monitors and controls incoming
and outgoing network traffic based on
predetermined security rules.
► A firewall typically establishes a barrier
between a trusted network and an
untrusted network, such as the Internet.
Types of Firewalls:
► Packet filtering -A small amount of data is
analyzed and distributed according to the filter’s
standards.
► Proxy service - Network security system that
protects while filtering messages at the application
layer.
► Stateful inspection - Dynamic packet filtering
that monitors active connections to determine
which network packets to allow through the
Firewall.
► Next Generation Firewall (NGFW) - Deep
packet inspection Firewall with application-level
inspection.
Scanning beyond IDS and
firewalls:
► The main difference is that a firewall actively blocks and
filters traffic, whereas an IDS only detects and alerts the
system administrator; an IPS additionally blocks the attack
as configured.
► Although firewalls and IDSs are meant to keep malicious
packets from reaching a server, attackers still manage to
deliver their probes to the destination server by using
techniques such as the following.
TECHNIQUES IMPLEMENTED BY
HACKERS BEYOND IDS AND
FIREWALL:
► Packet Fragmentation: The attacker splits each probe into
small IP fragments (Nmap -f). A filter that does not
reassemble fragments may let them through, while the
intended server reassembles them after receiving all the
fragments.
► Source Routing: The attacker specifies the route the packet
takes to the intended server (Nmap --ip-options), steering it
around a filtering device. Most current routers and hosts
drop source-routed packets.
► IP Address Decoy: The scan is sent from several spoofed
decoy addresses alongside the real one (Nmap -D), so the
IDS/Firewall cannot determine which source is the actual
attacker.
► IP Address Spoofing: The attacker sets a false source IP
address (Nmap -S) so the attack appears to be coming from
someone else. Replies then go to the spoofed address, so
this only yields results when the attacker can still observe
them, as in the idle (zombie) scan.