Beginner to Advanced: Networking Ports and Port Scanning.

Networking Port and Port Scanning

  
 
 
 
Note: This article is focused on networking ports and not hardware ports.


 
* Who is recommended to read this article?

  • This is for all beginner and intermediate programmers.
  • Must-read for Cyber-Security enthusiasts or students.

 

 

INTRODUCTION:


Countless articles on networking ports are available on the internet, but after reading them I often had more complicated questions rather than a simple answer. That is why I will try my best to simplify the introduction to ports.

 


If you can't explain it simply, you don't understand it well enough. --Albert Einstein



I believe you will understand the basic idea of a port even if you are a complete beginner.

 

 

 

PORT:

 

Before going directly to "PORT", let me give you some prerequisite ideas so that everything you learn here is connected.

 

 

In computer networking, an IP address is used to identify a computer. When your computer wants to communicate with another computer (on the internet or on the same local network), it must know the target's IP address. Think of the IP address as your house number.


I like this house number example, so let's continue with a similar one.


Suppose you are staying at a hotel and I am sending you a letter. Assume I know your hotel's address (think of the hotel's address as the IP address). Now the letter arrives at your hotel, but you don't want it to go to someone else's room, right?


To solve this problem the concept of a room number is introduced (think of the room number as the PORT number), to make sure the correct person receives the correct letter and to make distribution easy.




MORE TECHNICAL DETAIL:


Internet Protocol Address:

 A numerical value used mainly for identification and location addressing of a device connected to a network that uses the Internet Protocol for communication.


There is much more in IP but we won't be going deeper. Let's get back to PORT.




Port Number:

 A 16-bit unsigned number that identifies a specific process or a type of network service. A port number is always associated with the IP address of a host/device (just as a room number is always associated with a hotel's address).


Its main function is to complete the destination of a message (the letter). A port number can be anything from 0 to 65535. Within that range, IANA reserves 0 to 1023 as the well-known ports, 1024 to 49151 as registered ports, and leaves 49152 to 65535 for dynamic/private use (the ports your own computer picks for the client side of a connection). On Unix-like systems, listening on a well-known port below 1024 requires administrator (root) privileges.

 

For example:

Port number 80 is reserved for HTTP (HyperText Transfer Protocol), used on the World Wide Web (www); its encrypted counterpart HTTPS uses port 443.

 

This means that when you visit a website over plain HTTP you are talking to the web server's port 80 (and to port 443 when the address starts with https://).

 

192.168.2.4:80 -- here 192.168.2.4 is the IP address of the host and 80 is the port. So we are connecting to the host through port 80, which by convention means we are talking HTTP. Keep in mind that the port number is only a convention: nothing stops an administrator from running SSH on port 80 or a web server on port 8080, which is why port scanners usually follow up with service detection instead of trusting the number alone.





But when you want to visit a website you never type its IP address and port.

Thanks to DNS (Domain Name System), whose main job is to map a name such as www.meandmyqwerty.com to its IP address.


I will cover DNS later. Now, back to PORT.



Note: More detailed networking tutorial coming soon.



 

COMMON POPULAR PORTS:

[The original post shows a picture here, which the author notes is not their own, listing common ports. For reference, some of the best-known TCP ports are: 20/21 FTP, 22 SSH, 23 Telnet, 25 SMTP, 53 DNS (also UDP), 80 HTTP, 110 POP3, 143 IMAP, 443 HTTPS, 445 SMB, 3306 MySQL, 3389 RDP.]








PORT SCANNING:

 

Port scanning is a way of figuring out which ports on a host are listening and accepting connections. Most services run on standard, documented ports, so this information can be used to infer which services are running.



The simplest port scanning method is to try a full TCP connection to every possible port on the target (Nmap calls this a connect scan, -sT). This method is effective and needs no special privileges, but it is also very noisy and easily detectable: every connection is completed, so the service on the other end sees it and can log it.
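As an added example (not part of the original post), here is that simplest scanner in Python: a plain TCP connect scan, the same thing Nmap does with -sT. socket.connect() performs the whole three-way handshake, so the target's service sees a complete connection and can log it, which is exactly why this method is noisy. The target is constructed: demo() starts its own listener on 127.0.0.1 at an OS-chosen port so the example runs offline; point scan_range() at a host you are authorised to scan to use it for real.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=0.5):
    """Full TCP connect() to one port (a connect scan, Nmap -sT).

    'open'     : handshake completed (we got SYN/ACK and the OS sent the ACK)
    'closed'   : the host answered our SYN with RST (connection refused)
    'filtered' : no answer or an ICMP error before the timeout (firewall/drop)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # socket.timeout, EHOSTUNREACH, ENETUNREACH, ...
            return "filtered"


def service_name(port, proto="tcp"):
    """Name registered for a well-known port in /etc/services, or '?' if none."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "?"


def scan_range(host, first, last, workers=64):
    """Probe every port in [first, last] concurrently; returns {port: state}."""
    ports = range(first, last + 1)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p), ports))
    return dict(zip(ports, states))


def demo():
    """Constructed target: one listener on 127.0.0.1, then scan a small window
    around it. Returns (listening_port, results) so the outcome can be checked."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    listener.listen(8)
    port = listener.getsockname()[1]
    try:
        results = scan_range("127.0.0.1", port - 3, port + 3)
    finally:
        listener.close()
    return port, results


if __name__ == "__main__":
    listening, results = demo()
    for p, state in sorted(results.items()):
        print(f"{p}/tcp  {state:<8} {service_name(p)}")
```

A closed port answers immediately with RST, so it costs almost nothing to probe; a filtered port makes you wait for the full timeout, which is why scanning firewalled hosts is slow and why scanners use many threads.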


To reduce this noise and avoid detection, several other techniques were invented.



NMAP: 

 

Nmap is an open-source port scanning tool written by Fyodor (Gordon Lyon). It is one of the most popular port scanners (and available for free) because it implements many clever and advanced techniques to reduce noise and detection.



 

Prerequisite concept:

To make a full TCP connection to a host on a certain port, the TCP three-way handshake must be performed.

 

TCP three-way handshake:

  • The client sends a SYN packet.
  • The server sends back a SYN/ACK packet.
  • Finally, the client sends back an ACK packet to complete the connection.

 

 

 

Below are some of the popular advanced techniques Nmap uses, briefly explained:

 

 

Stealth SYN Scan (Nmap -sS):

 

A SYN scan is also known as a half-open scan because of the technique it uses. An initial SYN packet is sent and the response is examined. If a SYN/ACK comes back, the port is open and accepting connections; this is recorded and an RST packet is sent instead of the final ACK, so the handshake is never completed and the service on the target never sees a connection (it also stops half-open entries from piling up in the target's backlog). If an RST comes back, the port is closed. If nothing comes back after retries, or an ICMP unreachable error arrives, Nmap reports the port as filtered. Because it crafts raw packets instead of calling connect(), this scan needs raw-socket privileges (root on Unix-like systems).

 





FIN, X-MAS and NULL scans:


The SYN scan was very effective, reducing noise and the chance of detection drastically, because it never completes a connection with the target.


In response to SYN scanning, tools that detect and log half-open connections were created. So yet another collection of stealth port scanning techniques evolved: FIN, Xmas, and NULL scans.

These all involve sending to every port a segment that makes no sense for a port with no connection: a lone FIN (FIN scan), no flags at all (NULL scan), or FIN, PSH and URG all set, lit up "like a Christmas tree" (Xmas scan). If a port is listening, a stack that follows the protocol (RFC 793) simply drops such a segment. If the port is closed, it replies with an RST packet. That difference reveals which ports are listening without ever opening a connection. Two caveats a practitioner should know: silence is ambiguous, since a firewall dropping the probe looks exactly like an open port, so Nmap reports those ports as open|filtered rather than open; and some stacks (Microsoft Windows among them) ignore the RFC and answer every such probe with RST, so against those hosts every port appears closed.


Using Nmap, FIN, Xmas, and NULL scans are performed with the command-line options -sF, -sX, and -sN, respectively.
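The SYN scan and the FIN/Xmas/NULL scans above are decided by the same small set of rules, so here they are written down as runnable Python. This is an added example, not code from Nmap or from the original post: rfc793_target() is a constructed model of what an RFC 793 stack replies to a single probe segment arriving at a closed or listening port (the CLOSED and LISTEN cases of the RFC's "segment arrives" rules), and classify() applies Nmap's interpretation of that reply. The scan-type names, the Reply class and the rfc_compliant switch are this example's own; the switch models stacks such as Windows that answer every FIN/NULL/Xmas probe with RST, which is why those scans report every port closed against such hosts.

```python
from dataclasses import dataclass
from typing import Optional

# TCP flag bits, in the order they sit in the header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags of the probe segment each scan type sends (Nmap -sS, -sF, -sN, -sX)
PROBES = {"syn": SYN, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG}


@dataclass
class Reply:
    """What came back for one probe. tcp_flags=None and no ICMP means silence."""
    tcp_flags: Optional[int] = None
    icmp_unreachable: bool = False  # ICMP type 3 (port/host/admin prohibited)


def rfc793_target(port_listening: bool, flags: int) -> Reply:
    """Constructed model of an RFC 793 stack with no connection on the port."""
    if flags & RST:
        return Reply()                     # an RST is never answered
    if not port_listening:
        return Reply(tcp_flags=RST | ACK)  # CLOSED: anything else gets RST
    if flags & ACK:
        return Reply(tcp_flags=RST)        # LISTEN: a stray ACK gets RST
    if flags & SYN:
        return Reply(tcp_flags=SYN | ACK)  # LISTEN: SYN -> handshake step 2
    return Reply()                         # LISTEN: FIN/NULL/Xmas are dropped


def classify(probe: str, reply: Reply) -> str:
    """Nmap's reading of a single reply for the given scan type."""
    if reply.icmp_unreachable:
        return "filtered"
    f = reply.tcp_flags
    if probe == "syn":
        if f is None:
            return "filtered"              # silence after retransmissions
        if f & SYN and f & ACK:
            return "open"                  # scanner now answers RST, not ACK
        return "closed" if f & RST else "filtered"
    # fin / null / xmas: silence is ambiguous (open, or a firewall dropping)
    if f is not None and f & RST:
        return "closed"
    return "open|filtered"


def simulate_scan(probe, listening, ports, rfc_compliant=True):
    """Run one scan type against a modelled host; returns {port: state}.
    rfc_compliant=False models stacks that answer every FIN/NULL/Xmas with RST."""
    states = {}
    for p in ports:
        reply = rfc793_target(p in listening, PROBES[probe])
        if not rfc_compliant and probe != "syn":
            reply = Reply(tcp_flags=RST | ACK)
        states[p] = classify(probe, reply)
    return states


if __name__ == "__main__":
    host = {22, 80}  # constructed target with SSH and HTTP listening
    for kind in PROBES:
        print(kind, simulate_scan(kind, host, [22, 23, 80]))
    print("xmas vs Windows-like stack:",
          simulate_scan("xmas", host, [22, 23, 80], rfc_compliant=False))
```

Run against the modelled host, the SYN scan separates open from closed cleanly, while the three stealth scans can only say "closed" or "open|filtered"; flip rfc_compliant off and every port comes back closed, exactly the false negative a scanner gets from a Windows target.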





Spoofing Decoys (Nmap -D):

 

Another way to avoid detection is to hide among several decoys. This technique sends spoofed copies of each probe from various decoy IP addresses alongside the real one, so the target's logs show the scan coming from many sources at once. Replies to the spoofed probes never reach you and aren't needed; they exist only to mislead. Because decoys are spoofed raw packets, the technique needs raw-socket privileges and does not work with a TCP connect scan or with version detection. The decoy addresses should belong to live hosts; otherwise the target may be accidentally SYN flooded, since it keeps retransmitting SYN/ACKs to addresses that never answer.


Decoys are specified in Nmap with the -D command-line option as a comma-separated list; the keyword ME can be placed in that list to control where your real address appears among the decoys. The sample Nmap command shown below scans the IP 192.168.42.72, using 192.168.42.10 and 192.168.42.11 as decoys:

nmap -D 192.168.42.10,192.168.42.11 192.168.42.72
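The flip side of decoys is what the target's defender sees. This added Python example (not from the original post) is the kind of crude port-scan detector the text alludes to: it parses a handful of constructed netfilter-style firewall log lines from a decoy SYN scan of 192.168.42.72 and flags any source that touched at least a threshold number of distinct ports within a 60-second window. The log format, host name, the scanner address 192.168.42.42 and the thresholds are all assumptions for the example. Note that the two decoys are flagged right alongside the real scanner, which is the whole point of the technique: the defender knows a scan happened but not which of the three addresses to blame.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: netfilter "LOG" style lines for inbound SYNs to 192.168.42.72.
# 192.168.42.42 is the (assumed) real scanner, .10 and .11 its decoys, .5 a normal client.
SAMPLE_LOG = """\
Mar 03 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.42.5 DST=192.168.42.72 PROTO=TCP SPT=52110 DPT=443 SYN
Mar 03 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.42.10 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=21 SYN
Mar 03 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.42.42 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=21 SYN
Mar 03 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.42.11 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=21 SYN
Mar 03 10:00:03 gw kernel: IN=eth0 OUT= SRC=192.168.42.10 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=22 SYN
Mar 03 10:00:03 gw kernel: IN=eth0 OUT= SRC=192.168.42.42 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=22 SYN
Mar 03 10:00:03 gw kernel: IN=eth0 OUT= SRC=192.168.42.11 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=22 SYN
Mar 03 10:00:04 gw kernel: IN=eth0 OUT= SRC=192.168.42.10 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=25 SYN
Mar 03 10:00:04 gw kernel: IN=eth0 OUT= SRC=192.168.42.42 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=25 SYN
Mar 03 10:00:04 gw kernel: IN=eth0 OUT= SRC=192.168.42.11 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=25 SYN
Mar 03 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.168.42.5 DST=192.168.42.72 PROTO=TCP SPT=52111 DPT=443 SYN
Mar 03 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.168.42.10 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=80 SYN
Mar 03 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.168.42.42 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=80 SYN
Mar 03 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.168.42.11 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=80 SYN
Mar 03 10:00:06 gw kernel: IN=eth0 OUT= SRC=192.168.42.10 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=445 SYN
Mar 03 10:00:06 gw kernel: IN=eth0 OUT= SRC=192.168.42.42 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=445 SYN
Mar 03 10:00:06 gw kernel: IN=eth0 OUT= SRC=192.168.42.11 DST=192.168.42.72 PROTO=TCP SPT=41000 DPT=445 SYN
Mar 03 10:00:09 gw kernel: IN=eth0 OUT= SRC=192.168.42.5 DST=192.168.42.72 PROTO=TCP SPT=52112 DPT=80 SYN
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse(lines):
    """Return (timestamp, src_ip, dst_port) for every line that is a firewall LOG entry."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # anything else in the log (non-firewall messages) is skipped
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["src"], int(m["dpt"])))
    return events


def find_scanners(events, window_seconds=60, threshold=5):
    """Flag sources that probed >= threshold distinct ports inside any window.
    Returns {src: peak distinct-port count}. Quadratic per source, which is fine
    for a demo; a real sensor would keep a sliding window per source."""
    by_src = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        peak = 0
        for i, (t0, _) in enumerate(evs):
            in_window = {d for t, d in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in sorted(find_scanners(parse(SAMPLE_LOG.splitlines())).items()):
        print(f"possible port scan from {src}: {n} distinct ports within 60s")
```

Counting distinct destination ports per source in a time window is the classic heuristic; it catches connect and SYN scans that hit many ports quickly but is easily beaten by a slow scan spread over hours, which is why real sensors also look at RST-to-SYN ratios and at probes with nonsensical flags.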






There are many more techniques; find out more yourself. As homework, check out idle scanning (Nmap -sI), which bounces the scan off a third-party "zombie" host so that your own address never appears in the target's logs at all.




More and more defence mechanisms against these scans are emerging, and so are more advanced scanning techniques; more posts on them are coming too.




Suggest some topics of interest to you. I cover topics like cyber-security, tech, personal development, etc.
