eCPPTv2 Notes
Scanning


Last updated 4 years ago


2.1. Introduction

2.1.1. Ports, Protocols, and Services

Ports, Protocols, and Services (PPS) help us identify the types of applications running on a system and, subsequently, their potential weaknesses. This is because security researchers have not only discovered vulnerabilities in specific applications and versions over the years, but have also published exploits that allow adversaries to take advantage of those weaknesses.

To use PPS information effectively, one must know where to find information about the services and applications that normally run on a specific port. The same applies to malware that may already be present on the target systems, since some backdoors and trojans listen on known ports.

While there are many references available on the internet, having a locally stored copy ready for easy reference is always beneficial.

Good reference for PPS:

Of course, you can always use search engines to find this information, but be sure to check the posting dates, as many of the resources that turn up are outdated or no longer online.

The most thorough way to identify PPS is to scan all ports of the remote system. Be aware, however, that scanning all 65535 ports takes a long time, and a scan of that size will almost certainly expose your presence on the network. It is therefore better to split the work into jobs that each cover a smaller port range.

By default, most of the tools that we are going to use scan only a small set of ports (Nmap, for example, scans the 1000 most common ports for the chosen protocol unless told otherwise with -p or --top-ports). This means they cover only the most common applications and services such as telnet, FTP, SSH, HTTP, etc.; a service listening on an unusual port will be missed.

Note: a skilled network administrator may deploy anti-enumeration techniques (for example, firewall or IDS rules that rate-limit or block port scans). In addition, an administrator may deliberately run a legitimate service on a port that is commonly associated with malware, or run a service on a non-standard port, so the port number alone is not proof of what is listening; always confirm with service detection.
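As an added example (not code from these notes), the following Python splits the full port range into the smaller jobs recommended above, builds one Nmap command line per job, and includes a minimal connect() scanner for situations where Nmap is not available. The target address, chunk size and Nmap options are assumptions chosen for illustration; nothing is executed unless you run the module yourself.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Optional


def port_ranges(first: int, last: int, size: int) -> List[str]:
    """Split the inclusive port range [first, last] into consecutive
    "start-end" chunks of at most `size` ports (the syntax Nmap's -p accepts)."""
    if not (0 <= first <= last <= 65535) or size < 1:
        raise ValueError("invalid port range or chunk size")
    chunks = []
    start = first
    while start <= last:
        end = min(start + size - 1, last)
        chunks.append(f"{start}-{end}")
        start = end + 1
    return chunks


def nmap_jobs(target: str, first: int = 1, last: int = 65535,
              size: int = 5000) -> List[str]:
    """One Nmap command line per chunk. The strings are meant to be run or
    queued one at a time, so each job is short and a single noisy sweep of
    the whole range is avoided. -sS (SYN scan) needs root; use -sT otherwise.
    -Pn skips host discovery, which is assumed to have been done already."""
    return [f"nmap -sS -Pn -p {chunk} {target}"
            for chunk in port_ranges(first, last, size)]


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5,
                 workers: int = 50) -> List[int]:
    """Minimal TCP connect() scan: a port is reported open only if the full
    three-way handshake completes. connect_ex() returns 0 on success and an
    errno (e.g. ECONNREFUSED for a closed port) otherwise; a timeout usually
    means the port is filtered. Any socket error is treated as not open."""
    def probe(port: int) -> Optional[int]:
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                return port if s.connect_ex((host, port)) == 0 else None
        except OSError:
            return None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


if __name__ == "__main__":
    # Assumed lab target; replace with a host you are authorised to scan.
    for cmd in nmap_jobs("10.10.10.5", size=10000):
        print(cmd)
    # Connect scan of the loopback interface over the well-known port range.
    print("open on localhost:", connect_scan("127.0.0.1", range(1, 1025)))
```

A connect() scan completes the handshake, so every open port it finds is logged by the target application; the SYN scan that Nmap's -sS performs is quieter because it never sends the final ACK. Keep the chunk size small enough that a single job finishes in minutes, and spread jobs over time if stealth matters.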

2.1.2. TCP - Three Way Handshake

All TCP connections begin with a simple exchange of three messages called the three-way handshake.

Header fields involved in the handshake:

  • Sequence number

  • Acknowledgement number

  • SYN and ACK flags

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Steps:

  1. First, the client sends a TCP segment to the server with the SYN flag set and a randomly chosen initial sequence number (e.g.: Client -SYN--[Seq:329 Ack:0]-> Server).

  2. Then, the server replies with a segment that has both the SYN and ACK flags set and carries its own random initial sequence number. The acknowledgement number is the client's sequence number plus one (e.g.: Client <-SYN/ACK--[Seq:498 Ack:330]- Server).

  3. Finally, the client completes the handshake with a segment that has only the ACK flag set. It acknowledges the server's sequence number in the same way, i.e. the server's sequence number plus one, and its own sequence number is now 330 (e.g.: Client -ACK--[Seq:330 Ack:499]-> Server).

Port scanners rely on this exchange: a SYN/ACK in reply to a SYN means the port is open, a RST means it is closed, and no reply at all usually means a firewall is filtering it. A SYN scan sends a RST instead of the final ACK, so the connection is never fully established.
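The three steps above, as an added example that is not part of the original notes: a small Python parser for the fixed 20-byte TCP header shown in the diagram, plus a checker that verifies the flag and sequence/acknowledgement relationships of a handshake. The three segments are constructed in the code using the sequence numbers from the steps (329 and 498) and assumed ports 40000 and 80; they are not a real capture.

```python
import struct
from typing import Dict, List

# TCP control bits (RFC 793), the low six bits of the 16-bit word that also
# carries Data Offset and Reserved.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(raw: bytes) -> Dict[str, int]:
    """Parse the fixed 20-byte TCP header (network byte order)."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0x3F,              # six control bits
        "window": window,
    }


def flag_names(flags: int) -> str:
    names = [name for bit, name in ((URG, "URG"), (ACK, "ACK"), (PSH, "PSH"),
                                    (RST, "RST"), (SYN, "SYN"), (FIN, "FIN"))
             if flags & bit]
    return "/".join(names) or "-"


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int = 65535) -> bytes:
    """Build a 20-byte header with no options (data offset = 5 words).
    Checksum and urgent pointer are left zero; a real stack fills them in."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


def check_handshake(pkts: List[bytes]) -> List[str]:
    """Validate client SYN, server SYN/ACK and client ACK (in that order).
    Returns a list of problems; an empty list means a well-formed handshake."""
    if len(pkts) != 3:
        raise ValueError("a handshake is exactly three segments")
    syn, synack, ack = (parse_tcp_header(p) for p in pkts)
    nxt = lambda n: (n + 1) & 0xFFFFFFFF       # sequence numbers wrap at 2^32
    problems = []
    if syn["flags"] != SYN:
        problems.append("segment 1 must have only SYN set")
    if synack["flags"] != SYN | ACK:
        problems.append("segment 2 must have SYN and ACK set")
    if synack["ack"] != nxt(syn["seq"]):
        problems.append("segment 2 ack must equal client seq + 1")
    if (synack["sport"], synack["dport"]) != (syn["dport"], syn["sport"]):
        problems.append("segment 2 ports are not the reverse of segment 1")
    if ack["flags"] != ACK:
        problems.append("segment 3 must have only ACK set")
    if ack["seq"] != nxt(syn["seq"]):
        problems.append("segment 3 seq must equal client seq + 1")
    if ack["ack"] != nxt(synack["seq"]):
        problems.append("segment 3 ack must equal server seq + 1")
    if (ack["sport"], ack["dport"]) != (syn["sport"], syn["dport"]):
        problems.append("segment 3 ports differ from segment 1")
    return problems


# Constructed segments (not a capture) with the numbers from the steps above.
CLIENT_SEQ, SERVER_SEQ = 329, 498
HANDSHAKE = [
    build_tcp_header(40000, 80, CLIENT_SEQ, 0, SYN),
    build_tcp_header(80, 40000, SERVER_SEQ, CLIENT_SEQ + 1, SYN | ACK),
    build_tcp_header(40000, 80, CLIENT_SEQ + 1, SERVER_SEQ + 1, ACK),
]
# A malformed third segment: SYN instead of ACK and an ack number that does
# not acknowledge the server's sequence number.
BAD_THIRD = HANDSHAKE[:2] + [build_tcp_header(40000, 80, CLIENT_SEQ + 1, 449, SYN)]

if __name__ == "__main__":
    for p in HANDSHAKE:
        h = parse_tcp_header(p)
        print(f"{h['sport']}->{h['dport']} {flag_names(h['flags'])} seq={h['seq']} ack={h['ack']}")
    print("handshake valid:", check_handshake(HANDSHAKE) == [])
    print("bad third segment:", check_handshake(BAD_THIRD))
```

The same parser can be pointed at the TCP portion of a raw packet captured with a sniffer, which is how a scanner classifies replies: SYN/ACK for open, RST/ACK for closed.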

More resources:

  • RFC for communication protocols

  • Service Name and Transport Protocol Port Number Registry

  • IP Layer Network Administration with Linux

  • TCP/IP Tutorial and Technical Overview

  • Packet Analysis Reference Guide v3.0