Ethical hacking: Port interrogation tools and techniques
“Know your enemy.” This is as true in hacking as it is in war, and port interrogation is a key part of that.
Port interrogation is a key skill that the bad guys use frequently when they begin their attacks. Ethical hackers should become intimately familiar with the tools and techniques of port interrogation in order to help their organization better defend against them.
This article will help you explore the details of port interrogation. We’ll look at what port interrogation is and the different tools and techniques that ethical hackers should understand.
What is port interrogation?
Port interrogation, also known as port scanning, is a way to see which ports are enabled and open. It is also a way to discover details about the services running on these open ports, including application name, version number and other useful information like info about the traffic crossing the network.
This is valuable because different application versions have their own vulnerabilities. Real attackers want to know this because the attack techniques they choose will depend on this. They also want to know which unnecessary services are running on open ports because they are the reconnaissance equivalent of a sitting duck — if you don’t use a service (or monitor them on some level), it can be a vulnerability. You, as the ethical hacker, want to know this so you can address these vulnerabilities long before attackers can exploit them.
Port interrogation tools
There are a variety of tools available for port interrogation purposes. The general idea with these tools is that IP packets are used to gather reconnaissance information about network ports.
Nmap is free, open-source and the most well-known of all port scanning/interrogation tools. It works by sending raw IP packets to targeted ports and can gather a plethora of information about its target. Just some of this information includes available ports, available hosts, what services are running on available hosts, application name and version, the target system’s OS and version, finding vulnerabilities on hosts, the type of packet filters in use, firewall information and a great deal of other information.
Unicornscan is a powerful, sophisticated and stateless port scan and reconnaissance tool that has hundreds of features. What sets it apart from other tools is that it uses its own TCP/IP stack, which means it is faster than other tools. Some of the unique features it offers include:
- Asynchronous stateless TCP scanning
- Asynchronous banner grabbing — used in OS and application fingerprinting
- Asynchronous UDP scanning (protocol specific)
- Remote OS and application detection (active and passive)
- Enable multiple modules from command line
- PCAP filtering and file logging
- Capability to store scan results in a relational database (output)
- Custom module support
- Customizable data set views
Angry IP Scanner
This cross-platform, open-source network scanner is built for speed and simplicity. It works by pinging every IP address on a network and can perform port and IP address scanning and find NetBIOS and web server information, among many other useful features. Angry IP Scanner provides all of this at no cost (yes, free!).
Advanced Port Scanner
Advanced Port Scanner is a very fast, robust, small and easy-to-use port scanner. It offers a user-friendly interface with rich functionality, including application names and versions and getting useful information about network devices. Like many other port interrogation tools, this one is free.
Port interrogation techniques
Port interrogation tools have automated these techniques, but they are still important for ethical hackers to understand. Below is a list of the major techniques that power the port interrogation tools above.
- Vanilla TCP Connect Scan: This is the most basic technique of the bunch. It uses the operating system’s connect system call to open a connection to every available port
- Address Resolution Protocol (ARP) scan: This technique helps you map out an entire network. It works by sending out a series of broadcasts and discovers active local network devices by incrementing the address field in the ARP broadcast
- TCP/IP stack fingerprinting: This technique is used by Nmap and helps it detect a wealth of information about a target’s OS, also known as OS detection. It involves sending a series of TCP and UDP packets to hosts and examines responses bit by bit. Dozens of tests are performed including TCP ISN sampling, IP ID sampling and initial window size check. Results are then compared with known OS fingerprints, which lets you know if there is a match. Just some of the information this technique gathers includes underlying OS, OS version, vendor name and device type
Port interrogation is one of the first actions attackers take when they begin an attack. As part of the reconnaissance phase of an attack, port interrogation can discover a wealth of information about a target including the traffic coming over their network, how many hosts are on the network, information about the services running on available ports and more.
Ethical hackers need to know how the real bad guys think and where they may be looking when they are casing your organization for an attack. Gaining a thorough understanding of these port interrogation tools and techniques will help keep you a step ahead.