Scanning Network Protocols

A Brief Primer on Network Protocols

Understanding how devices communicate across a network is fundamental to cybersecurity. Below is a brief overview of key network protocols and tools used in scanning and enumeration.

ICMP (Internet Control Message Protocol)

  • Primarily used to test connectivity between devices using tools like ping.

  • Does not use ports.

  • Commonly used in reconnaissance to determine if a host is up.

  • Example – Test if a host is up using ping:

ping 192.168.1.1

ICMP operates without ports and is often filtered by firewalls for security reasons.

TCP (Transmission Control Protocol)

  • A connection-oriented protocol.

  • Ensures reliable and ordered delivery of data.

  • Initiates communication using the three-way handshake (SYN → SYN-ACK → ACK).

  • Commonly used in services like HTTP, SSH, and FTP.

  • Example – Scan for open TCP ports using Nmap:

nmap -sS 192.168.1.1

This performs a SYN scan (stealth scan) to detect open TCP ports.

UDP (User Datagram Protocol)

  • A connectionless protocol.

  • Sends data without establishing a connection — often referred to as "fire and forget".

  • Faster than TCP but lacks reliability.

  • Widely used in applications like DNS, VoIP, and video streaming.

Security Note: Our goal as security professionals is to identify weaknesses in applications and services that utilize these protocols.

  • Example – Scan for open UDP ports using Nmap:

nmap -sU -p 53,67,123 192.168.1.1

This scans common UDP ports like DNS (53), DHCP (67), and NTP (123).


Ports

  • Ports are logical endpoints used to identify specific services running on a device.

  • Example: Port 80 (HTTP), Port 443 (HTTPS), Port 22 (SSH).

  • Ports act like doorways that allow interaction with network services.

  • Example – List all open ports with service detection:

nmap -sV 192.168.1.1

This adds version detection to determine what software and versions are running on each port.


Networking Knowledge

A foundational understanding of networking is essential before diving into topics like vulnerability scanning and penetration testing. Consider taking courses like CompTIA Network+ to solidify your base knowledge.


Scanning Tools

Nmap

  • A widely-used open-source network scanner.

  • Active for over two decades and continuously maintained.

  • Capable of host discovery, port scanning, service/version detection, and OS fingerprinting.

Netcat (nc)

  • A powerful network utility tool.

  • Can be used for reading and writing data across network connections.

  • Commonly used for setting up listener shells and connecting to remote services.

  • Example – Connect to a web server on port 80:

nc 192.168.1.1 80

  • Example – Start a listener on port 4444:

nc -lvnp 4444

Netcat is often used in post-exploitation scenarios to create reverse shells or transfer files.

Masscan

  • A high-speed port scanner designed for large-scale scanning.

  • Can scan the entire Internet in minutes.

  • Lightweight but requires more manual configuration compared to Nmap.

Purpose of these tools: Enumeration — identifying hosts, open ports, and the services running on those ports.

  • Example – Scan a local subnet for open ports:

masscan 192.168.1.0/24 -p0-65535 --rate=10000

Adjust the --rate to control scan speed. A higher rate increases scan speed but may trigger security alerts.
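To show what the "security alerts" side of a SYN scan looks like, here is an added example (not part of the original page or any of the tools above) that runs a simple scan heuristic over constructed flow records: a source that sends SYNs to many distinct ports in a short window and never sends an ACK is flagged, and its peak SYN rate per second is reported. The IP addresses, the log records and the thresholds are all constructed for illustration.

```python
"""Toy SYN-scan detector over constructed flow records (added example).

Each record is (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags),
the kind of tuple a flow collector or firewall log would yield.
"""
from collections import defaultdict

# Constructed sample log: a normal client completing handshakes on 80/443,
# and a scanner (192.168.1.50) sending bare SYNs to 200 ports in 0.2 s.
SAMPLE_FLOWS = [
    (0.0, "192.168.1.20", "192.168.1.1", 80, "S"),
    (0.1, "192.168.1.20", "192.168.1.1", 80, "A"),
    (0.2, "192.168.1.20", "192.168.1.1", 443, "S"),
    (0.3, "192.168.1.20", "192.168.1.1", 443, "A"),
] + [
    (1.0 + i * 0.001, "192.168.1.50", "192.168.1.1", 1 + i, "S")
    for i in range(200)
]

def detect_syn_scanners(flows, window=5.0, min_ports=50):
    """Return {src_ip: max_distinct_ports} for sources that sent SYNs to at
    least ``min_ports`` distinct destination ports inside any ``window``
    seconds and never completed a handshake (no ACK seen from them)."""
    syns = defaultdict(list)   # src -> [(ts, dst_port), ...] in time order
    acked = set()              # sources that sent at least one ACK
    for ts, src, _dst, dport, flags in sorted(flows):
        if flags == "S":
            syns[src].append((ts, dport))
        elif "A" in flags:
            acked.add(src)
    suspects = {}
    for src, events in syns.items():
        if src in acked:       # legitimate client: handshake completed
            continue
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1     # slide the window forward
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                suspects[src] = max(suspects.get(src, 0), len(ports))
    return suspects

def peak_syn_rate(flows, src, bucket=1.0):
    """Highest number of SYNs ``src`` sent in any ``bucket``-second slot;
    compare this with the --rate a scanner such as masscan was run at."""
    counts = defaultdict(int)
    for ts, s, _dst, _dport, flags in flows:
        if s == src and flags == "S":
            counts[int(ts // bucket)] += 1
    return max(counts.values(), default=0)

if __name__ == "__main__":
    for ip, n in detect_syn_scanners(SAMPLE_FLOWS).items():
        print(f"{ip}: {n} distinct ports, peak {peak_syn_rate(SAMPLE_FLOWS, ip)} SYN/s")
```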


Example: Basic Port Scanning with Nmap, Netcat, and Masscan

# TCP SYN Scan using Nmap
nmap -sS -p 1-1000 192.168.1.1

# Connecting to a remote service using Netcat
nc 192.168.1.1 80

# High-speed port scan using Masscan
masscan 192.168.1.0/24 -p0-65535 --rate=10000
