Port Scanner Shootout Part 1: The Stage
Port scanning is an essential part of network device management and security. The basics of auditing and enumeration are taught as core skills of network engineering, defensive security, and offensive security. That being said, it can be difficult to keep up with all the technology behind port scanning, what new tools have come along, and how we can best use them for our tasks. This series will go into detail about port scanning techniques, tools, and tests that will help us better understand which tool is best for each of the different port scanning tasks we have.
The Basics
Port scanning is the technique for enumerating services that allow network connections on a target device. As every device connected to a network has multiple different services and methods of communication, it can be difficult to track all of these and properly harden them against potential abuse. The solution to this is the Port Scanner. This tool sends simple network connection requests or "probes" to a target device, and then reports the status of the port/service to the user.
Using tools that regularly audit and report on the port status is a highly effective method of detecting changes within your environment that are unwarranted. Combined with the ability to create security alerts for these changes, these tools have become staples of network security engineers everywhere. They can also be used for offensive security testing. When attempting to enumerate security vulnerabilities on a system, port scanning is typically one of the first tasks. Akin to jiggling the door knob to see if the door is unlocked, port scanning highlights all of the starting points for offensive security practitioners to try to infiltrate their target.
Port scanning also plays a large part in vulnerability and asset management. In modern networks, most managed hosts have software agents of different utilities installed on them to assist with the various operational tasks of the network team. Vulnerability management teams will often deploy a vulnerability scanning agent to specifically audit the versions and configurations of the software installed on a device. For the most accurate results, these are paired with special privileged credentials reserved for the tool, to perform what is called a credentialed scan. For all of the other devices on the network that do not have an agent installed or do not allow credentialed scanning, these tools fall back to an un-credentialed scan against the remote host. This will typically include a port scan against the target to determine its open services, followed by a request for the banner of each running service. A service banner is the text a service sends when a connection is opened or when it is probed, and it usually identifies the software and its version. Banners are self-reported and can be changed or removed by the administrator, so version information gathered this way is a lead rather than proof.
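As an added example (not code from the original post or from any of the tools this series will test), here is the un-credentialed path in plain Python: a TCP connect scan of each port that maps the socket outcome onto a port state, followed by a banner grab on anything that is open. To keep it runnable offline it starts its own throwaway listener on 127.0.0.1 that greets clients with a constructed SSH-style banner; the listener, the banner text, and the helper names are all assumptions of this example.

```python
import errno
import socket
import threading

# Constructed banner for the local test listener; it stands in for the
# greeting a real service (SSH, SMTP, FTP) sends as soon as you connect.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"


def start_banner_listener(banner=FAKE_BANNER):
    """Start a throwaway TCP service on 127.0.0.1 that sends `banner` to each
    client and hangs up. Returns (port, server_socket). Scaffolding only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))           # port 0: the OS picks a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # server socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_port():
    """Reserve and immediately release a port so we have one that is closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def connect_scan(host, port, timeout=1.0):
    """TCP connect scan of one port. Returns (state, socket_or_None), mapping
    the socket outcome onto the three states used in the post:
      open     - the full three-way handshake completed
      closed   - the target answered the SYN with a RST (ECONNREFUSED)
      filtered - nothing came back before the timeout, or the path reported
                 itself unreachable"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open", s
    except ConnectionRefusedError:
        s.close()
        return "closed", None
    except (socket.timeout, TimeoutError):
        s.close()
        return "filtered", None
    except OSError as e:
        s.close()
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered", None
        raise


def grab_banner(sock, timeout=1.0, max_len=256):
    """Read whatever the service volunteers right after connect. SSH, SMTP and
    FTP speak first; HTTP waits for a request, so an empty banner is normal."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(max_len)
    except (socket.timeout, TimeoutError):
        data = b""
    finally:
        sock.close()
    return data.decode("ascii", errors="replace").strip()


def uncredentialed_scan(host, ports):
    """Port scan plus banner grab: the un-credentialed path a vulnerability
    scanner falls back to. Returns {port: (state, banner)}."""
    results = {}
    for port in ports:
        state, sock = connect_scan(host, port)
        banner = grab_banner(sock) if sock else ""
        results[port] = (state, banner)
    return results


if __name__ == "__main__":
    listening, srv = start_banner_listener()
    for port, (state, banner) in uncredentialed_scan(
            "127.0.0.1", [listening, free_port()]).items():
        print(f"{port}/tcp {state:8s} {banner}")
    srv.close()
```

The closed port refuses instantly, while a genuinely filtered port only shows up after the full timeout; that asymmetry is why filtered ports dominate the run time of any scanner and why the speed metric later in this post matters.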
Types of Port Scanning
Port scanning incorporates multiple types of layer 4 networking protocols. Over the years of development, port scanning techniques have also grown to include various special types of scanning that can enumerate data about targets based on the results of certain interactions with certain ports. Here are a few of the most popular:
TCP - A connection-oriented protocol. TCP offers many options for testing connectivity by manipulating the three-way handshake as well as the flags that can be set on a segment.
TCP Connect - The original and most common type of scan, this attempts a complete three-way handshake with the target using the operating system's normal connect() call. It needs no special privileges, but every successful probe shows up on the target as a real connection.
TCP SYN - Using only the first step of the three-way handshake, a SYN scan never completes a connection (it is often called a half-open scan); it only determines whether the port answers a connection attempt. It is the popular choice for offensive scanning because no connection is ever established, so the application behind the port never sees the probe and there are far fewer data points from which to generate a security alert. Crafting bare SYN segments requires raw sockets, so this scan needs root or administrator privileges.
TCP FIN - Because FIN segments are normally only seen on established connections, stateless packet filters that only block SYNs will let them through. A closed port must answer an unsolicited FIN with a RST, while an open port silently drops it, so a FIN scan treats silence as open. The caveat is that several TCP stacks, Windows included, send a RST regardless of port state, so on those targets a FIN scan shows every port as closed.
TCP XMAS and NULL - These scans use other flag combinations to provoke the same RST-or-silence behaviour: a NULL scan sets no flags at all, and an XMAS scan "lights up" FIN, PSH and URG together. Because different operating systems handle these illegal combinations differently, the way a target responds also leaks information about the target's own TCP stack, which is one of the inputs to OS fingerprinting.
UDP - A connection-less protocol like UDP presents more of a challenge, as there is no handshake to rely on for responses. Instead, a scanner relies on ICMP "port unreachable" messages (type 3, code 3) to show that a port is closed. An open port only answers if the probe carries a payload the listening service responds to; otherwise it says nothing, which is indistinguishable from a dropped probe. Because of this, and because of historical abuse of ICMP, most operating systems and security devices rate-limit ICMP error messages (Linux, for example, defaults to roughly one destination-unreachable per second), which makes a full UDP scan very slow.
ICMP - While many will argue whether ICMP belongs at layer 3 or layer 4 (it rides directly inside IP with no transport header), ICMP packets are still used for the host-discovery and connectivity checks in many port scanning tools, and they are essential to the success of UDP scanning.
Port Scanning Results
When scanning for open ports on a target device, there are three basic states that you will encounter. These indicate whether a port is willing to accept network connections and whether there are any security measures in place to restrict those connections. Some scanners also report combined states such as open|filtered when a particular scan type cannot tell two of them apart.
Open - This indicates that a port is open on the target host, that it is accepting connections, and that there is no other infrastructure preventing connections to the device.
For TCP SYN scans, only a SYN is sent from the scanner to the target, and the target replies with a SYN-ACK. After the SYN-ACK, the scanner sends its own RST so as not to leave the target holding a half-open connection.
For TCP Connect scans, a complete three-way handshake occurs, followed by the scanner tearing the connection down with a FIN or RST.
For UDP scans, an open port replies with a UDP datagram only if the probe's payload is something the service answers; a port that stays silent could be open or filtered.
For FIN, NULL, and XMAS scans, an open port returns no response. That is also what a filtered port looks like, so these scans can only report silence as open|filtered.
Closed - This indicates that the target host is reachable and answered, but nothing is listening on that port. A firewall that actively rejects connections rather than dropping them can produce the same response, so "closed" does not always mean the host itself refused.
For TCP SYN and Connect scans, this is shown by an immediate RST (usually RST-ACK) in response to the SYN.
For UDP scans, the scanner receives an ICMP port unreachable message (type 3, code 3) if the port is closed.
For FIN, NULL, and XMAS scans, the scanner receives an immediate RST from the target.
Filtered/Dropped/Blocked - This indicates that a security tool or setting is preventing traffic to the target on the specified port. Usually nothing comes back at all and the scanner gives up after a timeout; sometimes an intermediate device sends an ICMP unreachable message with a code other than "port unreachable" (for example "administratively prohibited"), which scanners also treat as filtered. Because a dropped probe looks the same as a lost packet, most scanners retransmit a probe before declaring a port filtered.
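To make the rules above concrete, here is the response-classification logic a scanner applies, written as an added example for this post (not code from the original or from any real scanner). It builds the probe's TCP flag byte for each scan type, parses the flags out of a raw reply header, and turns reply-or-silence into a state, including the open|filtered ambiguity for the inverse scans and UDP. The ICMP code handling follows the convention Nmap documents (type 3 codes 1, 2, 3, 9, 10 and 13 mean filtered for TCP; for UDP code 3 is closed and the others are filtered), the header layout is from RFC 793, and the reply bytes in the demo are constructed rather than captured.

```python
import struct
from dataclasses import dataclass

# TCP flag bits, as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type sets on its probe. NULL sets nothing; XMAS "lights up"
# FIN, PSH and URG together.
PROBE_FLAGS = {
    "connect": SYN,
    "syn": SYN,
    "fin": FIN,
    "null": 0,
    "xmas": FIN | PSH | URG,
}

# ICMP type 3 (destination unreachable) codes that indicate a filter in the
# path rather than a closed port: net, host and protocol unreachable, and the
# net/host/communication "administratively prohibited" codes.
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}


@dataclass
class IcmpReply:
    """An ICMP error received instead of a TCP/UDP answer."""
    type: int
    code: int


def tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=0xFFFF):
    """Pack a bare 20-byte TCP header (no options). The checksum is left
    zero: a raw-socket sender fills it in from the IP pseudo-header."""
    data_offset = 5 << 4                 # header length: 5 x 32-bit words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def build_probe(src_port, dst_port, scan):
    """The segment a given scan type sends."""
    return tcp_header(src_port, dst_port, PROBE_FLAGS[scan])


def tcp_flags(segment):
    """Extract the six classic flag bits from a raw TCP header."""
    return segment[13] & 0x3F


def classify_tcp(scan, reply):
    """Port state for a TCP scan given the reply: raw TCP header bytes, an
    IcmpReply, or None for silence after retries."""
    if reply is None:
        # SYN/connect: a dropped probe. Inverse scans: open ports are silent
        # too, so silence cannot separate open from filtered.
        return "filtered" if scan in ("syn", "connect") else "open|filtered"
    if isinstance(reply, IcmpReply):
        if reply.type == 3 and reply.code in ICMP_FILTERED_CODES | {3}:
            return "filtered"
        return "unknown"                 # anything else is left to the operator
    flags = tcp_flags(reply)
    if flags & RST:
        return "closed"                  # RST means nothing is listening, for any scan type
    if scan in ("syn", "connect") and (flags & (SYN | ACK)) == (SYN | ACK):
        return "open"
    return "unknown"


def classify_udp(reply):
    """Port state for a UDP probe: payload back = open, ICMP 3/3 = closed,
    other unreachable codes = filtered, silence = open|filtered."""
    if reply is None:
        return "open|filtered"
    if isinstance(reply, IcmpReply):
        if reply.type == 3 and reply.code == 3:
            return "closed"
        if reply.type == 3 and reply.code in ICMP_FILTERED_CODES:
            return "filtered"
        return "unknown"
    return "open"                        # any datagram back means a listener answered


if __name__ == "__main__":
    # Constructed replies standing in for what the wire would carry back.
    syn_ack = tcp_header(22, 40000, SYN | ACK, seq=1000, ack=1)
    rst_ack = tcp_header(23, 40000, RST | ACK)
    print("syn  ->", classify_tcp("syn", syn_ack))       # open
    print("syn  ->", classify_tcp("syn", rst_ack))       # closed
    print("fin  ->", classify_tcp("fin", None))          # open|filtered
    print("xmas ->", classify_tcp("xmas", rst_ack))      # closed
    print("udp  ->", classify_udp(IcmpReply(3, 3)))      # closed
    print("udp  ->", classify_udp(None))                 # open|filtered
```

The only reply that is unambiguous for every scan type is the RST; everything else depends on which probe was sent, which is why a scanner has to carry the scan type through to the classification step rather than looking at packets in isolation.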
The Methodology
Our goal is to test multiple port scanning tools under different conditions, to determine which one accomplishes our tasks most effectively. The first step is to define the scope of our testing, which means looking at the parameters under which we perform port scanning.
Targets - Depending on the purpose, port scanning can target a single host or multiple hosts within a subnet. Tests will include both single-target and multiple-target runs.
Ports - Certain use cases, like bug bounty hunting, often look for a single port across multiple hosts. Others, like security auditing, look at all of the available ports on a single host. We will test both scenarios to determine which tool performs best for each purpose.
Location - Modern networks have a wide range of infrastructure designs, where some assets to be scanned will be within your local network and others will be remote. Tests will be performed within a local environment and then repeated against a remote target to measure the impact of internet traversal on the performance of each tool.
Data - Port scanning can return a wealth of information, from a simple port status to full service and version detail. While most port scanners focus on simple TCP SYN scanning, we will evaluate the content and accuracy of the other data points each tool can extract.
The Targets
To satisfy the different needs detailed in the scope above, three separate targets were selected to encompass them.
Local Host - A Metasploitable3 virtual machine will be launched on the same local machine that hosts the device performing the scanning. This allows various tests against a single target where network infrastructure issues do not exist, so the performance of the tools depends solely on the tools themselves. Because Metasploitable3 ships with a known set of services, it also gives us a ground truth to measure accuracy against.
Single Remote Host - Drawing inspiration from many other blogs that test out individual tools, we will perform scans against the domain hackerone.com. This again allows various tests against a single target, but now introduces the variables of the internet.
Remote Subnet - Choosing a remote subnet allows us to test against multiple hosts in a single scanning task. For this we chose 103.48.139.0/24, a random subnet with a high number of active hosts and a poor reputation.
The Metrics
In order to quantify the success of each tool, we must establish metrics for the different aspects of their performance. We must also establish a minimum standard required for the tool's task to be considered successful.
Accuracy - This metric is paramount to the success of the tool. It does not matter how fast it is or how many cool extra functions it has if it cannot perform accurate scans. The minimum acceptable result is 100% accuracy: every open port on the target found, and no port reported open that is not.
Speed - Once a tool meets the accuracy bar, speed becomes the primary metric for ranking it. This is the overall time the scanning task takes from start to finish.
Utility - This is a more subjective metric that will take a look at any extra functionality within the tool as well as how well it can be used in combination with other tools.
To be continued...
In the next entry, we will determine the requirements for testing qualification and review our contenders. Which scanners will be tested? Check the next entry to find out!