Friday 23 August 2013

How to test for open ports in a system

Problem: You want a listing of the open network ports on your system.

Solution: Probe your ports from a remote system.

Test a specific TCP port (ssh):-

# telnet target.example.com ssh
# nc -v -z target.example.com ssh

To scan most of the interesting TCP ports:-
# nmap -v target.example.com

To test a specific UDP port (1024):-
# nc -v -z -u target.example.com 1024

To scan most of the interesting UDP ports (slowly!):-
# nmap -v -sU target.example.com

To do host discovery only, for a range of addresses, without port scanning:-
# nmap -v -sP 10.12.104.200-222

To do OS fingerprinting:-
# nmap -v -O target.example.com

Nmap is a powerful and widely used tool for network security testing. It gathers information about target systems in three distinct phases:-

1. Host discovery: initial probes to determine which machines within an address range are responding.

2. Port scanning: tests to find open ports that are not protected by firewalls and are accepting connections.

3. OS fingerprinting: gathers more details about the targets.

To probe a single target, host name or address:
# nmap -v target.example.com
# nmap -v 10.12.200.115

The -v option gives more information; -v -v gives even more detail.

You can also scan a range of addresses:-
# nmap -v target.example.com/24
# nmap -v 10.12.200.115/24
# nmap -v 10.12.200.0-255
# nmap -v "10.12.200.*"
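Before pointing a scanner at a range, it helps to know exactly which addresses a target specification covers. The following is an added example, not code from the original post or from nmap itself: a small Python expander for the three address forms shown above (host/prefix, per-octet ranges and the `*` wildcard). It also accepts a range or wildcard in any octet, which nmap allows but the post does not show. Hostnames are not resolved; that is left to the caller.

```python
"""Expand nmap-style IPv4 target specifications into individual addresses.

Added illustration, not part of the original post. Covers the forms
'a.b.c.d', 'a.b.c.d/24', 'a.b.c.0-255' and 'a.b.c.*', with a range or
wildcard permitted in any octet.
"""
import ipaddress
import itertools
from typing import List


def _expand_octet(octet: str) -> List[int]:
    """Expand one dotted-quad component: '7', '200-222' or '*'."""
    if octet == "*":
        return list(range(256))
    if "-" in octet:
        lo, hi = octet.split("-", 1)
        lo_i, hi_i = int(lo), int(hi)
        if not (0 <= lo_i <= hi_i <= 255):
            raise ValueError(f"octet range out of bounds: {octet}")
        return list(range(lo_i, hi_i + 1))
    value = int(octet)
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of bounds: {octet}")
    return [value]


def expand_targets(spec: str) -> List[str]:
    """Return every IPv4 address the spec covers, in ascending order."""
    spec = spec.strip()
    if "/" in spec:
        # nmap treats host/prefix as "the network containing host";
        # strict=False makes ipaddress do the same instead of rejecting
        # a non-zero host part. Iterating a network yields every address,
        # including the network and broadcast addresses, as nmap would.
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad spec: {spec}")
    octet_lists = [_expand_octet(p) for p in parts]
    return [".".join(map(str, combo)) for combo in itertools.product(*octet_lists)]


def count_targets(spec: str) -> int:
    """How many addresses would a scan of this spec touch?"""
    return len(expand_targets(spec))


if __name__ == "__main__":
    # The specs below are the ones used in the post (constructed sample input).
    for s in ("10.12.200.115", "10.12.200.115/24", "10.12.200.0-255",
              "10.12.200.*", "10.12.104.200-222"):
        addrs = expand_targets(s)
        print(f"{s:20} -> {len(addrs):4} addresses, {addrs[0]} .. {addrs[-1]}")
```

Running it shows, for instance, that `10.12.200.115/24` and `10.12.200.*` both expand to the same 256 addresses, while `10.12.104.200-222` (the host-discovery range used above) is only 23.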

nmapfe is a graphical front end that runs nmap with an appropriate command line.

Use one of nmap's -P family of host-discovery options if your TCP or ICMP ping is blocked.

The goal of host discovery is to avoid wasting time port scanning unused addresses. If you know your targets are up, you can disable host discovery with the -P0 (zero) option (newer nmap releases spell this option -Pn).

The simplest way to test a TCP port is to try to connect with telnet.

The port might be open:

# telnet target.example.com ssh
  trying target.example.com.....
  connecting to target.example.com.
  Escape character is '^]'.

or closed (i.e. passed by the firewall, but with no server accepting connections on the target):

# telnet target.example.com 33333
  trying target.example.com.....
  telnet: connection to address 10.12.19.99: connection refused

or blocked (filtered by a firewall):

# telnet target.example.com 137
  trying target.example.com.....
  telnet: connection to address 10.12.19.99: connection timed out


The nc command is an even better way to probe ports:

# nc -z -vv target.example.com ssh 33333 137

target.example.com [10.12.19.99] 22 (ssh) open
target.example.com [10.12.19.99] 33333 (?) : Connection refused
target.example.com [10.12.19.99] 137 (netbios-ns) : Connection timed out

The -z option requests a connection probe without transferring any data.

UDP ports are harder to probe than TCP ports, because packet delivery is not guaranteed.
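The telnet and nc transcripts above show the three possible TCP outcomes (open, connection refused, timed out), and the UDP sentence explains why UDP is harder. The following is an added example, not code from the original post, that reproduces both points in Python using plain sockets: `probe_tcp` maps the three outcomes to the states open/closed/filtered, and `probe_udp` shows that a silent UDP port can only be reported as open|filtered. It assumes a Linux/BSD-style socket API and uses only loopback sockets that the script itself creates, so it runs offline and probes nothing but the local machine.

```python
"""Classify a TCP port as open, closed or filtered, the three outcomes the
telnet and nc transcripts above show, and illustrate why a UDP probe cannot
make the same distinction. Added example, not code from the original post.
Assumes a Linux/BSD-style socket API; only loopback addresses are used, so it
runs without network access and without touching any remote host.
"""
import errno
import socket
import threading


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port.

    open     - connect() completed: a listener accepted the TCP handshake
    closed   - the host answered with RST (ECONNREFUSED): reachable, no server
    filtered - no answer before the timeout: typically a firewall dropping it
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError as exc:
            # No route at all also means no handshake; report it as filtered.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def probe_udp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'open|filtered' for a UDP port.

    UDP has no handshake. A closed port usually answers with ICMP port
    unreachable, which the kernel surfaces as ECONNREFUSED on a connected UDP
    socket. Silence can mean a listening service that ignored our empty
    datagram or a firewall that dropped it; the two are indistinguishable,
    which is why nmap reports such ports as open|filtered.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(b"")
            s.recv(1)
            return "open"  # something actually replied
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def _accept_one(listener: socket.socket) -> None:
    """Accept a single connection so the client's handshake completes."""
    try:
        conn, _ = listener.accept()
        conn.close()
    except OSError:
        pass


def demo_local(timeout: float = 0.5) -> dict:
    """Run the probes against loopback sockets we control.

    Shows 'open' and 'closed' for TCP (a real 'filtered' result needs a
    packet filter in the path) and the UDP ambiguity for a bound but silent
    UDP socket. All sockets here are constructed by the demo itself.
    """
    results = {}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_accept_one, args=(listener,), daemon=True)
    t.start()
    results["tcp_listening"] = probe_tcp("127.0.0.1", port, timeout)
    t.join(timeout)
    listener.close()
    results["tcp_after_close"] = probe_tcp("127.0.0.1", port, timeout)

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))  # bound but never reads, so it never replies
    results["udp_bound_silent"] = probe_udp("127.0.0.1", udp.getsockname()[1], timeout)
    udp.close()
    return results


if __name__ == "__main__":
    for label, state in demo_local().items():
        print(f"{label:18} {state}")
```

The timeout is the whole story for the filtered case: a dropped SYN produces no RST, so the only evidence is silence, and the same silence is all you get from a UDP service that simply does not answer an empty datagram. That is why UDP scans are slow and why their results need an application-specific payload or a second source of evidence before you trust them.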
