Port scanning helps us determine how a target communicates with the outside world and It’s this communication that we leverage when exploiting a target.
Think of it like this, when a computer, phone, raspberry pi, server, smart TV, smart watch, or any device runs a web server over ports 80 or 443. A computer, phone, raspberry pi, server, smart TV, smart watch, or any device can connect to its port 80 or 443 and access whatever is being shared via the web server. If the computer, phone, raspberry pi, server, smart TV, smart watch, or device runs SSH then chances are SSH can be accessed via port 22. If an FTP server is being run then it most likely can be connected to by way of port 21.
Ports are either closed, filtered, or open. At least that is the case for the level of depth at which we are exploring ports in this writing. Open ports are of the greatest interest as we will want to explore the data/information being shared or the services being offered over these open ports. Generally speaking, there are 65,535 ports. Ports come in two flavors TCP and UDP. Therefore a complete scan would involve 65,535 TCP ports and 65,535 UDP ports.
“What’s the point Unsecured Nerd? Where are you going with this?”
The Unsecured Nerd thinks that Port Scanning is incredibly important. How else would we know what’s running on a target. Osmosis maybe?
Nmap is the world’s most popular port scanner. It does everything but this isn’t a tutorial on NMAP. Why? Because, there are a ton of those on the internet. They are just a Google search away.
Nmap is feature rich to put it mildly. It’s also worth noting that the Unsecured Nerd is a bit greedy when it comes to that initial NMAP scan. Nmap, and all of its features, makes it incredibly easy to fire off a scan that examines all 65,535 ports performing OS detection, service identification, version identification, and vulnerability scanning. There is a certain amount of overhead associated with scans that provide results with higher levels of fidelity.
What if there are “considerations”? Case in point, for a short period of time I found myself using an internet connection that was based on a cellular service provider’s 5G offering. The internet connection was fine. It was perfectly suitable for browsing the internet, it seemed to handle streaming services ok, and uptime was great. However, whenever I connected to a certain gamified cybersecurity training platform’s network via VPN everything seemed to slow down. All the tools I used were slow and so was browsing any content targets were serving. Anecdotally, I’ve connected to this same gamified cybersecurity training platforms network via VPN using a fiber-optic connection and there was no slow down at all. Here I am using an internet connection which, I believe, is causing Nmap to run much slower. I asked myself: Do I really need OS detection, service identification, version identification, and vulnerability scanning? Eventually, yes I might need that information but there is most definitely a better way to go about this given the “considerations”.
A BASH script will allow us to leverage the Operating System’s built-in functionality. A good comparison would be a BATCH file in Windows. I don’t want to get too deep into the details of BASH scripting at this time. I’ll provide short explanations as we refine our script. The important thing is to try to grok what’s going on from a big picture perspective. That level of understanding should allow us to immediately put into practice re-using certain elements to create BASH scripts that help us do other things.
There are a variety of methods and tools we could use for this task but ease of use and portability make Netcat a reasonable choice. If you need to get caught up then check out it’s homepage at https://netcat.sourceforge.net/ and the man page by typing “man nc” at your terminal if you are on a linux system or online at https://linux.die.net/man/1/nc.
We should always start our scripts with the “Shebang” line. This tells the operating system where to find the interpreter. The shebang line for a BASH script is:
#!/usr/bin/env bashWe will include author information as well:
# AUTHOR: insert_your_name_hereWe should have something that looks sort of like:
#!/usr/bin/env bash
#
# AUTHOR: insert_your_name_hereWhat information do we want to get from Netcat and how do we want it sorted? At a minimum we want to know which ports are closed and which which ports are open. Syntax for Netcat to perform a scan on a single port:
┌──(unsecurednerd㉿kali)-[~]
└─$ nc 127.0.0.1 80The subsequent output :
(UNKNOWN) [127.0.0.1] 80 (http) : Connection refusedNetcat can also scan a range of ports and/or several nonconsecutive ports. When we enter:
┌──(unsecurednerd㉿kali)-[~]
└─$ nc 127.0.0.1 80 81
┌──(unsecurednerd㉿kali)-[~]
└─$ nc 127.0.0.1 80-85
┌──(unsecurednerd㉿kali)-[~]
└─$ nc 127.0.0.1 80-85 90
┌──(unsecurednerd㉿kali)-[~]
└─$ nc 127.0.0.1 80-85 90 91
┌──(unsecurednerd㉿kali)-[~]
└─$ nc 127.0.0.1 80-85 90-95We get nothing and here is where the man page comes in handy. It tells us that Netcat has a “verbose” command line switch. That switch can actually be called twice. When would need to enter:
┌──(unsecurednerd㉿kali)-[~]
└─$ nc -vv 127.0.0.1 80 81
┌──(unsecurednerd㉿kali)-[~]
└─$ nc -vv 127.0.0.1 80-85
┌──(unsecurednerd㉿kali)-[~]
└─$ nc -vv 127.0.0.1 80-85 90
┌──(unsecurednerd㉿kali)-[~]
└─$ nc -vv 127.0.0.1 80-85 90 91
┌──(unsecurednerd㉿kali)-[~]
└─$ nc -vv 127.0.0.1 80-85 90-95So, If we enter:
┌──(unsecurednerd㉿kali)-[~]
└─$ nc -vv 127.0.0.1 80-85 90 91The output received is:
localhost [127.0.0.1] 85 (?) : Connection refused
localhost [127.0.0.1] 84 (?) : Connection refused
localhost [127.0.0.1] 83 (?) : Connection refused
localhost [127.0.0.1] 82 (?) : Connection refused
localhost [127.0.0.1] 81 (?) : Connection refused
localhost [127.0.0.1] 80 (http) : Connection refused
localhost [127.0.0.1] 90 (?) : Connection refused
localhost [127.0.0.1] 91 (?) : Connection refusedAll of the ports that we have scanned up to this point have a status that reads “connection refused” but if the port is not “connection refused” then is it safe to assume that the output would be exactly the same but “connection refused would be replaced with something like “open” or “filtered”? We don’t know and we need to find out.
We can enter something like:
┌──(unsecurednerd㉿kali)-[~]
└─$ nc -vv 8.8.8.8 53The output received is:
dns.google [8.8.8.8] 53 (domain) openIt’s worth noting that there is no colon “:“ between the service name and the status when the port is open.
Other things:
1. The scanning seems to be fairly sequential. That is not good. Netcat has a -r command line switch that will randomize local and remote ports.
2. Netcat has a -z command line switch that is described as “zero-I/O mode [used for scanning]”
The syntax for a scan should probably look something like:
┌──(unsecurednerd㉿kali)-[~]
└─$ nc -rvvz 127.0.0.1 80-85 90 91Which produces output similar to the following:
localhost [127.0.0.1] 84 (?) : Connection refused
localhost [127.0.0.1] 82 (?) : Connection refused
localhost [127.0.0.1] 81 (?) : Connection refused
localhost [127.0.0.1] 85 (?) : Connection refused
localhost [127.0.0.1] 83 (?) : Connection refused
localhost [127.0.0.1] 80 (http) : Connection refused
localhost [127.0.0.1] 90 (?) : Connection refused
localhost [127.0.0.1] 91 (?) : Connection refusedWe need to clean up this output. Awk can help us. If we think of each space delimited field as a column we can pipe the output to Awk and use Awk to search for “open” in the line of output and return columns such as the ip address, port, service, and the status. If there is a “:” in the line of output, which happens when the status is “Connection refused”, the ip address; port; and service are returned. Awk can also add a field that reads “closed/filtered” in these cases. We can then pipe that output to Column:
awk '{ if($5 == "open") { print $2" "$3" "$4" "$5 }; if($5 == ":") { print $2" "$3" "$4" ""closed/filtered" } }' | column -tThe syntax for our scan now looks something like:
nc -rvvz 127.0.0.1 80-85 90 91 | awk '{ if($5 == "open") { print $2" "$3" "$4" "$5 }; if($5 == ":") { print $2" "$3" "$4" ""closed/filtered" } }' | column -t***The above command will not work if copied and pasted or entered at a terminal prompt. I wrote the BASH script version of this command first. It needs to be altered slightly in order for it to work at a terminal prompt. I will change and provide an explanation in a re-write.***
We need to convert this into something suitable for a BASH script:
NC_OUTPUT=$(nc -rvvz "$@" 2>&1 | awk '{ if($5 == "open") { print $2" "$3" "$4" "$5 }; if($5 == ":") { print $2" "$3" "$4" ""closed/filtered" } }' | column -t)
We assign all of our output to a variable NC_OUTPUT. Our entire command is enclosed in $(). $() allows for command
substitution. The best definition for command substitution can be found at
https://tldp.org/LDP/abs/html/commandsub.html where it is defined as “reassigns the output of a command or even
multiple commands; it literally plugs the command output into another context.”
We then use nc -rvvz but the $@ that appears after allows us to provide any combination/number of individual
ports and port ranges. The 2>&1 redirects stderr to stdout so that we can get both error messages written to FD2
as well as normal output on FD1 written to FD1. We then pipe this to the awk command via the |. We then pipe that
output to column which separates the fields of the output into a table since we used the -t command line option. The
column man page tells us “Table output is useful for pretty-printing.”
Our BASH script so far sans major comments:
#!/usr/bin/env bash
#
# AUTHOR: insert_your_name_here
NC_OUTPUT=$(nc -rvvz "$@" 2>&1 | awk '{ if($5 == "open") { print $2" "$3" "$4" "$5 }; if($5 == ":") { print $2" "$3" "$4" ""closed/filtered" } }' | column -t)
echo "$NC_OUTPUT"
echo is used to print the contents of NC_OUTPUT to the terminal.
We run the script by entering the following at the terminal prompt:
┌──(unsecurednerd㉿kali)-[~]
└─$ ./nc_port_scanner_ver_002.sh 127.0.0.1 80 81 82-85Your output should look similar to:
[127.0.0.1] 80 (http) closed/filtered
[127.0.0.1] 81 (?) closed/filtered
[127.0.0.1] 83 (?) closed/filtered
[127.0.0.1] 85 (?) closed/filtered
[127.0.0.1] 82 (?) closed/filtered
[127.0.0.1] 84 (?) closed/filtered
This is good but there is one problem though and I think the answer is where BASH scripting and Linux-Fu shine as
solutions to certain kinds of problems. The ports are out of order. If we pipe NC_OUTPUT to
the sort command and ask it to sort the second field by string numerical value the contents of
NC_OUTPUT will appear ordered:
#echo "ordered" results
echo "$NC_OUTPUT" | sort -k 2 -nOur BASH script sans major comments now looks like:
#!/usr/bin/env bash
#
# AUTHOR: insert_your_name_here
NC_OUTPUT=$(nc -rvvz "$@" 2>&1 | awk '{ if($5 == "open") { print $2" "$3" "$4" "$5 }; if($5 == ":") { print $2" "$3" "$4" ""closed/filtered" } }' | column -t)
#echo "ordered" results
echo "$NC_OUTPUT" | sort -k 2 -nThe output is now ordered:
[127.0.0.1] 80 (http) closed/filtered
[127.0.0.1] 81 (?) closed/filtered
[127.0.0.1] 82 (?) closed/filtered
[127.0.0.1] 83 (?) closed/filtered
[127.0.0.1] 84 (?) closed/filtered
[127.0.0.1] 85 (?) closed/filteredLet's add some comments:
#!/usr/bin/env bash
#
# AUTHOR: insert_your_name_here
#
# USAGE: sh nc_port_scanner_ver_002.sh <ip_address> <port>||<port_range>||<any combination or number of ports and port ranges separated by a space characters>
# USAGE: ./nc_port_scanner_ver_002.sh <ip_address> <port>||<port_range>||<any combination or number of ports and port ranges separated by a space characters>
#
# EXAMPLE USAGE: sh nc_port_scanner_ver_002.sh 127.0.0.1 80
# EXAMPLE USAGE: sh nc_port_scanner_ver_002.sh 127.0.0.1 80 90
# EXAMPLE USAGE: sh nc_port_scanner_ver_002.sh 127.0.0.1 80 90 100-120
# EXAMPLE USAGE: ./nc_port_scanner_ver_002.sh 127.0.0.1 50-80
# EXAMPLE USAGE: ./nc_port_scanner_ver_002.sh 127.0.0.1 50-80 90-120
# EXAMPLE USAGE: ./nc_port_scanner_ver_002.sh 127.0.0.1 50-80 90-120 1000
#
# DESCRIPTION: simple netcat (nc) based port scanner. Scans TCP ports.
# Can scan either a single port or a single small range of ports as well
# as a combination/list of single ports and small ranges of ports because of
# the "$@" after the "nc -rvvz".
#
# nc (netcat) options being used:
#
# -r
# specifies that source and/or destination ports should be chosen
# randomly instead of sequentially within a range or in the order
# that the system assigns them.
#
# -vv
# have nc give more verbose output. We are using two v's so it should
# be "doubly" verbose.
#
# -z
# specifies that nc should just scan for listening daemons, without
# sending any data to them. It is an error to use this option in conjunction
# with the -l option.
#
# using redirection 2>&1:
# due to the way that nc handles output it is necessary to redirect stderr to
# stdout so that we can get both error messages written to FD2 as well as normal
# output on FD1 written to FD1.
# there are three file descriptors that cover basic reading and writing:
#
# -r
# specifies that source and/or destination ports should be chosen
# randomly instead of sequentially within a range or in the order
# that the system assigns them.
#
# -vv
# have nc give more verbose output. We are using two v's so it should
# be "doubly" verbose.
#
# -z
# specifies that nc should just scan for listening daemons, without
# sending any data to them. It is an error to use this option in conjunction
# with the -l option.
#
# using redirection 2>&1:
# due to the way that nc handles output it is necessary to redirect stderr to
# stdout so that we can get both error messages written to FD2 as well as normal
# output on FD1 written to FD1.
# there are three file descriptors that cover basic reading and writing:
# 0 - stdin (input)
# 1 - stdout (normal output)
# 2 - stderr (normal error)The entire script:
#!/usr/bin/env bash
#
# AUTHOR: <insert_your_name_here>
#
# USAGE: sh nc_port_scanner_ver_002.sh <ip_address> <port>||<port_range>||<any combination or number of ports and port ranges separated by a space characters>
# USAGE: ./nc_port_scanner_ver_002.sh <ip_address> <port>||<port_range>||<any combination or number of ports and port ranges separated by a space characters>
#
# EXAMPLE USAGE: sh nc_port_scanner_ver_002.sh 127.0.0.1 80
# EXAMPLE USAGE: sh nc_port_scanner_ver_002.sh 127.0.0.1 80 90
# EXAMPLE USAGE: sh nc_port_scanner_ver_002.sh 127.0.0.1 80 90 100-120
# EXAMPLE USAGE: ./nc_port_scanner_ver_002.sh 127.0.0.1 50-80
# EXAMPLE USAGE: ./nc_port_scanner_ver_002.sh 127.0.0.1 50-80 90-120
# EXAMPLE USAGE: ./nc_port_scanner_ver_002.sh 127.0.0.1 50-80 90-120 1000
#
# DESCRIPTION: simple netcat (nc) based port scanner. Scans TCP ports.
# Can scan either a single port or a single small range of ports as well
# as a combination/list of single ports and small ranges of ports because of
# the "$@" after the "nc -rvvz".
#
# nc (netcat) options being used:
#
# -r
# specifies that source and/or destination ports should be chosen
# randomly instead of sequentially within a range or in the order
# that the system assigns them.
#
# -vv
# have nc give more verbose output. We are using two v's so it should
# be "doubly" verbose.
#
# -z
# specifies that nc should just scan for listening daemons, without
# sending any data to them. It is an error to use this option in conjunction
# with the -l option.
#
# using redirection 2>&1:
# due to the way that nc handles output it is necessary to redirect stderr to
# stdout so that we can get both error messages written to FD2 as well as normal
# output on FD1 written to FD1.
# there are three file descriptors that cover basic reading and writing:
#
# -r
# specifies that source and/or destination ports should be chosen
# randomly instead of sequentially within a range or in the order
# that the system assigns them.
#
# -vv
# have nc give more verbose output. We are using two v's so it should
# be "doubly" verbose.
#
# -z
# specifies that nc should just scan for listening daemons, without
# sending any data to them. It is an error to use this option in conjunction
# with the -l option.
#
# using redirection 2>&1:
# due to the way that nc handles output it is necessary to redirect stderr to
# stdout so that we can get both error messages written to FD2 as well as normal
# output on FD1 written to FD1.
# there are three file descriptors that cover basic reading and writing:
# 0 - stdin (input)
# 1 - stdout (normal output)
# 2 - stderr (normal error)
NC_OUTPUT=$(nc -rvvz "$@" 2>&1 | awk '{ if($5 == "open") { print $2" "$3" "$4" "$5 }; if($5 == ":") { print $2" "$3" "$4" ""closed/filtered" } }' | column -t)
#echo "ordered" results
echo "$NC_OUTPUT" | sort -k 2 -nDISCLAIMER Everything discussed herein is done so within the context of Boot2Roots, Crackmes, CTFs, and various other types of Cyber Security/Information Security/Programming challenges and competitions, Cyber Security/Information Security/Programming education, the Cyber Security/Information Security/Programming industry, and the Cyber Security/Information Security/Programming education industry. DO NOT "ATTACK" ANY SYSTEM(S) WITHOUT FIRST OBTAINING PROPER AUTHORIZATION. The Unsecured Nerd cannot and, most importantly, is genuinely not interested in helping you hack your personal enemies, family, friends, significant other, your government, governments that oppose your government, random remote targets that you managed to locate on the internet, and/or really anything at all. If reading something on this site causes you to wonder how it can be applied to hack any of those aforementioned things it’s best that you keep wondering. Stay safe.
This site relies very heavily on design elements provided by Barebones which is "a modern, responsive boilerplate laid bare". Download your copy from https://acahir.github.io/Barebones/.