Portscanning - Beginner Tutorial
Portscanning 101
[Image: hacker-security.jpg]
Welcome to portscanning 101 with Dismal_0x8. For all the newbies out there, portscanning is an important thing to know how to do. Portscanning is how you start to probe a system for vulnerabilities. This tutorial will get into some pretty detailed stuff later on. Let's get to it.
1. Installation
[align=justify]We're going to start with the boring part. A great way to start, I know. If you're on Windows, I highly recommend you not be (here's a tutorial on how to use Linux without getting rid of Windows: Installing Kali. All the steps will be more or less the same though. We're going to be installing a tool called nmap (short for network mapper). If you're on Windows you can install nmap from nmap.org. Here's the direct link to the exe installer: Nmap-7.80.exe. If you're on *nix, you can install it from your package manager. 99.999% of the time, it's in your distro's repositories. For Debian-based distros (Kali, Ubuntu, etc.):
sudo apt update -y && apt install -y nmap
This is a good time to go ahead and get something out of the way for my Unix-using people. I know everyone always says "don't run as root, it's dangerous." You have to understand the reasoning behind that. You don't want to run as root for everyday tasks, because if you do something dumb or your computer gets compromised you're screwed. But when you're doing administrative work or hacking, switch to root. There's no reason to not be, and nobody wants to enter sudo before every command. Rant over. So go ahead and enter this command to switch to root:
sudo su && . .bashrc

Now that we have installation out of the way, let's get down to it.
2. Our First Portscan
So now that we have nmap, let's do a portscan. Open up cmd.exe as admin in Windows and a terminal if you're in *nix (root shell). Enter this command:
If you want to be a skidshit (google script kiddie) then you can skip this section. This is about as simple as portscanning gets. You'll see some output from the command. Read through it and see what's going on even if you don't understand it yet. What this command does is port scan your computer ( aka localhost is a special IP address for your computer that is only usable by the computer itself). So wtf is a portscan? To understand that, you have to know what a port is. Let's take a web server for example. A web server is a computer that has a website on it. To show you the website content, the server "listens" for connections on a port. A port is just a way for computers to know which program is using what part of the network interface. Ports are given numbers from 1-65535. To give an analogy, a host is like an apartment complex and the ports are like the apartments. If you went to an apartment and didn't know which apartment number to go to, the apartment complex staff can't help you find the right one. So with this system, servers can have multiple services (programs listening on a port). Like port 80 is a web server, 21 is FTP (file transfer protocol), etc. If you want to access the web server, connect to on port 80. Now what port scanning does is it tries to connect to every port on the remote system very fast to determine what services are running. If the system responds that a port is open, there is a service running on it and we can try to determine what it is. If the system responds the port is closed, there is no service running on that port. I've heard some (stupid) questions about "breaking into closed ports." These people think that a port is like a doorway into the system and if you can "break down the door" you can get into the system. That is not how closed ports work. If the port is closed, the system doesn't have a program using that port so there's no program to do anything with what you're sending. You can send as much data as you want to that closed port but nothing will happen. To give an analogy, it's like trying to call a company to buy a car. The catch is this company doesn't exist. So no car for you. Now nmap doesn't just send the string "is da port open muddafuqa?" And the server doesn't respond with "ya man" or "nah man." TCP (transmission control protocol) is the protocol that determines how computers communicate (not the best description, but it's easy enough to understand). TCP is the most common type of protocol used on the internet. It is used for HTTP (web servers), FTP, SSH, etc. The best way to understand is a little illustration. [Image: handshake.png]
So as you saw, the client (or portscanner) sends a packet (piece of data) with the SYN (syncronize) flag set. If the port is open, the server replies with SYN-ACK (syncronize acknowlegement) or a RST (reset) if the port is closed. The Client then responds with ACK (acknowlege). A connection is now established and the computers can send data back and forth. I'm going to give you an analogy. The TCP three way handshake is like you sending your friend a package. You send your friend a package with nothing in it labeled as SYN. Your friend sends one back that is labeled SYN-ACK if he wants packages from you. You send back one that says ACK. Now the two of you can send packages with messages, food, or whatever you want. Now the portscan we did is what's called a TCP connect scan. It does this three way handshake for lots of ports (1000 to be exact). You may note that there are 65535 ports, but we only scanned 1000. This is because scanning 65535 ports takes a decent bit of time depending on some other factors. So nmap by default scans the 1000 most commonly used ports. This usually works fine, but if you want to thorough you need to scan them all. You can practice using the TCP connect scan by port scanning your local network's devices. Just enter the following (replace x with a number between 1 and 254):
nmap -sT 192.168.1.x
The "-sT" flag is an option that specifies we want to do a TCP connect scan. The scan command we used before did the same thing because a connect scan is the default if you don't specify which one you want. Next we look at the SYN stealth scan. The way this works is it sends the SYN just like normal but if the server replies with SYN-ACK the port scanner doesn't send an ACK. The portscanner assumes that the port is open since the server replied with SYN-ACK (a reasonable assumption). The reason it's called a "stealth scan" is that it never actually completes the connection. So it's technically less likely to be logged by the target system. Not to say it is impossible to detect a SYN scan. Modern IDS/IPS (intrusion detection/prevention system) have no problem detecting SYN scans. SYN scanning is also faster than connect scanning because it doesn't have to worry about sending the last ACK. To do a SYN scan, just enter the following
nmap -sS 192.168.1.x
SYN scans are a good scan to default to if you're doing port scanning. The port scanner also requires higher privileges to run them because it has to do low level stuff with the packets it's sending. Hence, we run as admin or root. Now that we have a little knowledge under our belts, let's do some fun stuff.
2. Live Target
Ok, now we're going to practice on a live target. Fyi port scanning is not illegal per se, but it is typically the first step in an attack so some people don't take it well. We'll use greysec as an example.
Enter this command to do a portscan of greysec:
nmap -sS -Pn -vv --open greysec.net
This scan may take a few minutes depending on your network and the greysec server. I introduced some new options here. The -Pn option tells nmap not to do a ping of the host. Nmap does this to confirm the target is reachable and on before it starts scanning. But we can assume that greysec is up, since you're browsing it right now. The -vv option is just personal preference mostly. You don't have to use it. -v makes nmap output more information. -vv makes it output even more than that. You'll see the responses of SYN-ACK and such if you use -vv. I'm going to run this command myself to show you what the output will look like.
$ nmap -sS -Pn -vv greysec.net
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-03 12:32 XXX
Initiating Parallel DNS resolution of 1 host. at 12:32
Completed Parallel DNS resolution of 1 host. at 12:32, 5.08s elapsed
Initiating SYN Stealth Scan at 12:32
Scanning greysec.net ( [1000 ports]
Discovered open port 443/tcp on
Discovered open port 80/tcp on
Discovered open port 22/tcp on
Increasing send delay for from 0 to 5 due to 29 out of 95 dropped probes since last increase.
Completed SYN Stealth Scan at 12:32, 15.90s elapsed (1000 total ports)
Nmap scan report for greysec.net (
Host is up, received user-set (0.13s latency).
rDNS record for 112-143-172-163.rev.cloud.scaleway.com
Scanned at 2020-05-03 12:32:42 XXX for 16s
Not shown: 992 closed ports
Reason: 992 resets
22/tcp  open    ssh          syn-ack ttl 50
25/tcp  filtered smtp        no-response
80/tcp  open    http        syn-ack ttl 50
111/tcp filtered rpcbind      no-response
135/tcp filtered msrpc        no-response
139/tcp filtered netbios-ssn  no-response
443/tcp open    https        syn-ack ttl 50
445/tcp filtered microsoft-ds no-response

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 21.14 seconds
          Raw packets sent: 1091 (48.004KB) | Rcvd: 1067 (42.700KB)
So there's a lot to look at here. You can see that nmap resolves the domain name with DNS. Greysec.net resolves to Nmap found 3 open ports. SSH port 22, HTTP port 80, and HTTPS port 443. Generally SSH isn't the best thing to expose to the internet if you don't have to. Reason being it allows you to login to the server and give it commands if you can get the login credentials. Of course you'd have to brute force/dictionary attack the password. A good way to mitigate this is by only allowing public key authentication. This just means you have to have a special file that acts like a key. That way there's no way to brute force or dictionary attack the password. I did check and the server supports password authentication. I'm not making any judgements on Insiders security practices of course. I'm sure he has his reasons and as far as we know the greysec server hasn't been compromised. If we were doing actual recon then we'd definitely want to explore those ports more. Find service versions, explore the functionality, etc. You can see the latency (how long it takes a packet to get to the server and the server to get one back to us) is 0.13 seconds. The hostname 112-143-172-163.rev.cloud.scaleway.com suggests that this is likely a cloud server. Important to know. You can also see that nmap says it isn't showing the 992 closed ports. Which makes sense because they aren't helpful to see. It also tells us how it determined they were closed. The server responded with RST packets (992 resets). It also tells us the reason why it determined some ports to be open: syn-ack. You also see that some ports are "filtered." This means that nmap couldn't determine whether the port was open or closed. This can indicate a firewall or something else is in place. You'll notice that the reason for these being filtered is "no-response." This just means we sent a SYN packet but the server didn't respond. Pretty self-explanatory.
Now in real life this may or may not be something you would do. You'll ideally want to be more stealthy. Port scans aren't really stealthy for the most part. Connecting to hundreds or thousands of ports rapidly isn't normal behavior for a client. Of course you can slow down the scan to be more stealthy. Nmap has different speeds from 0-5. 0 is really slow, 5 is an unholy level of fast. I don't recommend using above the default of 3. You can read more about the speeds by entering man nmap. To specify a speed, use -T <number>. Port scans will start taking a few minutes if you use below 3. Another approach is to scan only specific ports that you want to go after. For example:
nmap -sS -T2 -p 21,22,23,80,443,135,445,139 example.com
This does a slightly slower port scan (-T2) of only ports 21,22, 23...etc. Those ports are FTP, SSH, Telnet, HTTP, HTTPS, netbios, some windows protocol I can't remember the name of rn, and Windows SMB. It's not a comprehensive list of things to look for, but it's a start.
I hope you enjoyed the tutorial. If you made it this far, congrats! You either skipped down here or read the whole thing. It's a lot to digest. Check out all the options nmap has available by entering nmap --help. If you have questions feel free to ask below or PM me. Thanks for reading.

Possibly Related Threads…
Thread Author Replies Views Last Post
  [Tutorial] Password Attacks With Hydra DeepLogic 1 1,269 05-16-2020, 10:58 PM
Last Post: Insider
  The Complete Wireshark Course: Beginner to Network Admin! Cypher 2 6,691 03-06-2018, 03:15 AM
Last Post: QMark