Scanning is the part of the enumeration stage of a security assessment that identifies live hosts and the services they expose. It is an important early step in testing because it maps the attack surface and gives security testers the information needed to prioritise their next steps.
Scanning can be broken down into 3 distinct stages:
· Identify target devices (live hosts)
· Identify running services (open ports)
· Enumerate additional data about those services
There are a multitude of tools that can help with these actions. For the most part, ARP requests (on the local IPv4 segment) or ICMP echo requests ("ping") are used to identify live hosts; on IPv6, Neighbor Discovery, which is carried over ICMPv6, plays the role ARP plays on IPv4. A host that replies is certainly live, but a host that does not reply is not necessarily down: host firewalls commonly drop ICMP, so an unanswered ping should be followed up with a TCP or UDP probe to a likely port before the address is written off.
Computers use different ports to make different services available. A port number is a 16-bit value, 0 to 65535, on both TCP and UDP; port 0 is reserved, which leaves 65535 usable ports on each protocol. Ports 0 – 1023 are referred to as "well-known ports", 1024 – 49151 as "registered ports", and 49152 – 65535 as "dynamic" (also "private" or "ephemeral") ports, which are normally used as the source port of outbound connections rather than for listening services.
While any service can run on any port, most well-known services use their default port. For example, web servers running HTTP use TCP port 80, HTTPS uses TCP port 443, and Windows RDP uses TCP port 3389. The list goes on. As such, a port scan helps us identify what software is likely running on a target device and therefore helps direct the progress of an attack. The mapping is a convention, not a guarantee: an SSH daemon can be moved to 2222 and a web server can listen on 8080, so the port number is a hint that should be confirmed by inspecting the service itself.
A full picture of a host's attack surface therefore requires scanning all 65535 ports on both TCP and UDP. Most scanners default to a much smaller set (Nmap, for example, scans the 1,000 most common ports per protocol unless told otherwise), so a default scan can miss a service that has been placed on a non-standard port.
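The following is an added example, not code from the original page, showing the simplest form of port scan: a TCP connect scan over a range of ports. It separates the three outcomes a TCP probe can have (the connection succeeds, the target answers with a reset, or nothing comes back before the timeout) and runs the probes in a thread pool so a full 65535-port sweep is practical. To run offline, demo() stands up two throwaway listeners on 127.0.0.1 as the "target services"; the host, the port window and the worker count are assumptions chosen for the demo.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_probe(host, port, timeout=0.5):
    """Attempt a full TCP connection to host:port and classify the result.

    open     - connect() completed the three-way handshake: something listens.
    closed   - the kernel reported ECONNREFUSED: the target sent a RST.
    filtered - no answer before the timeout: typically a firewall dropping it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"        # unreachable network, no route, etc.


def tcp_connect_scan(host, ports, timeout=0.5, workers=64):
    """Probe every port in `ports` concurrently; return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: tcp_probe(host, p, timeout), ports)
        return dict(zip(ports, states))


def open_ports(scan):
    """Sorted list of ports a scan reported as open."""
    return sorted(p for p, state in scan.items() if state == "open")


def start_tcp_listener(host="127.0.0.1"):
    """Bind a throwaway listener on an OS-chosen port (a stand-in target service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


def demo(host="127.0.0.1"):
    """Start two local services, scan a window of ports around them and
    return the scan together with what we know the truth to be."""
    listeners = [start_tcp_listener(host) for _ in range(2)]
    expected_open = sorted(port for _, port in listeners)
    # Bind and immediately release a port so we know nothing listens there.
    spare, known_closed = start_tcp_listener(host)
    spare.close()
    interesting = expected_open + [known_closed]
    lo = max(1, min(interesting) - 20)
    hi = min(65535, max(interesting) + 20)
    try:
        scan = tcp_connect_scan(host, list(range(lo, hi + 1)))
    finally:
        for srv, _ in listeners:
            srv.close()
    return {"scan": scan, "expected_open": expected_open,
            "known_closed": known_closed}


if __name__ == "__main__":
    r = demo()
    print("open:", open_ports(r["scan"]), "expected:", r["expected_open"])
    print("known closed port state:", r["scan"][r["known_closed"]])
```

Against a real target the "filtered" result is the one to watch: a firewall that silently drops packets makes every probe wait for the full timeout, which is why scanning tools let you tune timeouts and parallelism.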
TCP (Transmission Control Protocol) is a connection-oriented protocol that allows applications to send data over a network and verify its delivery. A large number of protocols use TCP because it establishes a connection, confirms delivery of data and performs error-checking. A web server is a good example of a TCP service. From a scanner's point of view TCP is convenient: an open port completes the connection attempt, a closed port answers with a reset, and silence usually means a firewall dropped the probe.
UDP (User Datagram Protocol) is a message-oriented protocol that allows applications to send data over a network without verifying its delivery. Services that use UDP favour timely delivery over reliability and are best suited to real-time communication and broadcast systems. Video streaming is a good example: data must be processed and displayed continuously, so if a packet is corrupted there is no value in detecting the error and resending it, as that would stall the stream. This same property makes UDP harder to scan. A closed UDP port is normally reported by an ICMP "port unreachable" message, but an open port only answers if the probe happens to look like something the service understands, so no reply at all could mean either an open but silent service or a firewall dropping the probe. Scanners report that state as "open|filtered", and resolving it needs protocol-specific payloads and retries, which is why UDP scans are much slower than TCP scans.
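The following is an added example, not code from the original page, that makes the UDP ambiguity concrete. udp_probe() uses a connected UDP socket, so the kernel surfaces an incoming ICMP port-unreachable as ConnectionRefusedError (standard Linux and macOS behaviour, and on the loopback interface the ICMP message is always delivered); a reply means the port is open, and repeated silence is reported as "open|filtered". demo() runs three constructed local cases on 127.0.0.1: a chatty service that answers every datagram, a silent service that is bound but never replies, and a port that was released so nothing listens on it. The payload, timeout and retry count are assumptions chosen for the demo.

```python
import socket
import threading


def udp_probe(host, port, payload=b"\x00", timeout=0.5, retries=2):
    """Classify a UDP port the way a scanner has to.

    closed        - the kernel reported ICMP port unreachable for our datagram.
    open          - the service answered our probe.
    open|filtered - nothing came back: a silent service or a dropped probe.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))        # connected socket: ICMP errors reach us
        for _ in range(retries):
            try:
                s.send(payload)
                s.recv(4096)
                return "open"
            except ConnectionRefusedError:
                return "closed"
            except socket.timeout:
                continue               # retransmit, as real scanners do
    return "open|filtered"


def start_udp_service(reply, host="127.0.0.1"):
    """Bind a UDP socket on an OS-chosen port.

    With reply=True a background thread answers every datagram (a chatty
    service); with reply=False the socket just swallows probes (a silent one).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(0.2)                # lets the thread notice close()
    port = srv.getsockname()[1]
    if reply:
        def serve():
            while True:
                try:
                    data, peer = srv.recvfrom(4096)
                except socket.timeout:
                    continue
                except OSError:
                    return             # socket closed by demo()
                srv.sendto(b"pong:" + data, peer)
        threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo(host="127.0.0.1"):
    """Probe a chatty, a silent and a closed UDP port; return {case: state}."""
    chatty, chatty_port = start_udp_service(True, host)
    silent, silent_port = start_udp_service(False, host)
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind((host, 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # nothing listens here any more
    try:
        return {
            "chatty": udp_probe(host, chatty_port),
            "silent": udp_probe(host, silent_port),
            "closed": udp_probe(host, closed_port),
        }
    finally:
        chatty.close()
        silent.close()


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:7s} -> {state}")
```

Note that the "silent" case is indistinguishable from a firewalled port using this probe alone; the only way to promote it to "open" is to send a payload the service will actually respond to (a DNS query to port 53, an SNMP GetRequest to port 161, and so on), which is what a scanner's protocol-specific UDP payloads are for.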
Once live hosts and open ports have been identified, this information can be leveraged further with more targeted queries that give the tester more valuable data. This may include software version information (from service banners and responses to protocol-specific probes), operating system details, or the options a service supports, such as the TLS versions a web server will negotiate. As such, conducting a thorough and detailed scan of a target environment is a key step when conducting a security assessment.
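The following is an added example, not code from the original page, of the simplest such follow-up query: banner grabbing. grab_banner() first waits briefly for a greeting, because server-first protocols (SSH, SMTP, FTP) volunteer their software name and version on connect; if nothing arrives it sends a harmless HTTP request, because client-first services such as web servers only speak when spoken to, and it then pulls out the status line and Server header. demo() runs it against two constructed fake services on 127.0.0.1; the banners they send ("OpenSSH_9.2 Debian-2", "nginx/1.24.0") were made up for the demo and were not captured from any real host.

```python
import socket
import threading

# A probe that any HTTP server will answer and that changes nothing server-side.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"


def grab_banner(host, port, timeout=1.0, greet_wait=0.5):
    """Return whatever identifies the service on host:port, or '' if nothing."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(greet_wait)
        try:
            greeting = s.recv(1024)        # server-first protocols talk first
        except socket.timeout:
            greeting = b""
        if greeting:
            return greeting.decode("ascii", "replace").strip()
        s.settimeout(timeout)
        s.sendall(HTTP_PROBE)              # client-first: try HTTP
        try:
            reply = s.recv(4096)
        except socket.timeout:
            return ""
        lines = [l.strip() for l in reply.decode("ascii", "replace").split("\r\n")
                 if l.strip()]
        status = lines[0] if lines else ""
        server = next((l for l in lines if l.lower().startswith("server:")), "")
        return f"{status} | {server}" if server else status


def start_fake_service(handler, host="127.0.0.1"):
    """Listen on an OS-chosen port and hand every client socket to handler()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    srv.settimeout(0.2)                    # lets the thread notice close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return                     # listener closed by demo()
            with conn:
                handler(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def fake_ssh(conn):
    """Constructed SSH-style greeting: version string sent on connect."""
    conn.sendall(b"SSH-2.0-OpenSSH_9.2 Debian-2\r\n")


def fake_http(conn):
    """Constructed web server: waits for a request, answers with a Server header."""
    conn.settimeout(5.0)
    try:
        conn.recv(4096)
    except socket.timeout:
        pass
    conn.sendall(b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n"
                 b"Content-Length: 0\r\n\r\n")


def demo(host="127.0.0.1"):
    """Grab banners from the two fake services; return {name: banner}."""
    ssh_srv, ssh_port = start_fake_service(fake_ssh, host)
    http_srv, http_port = start_fake_service(fake_http, host)
    try:
        return {"ssh": grab_banner(host, ssh_port),
                "http": grab_banner(host, http_port)}
    finally:
        ssh_srv.close()
        http_srv.close()


if __name__ == "__main__":
    for name, banner in demo().items():
        print(f"{name:4s} -> {banner}")
```

A banner is self-reported and easily changed, so treat a version string as a lead to verify (for example by checking protocol behaviour) rather than as proof of what is running.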