Port scanning or OS fingerprinting. Believe it or not!
It is no secret that footprinting is essential to any successful attack. By and large, 70% of the effort in any attack should be spent gathering precise footprinting information. By the end of it, an attacker knows the target's operating system, its open ports, the services running on those ports, and any vulnerable applications installed.
All of this information is paramount when deciding which tools and technologies to use.
There are two types of footprinting, or reconnaissance: active and passive. Each has its pros and cons.
Here we walk through active footprinting, in which we interact directly with the target. Active footprinting is faster and more accurate than passive footprinting. However, it carries a greater risk of detection, and the scanner can get caught, unless the attacker holds written permission from the owner of the target.
One of the first steps in active footprinting is to reduce a set of IP ranges to a list of live, targeted hosts.
This requires port scanning or operating system fingerprinting. There are numerous port scanners to choose from, but here we will discuss the popular open-source tool Nmap.
Nmap is a free and open-source tool for network discovery and security auditing. It comes in both command-line and GUI versions, and runs on all major operating systems, including Windows, Linux, and Mac OS X.
Before we start port scanning, we need to understand the TCP three-way Handshake.
TCP three-way Handshake
As the diagram above shows, the host attempting a connection sends the destination host a packet with the SYN flag set. The remote host then checks that the proper authorizations are in place for this connection to be made. If all the requirements are met, the remote host replies to the first host with a packet that has both the SYN and ACK flags set. Finally, the first host sends a packet with only the ACK flag back to the second host, completing the handshake and establishing the connection.
Basic Nmap Scanning
First, we will do a basic ping scan, which simply pings every IP in a range and reports any hosts that respond.
As seen below, we scan the range 192.168.56.0/24, which covers every IP from 192.168.56.0 to 192.168.56.255, and obtain a list of the hosts on the network.
Based on the scan result below, three hosts are currently up: 192.168.56.101, 192.168.56.102 and 192.168.56.103.
Next, we will identify which operating system (OS) each host is running.
The screenshot above shows detailed operating system information for two of the hosts.
Comprehensive Nmap Scanning
Nmap offers not only basic scanning but also a more comprehensive investigation: which ports are open or closed, which services listen on them, and which versions of those services are running.
Let us examine the open ports, their services, and the service versions.
With the -sV option, Nmap actively probes open ports to determine which service and version is running on each of them.
When performing a version scan (-sV), Nmap sends a series of probes, each of which is assigned a rarity value between one and nine. Looking at the scan result for 192.168.56.101, we can see every open port, the type of service running on it, and its exact version.
Here is the scan result for another host, 192.168.56.103. Sometimes the set of open ports also gives a strong indication of the operating system, which serves as an alternative guess.
Remember that proper footprinting is a fundamental part of any successful attack.
There are many tools for port scanning and OS fingerprinting other than Nmap. However, Nmap stays ahead of the rest.