Port Scanning & Ping Sweep

Mostafa Elguerdawi
4 min readOct 3, 2023

Hello hackers, I’m Mostafa Elguerdawi, This will be the second write-up about Penetration Testing processes.

In this write-up we will talk about Port Scanning and Ping Sweep.

What is Port Scan?

  • Port scan is a technique that attacker perform to know open ports and running services in target server such as HTTP,FTP,SSH.
  • After know what is open ports and running services, We can use search for online exploits for them and test its vulnerabilities.
  • Port scanning considered as Active information gathering, That attacker must interact with the target to get this information.
  • Nmap is so famous tool for scan open ports, running services, and ping sweep, We can install it in linux using command sudo apt-get install nmap

Nmap Port Scan

  • When port scanning with Nmap, there are three basic scan types. These are:

TCP Connect Scans (-sT)

SYN (Stealth) Scans (-sS)

UDP Scans (-sU)

  • Additionally there are several less common port scan types:

TCP Null Scans (-sN)

TCP FIN Scans (-sF)

TCP Xmas Scans (-sX)

  • Most of these (with the exception of UDP scans) are used for very similar purposes, however, the way that they work differs between each scan.

TCP Connect Scans

To understand Connect scan we must get comfortable with Three Way Handshake.

Briefly the client(attacker) send TCP request to the server(target) with SYN flag, The server respond to the client with SYN-ACK flag, finally client send back ACK flag to server.

Explain : attacker sends request to server ask for connecting with it, then server respond with approval, finally attacker connect to server.

TCP connect scan works with performing Three Way Handshake with each port attacker need to scan.

E.g : Attacker run nmap to scan port 22 and this port is closed in target machine, The attacker sends request with SYN flag and server responde with RST flag because port is closed.

If, however, the request is sent to an open port, the target will respond with a TCP packet with the SYN/ACK flags set. Nmap then marks this port as being open (and completes the handshake by sending back a TCP packet with ACK set).

What if the port is open, but hidden behind a firewall?

Attacker send TCP request with SYN flag and responde nothing, in this case port will be considered as filterd.

nmap -sT <IP>

SYN Scans

SYN scan or Stealth scan is one of TCP scannes, It works for same purpose that Connect Scan, But with different way.

Where TCP scans perform a full three-way handshake with the target, SYN scans sends back a RST TCP packet after receiving a SYN/ACK from the server.

E.g : Attacker sends TCP request with SYN flag(like connect scan), Then server responde with SYN-ACK flag, and finally attacker send RST flag insted of ACK this prevents the server from repeatedly trying to make the request.

Stealth Scan required root permissions, SYN scans are the default scans used by Nmap if run with sudo permissions. If run without sudo permissions, Nmap defaults to the TCP Connect scan we saw in the previous task.

nmap -sS <IP>

UDP scan

UDP connections rely on sending packets to a target port and essentially hoping that they make it, but the lack of acknowledgement makes UDP significantly more difficult (and much slower) to scan.

Nmap send packet on UDP port and server responde with nothing, Nmap consider this port may be open or may be protected behind firewall(filtered), IF there is response the port marked as open, But in most time there is no response so Nmap send the packet again to check if there is response or not, IF not it will marked the port as open|filtered.

When a packet is sent to a closed UDP port, the target should respond with an ICMP (ping) packet containing a message that the port is unreachable. This clearly identifies closed ports, which Nmap marks as such and moves on.

nmap -sU <IP>

Ping Sweep

Ping Sweep is a process that attacker do to see which IP addresses contain active hosts, and which do not.

Nmap sends an ICMP packet to each possible IP address for the specified network. When it receives a response, it marks the IP address that responded as being alive.

E.g : attacker send ICMP packet to IP address 192.168.1.4 if the IP address respond to this packet so attacker know that IP have live host.

Nmap in ping sweep

nmap -sn 192.168.0.1-254

Firewall Evasion

Your typical Windows host will, with its default firewall, block all ICMP packets, Fortunately Nmap provides an option for this: -Pn, which tells Nmap to not bother pinging the host before scanning it. This means that Nmap will always treat the target host(s) as being alive(if the host really is dead then Nmap will still be checking and double checking every specified port).

--

--