TCP/UDP Service Scanning

MITRE ATT&CK™ Network Service Discovery - Technique T1046

Theory

We may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system. Blindly conducting port scans can lead to detrimental consequences for both the target systems and the client network. This is primarily due to the potentially high volume of traffic generated by these scans, coupled with their intrusive nature. Such consequences may include server and network link overloads, as well as the triggering of intrusion detection and prevention systems (IDS/IPS).

TCP and UDP are protocols of the TCP/IP transport layer, which provides end-to-end communication between applications on two hosts. Acknowledgments of data receipt and retransmission of missing packets are what ensure that data arrives in order and without error (a property of TCP only, as the bullets below explain).

  • TCP: Applications can interact with one another using TCP as though they were physically connected by a circuit. TCP transmits data in a way that resembles character-by-character transmission rather than separate packets. A starting point that establishes the connection, the whole transmission in byte order, and an ending point that closes the connection make up this transmission.

  • UDP: The datagram delivery service is provided by UDP, the other transport layer protocol. Connections between receiving and sending hosts are not verified by UDP. Applications that transport small amounts of data use UDP rather than TCP because it eliminates the processes of establishing and validating connections.

Practice

Nmap is one of the most popular, versatile, and robust port scanners available.

# Nmap TCP CONNECT scan
## -sT: TCP Connect scan
## -p3388-3390: port range
nmap -sT <IP> -p3388-3390

# Nmap SYN TCP scan (stealthy)
nmap -sS <IP>

# Nmap UDP scan
nmap -sU <IP>

# Nmap Full scan
## -sV: Version scan
## -sC: Script scan
## -O: OS Scan
## --osscan-guess: Guess OS more aggressively
## -oN: Output to file (normal format)
## -p-: Scan all ports
nmap -sS -sV -sC -O --osscan-guess -oN nmap.txt <IP> -p-
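The -oN file written by the full scan above is plain text and is easy to post-process. The following added example (not from the original page) parses nmap's normal output format into a per-host list of ports and flags anything exposed that is not on an expected-services allowlist, which is how a defender turns a scan into a list of unplanned exposures. The sample output and the allowlist are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of nmap "normal" (-oN) output; hosts, services and
# versions are made up for this example and do not describe real systems.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sU -sV -oN nmap.txt -p- 10.0.0.5 10.0.0.9
Nmap scan report for 10.0.0.5
Host is up (0.0012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu
80/tcp   open  http    nginx 1.18.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Nmap scan report for 10.0.0.9
Host is up (0.0030s latency).
PORT    STATE    SERVICE VERSION
53/udp  open     domain  ISC BIND 9.18
123/udp open|filtered ntp
# Nmap done at Mon Jan  1 10:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# <port>/<proto> <state> <service> [<version...>]; UDP states can be "open|filtered"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_normal(text):
    """Return {host: [(port, proto, state, service, version), ...]} from -oN output."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)   # every following port line belongs to this host
            continue
        m = PORT_RE.match(line)
        if m and current:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version or ""))
    return dict(hosts)

def unexpected_exposures(parsed, allowlist):
    """Ports not reported closed that are missing from the per-host allowlist of (port, proto)."""
    findings = []
    for host, entries in parsed.items():
        allowed = allowlist.get(host, set())   # hypothetical allowlist: {host: {(port, proto)}}
        for port, proto, state, service, _version in entries:
            if state != "closed" and (port, proto) not in allowed:
                findings.append((host, port, proto, state, service))
    return findings
```

Running unexpected_exposures on the sample with 22/tcp and 80/tcp allowed on the first host and 53/udp on the second reports the RDP port and the open|filtered NTP port, the latter deserving a follow-up check since a UDP scan alone cannot tell open from filtered.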

Netcat may also be used to scan targets for open ports.

# netcat TCP CONNECT scan
## -n: numeric-only IP addresses, no DNS
## -vv: verbose level
## -w: request timeout (in seconds)
## -z: zero-I/O mode (scan mode)
## 3388-3390: port range to scan
nc -nvv -w 1 -z <IP> 3388-3390

# netcat UDP scan
## -u: UDP mode
## 120-123: port range to scan
## If no "ICMP port unreachable" message is sent back, the port is likely open or filtered
nc -nv -u -z -w 1 <IP> 120-123

Resources
