# TCP/UDP Service Scanning

## Theory

We may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.\
Blindly conducting port scans can lead to detrimental consequences for both the target systems and the client network. This is primarily due to the potentially high volume of traffic generated by these scans, coupled with their intrusive nature. Such consequences may include server and network link overloads, as well as the triggering of intrusion detection and prevention systems (IDS/IPS).

TCP and UDP are the protocols of the TCP/IP transport layer and provide end-to-end communication between applications on two hosts. TCP additionally exchanges data receipt acknowledgments and retransmits missing packets to ensure that data arrives in order and without error.

* **TCP:** Applications can interact with one another using [TCP](https://www.geeksforgeeks.org/what-is-transmission-control-protocol-tcp/) as though they were physically connected by a circuit. TCP delivers data as a continuous byte stream rather than as separate packets: a connection setup that opens the circuit, the whole transmission delivered in byte order, and a teardown that closes the connection make up this exchange.
* **UDP:** The datagram delivery service is provided by [UDP](https://www.geeksforgeeks.org/user-datagram-protocol-udp/), the other transport layer protocol. UDP does not verify that a connection exists between the sending and receiving hosts. Applications that transport small amounts of data use UDP rather than TCP because it eliminates the overhead of establishing and validating connections.

## Practice

{% tabs %}
{% tab title="UNIX-Like" %}
[Nmap](https://nmap.org/download) is one of the most popular, versatile, and robust port scanners available.

```bash
# Nmap TCP CONNECT scan (completes the three-way handshake, no special privileges needed)
## -sT: TCP Connect scan
## -p3388-3390: port range
nmap -sT <IP> -p3388-3390

# Nmap SYN TCP scan (half-open, never completes the handshake; needs raw socket privileges, i.e. root)
nmap -sS <IP>

# Nmap UDP scan (also needs raw socket privileges; slow because UDP gives no positive reply for open ports)
nmap -sU <IP>

# Nmap Full scan
## -sV: Version scan
## -sC: Script scan
## -O: OS Scan
## --osscan-guess: Guess OS more aggressively
## -oN: Output to file (normal format)
## -p-: Scan all ports
nmap -sS -sV -sC -O --osscan-guess -oN nmap.txt <IP> -p-
```

[Netcat](https://nmap.org/download) may also be used to scan targets for open ports:

```bash
# netcat TCP CONNECT scan
## -n: numeric-only IP addresses, no DNS
## -vv: verbose level
## -w: connection timeout (in seconds)
## -z: zero-I/O mode (scan mode)
## 3388-3390: port range to scan
nc -nvv -w 1 -z <IP> 3388-3390

# netcat UDP scan
## -u: UDP mode
## 120-123: port range to scan
## If no "ICMP port unreachable" message is sent back, netcat reports the port as open,
## but it may equally be filtered: UDP gives no positive confirmation
nc -nv -u -z -w 1 <IP> 120-123
```

{% endtab %}

{% tab title="Windows" %}
The [Test-NetConnection](https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps) PowerShell cmdlet checks whether an IP responds to ICMP and whether a specified TCP port on the target host is open.

```powershell
# Scan for one port
Test-NetConnection -Port <PORT> <IP>
```

However, `Test-NetConnection` sends additional traffic (the ICMP echo) that is not needed for our purposes. Using the `Net.Sockets.TcpClient` object, we can script a plain TCP connect scan instead:

```powershell
# Loop to scan the first 1024 TCP ports.
# Connect() throws on a closed or filtered port, which terminates the echo statement
# for that port; 2>$null discards the error, so only open ports are printed.
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("<IP>", $_)) "TCP port $_ is open"} 2>$null
```

{% endtab %}
{% endtabs %}
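The high traffic volume and intrusive nature noted in the theory section are exactly what an IDS keys on. As an added example that is not part of the original page, the following Python detector runs over constructed firewall-style log lines (the iptables-like line format, the 60-second window and the 5-port threshold are assumptions) and flags a source that touches many distinct ports on one host within a short window, which is the footprint left by the Nmap and netcat range scans shown above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic) in an assumed iptables-like
# format: one line per new TCP SYN or UDP datagram seen by the firewall.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=22
2024-05-01T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=80
2024-05-01T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=443
2024-05-01T10:00:02 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=3388
2024-05-01T10:00:02 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=3389
2024-05-01T10:00:02 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=3390
2024-05-01T10:00:03 SRC=10.0.0.5 DST=10.0.0.20 PROTO=UDP DPT=123
2024-05-01T10:00:05 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP DPT=443
2024-05-01T10:05:00 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)

def parse_log(text):
    """Yield (timestamp, src, dst, proto, dport); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   m["proto"], int(m["dpt"]))

def detect_port_scans(text, window_seconds=60, min_ports=5):
    """Flag a source touching >= min_ports distinct (proto, port) pairs on one
    destination inside any sliding window of window_seconds (thresholds are assumptions).
    Returns {src: {dst: sorted (proto, port) pairs seen in flagged windows}}."""
    events = defaultdict(list)
    for ts, src, dst, proto, dport in parse_log(text):
        events[(src, dst)].append((ts, proto, dport))
    hits = defaultdict(dict)
    for (src, dst), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it lies within window_seconds of evs[end]
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            pairs = {(p, d) for _, p, d in evs[start:end + 1]}
            if len(pairs) >= min_ports:
                hits[src].setdefault(dst, set()).update(pairs)
    return {s: {d: sorted(p) for d, p in dsts.items()} for s, dsts in hits.items()}
```

On the sample above only 10.0.0.5 is flagged: 10.0.0.7 repeats a single port and never crosses the threshold, so ordinary clients are not reported.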

## Resources

{% embed url="https://attack.mitre.org/techniques/T1046/" %}


