Port and Service Discovery

Port and Service Discovery Guide

Introduction to Port and Service Discovery

Port and service discovery is a crucial phase in the ethical hacking methodology, specifically within the scanning networks stage. This process involves identifying open ports and active services running on target systems, providing valuable information for vulnerability assessment.

Why Port and Service Discovery is Important

Port and service discovery is essential because:

1. It reveals potential entry points into a system
2. It helps identify the operating system and applications running on the target
3. It exposes services that might be vulnerable to exploitation
4. It assists in mapping the network architecture
5. It enables targeted testing of specific services

What is Port and Service Discovery?

Port scanning is the process of probing a host for open ports, which are communication endpoints that services use to accept connections. Service discovery takes this further by identifying what specific services (like HTTP, FTP, SSH) are running on those open ports and determining their versions.

A port can be in one of three states:
- Open: The port is actively accepting connections
- Closed: The port is accessible but has no application listening on it
- Filtered: A firewall or other security mechanism is blocking access to the port

How Port and Service Discovery Works

Common Port Scanning Techniques:

1. TCP Connect Scan: Completes the full TCP three-way handshake. Most detectable but highly reliable.

2. SYN Scan (Half-open Scan): Sends SYN packets but never completes the connection, making it less detectable. The response indicates port status:
- SYN/ACK response = open port
- RST response = closed port
- No response = filtered port

3. FIN Scan: Sends a FIN packet to bypass simple packet filters. Closed ports respond with RST, while open ports typically ignore the packet.

4. XMAS Scan: Sends a packet with FIN, URG, and PUSH flags set. Responses are interpreted similarly to FIN scans.

5. NULL Scan: Sends packets with no flags set. Interpretation is similar to FIN scans.

6. UDP Scan: Sends UDP packets to detect UDP services. ICMP "port unreachable" messages indicate closed ports.

Service Discovery Methods:

1. Banner Grabbing: Collecting response banners from services that reveal version information.

2. Version Detection: Sending specific probes designed to elicit version information from services.

3. OS Fingerprinting: Analyzing network responses to determine the operating system.

Common Tools:

1. Nmap: The most comprehensive port scanning and service discovery tool.
Example: nmap -sV -O target_ip (scans for open ports, service versions, and OS)

2. Netcat: Simple utility for port scanning and banner grabbing.
Example: nc -v target_ip port

3. Masscan: Extremely fast port scanner for large networks.

4. Hping: Advanced packet crafting tool useful for custom scans.

Exam Tips: Answering Questions on Port and Service Discovery

1. Know Your Port Numbers:
- Memorize common port numbers and their associated services
- Examples: HTTP (80), HTTPS (443), FTP (21), SSH (22), Telnet (23), SMTP (25), DNS (53)

2. Understand Scanning Techniques:
- Be able to identify which scan type is appropriate for different scenarios
- Know the advantages and limitations of each scan type
- Understand which scans can evade detection and why

3. Recognize Nmap Commands:
- Know common Nmap switches and what they do
- Understand how to interpret Nmap output
- Be able to construct Nmap commands for specific scenarios

4. Identify Service Discovery Methods:
- Understand different banner grabbing techniques
- Know how version detection works
- Recognize OS fingerprinting methodologies

5. Security Implications:
- Understand how organizations can detect port scans
- Know countermeasures against port scanning
- Recognize the ethical and legal considerations

6. Practical Application:
- Focus on scenario-based questions that require applying knowledge
- Be prepared to analyze scan results and recommend next steps
- Practice interpreting various scan outputs

When answering exam questions, pay close attention to the exact scanning technique described, the port states mentioned, and the services involved. Often, questions will present a scenario and ask for the most appropriate scanning technique or the interpretation of scan results.