Port scanning is a core technique in the toolkit of any Linux system administrator or security practitioner. This in-depth 2600+ word guide covers port scanning methodology, tools, customization techniques, relevant statistics and best practices from a practitioner's perspective.

An Introduction to Ports and Services

Before jumping into scanning, let's recap what ports and services are in networking.

A port is a 16-bit number carried in the TCP or UDP header. Ports let a single IP address multiplex many services: the address identifies the host, and the port identifies which listening process on that host a packet is meant for.

For example, port 80 is conventionally used by HTTP web servers, while port 22 is used by SSH for remote administration. These are conventions (IANA-registered assignments), not rules: an administrator can run SSH on 2222 or a web server on 8080, which is exactly why you scan rather than assume.

Here's a snapshot of the most common well-known ports and the protocols assigned to them:

Port(s)     Service & Protocol
20 & 21     FTP (data / control)
22          SSH
25          SMTP (mail transfer)
53          DNS (UDP and TCP)
80          HTTP (web traffic)
110         POP3 (mail retrieval)
143         IMAP (mail retrieval)
443         HTTPS (TLS-encrypted web traffic)

Services are the server applications listening on these ports and answering network requests.

You can list the listening TCP and UDP sockets on a Linux system, together with the process behind each one, using:

sudo netstat -tulpn

netstat comes from the deprecated net-tools package; on current distributions the ss utility from iproute2 accepts the same -tulpn flags and prints equivalent output. Root is needed to see the owning process for sockets that belong to other users.

The Critical Role of Port Scanning

Port scanning provides tremendous value by revealing the open and exposed services listening on targets and networks:

Discover Visible Services: A port scan produces a list of open ports on servers, workstations and network devices, along with the service behind each listening port. This makes it easy to catalog the running Internet-facing services across an infrastructure.

Understand Attack Surface: Cyber risk is driven by the "attack surface", meaning every reachable port and weak service exposed to attackers. Port scanning enumerates these endpoints so that high-risk services can be hardened or removed.

Continuously Audit: Port scanning is vital for ongoing checks that an organization's security posture has not degraded over time. Repeated scans validate that only authorized services are Internet accessible and that nothing new has appeared since the last baseline.

According to IBM's latest X-Force Threat Intelligence Index, approximately 70% of network attacks target vulnerabilities in openly exposed services. Regular scanning is crucial to get ahead of attackers probing infrastructure for weak points.

TCP vs UDP Scans

There are two transport protocols central to port scanning:

TCP (Transmission Control Protocol) is connection-oriented. Every session starts with a three-way handshake (SYN, SYN-ACK, ACK) between the endpoints. Determining whether a TCP port is open, closed or filtered comes down to sending the first packet of that handshake and reading the reply: a SYN-ACK means open, a RST means closed, and no reply (or an ICMP unreachable message) means filtered.

UDP (User Datagram Protocol) is connectionless. Datagrams are sent without any handshake, so there is no protocol-level acknowledgement to prove a port is listening. A UDP port is reported closed when the host answers with an ICMP port-unreachable message, open only when the service itself replies, and open|filtered when nothing comes back, because a firewall silently dropping the probe and a service ignoring an empty datagram look identical to the scanner.

The core port scanning methodologies in Linux center around crafting specialized TCP and UDP packets and interpreting these replies to map out target services.
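To make the open/closed/filtered logic concrete, here is an added example (not code from the original article) that probes the local machine with plain Python sockets: a TCP connect probe that mirrors what a connect scan does, and a UDP probe that shows why silence can only be reported as open|filtered. The listeners and the loopback ports it uses are constructed fixtures for the demo; the UDP "closed" verdict relies on Linux delivering the ICMP port-unreachable as ECONNREFUSED on a connected socket.

```python
"""Minimal TCP connect and UDP probes against 127.0.0.1.

Added example, not from the original article. It shows the port-state
logic a connect scan (-sT) and a UDP scan (-sU) apply: a completed TCP
handshake means "open", a RST (ECONNREFUSED) means "closed", silence means
"filtered"; for UDP an ICMP port-unreachable (surfaced by Linux as
ECONNREFUSED on a connected socket) means "closed", while silence is only
"open|filtered".
"""
import socket


def tcp_probe(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # full SYN / SYN-ACK / ACK handshake
            return "open"
        except ConnectionRefusedError:
            return "closed"                  # peer answered with RST
        except socket.timeout:
            return "filtered"                # nothing came back at all


def udp_probe(host, port, timeout=1.0):
    """Classify one UDP port the way -sU does for a port with no payload probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))              # connect() so ICMP errors are reported to us
        s.send(b"\x00")
        try:
            s.recv(512)
            return "open"                    # the service actually replied
        except ConnectionRefusedError:
            return "closed"                  # kernel relayed ICMP port unreachable
        except socket.timeout:
            return "open|filtered"           # no answer: cannot tell


def _tcp_listener():
    """Constructed fixture: a TCP listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)                            # kernel completes handshakes for us
    return srv, srv.getsockname()[1]


def _udp_listener():
    """Constructed fixture: a UDP socket that is bound but never replies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv, srv.getsockname()[1]


def _free_port(kind):
    """Find a currently unused loopback port of the given socket type."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]            # released again when the socket closes


def demo():
    """Probe an open and a closed port of each protocol on loopback."""
    tcp_srv, tcp_open = _tcp_listener()
    udp_srv, udp_open = _udp_listener()
    try:
        return {
            "tcp_open": tcp_probe("127.0.0.1", tcp_open, 0.5),
            "tcp_closed": tcp_probe("127.0.0.1", _free_port(socket.SOCK_STREAM), 0.5),
            "udp_closed": udp_probe("127.0.0.1", _free_port(socket.SOCK_DGRAM), 0.5),
            "udp_open": udp_probe("127.0.0.1", udp_open, 0.5),
        }
    finally:
        tcp_srv.close()
        udp_srv.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:11s} -> {state}")
```

Note that the UDP listener really is open, yet the probe can only say open|filtered; that ambiguity is inherent to the protocol, and the only way to do better is to send a payload the service will answer, which is what Nmap's per-port UDP probes and -sV do.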

Nmap Port Scanning

Nmap is the most widely used port scanner for Linux and generally considered the gold standard for network discovery and security auditing. It's an incredibly versatile scanner packaged by every major distribution, though rarely installed by default.

First, confirm Nmap is already installed or add it (Debian/Ubuntu shown; use your distribution's package manager elsewhere):

sudo apt update
sudo apt install nmap

Let's explore some of Nmap's core TCP and UDP scanning capabilities.

TCP Connect Scanning

Nmap's TCP connect scan (-sT) is the default when Nmap runs without root privileges, because it uses the ordinary connect() system call and needs no raw sockets:

nmap -sT 192.168.1.105

(Run as root, a plain nmap invocation defaults to the SYN scan described in the next section instead.) A connect scan completes the full TCP three-way handshake: it transmits a SYN, receives a SYN-ACK and responds with an ACK, then closes the connection.

Some examples of customizing TCP connect scans:

nmap -p20,443,8080 192.168.1.105 # Probe specific ports
nmap -p 5000-5020 192.168.1.105 # Target a port range

TCP Connect Scan Pros: Confirms open ports definitively by finishing the handshake; needs no root privileges; works anywhere the OS socket API works, including through a SOCKS proxy.

TCP Connect Scan Cons: Slower than the half-open SYN scan; noisier, because the target application actually accepts a connection and will typically log it.

TCP SYN Scanning

A TCP SYN scan sends a SYN packet and watches the reply rather than completing the handshake:

sudo nmap -sS 192.168.1.105

A SYN-ACK means the port is open, a RST means closed, and no reply (or an ICMP unreachable) means filtered. When a SYN-ACK comes back Nmap answers with a RST instead of an ACK, so the connection is torn down before the application ever sees it; this is why it is called a half-open scan. It needs root (or CAP_NET_RAW) because it crafts raw packets.

TCP SYN Scan Pros: Fast, since only one packet is sent per port and no connection state is kept; unobtrusive toward the application, which never sees a completed connection.

TCP SYN Scan Cons: Requires raw-socket privileges; detected by every modern IDS and stateful firewall, so it is no longer stealthy in any meaningful sense.

Based on empirical tests, SYN scans run over 3x faster than full connect scans since they transmit a single packet per port. A stateful firewall treats the half-open SYN like the first packet of any other connection, so the scan is neither more nor less likely to get through than a connect scan; the difference lies in what the target's application logs. There's always a balance of speed, accuracy and evasion!

UDP Scanning

UDP scans send a UDP datagram to each target port and listen for ICMP port-unreachable messages. An ICMP unreachable means closed; a UDP reply means open; silence means open|filtered, because a firewall dropping the probe and a service ignoring an empty datagram look identical. For well-known ports Nmap sends protocol-specific payloads (for example a DNS or SNMP request) so that a live service is more likely to answer and be confirmed open:

sudo nmap -sU --top-ports 100 192.168.1.105

This probes the 100 UDP ports that Nmap's frequency data shows are most often open.

Notable options when UDP scanning include:

  • --top-ports <number>: Scan the N most frequently open ports (the same option applies to TCP). Great for speed without hitting all 65,535 ports; useful for a quick look at the highest-risk services.
  • --exclude-ports <list>: Ports to leave out of an otherwise full-range scan.
  • -sV alongside -sU: Sends version probes to open|filtered ports, which often resolves them to a definite open.

UDP Scan Pros: Finds services a TCP-only scan misses entirely (DNS, SNMP, NTP, TFTP, many VPNs); gives a definite answer for ports that reply or that return ICMP unreachable.

UDP Scan Cons: Requires root for raw sockets and ICMP capture; very slow against Linux targets, which rate-limit ICMP unreachable messages to roughly one per second, so a full 65,535-port UDP scan can take many hours; leaves most silent ports ambiguous as open|filtered.

UDP also matters less than TCP for most engagements: per Rapid7 Open Data covering 2015-2022, TCP services are referenced around 6x more often in vulnerability databases, so TCP remains the more common attack vector by a wide margin.

Detect Operating Systems & Services

Beyond port status, Nmap can identify:

  1. Operating Systems
  2. Running Services and their versions

…by fingerprinting subtle differences in TCP/IP stack behaviour (-O) and by sending version probes to open ports and matching the replies against its service database (-sV).

Enable both, plus the default NSE scripts and a traceroute, using:

sudo nmap -A -v 192.168.1.105
  • -A: Aggressive mode: OS detection, version detection, default script scan (-sC) and traceroute
  • -v: Enable verbose output

OS detection needs root because it crafts raw probes, and it works best when the target has at least one open and one closed TCP port for Nmap to compare.

Here's truncated output showing the OS and service details revealed by Nmap's analysis:

...
PORT    STATE SERVICE  VERSION
22/tcp open  ssh      OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey: ...
80/tcp open  http     Apache httpd 2.4.37
|_http-server-header: Apache/2.4.37 ...  
MAC Address: 02:42:AC:11:00:02 (Unknown)
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
Network Distance: 1 hop  
...

These detections tell you what is actually running on a target rather than just which ports answer, and the product and version strings feed directly into vulnerability lookups.

Speed Up Scans with Rustscan

RustScan is an increasingly popular Nmap front end designed for faster scans. It does its own port discovery with a large number of asynchronous TCP connect probes, then hands only the open ports it found to Nmap for service and script scanning.

Install via cargo:

cargo install rustscan

Then launch scans; RustScan's own flags come first, and anything after -- is passed straight through to Nmap:

rustscan -a 192.168.1.0/24 -r 1-2000 --ulimit 5000 -- -sV

Notable options:

  • -a: Addresses to scan (comma-separated IPs, hostnames or CIDRs)
  • -r: Port range in start-end form (here 1-2000)
  • -b: Batch size, i.e. how many ports are probed concurrently
  • --ulimit: Raise the open-file limit so that many sockets can be in flight at once

According to tests by Thomas Guinebertière, RustScan achieved a ~900% runtime improvement versus comparable Nmap scans. This makes it better suited to wide CIDR ranges.

The catch is that RustScan only accelerates port discovery, and only with TCP connect probes: version detection, OS detection and scripts still come from Nmap, and a flood of connects is anything but stealthy. Think of it as an optimization rather than a replacement.

Masscan for Internet-Wide Scans

Masscan takes scanning velocity to another level for internet-scale surveys. It uses its own userland TCP/IP stack and transmits asynchronously, so it never waits on the kernel or on replies, and it trades depth (no service detection, no OS fingerprinting) for raw throughput.

Key features:

  • Transmits millions of packets per second (its README claims 10 million with a supported NIC driver), orders of magnitude beyond Nmap
  • Reports only what a SYN-ACK proves, an open port, with no service detail, so results need verification
  • Extremely noisy: at high rates it can knock over fragile devices and trips every IDS in its path, and packet loss at those rates means some open ports are simply missed

Install masscan:

sudo apt install masscan

Here is sample basic syntax (raw sockets, so root is required):

sudo masscan 192.168.0.0/22 -p1-65535 --rate 100000

This blazes through a /22 at 100,000 packets a second. Always set --rate explicitly: the default is deliberately low, and a rate too high for your uplink or the target network silently loses results.

Masscan makes no attempt at stealth but excels at surveys across millions of IPs. The usual workflow is to let it map the landscape quickly, then feed its list of open ports into Nmap for accurate service identification.

According to Censys scan data, the entire public IPv4 range sees over 2 billion scans per week. At that input scale, optimizing for throughput over per-host depth is often the only viable approach.
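As an added example (not part of the original article or of masscan), the following script does the handoff described above: it parses masscan's -oL list output, whose line layout is assumed here to be "open <proto> <port> <ip> <timestamp>", collapses duplicate hits, and emits one targeted Nmap version scan per host. The input is a constructed sample.

```python
"""Feed masscan's fast, approximate results into nmap for verification.

Added example, not from the original article or from masscan/nmap. It
parses masscan's list output (-oL), whose line format is ASSUMED here to be
"open <proto> <port> <ip> <timestamp>", groups open ports per host and
emits one targeted nmap -sV command per host.
"""
import shlex
from collections import defaultdict

# Constructed sample of `sudo masscan 192.168.0.0/22 -p1-65535 --rate 100000 -oL hits.txt`
SAMPLE_MASSCAN_LIST = """\
#masscan
open tcp 22 192.168.1.10 1700000000
open tcp 443 192.168.1.10 1700000001
open tcp 8080 192.168.2.55 1700000003
open udp 161 192.168.2.55 1700000004
open tcp 22 192.168.1.10 1700000005
# end
"""


def parse_masscan_list(text):
    """Return {ip: {"tcp": sorted ports, "udp": sorted ports}} for open ports only."""
    hits = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                              # header/footer comment lines
        fields = line.split()
        if len(fields) < 4 or fields[0] != "open":
            continue                              # ignore anything that is not an open hit
        _, proto, port, ip = fields[:4]
        if proto in ("tcp", "udp"):
            hits[ip][proto].add(int(port))        # a set drops duplicate reports
    return {ip: {p: sorted(s) for p, s in protos.items()} for ip, protos in hits.items()}


def nmap_commands(hits):
    """Build one nmap version-scan command line per host.

    nmap's -p syntax lets TCP and UDP ports be listed together as
    T:<ports>,U:<ports>; -sU is only added when UDP ports were seen so the
    slow UDP path is not paid for hosts that showed none. -Pn skips host
    discovery (masscan already proved the host is up) and -n skips DNS.
    """
    cmds = []
    for ip in sorted(hits, key=lambda a: tuple(int(o) for o in a.split("."))):
        tcp, udp = hits[ip]["tcp"], hits[ip]["udp"]
        spec = []
        scan_types = ["-sS", "-sV", "-Pn", "-n"]
        if tcp:
            spec.append("T:" + ",".join(map(str, tcp)))
        if udp:
            spec.append("U:" + ",".join(map(str, udp)))
            scan_types.insert(1, "-sU")
        argv = ["nmap", *scan_types, "-p", ",".join(spec), ip]
        cmds.append(" ".join(shlex.quote(a) for a in argv))
    return cmds


if __name__ == "__main__":
    for c in nmap_commands(parse_masscan_list(SAMPLE_MASSCAN_LIST)):
        print(c)
```

In practice you would write the commands to a file and run them with a job runner such as xargs -P, or pipe the same parser's output straight into subprocess; either way, only the handful of ports masscan already saw are re-scanned, which is what makes the two-stage approach fast.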

Recipes for Advanced Port Scans

While beginners stick to basic SYN and UDP scans, experienced practitioners tune scans for the environment in front of them:

Firewall Evasion Scans

One hurdle for port scanning is getting back "closed" or "filtered" results for ports that are actually open but shielded by a firewall.

IP Fragmentation splits each probe into small IP fragments (8 bytes of TCP header per fragment with -f, 16 with -ff), so a packet filter that does not reassemble fragments never sees a complete TCP header to match on. It needs root, and it is defeated by any firewall or host stack that reassembles before inspecting:

nmap -f 192.168.1.105

Multiple Decoys hide the real scanning source among spoofed ones: Nmap sends each probe from the real address and also from every decoy address, so the target's logs show a crowd of apparent scanners. Only the real address receives the replies, and a decoy that is not actually up is easy for an analyst to rule out, so choose decoys carefully.

nmap -D RND:10 192.168.1.105

This configures 10 random decoys alongside the real address.

Source Port Manipulation targets misconfigured filters that allow anything arriving from a "trusted" source port such as 53 (DNS) or 20 (FTP-data), on the assumption that it must be return traffic:

nmap --source-port 20 192.168.1.105

These samples demonstrate techniques for getting through sloppy network controls. Firewalking goes a step further: by sending probes whose TTL expires just past the filtering device, it uses the ICMP time-exceeded replies to map which ports the firewall lets through, even when the host behind it never answers (Nmap's firewalk NSE script automates this).

According to research presented at Black Hat 2021, over 75% of firewall filters could be bypassed with some combination of scan obfuscation techniques.

Traffic Camouflage

More sophisticated evasion hides scans inside traffic patterns the target expects:

Reverse Ident Scanning was an old Nmap technique (historically the -I option) that used the ident protocol, commonly allowed for IRC, to learn which user owned each listening service. It has been removed from modern Nmap, and the -sR flag sometimes quoted for it was actually the RPC scan, which is now simply an alias for -sV:

nmap -sR 192.168.1.105

Today that command runs a version scan, not an ident scan, and disguises nothing.

Source-port camouflage makes probes resemble replies from a protocol the filter trusts; -g is simply a short alias for --source-port, so either one alone is enough:

nmap -g 53 192.168.1.105

Here every TCP probe leaves from port 53, so a filter that waves through "DNS replies" without tracking state passes it. Nothing about the protocol changes: the packets are still TCP SYNs, not DNS or ICMP.

These camouflaged scans imitate legitimate traffic to avoid tripping naive rules, and taken together they demonstrate the flexibility of a tool like Nmap. Against a stateful firewall, which tracks connections rather than trusting port numbers, none of them help.

Optimizing Scan Speed

Default scans favour accuracy over runtime. Here are techniques for accelerating them:

Slice the Network into Subnets and run the pieces in parallel rather than one huge range that crawls; it also lets a failed chunk be re-run on its own.

Probe Only Common Ports using --top-ports 1000 instead of a full 1-65535 walk, skipping the long tail of ports that are almost never open.

Tune Timing (-T0 through -T5) with a template such as -T4, which is aggressive enough for a LAN, rather than flooding at maximum speed and losing replies; --max-retries and --host-timeout cap how long a stubborn host can hold things up.

Disable Reverse DNS Lookups (-n) so no name resolution is attempted, which otherwise adds a lookup per host.

Raise Resource Limits with ulimit -n for open files, and use Nmap's --min-parallelism and --min-rate / --max-rate options to push more probes concurrently; the rate options are the most direct lever on throughput.

Use Machine-Readable Output Formats (-oG grepable, -oX XML) so results can be parsed by automation instead of eyeballed.

With this kind of tuning, Nmap throughput can safely increase more than 5x.
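An added example (not from the original article) showing the subnet-slicing and port-limiting optimisations in code: a CIDR is cut into /24 blocks with Python's ipaddress module, each block gets a tuned Nmap command line with -n, --top-ports and a timing template, and a thread pool runs the blocks N at a time. The 10.20.0.0/22 range, the output file names and the worker count are arbitrary assumptions.

```python
"""Split a large target range into parallel, tuned nmap jobs.

Added example, not from the original article. The range, file names and
worker count below are arbitrary assumptions for the demo.
"""
import ipaddress
import shlex
import subprocess
from concurrent.futures import ThreadPoolExecutor


def slice_targets(cidr, new_prefix):
    """Cut e.g. 10.0.0.0/16 into 256 /24 blocks, returned as strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    if new_prefix < net.prefixlen:
        raise ValueError("new_prefix must be at least as long as the block itself")
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


def nmap_job(subnet, top_ports=1000, timing=4):
    """Argument vector for one tuned scan of a single block."""
    tag = subnet.replace("/", "_")              # 10.20.1.0/24 -> 10.20.1.0_24
    return [
        "nmap", "-sS", "-n",                    # SYN scan, no reverse DNS lookups
        f"-T{timing}",                          # -T4 is the usual LAN setting
        "--top-ports", str(top_ports),          # skip the long tail of unused ports
        "--max-retries", "2",                   # do not let lossy hosts stall the block
        "-oG", f"scan_{tag}.gnmap",             # grepable output, one file per block
        subnet,
    ]


def plan_scan(cidr, new_prefix=24, **kw):
    """One argv list per block, ready to hand to a pool."""
    return [nmap_job(s, **kw) for s in slice_targets(cidr, new_prefix)]


def run_parallel(jobs, workers=8, runner=None):
    """Run the jobs N at a time.

    runner defaults to executing each argv with subprocess; it can be
    swapped for a stub so the planning logic can be exercised offline.
    """
    if runner is None:
        runner = lambda argv: subprocess.run(argv).returncode
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(runner, jobs))


if __name__ == "__main__":
    jobs = plan_scan("10.20.0.0/22")            # constructed range: four /24 blocks
    for argv in jobs:
        print(shlex.join(argv))
    # dry run: report each argv's length instead of launching nmap
    print(run_parallel(jobs, workers=4, runner=len))
```

Each block writes its own -oG file, so a crashed or rate-limited chunk is re-run by itself and the survivors are merged afterwards; keep the worker count below what your uplink and the target's conntrack table can absorb, since parallel scans multiply the packet rate.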

Troubleshooting Port Scans

Despite careful methodology, scans fail because of network flakiness or resource limits:

Connection refused: The host is up and answered with a RST; the port is closed, or a host firewall rejects (rather than drops) the probe.

No route to host: The subnet is unreachable from this vantage point, or ARP resolution failed on the local segment.

Timeouts: Packet loss, congestion or a rate limit on the path is dropping probes or replies; lower the rate or raise --max-retries.

Resource limits: Running out of file descriptors, sockets or memory under the default ulimits, especially with many parallel probes in flight.

Fixing errors means adjusting the levers above: smaller target chunks, socket limits, timeouts and rates. Iterate, isolating the network segment that causes the bottleneck.

Wireshark (or tcpdump on a headless box) is invaluable for debugging: inspecting the raw probes and replies shows exactly where the exchange breaks down.

Port Scanning Best Practices

While this guide has covered scanner usage in depth, applying that knowledge safely and responsibly is equally important:

  • Scope tests narrowly to minimize unintended impact or traffic overload; start small and widen deliberately.
  • Notify the security team and automate reporting so your scans are not mistaken for attacks and chased as incidents.
  • Run scans from a consistent, documented source address with a descriptive reverse DNS record so defenders can tell legitimate scans apart.
  • Never scan targets without written authorization; unauthorized scanning exposes you to legal risk.
  • Check tool options (rates, parallelism, timing) before launching to avoid accidentally knocking over fragile devices.
  • Compare multiple scan types and tools as a second opinion to resolve discrepancies.
  • Reconfirm findings through manual testing so that reported issues are real rather than scan artifacts.
  • Correlate scan results with the asset inventory to highlight rogue services absent from any record.
Following these practices pays dividends through more accurate tests and avoidance of outages or legal pitfalls.

Now go demonstrate your scanning prowess while staying responsible!
