Mastering PortScan & Stuff: A Complete Network Auditing Guide
Network auditing is the backbone of modern cybersecurity. Securing a perimeter requires seeing it exactly as an attacker does. This guide covers port scanning principles, essential tooling, and defensive strategies to protect infrastructure.
Understanding Port Scanning
Every service on a network listens on a numbered endpoint called a port. TCP and UDP port numbers are 16-bit values, so they range from 0 to 65535, and IANA divides that range into three categories:
Well-Known Ports (0–1023): Reserved for core services like HTTP (80), HTTPS (443), SSH (22), and DNS (53). On Unix-like systems, binding to one of these ports normally requires root or an equivalent capability (CAP_NET_BIND_SERVICE on Linux).
Registered Ports (1024–49151): Used by specific applications like MySQL (3306) or RDP (3389).
Dynamic/Private Ports (49152–65535): Used as ephemeral source ports for client-side connections.
These categories are conventions, not enforcement: nothing stops an administrator, or an attacker, from running SSH on 2222 or a web server on 8443, which is why service and version detection matter more than the port number alone.
Port scanning is the systematic probing of these channels to find open doors. Auditors use it to map assets and identify unauthorized services. Attackers use it to find an entry point.
Common Scan Types
TCP SYN Scan (Half-Open): The scanner sends a SYN packet. If a SYN/ACK returns, the port is open; the scanner then tears the embryonic connection down with a RST instead of completing the handshake. A RST in reply means the port is closed, and no reply (or an ICMP unreachable) means it is filtered. This method is fast and, because the handshake never completes, the application behind the port never sees a connection, though a firewall or IDS still sees the SYN. It requires raw-socket privileges (root on Unix), which is why it is Nmap's default only when run as root.
TCP Connect Scan: The scanner completes the full three-way handshake (SYN, SYN/ACK, ACK) through the operating system's connect() call and then closes the connection. This is louder: the target application's accept() succeeds, so the connection shows up in service logs and not only in packet captures. It requires no special privileges to run and is Nmap's default for unprivileged users.
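The connect scan above is simple enough to write from scratch, and doing so shows exactly where the three Nmap states come from. The following is an added example, not code from the original page or from Nmap: it classifies each port by what connect() does (handshake completes, RST arrives as ECONNREFUSED, or nothing arrives before the timeout) and scans a throwaway listener on the loopback interface. The listener, the reserved closed port and the 0.5 s timeout are constructed for the demonstration.

```python
import errno
import socket
import threading


def classify_tcp_port(host, port, timeout=0.5):
    """Connect-scan a single port: full three-way handshake via connect(), then close.

    Mapping of outcomes to Nmap's state vocabulary:
      handshake completes                  -> "open"
      RST answers the SYN (ECONNREFUSED)   -> "closed"
      no answer before the timeout, or an
      ICMP unreachable (EHOSTUNREACH etc.) -> "filtered"
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def connect_scan(host, ports, timeout=0.5):
    """Scan an iterable of ports sequentially; returns {port: state}."""
    return {port: classify_tcp_port(host, port, timeout) for port in ports}


def start_listener(host="127.0.0.1"):
    """Constructed target: a TCP listener on an OS-assigned port, served by a daemon thread.

    Each accepted connection is closed immediately; the point is that accept()
    returns at all, which is what makes a connect scan visible in service logs.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def reserve_closed_port(host="127.0.0.1"):
    """Constructed: ask the OS for a free ephemeral port and release it, so nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed loopback port; returns {port: state}."""
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in sorted(demo().items()):
        print(f"127.0.0.1:{port}\t{state}")
```

Against a real firewall the "filtered" branch is the interesting one: a default-deny rule that silently drops the SYN makes every unpublished port cost the scanner a full timeout, which is why connect and SYN scans of filtered ranges are so slow and why Nmap tunes timeouts adaptively.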
UDP Scan: UDP is connectionless. The scanner sends a UDP datagram, either empty or carrying a protocol-specific payload for common services such as DNS or SNMP. If the port is closed, the target usually replies with an ICMP Port Unreachable message. No response means the port is open or filtered, which Nmap reports as open|filtered; a UDP reply confirms it is open. UDP scans are slow because most operating systems rate-limit ICMP error messages, so the scanner must wait for each unanswered probe.
Core Auditing Tools
Efficient auditing relies on selecting the right tool for the specific environment.
1. Nmap (Network Mapper)
Nmap remains the industry standard for host discovery and service enumeration, and its scripting engine (NSE) extends it into vulnerability checks and protocol-specific probes. Basic Ping Sweep, which maps live hosts without scanning ports:
nmap -sn 192.168.1.0/24
Note that -sn is more than an ICMP echo: against remote targets it also sends a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request (when run as root), and on a local Ethernet segment it uses ARP, so hosts that drop ICMP are still found.
Aggressive Scan, which enables OS detection, version detection, default NSE scripts and traceroute, with the faster -T4 timing template:
nmap -A -T4 192.168.1.50
2. Masscan
When auditing massive internet-scale networks, Nmap can be too slow. Masscan is built for raw speed: it transmits SYN packets asynchronously from its own userland TCP/IP stack, handles the replies out of order, and can cover the IPv4 address space for a handful of ports in a few minutes if the network pipe allows. The trade-off is that it reports only port state; version and script detection still need Nmap. High-Speed Subnet Scan:
masscan 10.0.0.0/8 -p80,443 --rate 10000
The --rate value is packets per second, and 10000 is already enough to saturate small links or trip upstream rate limits. The range here is an entire private /8; scan only ranges you are authorized to test.
3. RustScan
RustScan combines a fast port discovery pass with Nmap's depth. It finds open ports in seconds using many concurrent connection attempts, then automatically hands just those ports to Nmap for version and vulnerability detection, so the slow part of the scan runs only where there is something to look at.
The Auditing Workflow
A standard network audit follows a strict, repeatable lifecycle to ensure thorough coverage.
Phase 1: Reconnaissance and Discovery
Define the scope in writing (address ranges, time windows, excluded hosts). Perform passive reconnaissance via DNS records and public threat intelligence before running active sweeps to identify live hosts.
Phase 2: Enumeration
Identify the specific software versions running on open ports. Knowing a port is open is useful; knowing it runs an outdated version of Apache allows for precision risk assessment. Treat a service name that Nmap guessed from the port number (low confidence, method "table" in its XML output) as unconfirmed until a probe or banner backs it up.
Phase 3: Vulnerability Mapping
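Phases 2 and 3 in code, and the processing step the Nmap section above leaves implicit: parse the XML that `nmap -sV -oX` writes, keep the open ports with their fingerprinted product and version, and compare those versions against a minimum-version baseline. This is an added example, not code from the original page or from the Nmap project. The XML document, the host 192.168.1.50, its hostname and the service versions are constructed, and the version floors in HYPOTHETICAL_FLOORS are placeholders rather than real vulnerability data; in practice the floors would come from your CVE lookup and each hit still needs manual confirmation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX) for one host; addresses, hostname and versions are invented.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.50" version="7.94">
<host>
<status state="up" reason="echo-reply"/>
<address addr="192.168.1.50" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.internal" type="PTR"/></hostnames>
<ports>
<extraports state="closed" count="996"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.29" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
  <service name="mysql" method="table" conf="3"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
  <service name="http-proxy" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
"""

# Placeholder minimum versions, NOT real vulnerability data: anything older is flagged for review.
HYPOTHETICAL_FLOORS = {"OpenSSH": "8.0", "Apache httpd": "2.4.50"}


def parse_nmap_xml(xml_text):
    """Flatten Nmap XML into one record per <port> with host, state and service details."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            records.append({
                "host": addr,
                "hostname": hostname,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                # method="probed" means Nmap matched a banner/probe; "table" is a guess from the port number
                "fingerprinted": get("method") == "probed",
            })
    return records


def version_key(version):
    """Leading dotted numerics as a comparable tuple: '2.4.29' -> (2, 4, 29), '7.4p1' -> (7, 4)."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def flag_outdated(records, floors):
    """Open, fingerprinted services whose version is below the floor for that product."""
    flagged = []
    for r in records:
        if r["state"] != "open" or not r["fingerprinted"]:
            continue
        floor = floors.get(r["product"])
        if floor and version_key(r["version"]) < version_key(floor):
            flagged.append(r)
    return flagged


def unverified_open_ports(records):
    """Open ports whose service is only a table guess: they need manual enumeration, not a CVE lookup."""
    return [r for r in records if r["state"] == "open" and not r["fingerprinted"]]


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_NMAP_XML)
    for r in flag_outdated(recs, HYPOTHETICAL_FLOORS):
        print(f"REVIEW {r['host']}:{r['port']} {r['product']} {r['version']} (floor {HYPOTHETICAL_FLOORS[r['product']]})")
    for r in unverified_open_ports(recs):
        print(f"UNVERIFIED {r['host']}:{r['port']} guessed as {r['service']}")
```

Two details matter beyond the version comparison. The filtered MySQL port is excluded entirely, since nothing has confirmed a service there, and port 8080 is reported separately as unverified because Nmap only guessed "http-proxy" from its table; a banner grab or manual connection is the next step for it, not a CVE search.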
Compare service versions against known Common Vulnerabilities and Exposures (CVE) databases. Automation scripts can assist, but manual verification prevents false positives: a banner version string says nothing about backported patches, so a version match against a CVE is a lead to confirm, not a finding.
Hardening and Defense
Auditing is only valuable if it leads to remediation. Use these strategies to protect infrastructure from unauthorized scanning and, more importantly, from what a scan would find:
Implement a Default-Deny Firewall Policy: Block all inbound traffic except explicitly allow-listed services. A scanner then sees "filtered" for everything you have not published, which tells it nothing about what is running behind the firewall.
Deploy Intrusion Detection Systems (IDS): Configure Snort or Suricata to detect high-velocity scanning patterns. Automatically blocking the source IP requires an inline (IPS) deployment or a responder such as fail2ban, and should be applied with care: a SYN scan can carry a spoofed source address, so blocking on raw packets alone can be turned into a denial of service against addresses the attacker chooses.
Rate-Limit Traffic: Restrict the number of new connection requests a single IP can make per minute. This slows asynchronous scanners like Masscan, but it does not stop a patient attacker who spreads the scan over time or across many source addresses, so treat it as friction rather than a control.
Disable Unused Services: Reduce the attack surface by shutting down legacy or unnecessary background daemons. Every port your own scan reports as open should map to a documented owner and purpose; anything that does not is a finding.
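The IDS and rate-limit items above both come down to the same question: what distinguishes a scanner from a busy but legitimate client in the firewall log? The following is an added example, not code from the original page, Snort or Suricata. It runs the classic sliding-window heuristic over netfilter LOG lines (one line per inbound SYN): a source is flagged by the spread of distinct destination ports it touches within a window, not by packet volume. The log lines, the TEST-NET addresses, the timestamps, the 60 s window and the 15-port threshold are all constructed; the slow-scanner host is included to show the heuristic's known blind spot.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One netfilter LOG line (iptables -j LOG / nftables "log prefix"). We need the syslog
# timestamp, SRC, PROTO and DPT; everything else is skipped lazily.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?"
    r"\bSRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?\bPROTO=(?P<proto>\w+).*?\bDPT=(?P<dpt>\d+)"
)
_EPOCH = datetime(1900, 1, 1)  # syslog stamps carry no year; strptime defaults to 1900 and we only need deltas


def parse_line(line):
    """Return {"t": seconds, "src", "dst", "proto", "dpt"} or None for lines that are not firewall hits."""
    m = LOG_RE.search(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {
        "t": (stamp - _EPOCH).total_seconds(),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def detect_port_scans(lines, window=60.0, distinct_ports=15):
    """Flag a source that touches >= distinct_ports different TCP ports within `window` seconds.

    Port spread, not volume, is the signal: a client hammering one port is not a scan.
    Lines must be in chronological order. Returns {src: {"ports", "first", "last"}}.
    """
    history = defaultdict(deque)  # src -> deque of (t, dpt), oldest first
    alerts = {}
    for rec in map(parse_line, lines):
        if rec is None or rec["proto"] != "TCP":
            continue
        q = history[rec["src"]]
        q.append((rec["t"], rec["dpt"]))
        while q and rec["t"] - q[0][0] > window:  # expire events that fell out of the window
            q.popleft()
        spread = len({dpt for _, dpt in q})
        if spread >= distinct_ports:
            a = alerts.setdefault(rec["src"], {"ports": 0, "first": q[0][0], "last": rec["t"]})
            a["ports"] = max(a["ports"], spread)
            a["last"] = rec["t"]
    return alerts


# --- constructed sample log (TEST-NET addresses, invented timestamps) ---------------------

def _log_line(when, src, dpt):
    return (f"{when:%b %d %H:%M:%S} fw kernel: [  512.001] FW-IN: IN=eth0 OUT= "
            f"SRC={src} DST=198.51.100.10 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF "
            f"PROTO=TCP SPT=61000 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


def build_sample_log():
    base = datetime(2024, 3, 12, 10, 15, 0)
    events = []
    # 203.0.113.7: a fast scanner, 25 distinct ports in 25 seconds -> should alert
    events += [(base + timedelta(seconds=i), "203.0.113.7", 1 + i) for i in range(25)]
    # 203.0.113.50: a chatty but legitimate client, 40 SYNs to port 443 -> no alert
    events += [(base + timedelta(seconds=i), "203.0.113.50", 443) for i in range(40)]
    # 192.0.2.9: a slow scan, one new port every 90 s -> evades a 60 s window (the known gap)
    events += [(base + timedelta(seconds=90 * i), "192.0.2.9", 8000 + i) for i in range(20)]
    events.sort(key=lambda e: e[0])
    return [_log_line(*e) for e in events]


if __name__ == "__main__":
    for src, info in detect_port_scans(build_sample_log()).items():
        print(f"port scan from {src}: {info['ports']} distinct ports in {info['last'] - info['first']:.0f}s")
```

The slow scanner at 192.0.2.9 is only caught when the window is widened to cover its 90 s probe interval, which is exactly the trade-off a production detector makes: longer windows catch patient scans but hold more state and raise more false positives from ordinary multi-service clients. Whatever you do with the alert dictionary, feed it to a blocker only after checking that the flagged source was seen completing handshakes, not just sending SYNs, or the spoofing problem described above applies.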