Perform a Port Scan

One way of assessing the potential vulnerability of a device, or series of devices, is to perform a scan of all the TCP and UDP ports on each device and analyzing the responses. Many common attacks start with doing port scans of remote systems to see if ports, with known vulnerabilities, are reachable and responding. Historically, a scan reported whether a port responded normally (OPEN), rejected the connection (CLOSED), and was silent if there was no answer. With more aggressive malware appearing, the practice arose of distinguishing this last state explicitly. Port scans now return one of the following responses:

• OPEN
• CLOSED (responds but with a rejection)
• STEALTHED (no response at all)

Firewalls or access controls, along the entire path from probe source to target, can affect the response. These access controls include enterprise firewalls, LAN firewalls, and software host-based firewalls; as well as the device configuration as to what services are running; and on what port. Many services like sshd or httpd can be configured to answer on any IP port not already in use.

Open a command window and enter the command NETSTAT -A -P TCP, which will list all the TCP ports on your computer that have processes connected to them (and whether there is any connection currently active on them). Notice that, although only one application can use a given port, more than one session or instance of that application can share it. This ambiguity is resolved by basing the state of each on the originating port as well as the destination. NETSTAT /?will show you other arguments, like -b, which lists the process name associated with each.

• Identify the services using all of the active ports. Keep a transcript of the result, both the scan and your interpretation of it.

The following is an example of netstat results on a Windows XP workstation:

C:Documents and Settingsmyob>netstat -a -n -p TCP Active Connections

Active ConnectionsDownload and install Nmap from http://nmap.org. Perform a port scan of your own computer using the command nmap "sT "p1-1056 . This will do a scan attempting only TCP Connect probes on ports 1-1056. Whether you use the Zenmap GUI or command line, you will be able to save a transcript of the results. Include this transcript in your report.

• Compare the results of the Nmap scan with the netstat listing. What differences do you see? Nmap is only showing you what ports are responding (look at the documentation for Nmap for arguments that will try to identify what the software is on the responding port), but netstat is showing you connections and listening processes. Of the information they have in common, what differences are there?

Perform a scan of your router's exterior using ShieldsUp! at http://www.grc.com/ (scroll down to the link or use the pull-down Services button). This will scan the first 1056 TCP ports on your system. What system is responding to ShieldsUp! Is this the same for all cases? Describe specific scenarios with an intervening NAT router. Compare the results of this scan with the previous scans you did. Are the results the same? Why or why not? If they are different, explain what produced the difference.

Repeat the first two steps specifying UDP instead of TCP:

NETSTAT -A -P UDP

nmap -sU -p1-1056

• Make a note of any differences. Explain what is happening.
• Explain the differences (in what your results are) and how they come to be.

Attachment:- Perform-a-Port-Scan.rar