the type of device that is communicating. As with other packet capture programs, there are ways to get traffic to your system that isn’t specifically destined there by using a hub or a port span on a switch or even doing spoofing. The MAC address comes from the layer 2 header, which gets pulled off when a packet crosses a layer 3 boundary (router).
Although the information you can get from passive reconnaissance using a tool like p0f is limited to what the service and system are going to give up anyway, using p0f alleviates the manual work that may otherwise be required to pull out this level of detail. The biggest advantage to using p0f is that you can quickly extract details without doing the work yourself, and you are also not actively probing the target systems. This helps to keep you off the radar of any monitoring systems or teams at your target.
Port Scanning
Once you are done gathering as much information as you can without actively and noisily probing the target networks, you can move on to the making noise stage with port scans. This is commonly done using port scanners, though port scanning doesn’t necessarily mean that the scans have to be high traffic and noisy. Port scanning uses the networking protocols to extract information from remote systems to determine what ports are open. We use port scanning to determine what applications are running on the remote system. The ports that are open can tell us a lot about those applications. Ultimately, what we are looking for are ways into the system. The open ports are our gateways.
An open port means that an application is listening on that port. If no application is listening, the port won’t be open. Ports are the way we address at the transport layer, which means that you will see applications using TCP or UDP commonly for their transport needs, depending on the requirements of the application. The one thing in common across both transport protocols is the number of ports that are available. There are 65,536 possible port values (0–65,535).
As you are scanning ports, you won’t see any port that is being used on the client side. As an example, I can’t scan your desktop computer and determine what connections you have open to websites, email servers, and other services. We can only detect ports that have listeners on them. When you have opened a connection to another system, you don’t have a port in a listening state. Instead, your operating system will take in an incoming packet from the server you are communicating with and determine that an application is waiting for that packet, based on a four-tuple of information (source and destination IP addresses and ports).
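The following is an added example, not code from the book, that demonstrates the two points above on your own host: a TCP connect scan reports a port as open only when a listener is bound to it, and the ephemeral port used by the client side of an established connection is not reported as open. It assumes the loopback interface (127.0.0.1) is available; all sockets it probes are ones it creates itself.

```python
import socket


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return the ports in `ports` that accept a full TCP handshake on `host`.

    connect_ex() returning 0 means the three-way handshake completed, which
    only happens when some application has a listening socket on that port.
    A closed port answers with RST (ECONNREFUSED); a filtered one times out.
    UDP has no handshake, so a UDP scan cannot use this test (see the text).
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def bind_listener(host="127.0.0.1"):
    """Stand in for 'an application listening on a port'.

    The kernel completes incoming handshakes into the backlog even before
    accept() is called, so no accept loop is needed for the demonstration.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    return srv


def demo(host="127.0.0.1"):
    srv = bind_listener(host)
    listen_port = srv.getsockname()[1]
    # Open a client connection to the listener. The client side is assigned an
    # ephemeral port, but that port is NOT in a listening state: the OS matches
    # replies to it by the four-tuple of the established connection.
    client = socket.create_connection((host, listen_port))
    client_port = client.getsockname()[1]
    # A port that was bound and then released, so nothing is listening there.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((host, 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    found = tcp_connect_scan(host, [listen_port, client_port, closed_port])
    client.close()
    srv.close()
    return {"listener": listen_port, "client": client_port,
            "closed": closed_port, "open": found}
```

Running `demo()` returns only the listener's port under `"open"`; neither the client-side ephemeral port nor the released port completes a handshake.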
Because differences exist between the two transport protocols, the scans work differently. In the end, you’re looking for open ports, but the means to determine that information is different. Kali Linux comes with port scanning tools. The de facto