How to perform a full 65,535 UDP and TCP port scan with just 784 Packets

Nessus has the ability to perform full port scans on UNIX and Windows systems by leveraging credentials. For UNIX systems, the “netstat –an” command is invoked and the results used to mark each reported TCP or UDP port open in the Nessus knowledge base. For Windows systems, WMI is used to identify each open port in a similar manner.

• For enterprise customers using Nessus or the Security Center to perform audits of systems with credentials, this type of audit saves time and improves accuracy over traditional port scanning methods:
• Probing a TCP service with a SYN scan or a full TCP connection takes time. Not only does each packet need to be sent, but it also needs to be tracked in case it was filtered, times out or is rejected.
• Performing UDP scans is very unreliable. By its very nature, a UDP port scan considers a port open if there is no response. Since UDP is unreliable in nature and is often filtered, most UDP port scans return results that are not accurate.
• Placing large numbers of sequential or random port connections to multiple target hosts can impact the performance of firewalls, NAT devices, switches and many other types of network equipment. Network devices which handle packets often keep a table of active connections and a port scan can make your network look very busy, or take a network that is operating at capacity and make it perform very poorly. In some cases, such devices are licensed per concurrent TCP sessions, and such a port scan might even disrupt other legitimate connections.
• The lack of port scanning traffic means that your NBAD, network IDS, firewall logs or SIM does not get hundreds or thousands of alerts that need to be filtered.

These credentialed port scans also have some other compliance and performance advantages:

• Unless someone has placed a rootkit on the OS, this technique will accurately identify all uncommon and high-port listening services. Of course, if an attacker has placed a rootkit, it very likely placed in defenses that make their ports not show up during active scans.
• If you have a PCI requirement to perform a full port scan of a target, this credentialed technique can also be used. PCI requires that assessments of Internet facing servers be performed without any filtering in place and for all 65,535 ports. Performing a credentialed scan is much quicker than doing a full active port scan.
• Since these techniques accurately identify all open ports, it is much more likely that Nessus will perform accurate service identification of these ports and discover vulnerabilities on them. Scans that perform their port scan analysis with active methods may not target all available ports due to time constraints.

Launching these Scans and Understanding them

To make use of these scanners, Nessus and Security Center users should simply enable these port scanners in their scan configurations and also include the required credentials to log into the remote systems. Below is a screen shot of the list of available port scanners in the NessusClient:

Notice that the “Nessus TCP” scanner and the “netstat portscanner (WMI)” were both selected. This would cause a full active TCP port scanner to execute as well as a credentialed WMI scan. There is nothing that prevents a Nessus user from combining these port scans, but there is no additional benefit. A user doing a credentialed audit of a UNIX or Windows system can save a lot of time by only performing the netstat style scans.

Having said that, you should surely consider creating a scan policy that made use of credentiales for Windows and UNIX accounts at the same time. Enabling both the "netstat portscanner (WMI)" and the "Netstat 'scanner'" for UNIX along with the required credentials can rapidly perform full network scans.

Results from these plugins are reported the same way as any other port scanner as shown below:

In this case, we used credentials to perform the WMI netstat scan of a Windows 2003 server. The above ports were identified. Running tcpdump during the scan, we gathered only 784 packets (which explains the title of this blog).

Full port scans place many more packets on the network. Even with a simple SYN scan for TCP and a UDP probe, a scanner would send 65535 * 2 = 131070 packets. Even worse, these packet counts can be much higher. For accuracy, a scanner might send the same packet more than once. When looking at full TCP connections or even a SYN scan, there could be 1000s of “reset” packets sent back from the target. With TCP resets and UDP “ICMP Unreachable” messages, it’s not uncommon for packet counts of full port scans to be more than 250,000.

For More Information

If you are concerned with minimizing network impact during active vulnerability scans, you should read our previous blog posts regarding distributed vulnerability scanning.  You should also review topics such as how to invoke the Nessus “safe checks” option,  UDP service enumeration, detecting “off port” services such as web servers not running on port 80 and generally how Nessus performs operating system fingerprinting.

If you are interested in real-time traffic analysis to identify change, new applications, new vulnerabilities and also discover which systems connect to each other and share data, the Passive Vulnerability Scanner can be used along with the Security Center. It feeds discovered data, including real-time identification of open ports, browsed ports and the applications and clients that make use them into the Security Center which combines this information with data from credentialed and un-credentialed Nessus scans.