
Tenable Blog


How to perform a full 65,535 UDP and TCP port scan with just 784 Packets

Nessus can perform full port scans of UNIX and Windows systems by leveraging credentials. On UNIX systems, the "netstat -an" command is invoked over the credentialed session and each TCP or UDP port it reports as listening or bound is marked open in the Nessus knowledge base. On Windows systems, WMI is used to enumerate open ports in the same manner.
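As an added example (not Nessus or Tenable code), here is the parsing step that turns raw "netstat -an" output into the port list a credentialed scan records. It handles both the Linux/BSD column layout (Proto, Recv-Q, Send-Q, Local, Foreign, State) and the Windows layout (Proto, Local, Foreign, State), keeps only listening TCP sockets and bound UDP sockets, and separates sockets bound solely to a loopback address, because netstat reports those even though nothing on the network can reach them. BSD variants that separate host and port with a dot are not handled. Both netstat samples are constructed for the example, not captured from real hosts.

```python
"""Turn raw `netstat -an` output into the port list a credentialed scan records.

Added example, not Nessus code.  Handles the Linux/BSD layout
(Proto Recv-Q Send-Q Local Foreign [State]) and the Windows layout
(Proto Local Foreign [State]).  Both samples below are constructed.
"""
import re
from collections import defaultdict

# Constructed Linux sample: a loopback-only SMTP listener, an ESTABLISHED ssh
# session (not a service), a connected UDP client socket and a UNIX socket.
LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.50:51234      ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp        0      0 192.168.1.10:50000      192.168.1.1:53          ESTABLISHED
udp6       0      0 :::546                  :::*
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/example.sock
"""

# Constructed Windows sample: RPC bound on IPv4 and IPv6, loopback-only
# TCP 1025 and UDP 1900, and an ESTABLISHED RDP session.
WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      192.168.1.50:52000     ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    127.0.0.1:1900         *:*
  UDP    [::]:500               *:*
"""

LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1)$")


def split_local(addr):
    """'0.0.0.0:22' -> ('0.0.0.0', '22'); ':::443' and '[::]:135' -> ('::', port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return ({'tcp': set, 'udp': set}, loopback_only) from netstat -an text.

    open_ports holds listening TCP and bound UDP ports that have at least one
    non-loopback bind; loopback_only holds (proto, port) pairs bound solely to
    127.x.x.x or ::1, which netstat reports but the network never sees.
    """
    binds = defaultdict(set)                      # (proto, port) -> local hosts
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or not f[0].lower().startswith(("tcp", "udp")):
            continue                              # headers, blank lines, UNIX sockets
        proto = f[0].lower()[:3]                  # tcp6/udp6 -> tcp/udp
        if f[1].isdigit():                        # Linux/BSD: queue columns present
            local, foreign, state = f[3], f[4], (f[5] if len(f) > 5 else "")
        else:                                     # Windows: no queue columns
            local, foreign, state = f[1], f[2], (f[3] if len(f) > 3 else "")
        host, port = split_local(local)
        if not port.isdigit():
            continue
        if proto == "tcp" and state.upper() not in ("LISTEN", "LISTENING"):
            continue                              # ESTABLISHED/TIME_WAIT etc. are not services
        if proto == "udp" and not foreign.endswith(":*"):
            continue                              # connected UDP socket, e.g. a DNS client
        binds[(proto, int(port))].add(host)

    open_ports = {"tcp": set(), "udp": set()}
    loopback_only = set()
    for (proto, port), hosts in binds.items():
        if all(LOOPBACK.match(h) for h in hosts):
            loopback_only.add((proto, port))
        else:
            open_ports[proto].add(port)
    return open_ports, loopback_only


if __name__ == "__main__":
    for name, sample in (("linux", LINUX_NETSTAT), ("windows", WINDOWS_NETSTAT)):
        ports, lo = parse_netstat(sample)
        print(name, "tcp:", sorted(ports["tcp"]), "udp:", sorted(ports["udp"]),
              "loopback-only:", sorted(lo))
```

The Linux sample yields TCP 22 and 443 and UDP 123 and 546 as open, with TCP 25 and UDP 323 flagged as loopback-only; the Windows sample yields TCP 135 and 445 and UDP 161 and 500, with TCP 1025 and UDP 1900 loopback-only. The ESTABLISHED ssh and RDP sessions and the connected UDP client socket are correctly ignored, which is the distinction a netstat-based scanner has to make so that client-side sockets are not reported as listening services.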

For enterprise customers using Nessus or the Security Center to audit systems with credentials, this type of audit saves time and improves accuracy over traditional port scanning methods:

  • Probing a TCP service with a SYN scan or a full TCP connection takes time. Not only does each packet need to be sent, it also needs to be tracked in case it is filtered, times out or is rejected.
  • UDP scans are inherently unreliable. A UDP port scan has to treat a port that never answers as open (at best "open|filtered"), because an open UDP service is under no obligation to reply to an unsolicited probe, and the ICMP port unreachable messages that would mark a port closed are often rate-limited or filtered. As a result, most UDP port scans return results that are not accurate.
  • Placing large numbers of sequential or random port connections to multiple target hosts can impact the performance of firewalls, NAT devices, switches and many other types of network equipment. Devices that handle packets often keep a table of active connections, and a port scan can make your network look very busy, or take a network that is already operating at capacity and make it perform very poorly. Some such devices are licensed per concurrent TCP session, and a port scan might even disrupt other legitimate connections.
  • Because no port scanning traffic is generated, your NBAD, network IDS, firewall logs or SIM do not fill with hundreds or thousands of alerts that need to be filtered.

These credentialed port scans also have some other compliance and performance advantages:

  • Unless a rootkit has been installed on the OS, this technique accurately identifies every listening service, including uncommon and high-port ones. Of course, if an attacker has installed a rootkit, it very likely also hides its ports from active scans. Keep in mind what netstat is actually reporting: sockets the host believes are bound and listening. A service that is listening but blocked by a host or network firewall is still reported, and so is a service bound only to 127.0.0.1 or ::1, which cannot be reached from the network at all. Check the local address column when you need to know what is exposed rather than merely what is listening.
  • If you have a PCI requirement to perform a full port scan of a target, this credentialed technique can also be used. PCI requires that assessments of Internet-facing servers be performed without any filtering in place and for all 65,535 ports, and a credentialed scan is much quicker than a full active port scan.
  • Since these techniques accurately identify all open ports, it is much more likely that Nessus will perform accurate service identification of these ports and discover vulnerabilities on them. Scans that perform their port scan analysis with active methods may not target all available ports due to time constraints.

Launching these Scans and Understanding them

To make use of these scanners, Nessus and Security Center users should simply enable these port scanners in their scan configurations and also include the required credentials to log into the remote systems. Below is a screen shot of the list of available port scanners in the NessusClient:


[Screenshot: Scanoptions, the list of available port scanners in the NessusClient scan options]

Notice that the "Nessus TCP" scanner and the "netstat portscanner (WMI)" were both selected. This causes a full active TCP port scan to execute as well as a credentialed WMI scan. Nothing prevents a Nessus user from combining these port scans, but there is no additional benefit. A user doing a credentialed audit of a UNIX or Windows system can save a lot of time by performing only the netstat style scans.

Having said that, you should consider creating a scan policy that makes use of credentials for Windows and UNIX accounts at the same time. Enabling both the "netstat portscanner (WMI)" and the "Netstat 'scanner'" for UNIX, along with the required credentials, allows full network scans to run rapidly.

Results from these plugins are reported the same way as any other port scanner as shown below:


[Screenshot: Rodanopenports, the open ports reported for the scanned host]

In this case, we used credentials to perform the WMI netstat scan of a Windows Server 2003 system, and the above ports were identified. Running tcpdump during the scan, we captured only 784 packets (which explains the title of this post).

Full port scans place many more packets on the network. Even with a simple SYN scan for TCP and a single probe per UDP port, a scanner sends 65,535 * 2 = 131,070 packets before any replies are counted. In practice the counts are much higher: for accuracy, a scanner may send the same probe more than once; a full connect scan or even a SYN scan draws thousands of "reset" packets back from the target; and UDP probes to closed ports draw ICMP port unreachable messages. It is not uncommon for a full port scan to exceed 250,000 packets.

For More Information

If you are concerned with minimizing network impact during active vulnerability scans, you should read our previous blog posts regarding distributed vulnerability scanning. You should also review topics such as how to invoke the Nessus "safe checks" option, UDP service enumeration, detecting "off port" services such as web servers not running on port 80, and how Nessus performs operating system fingerprinting.

If you are interested in real-time traffic analysis to identify change, new applications and new vulnerabilities, and to discover which systems connect to each other and share data, the Passive Vulnerability Scanner can be used along with the Security Center. It feeds discovered data, including real-time identification of open ports, browsed ports and the applications and clients that make use of them, into the Security Center, which combines this information with data from credentialed and un-credentialed Nessus scans.
