Advanced Port Scanning Techniques for Bug Bounty Programs

Port scanning is one of the most foundational steps in reconnaissance during a bug bounty program. While basic port scanning techniques help identify open ports, advanced port scanning can provide richer insights into vulnerabilities and services that run on exposed ports. In this blog, we’ll explore advanced port scanning techniques that can help bug bounty hunters gain a significant edge in their assessments. Whether you are hunting for high-severity bugs or looking to enhance your reconnaissance, this guide is built for advanced users.

Table of Contents

1. Understanding Port Scanning Basics
2. Common Tools for Advanced Port Scanning
3. Stealth Scanning Techniques
4. Banner Grabbing and Service Detection
5. Timing and Evasion Techniques
6. Fingerprinting Operating Systems and Services
7. Using Scripts and Automation in Port Scanning
8. Advanced Network Mapping with Nmap
9. Deep Dive: Scanning IPv6 Networks
10. Handling Firewalls, IDS, and Honeypots
11. Analyzing the Results for Vulnerabilities
12. Real-World Scenarios for Bug Bounty Programs
13. Conclusion

1. Understanding Port Scanning Basics

Before delving into advanced techniques, let’s quickly summarize the basics of port scanning. Port scanning is the process of probing a target system to determine which network ports are open, closed, or filtered. Open ports represent active services that could potentially be exploited.

The three basic types of scans are:

• TCP Connect Scan: Completes the three-way TCP handshake (SYN, SYN-ACK, ACK) to check for open ports.
• TCP SYN Scan: Sends SYN packets and waits for SYN-ACK responses. This method doesn’t complete the handshake, making it stealthier.
• UDP Scan: More challenging to execute but necessary to identify open UDP ports.

While these methods are effective for basic reconnaissance, they leave out nuances that could be exploited in more sophisticated bug bounty programs.

2. Common Tools for Advanced Port Scanning

Advanced port scanning leverages a variety of powerful tools. While Nmap remains the most popular choice for port scanning, many advanced tools enhance or extend its functionality:

• Nmap: Nmap’s versatility and scripting capabilities make it ideal for both beginners and advanced users. The NSE (Nmap Scripting Engine) provides significant enhancements for more granular control over scanning processes.
• Masscan: Known for its speed, Masscan can scan the entire internet in a few minutes. However, it lacks the finesse of Nmap in analyzing results.
• Unicornscan: Designed for large-scale network discovery, Unicornscan is great for distributed scanning and performance optimization.
• Zmap: Efficient for wide-area network scanning and can work alongside tools like Nmap for post-scan analysis.

Choosing the right tool depends on the scope of your engagement and the target’s network architecture.

3. Stealth Scanning Techniques

One of the main concerns during bug bounty reconnaissance is avoiding detection by security systems like firewalls and Intrusion Detection Systems (IDS). Stealth scanning techniques allow you to gather information without raising red flags:

TCP SYN Scan (Half-Open Scan)

This is one of the most popular stealth scanning methods:

• How it works: The scanner sends a SYN packet to the target. If the target responds with a SYN-ACK, the port is considered open. The scanner doesn’t complete the handshake by sending an ACK, thus avoiding logging the connection.
• Why it’s stealthy: By avoiding the final ACK, the scan can bypass many logging systems.

FIN, Xmas, and Null Scans

These scans manipulate TCP flags in creative ways:

• FIN Scan: Sends a FIN packet, which should only close connections. If the port is closed, an RST packet is sent in response.
• Xmas Scan: Sends a packet with FIN, URG, and PUSH flags all set to 1. Closed ports will send an RST response.
• Null Scan: Sends packets with no flags set. Closed ports return RST, while open ports remain silent.

These scans are particularly useful against firewalls or security systems that focus on detecting only standard TCP traffic.

Idle Scanning (IPID Scanning)

Idle scanning uses a third-party zombie system to perform the scan, masking the original scanner’s IP:

• How it works: The attacker sends spoofed packets from the zombie system, tricking the target into responding to the zombie rather than the attacker. This allows complete anonymity for the attacker.
• Why it’s powerful: If configured correctly, this scan can be entirely undetectable, as the real attacker’s IP is never directly involved.

4. Banner Grabbing and Service Detection

While detecting open ports is essential, identifying the services running on those ports is even more critical. Banner grabbing involves extracting information about the software version running on a specific port, which can be useful for identifying vulnerabilities.

Tools for Banner Grabbing:

• Nmap: With the -sV flag, Nmap attempts to detect the version of the service running on a given port. It also uses NSE scripts for more in-depth service analysis.
• Netcat: A simple utility for manual banner grabbing. By connecting to a service on an open port (e.g., HTTP on port 80), Netcat can reveal banners that disclose the server type, version, or other useful details.
• Telnet: Similar to Netcat, Telnet can connect to services and retrieve basic banners.

Using NSE Scripts for Deeper Service Detection:

The Nmap Scripting Engine (NSE) provides a wide range of scripts specifically for service detection. Some useful scripts include:

• http-enum.nse: Enumerates directories on an HTTP server.
• ssl-enum-ciphers.nse: Enumerates supported SSL/TLS ciphers and gives insights into weak configurations.
• ftp-anon.nse: Tests for anonymous login on FTP servers.

5. Timing and Evasion Techniques

To avoid triggering IDS or rate-limiting mechanisms, it’s crucial to manage scan timing carefully. Here are a few advanced timing and evasion techniques:

Timing Templates:

Nmap provides timing templates (-T0 to -T5):

• -T0: Paranoid scan mode, ideal for stealth as it minimizes scan speed to evade detection.
• -T4: Aggressive scan, suited for faster scanning but more likely to trigger alarms.

Randomized Source IP Addresses:

Many tools, including Masscan and Unicornscan, allow IP spoofing to randomize the source IP address for each packet, helping evade firewall rules and rate limiting.

Fragmentation of Packets:

Sending fragmented packets can help bypass detection mechanisms that expect whole packets. Nmap’s -f flag fragments the IP packet header, making it harder for basic IDS/IPS systems to detect scans.

6. Fingerprinting Operating Systems and Services

Once you’ve detected open ports and identified services, the next step is to fingerprint the underlying operating system (OS) and software versions. OS and service fingerprinting can provide crucial insights for developing exploits.

Nmap OS Fingerprinting:

Using the -O flag, Nmap can send a series of probes and analyze responses to detect the operating system. While it isn’t foolproof, it’s highly accurate for commonly used OSes.

Passive Fingerprinting:

Unlike active fingerprinting, which sends packets to provoke responses, passive fingerprinting involves analyzing network traffic to infer OS details. Tools like p0f can be used to fingerprint OSes without actively scanning the target, making it stealthier.

7. Using Scripts and Automation in Port Scanning

Automation is crucial in advanced bug bounty programs, where you might need to scan large IP ranges or automate repetitive tasks. Leveraging Nmap scripts (NSE) and integrating with automation platforms can greatly enhance your scanning capabilities.

Nmap NSE Scripts for Automation:

• vulners.nse: Combines port scanning with vulnerability scanning by checking discovered services against known vulnerabilities.
• brute.nse: Performs brute force attacks on open services like SSH or FTP.

Automating with Python:

Python’s subprocess module can be used to automate Nmap scans and parse results. For example, using Python to launch periodic scans or integrate scan data into a larger vulnerability management system can help you scale your reconnaissance.

8. Advanced Network Mapping with Nmap

Nmap’s network mapping capabilities are essential for understanding the topology of a target network. Techniques like traceroute, network distance estimation, and firewall identification can give you a clear picture of how to approach the target.

Traceroute with Nmap:

The --traceroute option in Nmap helps identify intermediate devices, such as routers and firewalls. Knowing the network path can help tailor your attacks and avoid detection.

9. Deep Dive: Scanning IPv6 Networks

With IPv6 adoption increasing, advanced bug hunters must familiarize themselves with IPv6 scanning techniques. IPv6’s larger address space makes scanning more complex, but tools like Nmap and Zmap support IPv6 scanning.

Challenges in IPv6 Scanning:

The sheer size of the IPv6 address space means you can’t scan it as you would with IPv4. Focus on known ranges, DNS lookups, and services that advertise their IPv6 addresses.

10. Handling Firewalls, IDS, and Honeypots

Firewalls, Intrusion Detection Systems (IDS), and honeypots are often deployed to thwart attackers. Identifying and bypassing these defenses is a critical skill in advanced bug bounty hunting.

Detecting Firewalls and IDS:

• TTL Analysis: By observing TTL (Time To Live) values, you can infer the presence of firewalls.
• Firewalk: A tool designed to identify firewall rule sets by sending packets with increasing TTL values.

Honeypot Detection:

Honeypots are deceptive systems designed to lure attackers. Tools like Nmap and Honeyd can help identify suspiciously open ports or low-interaction services, indicative of a honeypot.

11. Analyzing the Results for Vulnerabilities

After conducting a thorough scan, the final and most crucial step is analyzing the results. Open ports and detected services can be mapped against known vulnerabilities, but advanced bug hunters go a step further:

Exploiting Misconfigurations:

Misconfigurations in services like SSH, FTP, and HTTP are common and often lead to critical vulnerabilities. For example:

• Default Credentials: Many services ship with default credentials, which, if unchanged, provide easy access.
• Weak SSL/TLS Configurations: Tools like sslscan can analyze weak SSL configurations.

Exploiting Non-Standard Ports:

Don’t ignore non-standard ports. Services running on non-default ports are often forgotten by admins and may present unique vulnerabilities.

12. Real-World Scenarios for Bug Bounty Programs

Let’s look at how advanced port scanning techniques apply in real-world bug bounty programs:

Scenario 1: Evading Detection on a Corporate Network

You’re scanning a high-profile target protected by advanced firewalls and IDS. Using stealth scanning and timing templates with Nmap, you evade detection while gathering a detailed map of the network.

Scenario 2: Discovering Vulnerabilities in IoT Devices

Using banner grabbing and service detection, you identify an outdated version of a web server on an IoT device. This leads you to discover a buffer overflow vulnerability, resulting in a critical bug report.

13. Conclusion

Advanced port scanning is a critical skill for bug bounty hunters, enabling deeper insights into a target’s infrastructure and vulnerabilities. By mastering stealth techniques, automation, service detection, and network mapping, you can gain a significant edge over competitors and uncover high-severity vulnerabilities that others might miss.

Bug bounty hunting is about persistence, creativity, and continuous learning. As network defenses evolve, so must your scanning techniques. Dive deep into the tools, experiment with new techniques, and never stop honing your craft. Happy hunting!

Promote and Collaborate on Cybersecurity Insights

We are excited to offer promotional opportunities and guest post collaborations on our blog and website, focusing on all aspects of cybersecurity. Whether you’re an expert with valuable insights to share or a business looking to reach a wider audience, our platform provides the perfect space to showcase your knowledge and services. Let’s work together to enhance our community’s understanding of cybersecurity!

About the Author:

Vijay Gupta is a cybersecurity enthusiast with several years of experience in cyber security, cyber crime forensics investigation, and security awareness training in schools and colleges. With a passion for safeguarding digital environments and educating others about cybersecurity best practices, Vijay has dedicated his career to promoting cyber safety and resilience. Stay connected with Vijay Gupta on various social media platforms and professional networks to access valuable insights and stay updated on the latest cybersecurity trends.