Effective Port Scanning for Finding Vulnerabilities in Bug Bounties

Introduction

Port scanning is an essential technique in the arsenal of bug bounty hunters. By probing a target for open ports, security researchers can identify running services and pinpoint potential vulnerabilities that may be exploitable. In the competitive world of bug bounties, knowing how to perform effective port scans can mean the difference between discovering valuable vulnerabilities and missing out.

In this article, we’ll dive into the specifics of port scanning, exploring various tools, techniques, and best practices to help you optimize your approach and maximize your success rate in bug bounty hunting.

Understanding Ports and Their Role in Security

Ports are numbered logical endpoints for network communication on a server or device. They allow for different types of services to coexist on a single IP address, each handling specific traffic types. For example:

  • Port 80 is typically used for HTTP traffic.
  • Port 443 is often reserved for HTTPS traffic.
  • Port 22 is commonly used for SSH connections.

While ports facilitate essential network functions, open ports also create potential points of entry for attackers. Identifying open ports helps bug bounty hunters determine what services a target is running, which can lead to the discovery of exploitable vulnerabilities.

Essential Port Scanning Tools

Several tools have become standard for port scanning, each offering unique capabilities. Below are the most commonly used tools in bug bounties:

Nmap (Network Mapper)

  • Overview: Nmap is a powerful, versatile tool widely used for network discovery and security auditing. With numerous scan options, it can quickly identify open ports and the services running on them.
  • Installation: Available on Linux, Windows, and macOS. Install Nmap on Linux using:

        sudo apt install nmap

  • Basic Commands: The simplest command to start with is:

        nmap <target IP>

    For a more detailed scan with version detection, use:

        nmap -sV <target IP>

  • Advanced Scanning: Using flags like -sS for a SYN scan or -A (which enables OS detection, version detection, script scanning, and traceroute) provides deeper insights:

        nmap -sS -A <target IP>

  • Nmap Scripting Engine (NSE): NSE enhances Nmap’s capabilities by enabling custom scripts for vulnerability detection. For instance, to run the scripts in the vuln category:

        nmap --script vuln <target IP>

Masscan

  • Overview: Known for its speed, Masscan can scan the entire Internet in a matter of minutes, making it an excellent choice for large-scale scans.
  • Installation and Usage: Install Masscan on Linux with:

        sudo apt install masscan

    A basic scan of all ports at a set packet rate looks like this:

        masscan -p1-65535 <target IP> --rate=1000

  • Masscan with Nmap: One effective approach is to use Masscan for a broad scan, then feed the results into Nmap for a more detailed analysis:

        masscan -p80,443 <target IP> -oL results.txt
        nmap -iL results.txt -sV

    Note that Masscan’s list output (-oL) is not a plain host list: each line reads “open tcp <port> <ip> <timestamp>”, wrapped in comment lines. Extract the IP addresses (and ideally the ports) from it before handing the file to Nmap’s -iL, otherwise Nmap will reject the input.
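A small helper for the Masscan-to-Nmap hand-off above, added here as an example rather than taken from the Masscan or Nmap projects: it parses Masscan’s -oL list format (lines of the form "open tcp <port> <ip> <timestamp>" between "#masscan" and "# end") and emits one nmap -sV command per host restricted to the ports Masscan found open. The sample list output is constructed for the demonstration.

```python
"""Parse masscan -oL output and build per-host nmap -sV follow-up commands."""
from collections import defaultdict

# Constructed sample of masscan list output (-oL); not data from a real scan.
SAMPLE_MASSCAN_LIST = """#masscan
open tcp 80 192.0.2.10 1700000000
open tcp 443 192.0.2.10 1700000001
open tcp 22 192.0.2.11 1700000002
open tcp 8080 192.0.2.11 1700000003
# end
"""


def parse_masscan_list(text):
    """Return {ip: sorted list of open TCP ports} from masscan -oL text.

    Lines look like 'open tcp 80 192.0.2.10 1700000000'. Comment lines
    (starting with '#'), non-TCP lines and non-open states are skipped.
    """
    hosts = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] != "open" or fields[1] != "tcp":
            continue
        hosts[fields[3]].add(int(fields[2]))
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def build_nmap_commands(hosts):
    """One nmap -sV command per host, limited to the ports masscan saw open.

    Scanning only those ports keeps the follow-up far cheaper than a full
    -p1-65535 version scan of every host.
    """
    return [
        f"nmap -sV -p{','.join(str(p) for p in ports)} {ip}"
        for ip, ports in sorted(hosts.items())
    ]


if __name__ == "__main__":
    import sys
    # Usage: python3 masscan_to_nmap.py results.txt (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASSCAN_LIST
    for cmd in build_nmap_commands(parse_masscan_list(text)):
        print(cmd)
```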

Unicornscan

  • Overview: Though less common than Nmap and Masscan, Unicornscan provides robust, high-speed scanning capabilities. It’s especially useful for UDP scanning.
  • Installation: On Debian-based systems, install it with:

        sudo apt install unicornscan

  • Basic Command Example:

        unicornscan -msf -v <target IP>:a

Effective Port Scanning Techniques

Different situations call for different scanning techniques, depending on the level of stealth needed, the network’s size, and the depth of information you’re after. Here are some effective strategies:

TCP Connect Scan vs. SYN Scan

  • TCP Connect Scan (-sT): Completes the full three-way handshake with every port. It’s reliable, needs no special privileges, but is easily detected and logged by the target.
  • SYN Scan (-sS): Often called a “half-open” scan, it sends a SYN packet and never completes the handshake. It’s faster and stealthier; because it crafts raw packets it requires root (raw-socket) privileges.

Timing and Throttling

  • Timing Options: Using the -T flag in Nmap (values 0-5) allows you to control the timing. A lower value (e.g., -T0) provides stealth at the expense of speed, while -T5 is aggressive and fast.
  • Rate Limiting in Masscan: For stealth, set a lower packet rate to avoid detection. Example:

        masscan -p80,443 <target IP> --rate=100

Service and OS Detection

  • Service Version Detection: Nmap’s -sV flag determines the version of services running on open ports, which is valuable for vulnerability matching.
  • Operating System Detection: The -O flag in Nmap helps identify the OS on the target machine, providing context for further exploitation attempts.

Identifying Vulnerabilities on Open Ports

Knowing which vulnerabilities are associated with specific open ports is essential. Here are some of the most common vulnerabilities related to popular ports:

  • Port 22 (SSH): Vulnerabilities here might involve weak credentials, outdated software, or configuration flaws. Check for older SSH versions that might have known vulnerabilities.
  • Port 80 and 443 (HTTP and HTTPS): Web services on these ports are frequently vulnerable to injection attacks, authentication flaws, and misconfigurations.
  • Port 3306 (MySQL): This port is often exposed inadvertently, allowing attackers to exploit database vulnerabilities, especially if default credentials are used.

Once you identify open ports and services, cross-reference the service version with vulnerability databases like the NVD (National Vulnerability Database) or Exploit Database.

Case Study: From Port Scanning to Vulnerability Discovery

Let’s walk through a case study to demonstrate how effective port scanning can lead to discovering a vulnerability.

  1. Initial Scan with Nmap

        nmap -sS -A -p1-65535 <target IP>

     The scan identifies that port 8080 is open and running an outdated version of Apache Tomcat.

  2. Service Version Identification

        nmap -sV -p8080 <target IP>

     Nmap confirms that Apache Tomcat 7.0.82 is running.

  3. Researching Vulnerabilities: By looking up Apache Tomcat 7.0.82, you discover it has a known vulnerability, CVE-2017-12617, which allows for remote code execution if file upload capabilities are enabled.
  4. Exploiting the Vulnerability: Using Metasploit or a similar framework, you test the vulnerability in a safe environment and successfully upload a web shell, confirming the exploit.
  5. Documenting Findings: When submitting your bug report, detail the open port, the detected service and version, the associated CVE, and the exploitation steps. Clear documentation adds value to your report and demonstrates professionalism.
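The version-to-CVE cross-referencing described earlier, and steps 1 to 3 of this case study, can be automated from Nmap’s XML output. The following is an added example, not code from the article or from the Nmap project: it reads nmap -sV -oX output, keeps only open ports, and converts each CPE 2.2 URI that Nmap emits into the CPE 2.3 string the NVD CVE API 2.0 expects in its cpeName parameter, producing a lookup URL per service. The XML fragment is constructed to mirror the case study and is not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX fragment (not a real scan), mirroring the case study.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
 <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
   <service name="http" product="Apache Tomcat" version="7.0.82" conf="10">
    <cpe>cpe:/a:apache:tomcat:7.0.82</cpe></service></port>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
   <service name="ssh" product="OpenSSH" version="7.4" conf="10">
    <cpe>cpe:/a:openbsd:openssh:7.4</cpe></service></port>
  <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/>
   <service name="smtp"/></port>
 </ports></host></nmaprun>
"""

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName="


def cpe22_to_cpe23(cpe22):
    """nmap emits CPE 2.2 URIs ('cpe:/a:vendor:product:version'); the NVD 2.0
    API expects a CPE 2.3 formatted string, i.e. 11 fields padded with '*'."""
    if not cpe22.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {cpe22}")
    fields = cpe22[len("cpe:/"):].split(":")
    fields += ["*"] * (11 - len(fields))
    return "cpe:2.3:" + ":".join(fields[:11])


def inventory(xml_text):
    """Return one dict per open port: host, port, product, version, cpe and
    the NVD query URL to check that exact version for published CVEs."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports expose no service to check
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            cpe = svc.findtext("cpe") if svc is not None else None
            rows.append({
                "host": addr, "port": int(port.get("portid")),
                "product": attrs.get("product"), "version": attrs.get("version"),
                "cpe": cpe, "nvd_url": NVD_API + cpe22_to_cpe23(cpe) if cpe else None,
            })
    return rows
```

Feed the resulting URLs to the NVD API (it is rate limited without an API key) and compare the published CVE list against the detected version before writing the report.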

Conclusion

Effective port scanning is the foundation of bug bounty hunting. By identifying open ports, analyzing running services, and detecting vulnerable versions, you can uncover valuable insights and potential vulnerabilities on a target system. Whether using powerful tools like Nmap for detailed analysis or leveraging Masscan for rapid scans across multiple targets, having a solid port scanning strategy can significantly enhance your bug bounty hunting efforts.

Stay updated on new scanning tools, techniques, and emerging vulnerabilities to ensure your skills remain sharp and effective. Happy hunting!

Promote and Collaborate on Cybersecurity Insights

We are excited to offer promotional opportunities and guest post collaborations on our blog and website, focusing on all aspects of cybersecurity. Whether you’re an expert with valuable insights to share or a business looking to reach a wider audience, our platform provides the perfect space to showcase your knowledge and services. Let’s work together to enhance our community’s understanding of cybersecurity!

About the Author:

Vijay Gupta is a cybersecurity enthusiast with several years of experience in cyber security, cyber crime forensics investigation, and security awareness training in schools and colleges. With a passion for safeguarding digital environments and educating others about cybersecurity best practices, Vijay has dedicated his career to promoting cyber safety and resilience. Stay connected with Vijay Gupta on various social media platforms and professional networks to access valuable insights and stay updated on the latest cybersecurity trends.
