HakTip 137 – Identifying Open Ports in Wireshark

Today on HakTip, Shannon explains how to view an attack on your network and how to discover your vulnerable network ports.


If you are working at a business, you may find that an attacker wants to get into your network. The attacker would start by collecting publicly available information, like your website. They can scan the website’s IP address for any open ports or running services, looking for a way to get in, or ‘intrude’. Oftentimes an attacker uses a TCP SYN (synchronize) scan to find out what’s available to them. If a port on your server was open, it would reply with a SYN/ACK (acknowledge) packet, and they’d have a handshake, but not a completed one, since the attacker won’t be connecting yet. If a port is closed, or if you’ve got a firewall turned on, they would get either an RST packet or nothing at all. This info probably sounds familiar if you’ve watched my series on Nmap, a network scanner.

I’m using an example from Chris Sanders’ Practical Packet Analysis. Buy this book. It’s extremely useful, and he goes into a lot of details I’ve skipped over here.

If you look under “Conversations” while an attack like this is going on, you’d see one IPv4 conversation happening and tons of TCP ones. So let’s look at the very first packet: click it, open the packet header pane, right-click Destination Port, and choose Prepare a Filter > Selected. Delete dst from the filter and press Enter. We see that both packets go to port 443, but the server never replied. So maybe the port is closed.

Now find a port 53 packet (DNS) and do the same thing. The server tries to reach out to the attacker, but the attacker denies the connection, ending the TCP handshake. So it looks like the DNS port is open.

Do the same thing for a packet reaching out to port 113, like packet 13. This port is used for authentication services. The server replies with RST packets, so the port is closed, or nothing is running on it.

Open that Conversations window again and sort the TCP tab by packets, from high to low. Select a conversation and hit Follow Stream at the bottom to view that specific exchange. You’ll notice that the conversations with 5 packets are open ports, the ones with 2 packets are closed (RST), and the rest only have one packet, meaning those ports are probably closed too.
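The walkthrough above classifies ports by looking at each TCP conversation in turn. The script below does the same job over a small constructed capture, and also shows the detection side that the episode only hints at: which source is firing bare SYNs at many ports. It is an added example, not code from the HakTip episode or from Practical Packet Analysis; the IP addresses, packet numbers and flag sequences are constructed sample data mimicking Wireshark’s packet list columns, and the conversation and port-classification functions are my own. It keys the verdict on how the server replied (SYN/ACK, RST, or nothing) rather than on the raw packet count, because retransmissions change the count but not the reply type.

```python
"""Classify scanned ports from a SYN-scan capture the way the Wireshark
walkthrough does by hand: group packets into conversations (client port ->
server port) and look at how the server answered.

Added example; packet records are constructed, not from a real capture.
"""
from collections import defaultdict

ATTACKER = "10.0.0.99"   # constructed scanner address
SERVER = "10.0.0.10"     # constructed target address

# Wireshark display filters used in the walkthrough and for detection
# (tcp.port / tcp.flags.* are real Wireshark field names).
SYN_ONLY_FILTER = "tcp.flags.syn == 1 && tcp.flags.ack == 0"

# (no., src, dst, sport, dport, flags), constructed to reproduce the three
# patterns in the walkthrough: 443 gets no reply, 53 answers with SYN/ACK,
# 113 answers with RST.
PACKETS = [
    (1, ATTACKER, SERVER, 40001, 443, {"SYN"}),
    (2, ATTACKER, SERVER, 40001, 443, {"SYN"}),          # retransmit, still no reply
    (3, ATTACKER, SERVER, 40002, 53, {"SYN"}),
    (4, SERVER, ATTACKER, 53, 40002, {"SYN", "ACK"}),    # open: server acknowledges
    (5, ATTACKER, SERVER, 40002, 53, {"RST"}),           # scanner refuses to finish
    (13, ATTACKER, SERVER, 40003, 113, {"SYN"}),
    (14, SERVER, ATTACKER, 113, 40003, {"RST", "ACK"}),  # closed: server resets
]


def wireshark_filter(port):
    """The filter Prepare a Filter > Selected builds, with 'dst' deleted."""
    return f"tcp.port == {port}"


def conversations(packets, server):
    """Group packets by (client ip, client port, server port), matching the
    rows of Conversations > TCP; both directions land in the same bucket."""
    convs = defaultdict(list)
    for no, src, dst, sport, dport, flags in packets:
        if dst == server:
            key = (src, sport, dport)
        elif src == server:
            key = (dst, dport, sport)
        else:
            continue  # not part of the scan against this server
        convs[key].append((no, src, flags))
    return convs


def classify(conv, server):
    """'open' if the server sent SYN/ACK, 'closed' if it sent RST,
    'no-response' if it never replied (closed or firewalled)."""
    server_flags = [f for _, src, f in conv if src == server]
    if any({"SYN", "ACK"} <= f for f in server_flags):
        return "open"
    if any("RST" in f for f in server_flags):
        return "closed"
    return "no-response"


def port_report(packets, server):
    """Map each scanned server port to (verdict, packets in conversation)."""
    report = {}
    for (_client, _cport, sport), conv in conversations(packets, server).items():
        report[sport] = (classify(conv, server), len(conv))
    return report


def scan_suspects(packets, threshold=3):
    """Detection view: sources that sent bare SYNs (no ACK) to at least
    `threshold` distinct host:port targets, i.e. the SYN_ONLY_FILTER traffic."""
    targets = defaultdict(set)
    for _no, src, dst, _sport, dport, flags in packets:
        if flags == {"SYN"}:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    for port, (verdict, count) in sorted(port_report(PACKETS, SERVER).items()):
        print(f"{wireshark_filter(port):18} {count} packets -> {verdict}")
    print("likely scanners:", scan_suspects(PACKETS))
```

The `no-response` verdict is deliberately not called "closed": as the episode notes, a silent port looks the same whether it is closed or sitting behind a firewall that drops SYNs, and only the RST reply distinguishes the two. The `scan_suspects` check is the defender’s version of the same data, counting how many distinct ports a single source probes with SYN-only packets.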

Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.
