Identifying Open Ports in Wireshark

Today on HakTip, Shannon explains how to view an attack on your network and how to discover your vulnerable network ports.

If you are working at a business, you may find that an attacker wants to get into your network. The attacker would start by collecting publicly available information- like from your website. They can scan the website's IP address for any open ports or running services, and a way to get in, or 'intrude'. Oftentimes, an attacker can use a TCP SYN (for tcp synchronize) scan to find out what's available to them. If your server was open, it would reply with an ACK acknowledge packet, and they'd have a handshake, but not a completed one since the attacker won't be connecting yet. If a port is closed or if you've got a firewall turned on, they would either get an RST packet or none at all. This info probably sounds familiar if you've watched my series on NMap, a network scanner.

I'm using an example from Chris Sanders Practical Packet Analysis. Buy this book. It's extremely useful and he goes into a lot of details I've just skipped over.

If you look under "Conversations" when an attack like this is going on, you'd see one IPv4 conversation happening, and tons of TCP ones. So let's look at the very first packet, by clicking it, opening the packet header pane right clicking on Destination Port, and choosing Prepare a Filter, Selected. Delete dst from the filter, and press enter. We see that these are both port 443, but the server never replied. So maybe the port is closed.

Now find a port 53 packet, for DNS and do the same thing. The server tries to reach out to the attacker, but the attacker denies a connection, ending the TCP handshake. So it looks like the DNS port is open.
Do the same thing for a packet reaching out to port 113, like packet 13. This is used for authentication services. The port is closed, or nothing is running on it. The server replies with RST packets.

Open that conversations window again and sort TCP by packets, from high to low. Hit follow stream at the bottom to view the conversation for that specific conversation. You'll notice that the ones with 5 packets are open, the ones with 2 packets are closed (RST). The rest only had one packet, meaning the ports are probably closed too.

Let me know what you think. Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5 for more great stuff just like this. I'll be there, reminding you to trust your technolust.