Port scans

Port scanning is probably the one old technique that has survived in the hacking game. It has also remained largely unchanged, and is therefore carried out in much the same way regardless of the tool used. In lateral movement, port scans are used to identify systems or services of interest that hackers can attack in an attempt to capture valuable data; these are mostly database servers and web applications. Hackers have learned that quick, full-blown port scans are easily detected, so they use slower scanning tools to get past network monitoring systems. Monitoring systems are normally configured to flag unusual behavior on a network, but if the scan is slow enough, the monitoring tools will not detect the scanning activity.

Most of the scanning tools used were discussed in Chapter 4, Reconnaissance. nmap is the preferred tool of many, since it has many features and is reliable and dependable.

The previous chapter, Chapter 6, Chasing User’s Identity, covered in detail how nmap operates and what kinds of information it returns to its users. A default nmap scan uses full TCP connection handshakes, which are sufficient for finding other targets for the hackers to move to. The following are some examples of how port scans are done in nmap:

# nmap -p80 192.168.4.16

This command only checks whether port 80 is open on the target machine with the IP 192.168.4.16:

# nmap -p80,23 192.168.4.16

One can also check whether multiple ports are open by separating them with a comma in the command, as shown above.
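The point made earlier, that a scan paced slowly enough slips under a monitoring threshold, can be shown from the defender's side with a simple detector. The following is an added example, not code from the book: it counts how many distinct ports a source touches on one host inside a sliding time window, run over a constructed log of a fast scan, a slow scan and a normal client aimed at the same 192.168.4.16 host used above. The log format, the source addresses and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TARGET = "192.168.4.16"  # the host used in the book's nmap examples

def build_sample_log():
    """Constructed connection-attempt log (not from the book), one line per
    attempt: '<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>'."""
    base = datetime(2024, 1, 10, 9, 0, 0)
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3306]
    lines = []
    for i, p in enumerate(ports):  # 10.0.0.5: fast scan, one port per second
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.5 -> {TARGET}:{p}")
    for i, p in enumerate(ports):  # 10.0.0.9: slow scan, one port every 10 minutes
        lines.append(f"{(base + timedelta(minutes=10 * i)).isoformat()} 10.0.0.9 -> {TARGET}:{p}")
    for i in range(5):  # 10.0.0.7: a normal client hitting the web port only
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 10.0.0.7 -> {TARGET}:80")
    return "\n".join(lines)

def parse_line(line):
    ts, src, _, dst = line.split()  # assumed log layout, see build_sample_log
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def detect_scanners(log_text, window_seconds, min_ports):
    """Flag (src, dst) pairs that touch at least `min_ports` distinct destination
    ports within any sliding time window of `window_seconds` seconds."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, port = parse_line(line)
            events[(src, dst_ip)].append((ts, port))
    flagged = set()
    for pair, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the left edge forward until the window spans at most window_seconds
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                flagged.add(pair)
                break
    return flagged
```

With a one-minute window and a threshold of 10 ports only the fast scanner is flagged; widening the window to two hours over the same log also catches the slow scanner, at the cost of having to keep per-source state for that long.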
