
# Basic Scanning (Shodan.io & Nmap)

{% hint style="info" %}
**CEH:** "*In scanning, we usually find open, closed, and filtered ports. Each one corresponds to completely different services, except for some ports used to present a website (80 or 8080). One of the biggest vulnerabilities is finding easily accessible ports, such as port 22 (SSH) and port 23 (Telnet).*"
{% endhint %}

In this **`mini-practice`** we will use **`Shodan`** to locate servers that have certain ports open, in this example ports **`22`** and **`23`**. Then we will use **`nmap`** to confirm that those servers do have the ports open.

{% hint style="danger" %}
**Wikipedia:** **Telnet** (**Tel**etype **Net**work) is the name of a [network protocol](https://es.wikipedia.org/wiki/Protocolo_de_red) that allows us to access another machine to [manage it remotely](https://es.wikipedia.org/wiki/Administraci%C3%B3n_remota). It is also the name of the [software program](https://es.wikipedia.org/wiki/Programa_inform%C3%A1tico) that implements the [client](https://es.wikipedia.org/wiki/Cliente_\(inform%C3%A1tica\)). Its biggest problem is security, since all the **usernames and passwords needed to log into machines travel through the** [**network**](https://es.wikipedia.org/wiki/Red_de_telecomunicaci%C3%B3n) **as** [**plain text**](https://es.wikipedia.org/wiki/Texto_plano) (text strings without [encryption](https://es.wikipedia.org/wiki/Cifrado_\(criptograf%C3%ADa\))). This makes it easy for anyone sniffing the network traffic to obtain the usernames and passwords. For this reason it fell out of use with the arrival of **SSH**.
{% endhint %}

{% hint style="success" %}
**Wikipedia:** **SSH** (or **S**ecure **SH**ell) is the name of a [protocol](https://es.wikipedia.org/wiki/Protocolo_\(inform%C3%A1tica\)) and of the [program](https://es.wikipedia.org/wiki/Programa_\(computaci%C3%B3n\)) that implements it, whose main function is [remote access](https://es.wikipedia.org/wiki/Administraci%C3%B3n_remota) to a server through a secure channel in which all information is encrypted. SSH allows copying data securely (both individual files and simulated encrypted [FTP](https://es.wikipedia.org/wiki/File_Transfer_Protocol) sessions), managing [RSA keys](https://es.wikipedia.org/wiki/Claves_RSA) so as not to type passwords when connecting to devices, and passing the data of any other application through a secure [tunneled](https://es.wikipedia.org/wiki/Protocolo_tunelizado) channel via SSH. It can also redirect [X Window System](https://es.wikipedia.org/wiki/Sistema_de_ventanas_X) traffic to be able to run graphical programs remotely.
{% endhint %}

## Locating servers with ports 22 and 23 open

**Shodan** allows us to search both from its website and from the terminal using an API access key. Here we will use the web version, [`Shodan.io`](https://www.shodan.io/), and refine the search with **`filters`**, in this case the port filter called **`port:`**.

We can use this filter in the following way:

{% hint style="success" %}
In the search bar we enter the text **`port:`** followed by the port number we want to filter by. For example: **`port:80`**.
{% endhint %}

![](https://i.imgur.com/A0cICh6.png)

We run this **`shodan`** search to find the targets for this practice: it is enough to pick **`IP addresses`** from the list of results that **`shodan`** returns. We will then use those IP addresses to confirm that the ports **`shodan`** reports as open for each target are indeed open. For that confirmation we will use the tool **`nmap`**.

## Scanning targets with nmap

For scanning I will use **`nmap`**, which comes preinstalled in distributions like [**`Kali Linux`**](https://www.kali.org/).

### Port 22

As a first example I will use the target **`35.199.79.95`**. Scanning it with **`nmap`** shows that the server has port **`22`** open. For this we run nmap with a series of switches (flags) that let us refine the scan type, speed and port.

{% hint style="info" %}
In this mini-practice we are not going to delve into **`nmap`**. To learn more about this tool and how to perform different types of scans, follow this :point\_right: [**link**](/tzero86/scanning/running-scans-with-nmap.md).
{% endhint %}

![](https://i.imgur.com/47SVpSo.png)

Once the scan completes, we get confirmation that the target has port **`22`** open, as reported by the search we performed in **`shodan`**. Looking closely at the scan result, we see that nmap returns quite a bit of additional information.

### Port 23

Now let's look for a target that has port **`23`** open. For this we refine our **`shodan`** search with the filter **`port:23`**; alternatively, we can search directly by the service name, `telnet`.

{% hint style="info" %}
To find **`servers`** with the **`telnet`** service active, it is enough to enter the **`service name`** in the search bar. This also works with other services, for example **`SSH`**.
{% endhint %}

Once the target is chosen, we scan it with nmap to confirm that port **`23`** is indeed open. In my case I chose **`67.201.141.136`** as the target:

![](https://i.imgur.com/AxlaXZ3.png)

As we can see in the results, the scan confirms that port **`23`** is open. In this particular case port **`21`** is also open. We have now seen how to locate servers with certain ports open and how to verify with nmap that they are indeed open.
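
As an added example (not part of the original page), the script below audits saved nmap XML output (`nmap -oX`) from hosts you administer for the ports discussed here: it reports whether 21, 22 and 23 are open, closed or filtered and flags the plain-text services. The sample XML, its documentation-range addresses and the `audit` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap's XML output (-oX); the addresses
# come from the RFC 5737 documentation ranges, not from a real scan.
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <address addr="198.51.100.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>"""

# Telnet and FTP send credentials in plain text; SSH is encrypted but is
# still a remote-administration entry point worth tracking.
CLEARTEXT = {21: "ftp", 23: "telnet"}
REMOTE_ADMIN = {22: "ssh"}

def audit(xml_text):
    """Return (host, port, state, finding) tuples for the ports of interest."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            number = int(port.get("portid"))
            state = port.find("state").get("state")
            if number not in CLEARTEXT and number not in REMOTE_ADMIN:
                continue
            if state != "open":
                finding = "not exposed"  # closed or filtered
            elif number in CLEARTEXT:
                finding = "cleartext service exposed"
            else:
                finding = "remote admin exposed"
            findings.append((addr, number, state, finding))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_XML):
        print("%-14s %5d/tcp  %-8s  %s" % row)
```
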

