"All IANA assigned ports"

Hi everybody , when configuring a new target, in the ‘Create / Edit Target’ pop-up window, at the ‘Port list’ item (just above the ‘Alive Test’ configuration choice), you are given 3 possibilities :
- All IANA assigned TCP
- All IANA assigned TCP and UDP
- All TCP and Nmap top 100 UDP
Say you select the first choice (All IANA assigned TCP).
My question is very straightforward : will ALL TCP ports, from 0 up to 65 535, actually be tested by the scanner on the target ? I mean : ALL of them … (0 - 65 535) ? And this, regardless of a possible port range limitation in the NVTs sets … ?
Many thanks for your answer, best regards,
J. Le Moigne, INRAe / DSI / SSI (France)

Hi jlemoigne,

Not all 65535 ports will be tested. As the name suggests, only the IANA assigned ports are tested. You can find those here: IANA assigned ports. In summary, system ports (Ports 0-1023) will be highly frequented.

2 Likes

Hi TreAtW, many thanks for your quick reply, and the link (that I’d actually found, but I wasn’t sure as to be able to get a strict understanding of it …)
So, if I’m not mistaken :

  • that’s roughly (roughly, because there are some small gaps with unassigned values) from 0 up to 49 150 (49 151 is IANA reserved)
  • and THEN also some ‘funny’ services, such as ‘chaos’ (CHAOS protocol), ‘ggp’ (Gateway Gateway Protocol), (and so on …) : are THESE also tested by the GVM scanner (if you would know the answer) … ??
    Jean

Unfortunately, my knowledge about OpenVAS, GVM and NVTs doesn’t reach that far :confused: But I’m sure that someone more experienced than me will answer your question. :slight_smile:

Okay. Many thanks however ;-D)
regards, see you Jean

1 Like

Hello @jlemoigne
If you want to take a look at the current IANA port list, you can check the port list data object folder.

$ cd ~/install/var/lib/gvm/data-objects/gvmd/22.04/port-lists
$ cat all-iana-assigned-tcp-33d0cd82-57c6-11e1-8ed1-406186ea4fc5.xml | xmlstarlet fo | egrep "start|end"

Regards,

2 Likes
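
Added example, not part of the original thread or Greenbone's code: a Python version of the `egrep "start|end"` check above that also merges the ranges, counts the distinct ports per protocol and tells you whether a given port is in the list. The XML is a constructed sample; only `<start>` and `<end>` come from the thread, while the `<port_range>` and `<type>` element names are assumptions about the file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, NOT the real Greenbone port list. Only <start> and <end>
# appear in the thread; <port_range> and <type> are assumed element names.
SAMPLE_XML = """<port_list id="00000000-0000-0000-0000-000000000000">
  <name>Constructed sample</name>
  <port_ranges>
    <port_range><start>1</start><end>3</end><type>tcp</type></port_range>
    <port_range><start>22</start><end>22</end><type>tcp</type></port_range>
    <port_range><start>20</start><end>25</end><type>tcp</type></port_range>
    <port_range><start>80</start><end>80</end><type>tcp</type></port_range>
    <port_range><start>53</start><end>53</end><type>udp</type></port_range>
  </port_ranges>
</port_list>"""


def load_ranges(xml_text):
    """Return {protocol: [(start, end), ...]} with overlapping ranges merged."""
    by_proto = {}
    for pr in ET.fromstring(xml_text).iter("port_range"):
        start, end = int(pr.findtext("start")), int(pr.findtext("end"))
        if not 0 <= start <= end <= 65535:
            raise ValueError(f"bad port range {start}-{end}")
        proto = (pr.findtext("type") or "unknown").strip().lower()
        by_proto.setdefault(proto, []).append((start, end))
    for proto, ranges in by_proto.items():
        merged = []
        for start, end in sorted(ranges):
            # Merge ranges that overlap or touch, so no port is counted twice.
            if merged and start <= merged[-1][1] + 1:
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        by_proto[proto] = merged
    return by_proto


def port_count(ranges):
    """Number of distinct ports covered by a list of merged ranges."""
    return sum(end - start + 1 for start, end in ranges)


def is_scanned(ranges, port):
    """True if the port falls inside any range of the port list."""
    return any(start <= port <= end for start, end in ranges)


if __name__ == "__main__":
    for proto, ranges in load_ranges(SAMPLE_XML).items():
        print(proto, port_count(ranges), "ports; 8080 listed:", is_scanned(ranges, 8080))
```

To run it against a real list, pass the contents of a file from the port-lists directory to `load_ranges()` instead of `SAMPLE_XML`.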

Hi jjnicola ,

~/install/var/lib/gvm/data-objects/gvmd/22.04/port-lists
hmmm … ! Yes, of course ! :slightly_smiling_face:
Excellent (and definitely GVM contextual). Thank you very much, regards, Jean

As soon as one port is included in the used port list and the port was found to be open during the port scanning phase, the service behind this port will get scanned, independent of what’s running behind it.

For example just because a specific port is IANA assigned / reserved doesn’t mean that such a service is actually running behind it. e.g. you could also make an SSH server (IANA assigned: 22) listen on port 80 (IANA assigned: www) and just relying on the IANA assignments doesn’t work in such cases.

2 Likes

Hi cfi , many thanks to you as well.

e.g. you could also make an SSH server (IANA assigned: 22) listen on port 80 (IANA assigned: www) and just relying on the IANA assignments doesn’t work in such cases

hmmmm … Okay, but meaning what, exactly … ? is openvas-scanner ‘expecting’ HTTP protocol behind port 80 in some way ? and if it is SSH (on port 80), will it abort … ? or “try something else” … ?
Actually meaning : in this case, will it be able to effectively scan the service behind the port (even if it’s not at all IANA compliant), and get some info, or will this port scan just be unsuccessful ?

If you possibly would know the answer, that would be great to understand more deeply the way the scanner behaves.
Regards, Jean

For instance, I suppose real hackers try ‘many things’ on any given active port. Hence, they probably are rapidly able to determine whether the actual service behind is SQL, HTTPS or SMTP.
The question is : do NVTs tests, or some other sections of openvas-scanner code, go that far as well … ?
Jean

Yes, services are “probed” via various means to identify the service running behind it independent from any IANA assignment or similar. See e.g. https://github.com/greenbone/openvas-scanner/blob/v22.4.0/nasl/nasl_builtin_find_service.c, VTs like “find_service1.nasl” or any other VTs in the “Service detection” family.

I humbly confess I’ve not been checking the sources … :slightly_frowning_face: (yet)
But this is great to hear : so it’s actually quite an advanced ‘expert’ system, and an impressive development effort !
Many thanks for your very precise answers, best regards , Jean

1 Like

So, if it might help somebody in shortening things : that’s 1 242 TCP ports scanned by ‘openvas-scanner’ in “ALL IANA assigned TCP ports” (which is far from all of them …), as of Dec 13th, 2022 (for it’s an information which is dynamically updated on your server).
=> see files in cd ~/install/var/lib/gvm/data-objects/gvmd/22.04/port-lists$ (as stated by jjnicola)
Best regards , jean
All IANA assigned TCP ports list - ‘openvas-scanner’ - 2022.12.13.txt (17.1 KB)

On an operational and running GVM server, it’s actually located there :
/var/lib/gvm/data-objects/gvmd/22.04/port-lists
see ya , J.