A port scan is a method for determining which ports on a network are open. Since the ports on a computer are the places where information is sent and received, port scanning is analogous to knocking on doors to see whether someone is home. Running a port scan against a network or server reveals which ports are open and listening (receiving information), and can also reveal security devices such as firewalls sitting between the sender and the target. This technique is known as fingerprinting. It is also valuable for testing network security and the strength of a system’s firewall. For the same reasons, it is a popular reconnaissance tool for attackers looking for a weak point of entry into a computer.
Ports vary in the services they offer. They are numbered from 0 to 65535, but certain ranges are used far more often than others. Ports 0 to 1023 are the “well-known ports” or standard ports and have been assigned services by the Internet Assigned Numbers Authority (IANA). Some of the most prominent ports and their assigned services include:
- Port 20 (udp) – File Transfer Protocol (FTP) for data transfer
- Port 22 (tcp) – Secure Shell (SSH) protocol for secure logins, ftp, and port forwarding
- Port 23 (tcp) – Telnet protocol for unencrypted text communications
- Port 53 (udp) – Domain Name System (DNS), which translates the names of computers on the internet to IP addresses
- Port 80 (tcp) – World Wide Web HTTP
There are standard services offered on ports above 1023 as well, and there are ports that, if open, can indicate an infected system because of their popularity with some widespread Trojans and viruses.
A port scan sends a carefully prepared packet to each destination port number. The basic techniques that port scanning software is capable of include:
- Vanilla – the most basic scan: an attempt to connect to all 65,536 ports, one at a time. A vanilla scan is a full connect scan, meaning it sends a SYN flag (request to connect) and, upon receiving a SYN-ACK (acknowledgement of connection) response, sends back an ACK flag. This SYN, SYN-ACK, ACK exchange is the TCP three-way handshake. Full connect scans are accurate but very easily detected, because full connections are always logged by firewalls.
- SYN Scan – also referred to as a half-open scan; it only sends a SYN and waits for a SYN-ACK response from the target. If a response is received, the scanner never replies. Because the TCP connection was never completed, the system doesn’t log the interaction, but the sender has learned whether the port is open.
- XMAS and FIN Scans – examples of a family of scans used to gather information without being logged by the target system. In a FIN scan, an unsolicited FIN flag (normally used to end an established session) is sent to a port. The system’s response to this unexpected flag can reveal the state of the port or give insight into the firewall. For example, a closed port that receives an unsolicited FIN packet responds with a RST (immediate abort) packet, whereas an open port ignores it. An XMAS scan simply sends a packet with all of the flags set, creating a nonsensical interaction; the system’s response can be interpreted to better understand the system’s ports and firewall.
- FTP Bounce Scan – allows the sender’s location to be disguised by bouncing the packets through an FTP server. This, too, is designed to let the sender go undetected.
- Sweep scan – pings the same port across a number of computers to identify which hosts on the network are active. It does not reveal the port’s state; instead it tells the sender which systems on a network are up, so it can serve as a preliminary scan.
Scans designed so that the sender goes undetected by the receiving system’s logs are known as stealth scans and are of particular interest to attackers. Despite that popularity, port scanning remains a valuable tool for fingerprinting a network and for a penetration tester assessing the strength of network security.
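The list above draws a line between scans that show up in the target's logs and "stealth" scans that do not. From the defender's side the useful observation is that a perimeter or host firewall that logs dropped packets records the probe itself, whether or not a handshake ever completes, so half-open SYN probes and FIN/XMAS probes still leave a trace in the firewall log. The following is an added example, not code from the article: it parses netfilter-style syslog lines (constructed below; the SRC=/DST=/PROTO=/DPT= field layout is the common LOG-target format) and raises two kinds of alert, a vertical scan (one source touching many ports on one host) and a horizontal sweep (one source touching the same port on many hosts, the "sweep scan" above). The window and the two thresholds are assumptions to tune for your own environment.

```python
"""Flag port-scan patterns in firewall log lines (added example, not from the article)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Netfilter LOG-target style line: timestamp, host, then KEY=VALUE fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Dict]:
    """Pull timestamp, source, destination and destination port out of one line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        # syslog timestamps carry no year; only differences between them are used
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


Alert = Tuple[str, str, object, int]   # (kind, source, target, peak count)


def detect_scans(lines: List[str], window_s: int = 60,
                 vertical_threshold: int = 10,
                 horizontal_threshold: int = 5) -> List[Alert]:
    """Sliding-window count of distinct ports per host and hosts per port.

    For a 'vertical' alert the target is the scanned host; for a 'horizontal'
    alert the target is the swept port. Thresholds are assumptions."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent: Dict[str, deque] = defaultdict(deque)   # per-source events in the window
    alerts: Dict[Tuple, int] = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()                                # expire events outside the window
        ports_per_host: Dict[str, set] = defaultdict(set)
        hosts_per_port: Dict[int, set] = defaultdict(set)
        for e in q:
            ports_per_host[e["dst"]].add(e["dpt"])
            hosts_per_port[e["dpt"]].add(e["dst"])
        for dst, ports in ports_per_host.items():
            if len(ports) >= vertical_threshold:
                key = ("vertical", ev["src"], dst)
                alerts[key] = max(alerts.get(key, 0), len(ports))
        for dpt, hosts in hosts_per_port.items():
            if len(hosts) >= horizontal_threshold:
                key = ("horizontal", ev["src"], dpt)
                alerts[key] = max(alerts.get(key, 0), len(hosts))
    return sorted(((k[0], k[1], k[2], n) for k, n in alerts.items()),
                  key=lambda a: (a[0], a[1], str(a[2])))


def _line(hms: str, src: str, dst: str, dpt: int) -> str:
    """Build one constructed log line in the netfilter LOG-target layout."""
    return (f"Mar 22 {hms} gw kernel: [FW-DROP] IN=eth0 OUT= "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF "
            f"PROTO=TCP SPT=40000 DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0")


# Constructed sample: one vertical scan of a host, one SSH sweep across a
# subnet, and one benign connection that must not trigger anything.
SAMPLE_LOG = (
    [_line(f"10:00:{i:02d}", "198.51.100.7", "192.0.2.10", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 3389], 1)]
    + [_line(f"10:05:{i:02d}", "203.0.113.5", f"192.0.2.{h}", 22)
       for i, h in enumerate(range(1, 7))]
    + [_line("10:07:00", "192.0.2.50", "192.0.2.10", 443)]
)

if __name__ == "__main__":
    for kind, src, target, count in detect_scans(SAMPLE_LOG):
        print(f"{kind:10} scan from {src} -> {target} ({count} distinct)")
```

Counting distinct ports and distinct hosts, rather than raw packet volume, is what keeps a single busy client from looking like a scanner; the trade-off is that a scan slower than the window goes unnoticed, so the window should be set with the slowest scan you care about in mind.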
Port Scanning and Its Importance in Vulnerability Scanning (22 Mar)
Cybercrime is at an all-time high. One of the easiest ways for cybercriminals to gain access to an organization’s devices is through open ports. System administrators and security professionals run port scans as part of vulnerability scans to identify such open ports and prevent intrusions. In this blog, we take a deep dive into the various aspects of port scanning and the role it plays in vulnerability scanning.
What Is Port Scanning?
The process of scanning a computer’s ports is called port scanning. It reports whether a device’s ports are open, closed or filtered, and is mainly performed to identify whether a port is sending or receiving any information.
Port scanning also involves the sending of data to specific ports and analyzing the responses to identify vulnerabilities.
It is also one of the techniques used by attackers to discover devices/services they can break into.
How Does Port Scanning Work?
A port scanner inspects your IP address block for hosts and open ports using the Transmission Control Protocol/Internet Protocol (TCP/IP) family of network protocols.
To understand exactly how it works, we need to look at the basic components of port scanning – ports, port numbers and the techniques used to probe them.
Ports and Port Numbers
Ports are communication endpoints through which network devices connect. Each port is identified by a 16-bit unsigned port number. The port number ranges are as follows:
Well-Known TCP/IP Port Numbers
Port numbers from 0 to 1024 are reserved for privileged services and designated as well-known ports. Here is the list of well-known port numbers as provided by Webopedia.
| Port Number | Description |
|---|---|
| 1 | TCP Port Service Multiplexer (TCPMUX) |
| 5 | Remote Job Entry (RJE) |
| 7 | ECHO |
| 18 | Message Send Protocol (MSP) |
| 20 | FTP — Data |
| 21 | FTP — Control |
| 22 | SSH Remote Login Protocol |
| 23 | Telnet |
| 25 | Simple Mail Transfer Protocol (SMTP) |
| 29 | MSG ICP |
| 37 | Time |
| 42 | Host Name Server (Nameserv) |
| 43 | WhoIs |
| 49 | Login Host Protocol (Login) |
| 53 | Domain Name System (DNS) |
| 69 | Trivial File Transfer Protocol (TFTP) |
| 70 | Gopher Services |
| 79 | Finger |
| 80 | HTTP |
| 103 | X.400 Standard |
| 108 | SNA Gateway Access Server |
| 109 | POP2 |
| 110 | POP3 |
| 115 | Simple File Transfer Protocol (SFTP) |
| 118 | SQL Services |
| 119 | Newsgroup (NNTP) |
| 137 | NetBIOS Name Service |
| 139 | NetBIOS Datagram Service |
| 143 | Interim Mail Access Protocol (IMAP) |
| 150 | NetBIOS Session Service |
| 156 | SQL Server |
| 161 | SNMP |
| 179 | Border Gateway Protocol (BGP) |
| 190 | Gateway Access Control Protocol (GACP) |
| 194 | Internet Relay Chat (IRC) |
| 197 | Directory Location Service (DLS) |
| 389 | Lightweight Directory Access Protocol (LDAP) |
| 396 | Novell Netware over IP |
| 443 | HTTPS |
| 444 | Simple Network Paging Protocol (SNPP) |
| 445 | Microsoft-DS |
| 458 | Apple QuickTime |
| 546 | DHCP Client |
| 547 | DHCP Server |
| 563 | SNEWS |
| 569 | MSN |
| 1080 | Socks |
Registered Ports
These port numbers are registered with the Internet Assigned Numbers Authority (IANA) and can be used by anyone for their servers, or as ephemeral numbers (temporary, and valid only for the lifetime of the connection) for their clients. The registered port numbers range from 1024 to 49151. For the complete list of registered port numbers, visit the IANA website.
Dynamic or Private Ports
These port numbers range from 49152 to 65535. Dynamic ports are client ports used for private or customized services. They cannot be registered with IANA.
Port Scanning Protocols
Generally, TCP and the User Datagram Protocol (UDP) are the protocols most used for port scanning.
The most commonly used method of TCP scanning is the synchronized acknowledged (SYN) scan. SYN scanning creates a partial connection to the host on the target port by sending a SYN packet and then evaluating the host’s response. It is also known as a stealth scan, since hackers use it to make changes to a network while remaining undetected.
Another method of TCP scanning is the TCP connect scan. It is slow and methodical: it establishes a full connection and then tears it down.
UDP is a connectionless protocol that facilitates the exchange of messages between computing devices in a network. Often used for videoconferencing applications and computer games, UDP enables real-time performance. Unlike TCP, it is the preferred protocol for applications that do not need guaranteed delivery of every data packet.
Port Scanning Techniques and Methods
There are various port scanning techniques available. The most significant ones are:
- TCP SYN Scan – As mentioned above, the SYN scan is the most popular scanning method. It is also known as a half-open scan, since it opens a two-way communication channel and the scanner never closes the connections it opens.
- TCP FIN Scan – This scan, mostly used by attackers, is able to pass through firewalls and other scan-detection programs. When the scanning system sends FIN packets to the targeted system, the closed ports respond with a reset while the open ports ignore the packets.
- TCP XMAS Scan – This scan is used to identify the listening ports on the targeted system.
- TCP Null Scan – An extremely stealthy scan, the TCP Null scan sets all the header flags to zero. Instead of turning on flags in the header that would cause the host to treat the packet as invalid, the NULL scan turns every header flag off.
- Vanilla TCP Connect Scan – An easily detectable scan, the Vanilla scan uses the operating system’s connect system call to open a connection to every open port on the target system.
- Ping Scan – The Ping scan uses the “ping” command to find the computers that are active.
Port Status
As mentioned earlier, the status of a port is either open, closed or filtered. Let’s take a look at what each of these statuses means.
- Open – An open port implies that when someone tries to connect to that port on the server, the server might respond in some way.
- Closed – As the name suggests, a closed port indicates that the server isn’t responding to any connections.
- Filtered – A filtered port indicates that a firewall or some antivirus/anti-malware program is blocking the port to avoid certain connections.
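The three statuses above are not observed directly; a scanner infers them from what comes back for each probe, and the inference depends on which scan type sent the probe (the SYN, connect, FIN, XMAS and Null scans listed earlier, and the vanilla/SYN/FIN/XMAS scans in the first article). The following is an added example, not code from either article: it encodes those rules as decision logic over constructed responses, with no packets sent. For connect and SYN probes a SYN-ACK means open, a RST means closed and silence means filtered; for FIN, Null and XMAS probes a RST means closed while silence can only be reported as "open|filtered", since a firewall dropping the probe looks identical to an open port ignoring it. The `fin_results_unreliable` check is an added caveat: stacks that do not follow RFC 793 (Windows is the well-known case) answer RST on every port, so a FIN-style scan that reports everything closed is more likely talking to such a stack than to a host with nothing listening.

```python
"""Decision logic a scanner applies to TCP probe responses (added example, not from the article)."""
from dataclasses import dataclass
from typing import Dict, Optional

# TCP header flag bits (low byte of the flags field).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags set on the probe packet each scan type sends.
PROBE_FLAGS = {
    "connect": SYN,            # completes the three-way handshake
    "syn": SYN,                # half-open: stops after the SYN-ACK
    "fin": FIN,                # unsolicited FIN
    "null": 0,                 # no flags at all
    "xmas": FIN | PSH | URG,   # "lit up like a Christmas tree"
}


@dataclass
class Response:
    """What came back for one probe (constructed input for this example).

    flags is the TCP flag byte of the reply, or None when nothing came back
    within the retry budget; icmp_unreachable is True when an ICMP
    destination-unreachable message arrived instead of a TCP segment."""
    flags: Optional[int] = None
    icmp_unreachable: bool = False


def infer_state(scan: str, resp: Response) -> str:
    """Map one probe's response to open / closed / filtered / open|filtered."""
    if scan not in PROBE_FLAGS:
        raise ValueError(f"unknown scan type: {scan}")
    if resp.icmp_unreachable:
        return "filtered"              # a router or host firewall rejected the probe
    if scan in ("connect", "syn"):
        if resp.flags is None:
            return "filtered"          # probe silently dropped
        if resp.flags & SYN and resp.flags & ACK:
            return "open"              # the port offered the handshake
        if resp.flags & RST:
            return "closed"            # nothing listening
        return "unknown"               # not a normal answer to a SYN
    # FIN / NULL / XMAS: per RFC 793 a closed port answers RST and an open
    # port stays silent, so silence cannot separate open from filtered.
    if resp.flags is not None and resp.flags & RST:
        return "closed"
    if resp.flags is None:
        return "open|filtered"
    return "unknown"                   # a reply RFC 793 does not predict


def classify_host(scan: str, responses: Dict[int, Response]) -> Dict[int, str]:
    """Classify every probed port on one host for a given scan type."""
    return {port: infer_state(scan, resp) for port, resp in responses.items()}


def fin_results_unreliable(states: Dict[int, str]) -> bool:
    """True when a FIN/NULL/XMAS result set reports every port closed, which
    usually means the target stack answers RST regardless of port state."""
    return bool(states) and all(s == "closed" for s in states.values())


if __name__ == "__main__":
    # Constructed responses: 22 offered a handshake, 23 refused, 80 was dropped.
    syn_results = {22: Response(flags=SYN | ACK), 23: Response(flags=RST | ACK), 80: Response()}
    print(classify_host("syn", syn_results))
    print(classify_host("fin", {22: Response(), 23: Response(flags=RST | ACK)}))
```

The practical consequence for a defender reading a scan report is that "filtered" and "open|filtered" are statements about the path as much as about the host: a firewall that drops rather than rejects makes closed ports indistinguishable from open ones for the FIN-style scans, which is exactly why those scans are less attractive against a filtered perimeter.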
What Is the Purpose of Port Scanning?
The purpose of port scanning is to acquire information from the servers to which the ports are attached. Port scanning is carried out by system administrators to monitor endpoints as well as by attackers for malicious purposes.
Is Port Scanning Active or Passive?
When port scanning is carried out by system administrators or other IT technicians as part of the device monitoring process, it is mostly passive. However, when carried out by hackers looking for a gateway into the company’s servers, it is mostly an active process.
What Is the Most Widely Used Port Scanning Tool?
“Nmap,” which stands for Network Mapper, is the most widely used port scanning tool. A favorite of system administrators, it can be installed on Windows, Linux and macOS or built from source code. Released 16 years ago as a Linux-only port scanner, Nmap has evolved over the years and now offers some very valuable features, such as OS detection, version detection, the Nmap Scripting Engine, a Windows port, a graphical user interface and more.
Nmap is still under rapid development and is also being offered as an online web service, which means users can scan their own machines from the cloud to identify any open vulnerabilities.
Why Is Port Scanning Important?
Since port scanning identifies the open ports and services available on a network, security professionals use it to find security vulnerabilities on that particular network. While it is essential for network management, it is unfortunately also used extensively by cybercriminals.
Are Open Ports a Security Risk?
Ports are doors to devices. That’s why open ones pose a security risk: unless protected by a firewall, they provide easy access for cybercriminals. A firewall monitors incoming and outgoing connections on a device and filters unwanted access. With firewall software in place, devices can be made less vulnerable to attacks.
Port Scanning as Part of Vulnerability Scanning
Security professionals in organizations run vulnerability scans that scan a specified set of ports on a remote host and test the service offered at each port for known vulnerabilities.
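The first step of such a scan, deciding which ports on a host are actually open, is the full-connect probe the articles call a vanilla or TCP connect scan. The following is an added example, not code from the article or from RapidFire Tools: a small self-audit that probes a host you administer (the default is loopback), classifies each port as open, closed or filtered from the result of the connect call, and reports any open port that is not on an approved list. The `open_listener` and `free_port` helpers are constructed test fixtures that create a listening port and a known-unused port locally so the audit runs offline; the allowlist itself is an assumption you would replace with your own inventory.

```python
"""Audit a host's listening TCP ports against an approved list (added example, not from the article)."""
import errno
import socket
from typing import Dict, Iterable, List, Set, Tuple


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Full TCP connect to one port; return open / closed / filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except socket.timeout:
            return "filtered"         # no answer at all: something dropped the SYN
    if rc == 0:
        return "open"                 # handshake completed; a service is listening
    if rc == errno.ECONNREFUSED:
        return "closed"               # host answered RST: nothing bound there
    return "filtered"                 # timeout or unreachable reported as an errno


def open_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Constructed test target: bind an ephemeral port and listen on it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Constructed test input: an ephemeral port number that nothing listens on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def audit_ports(host: str, ports: Iterable[int], allowed: Set[int]) -> Dict[str, List[int]]:
    """Probe each port and split the result into approved and unexpected open ports."""
    states = {p: probe_port(host, p) for p in ports}
    open_ports = sorted(p for p, st in states.items() if st == "open")
    return {
        "open": open_ports,
        "unexpected_open": [p for p in open_ports if p not in allowed],
        "closed": sorted(p for p, st in states.items() if st == "closed"),
        "filtered": sorted(p for p, st in states.items() if st == "filtered"),
    }


if __name__ == "__main__":
    srv, listening = open_listener()
    quiet = free_port()
    try:
        # Assumed allowlist: only the unused port is "approved", so the
        # listener shows up as an unexpected open port.
        print(audit_ports("127.0.0.1", [listening, quiet], allowed={quiet}))
    finally:
        srv.close()
```

Comparing against an allowlist rather than just listing open ports is what turns a scan into a control: the interesting output is the difference between what is listening and what is supposed to be listening, and that difference is what a vulnerability scanner then goes on to test service by service.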
RapidFire Tools’ Inspector 2, the industry-leading tool for vulnerability scanning and management, performs routine scans to identify threats on all systems associated with your network. Designed specifically for MSPs, the application checks all the ports on any device connected to a network including servers, desktops, laptops, virtual machines, mobile devices, firewalls, switches and printers. For ports that are open, the system attempts to identify what device or software has opened it and runs tests for all known associated vulnerabilities.
Inspector 2 is highly scalable and designed to work across multiple disjointed networks and multiple subnets. With built-in automation, MSPs do not have to worry about forgotten scans and can expect an increase in their operational efficiency.
Learn more about Inspector 2 by requesting a free demo here.