What is port scanning?
Port scanning is a method of determining which ports on a network are open and could be receiving or sending data. It is also a process for sending packets to specific ports on a host and analyzing responses to identify vulnerabilities. This scanning process can’t take place without identifying a list of active hosts and mapping those hosts to their IP addresses. After a thorough network scan is complete and a host list is compiled, a proper port scan can take place. The organization of IP addresses, hosts, and ports allows the scanner to properly identify open or vulnerable server locations with the goal of diagnosing security levels.
These scans reveal the presence of security in place such as a firewall between the server and the user’s device.
Both cyber attackers and administrators are able to use these scans to verify or check security policies of a network and identify vulnerabilities; and in the attackers’ case, identify weak entry points.
The general protocols used for port scanning are TCP (transmission control protocol) and UDP (user datagram protocol). They are both data transmission methods for the internet, but have different mechanisms. TCP is a reliable, two way connection-based transmission of data that relies on the destination’s status in order to complete a successful send. UDP is connectionless and unreliable. The data is sent without concern for the destination; therefore, it is not guaranteed that the data will even make it. There are several different methods of performing port scans using these two protocols, which will be explained in the techniques section below.
What is a port?
Computer ports are the central docking point for the flow of information from a program or the internet to a device or another computer in the network and vice versa. It’s the parking spot for data to be exchanged through electronic, software, or programming-related mechanisms. Port numbers are used for consistency and programming. The port number combined with an IP address form the vital information kept by every Internet Service Provider in order to fulfill requests. Ports range from 0 to 65,536 and basically rank by popularity.
Ports 0 to 1023 are well known port numbers that are designed for internet use, although they can have specialized purposes as well. They are administered by the Internet Assigned Numbers Authority (IANA). These ports are held by top-tier companies like Apple QuickTime, MSN, SQL services, and other prominent organizations. You may recognize some of the more prominent ports and their assigned services:
- Port 20 (UDP) holds File Transfer Protocol (FTP) used for data transfer
- Port 22 (TCP) holds Secure Shell (SSH) protocol for secure logins, ftp, and port forwarding
- Port 53 (UDP) is the Domain Name System (DNS) which translates names to IP addresses
- Port 80 (TCP) is the World Wide Web HTTP
Numbers 1024 through 49151 are considered “registered ports” meaning they are registered by software corporations. Ports 49,151 through 65,536 are dynamic and private ports - and can be used by nearly everyone.
What type of results can you get from a port scan?
Port scans report back to the user revealing the status of the network or server, described in one of three categories: open, closed, or filtered.
Open ports indicate:
- The target server or network is actively accepting connections or datagrams and responded with a packet that indicates it is listening. It also indicates that the service used for the scan (typically TCP or UDP) is in use as well. Finding open ports is typically the overall goal of port scanning and a victory for a cyber criminal looking for an attack avenue. Administrators attempt to barricade these ports by installing firewalls to protect them without limiting access for legitimate users.
Closed ports indicate:
- The server or network received the request but there is no service “listening” on that port. A closed port is still accessible and can be useful in showing that a host is on an IP address. These ports should still be monitored, as they can open up and create vulnerabilities. Admins should consider blocking them with a firewall, where they would then become “filtered” ports.
Filtered ports indicate:
- That a request packet was sent, but the host did not respond and is not listening. This usually means that a request packet was filtered out and/or blocked by a firewall. Packets do not reach their target location, and therefore attackers cannot find out more information. They often respond with error messages reading “destination unreachable” or “communication prohibited.”
What are port scanning techniques?
There are several different port scanning techniques that send packets to destinations for various reasons. Listed below are a few of the many techniques and how they work:
- The simplest port scans are called ping scans. These are internet control message protocol (ICMP) requests. Ping scans send out an automated blast of several ICMP requests to different servers to bait responses. Administrators may use this technique to troubleshoot, or disable the ping by using a firewall - which makes it impossible for bad actors to find the network through pings.
- A half-open scan, or “SYN” scan, only sends a SYN (short for synchronize) message and doesn’t complete the connection, leaving the target hanging. It’s a quick and sneaky technique aimed at finding potential open ports on target devices.
- XMAS scans are even quieter and less noticeable. Sometimes FIN packets (message meaning “no more data is available from the sender”) go unnoticed by firewalls because they are mostly looking for SYN packets. For this reason, XMAS scans send packets with all of the flags, including FIN, expecting no response, which would mean the port is open. Receiving a RST response would mean the port is closed. This is simply a more sneaky way to learn about a network’s protection and firewall, as this scan rarely show up in logs.
How can cyber criminals use port scanning as an attack method?
According to the SANS Institute, port scanning happens to be one of the most popular tactics used by cyber attackers when searching for a vulnerable server to breach.
These cyber criminals often use port scanning as a preliminary step when targeting networks. They use the scan to scope out the security levels of various organizations and determine who has a strong firewall and who may have a vulnerable server or network. A number of TCP protocol techniques actually make it possible for attackers to conceal their network location and use “decoy traffic” to perform port scans without revealing any network address to the target.
They probe networks and systems to see how each port will react - open, closed, or filtered. Open and closed responses alert hackers that your network is in fact on the receiving end of the scan. These cyber criminals can then determine the level of security and what type of operating system your business has. Port scanning is an old technique that requires security changes and up-to-date threat intelligence as protocols and security tools are evolving daily. Port scan alerts and firewalls are necessary to monitor traffic to your ports and ensure malicious traffic doesn’t detect your network.
- What is an IPS? (Intrusion Prevention System)
- What is an IDS? (Intrusion Detection System)
- What is Defense in Depth in Network Security?
MSSPs: Surviving and Prospering in the New Network Security Reality. The Avast Business "Easy Button" Solution.
See How a Secure Internet Gateway with Powerful Next Gen Firewall Capabilities (NGFW) Provides Complete Security.