What is port scanning?
Ports are one of the main reasons that data packets are able to find their way to their intended destination. They serve as interfaces between computers and system services or programs and are used by the TCP and UDP protocols. Together with the IP address, they allow operating systems to determine which computer and which application data is to be delivered to.
What is port scanning? A brief explanation
Port scanning refers to the targeted process of checking, with the help of special tools, which ports of a computer system are open. Before we delve into what port scanning is, it helps to first take a look at what ports are. Ports serve as an interface between active programs and the internet. They are used to route inbound and outbound data packets to the correct applications and are managed by the operating system.
For an application to communicate via a port, that port needs to be open. Open ports, however, present a risk: if an application using a port has security vulnerabilities, the port can serve as a potential entry point for attackers. To minimise the risk of an attack, you should always know which ports are open on your system and which applications are associated with them.
You don’t need to be logged into the target system in order to perform a port scan on it; you only need to be able to reach it via a local network or the internet. A port scanner sends specially constructed test packets to the ports in question and analyses the answers or error messages that come back. Depending on the scanner’s range of functions, you can find out which ports are open and which are closed, and often also which services or applications are using the respective ports.
Port scanning offers system administrators an efficient means of monitoring the data traffic in a network: potential weaknesses can be identified, and the system’s attack surface can be reduced. In some cases, it also helps administrators solve concrete network problems. Additionally, the tools don’t have any noticeable influence on the performance of the systems they scan, so they can be used for security checks without worrying about unintended effects on performance.
Port scanners are also useful for home PCs. As soon as you start using applications that require an internet connection, ports are opened automatically, unless your firewall prevents this. A port scan helps you keep an overview, showing you ports that are no longer needed so that you can close them and reduce the associated security risk.
How does port scanning work?
Port scanners offer many different methods. Most of these, however, involve the connection-oriented protocol TCP. In order to understand the basic processes that occur during port scanning, it’s helpful to take a look at the general structure of TCP connections:
- The process, also known as the three-way handshake, begins with the client sending a SYN packet (synchronise) to the destination port.
- If an application is listening on that port, the client receives a combined SYN/ACK packet (synchronise/acknowledge), which confirms that the port accepts the connection.
- In the third and final step, the client sends an ACK packet (acknowledge), which establishes the connection and allows the data exchange to begin.
If a closed port is contacted, the client instead receives an RST packet (reset) in the second step, which ends the handshake.
Since exchanging data with every kind of application would be difficult and time-consuming, port scanning limits itself to simple connection attempts, as the following scan methods show.
TCP-SYN scan
The goal of a TCP-SYN scan is not to establish a complete TCP connection, which is why this type of scan is commonly referred to as a half-open scan. The port scanner sends ordinary SYN packets to individual ports and waits for an answer from the target host. If the host replies with a SYN/ACK packet, the respective port is open and a connection could be set up. If the reply is an RST packet, the port is closed. If there is no reply at all, the cause is most likely a packet filter (e.g. a firewall) located upstream.
Because the handshake is never completed, TCP-SYN scans are not visible to the applications being assessed and therefore do not generate any application log data. This is why they are also referred to as stealth scans.
TCP connect scan
If you execute a connect scan with your port scanner, you don’t generate and send the data packets yourself. Instead, you use the system call connect, which is available on almost every operating system. If the connection attempt succeeds, the port is open; if it fails, the port is closed. Because a connection is actually established when a port is open, the scan will show up in the log files of the application listening on that port. On the other hand, the scan provides no information about any packet filters in between. If you don’t have the rights to send raw data packets, the TCP connect scan is a useful alternative to the SYN scan.
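A minimal connect scan of your own host, added here as an example that is not from the original article: it opens one listening socket and one bound-but-idle socket on loopback (standing in for an application and a closed port), classifies both through connect(), and records that the listener saw the scanner, which is what makes a connect scan appear in application logs.

```python
import socket
import threading

def connect_scan(host, ports, timeout=0.5):
    """Classify each port by the outcome of the OS connect() call, i.e. a full three-way handshake."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"        # SYN/ACK came back and the handshake completed
            except ConnectionRefusedError:
                results[port] = "closed"      # RST came back
            except OSError:                   # includes socket.timeout: no answer at all
                results[port] = "filtered"
    return results

def demo(host="127.0.0.1"):
    """Scan one listening port and one closed port on loopback; also report how many
    connections the listening 'application' saw, which is why connect scans get logged."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                      # port 0: the OS picks a free port
    srv.listen(5)
    open_port = srv.getsockname()[1]
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind((host, 0))                     # bound but never listen()ed: the kernel answers with RST
    closed_port = idle.getsockname()[1]
    accepted = []                            # stands in for the application's connection log

    def serve():
        srv.settimeout(3)
        try:
            conn, peer = srv.accept()
            accepted.append(peer)
            conn.close()
        except OSError:                      # timeout: the scanner never connected
            pass

    worker = threading.Thread(target=serve)
    worker.start()
    results = connect_scan(host, [open_port, closed_port])
    worker.join()
    srv.close()
    idle.close()
    return results[open_port], results[closed_port], len(accepted)

if __name__ == "__main__":
    print(demo())                            # ('open', 'closed', 1)
```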
TCP-FIN, Xmas, and Null scans
These three port scanning methods also allow you to differentiate between open and closed ports. They rely on two basic rules documented in RFC 793:
- Closed ports should always answer packets (as long as they are not RST packets) with their own RST packet.
- Open ports should ignore all packets not marked as SYN, RST or ACK.
When scanning RFC-compliant systems, these methods exploit these rules using their own kinds of packets:
- The Null scan sends packets with no flags set at all.
- The FIN scan sends FIN packets (finish).
- The Xmas scan sends packets with the FIN, PSH (push) and URG (urgent) flags set in combination, which makes the packets light up like a Christmas tree.
All three methods behave in the same way: thanks to the RFC rules, the test packets cause closed ports to answer with RST packets, while open ports don’t respond at all. Since not all routers send error messages for filtered ports, a missing reply can mean either an open port or a filtered one. And while these methods are much more discreet than SYN scans, they may not work properly on systems that don’t adhere strictly to RFC 793. A prominent example of this is Windows.
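How a packet-level sensor would tell these probes apart, added here as an example that is not from the original article: it reads the flag byte of raw TCP headers, classifies each segment as a Null, FIN, Xmas or SYN probe, and reports any source that sends the same probe type to many distinct ports. This serves both the stealth-scan passage above and the FIN/Xmas/Null methods here: the applications never see such probes, but a firewall or IDS looking at headers does. The sample segments are constructed inline, and the 10-port threshold is an assumption.

```python
import struct
from collections import defaultdict

# RFC 793 control bits as they sit in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_FMT = "!HHIIBBHHH"  # the 20-byte fixed header, no options

def segment(sport, dport, flags):
    """Constructed (not captured) TCP header for the sample traffic below; checksum left at zero."""
    return struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def classify_probe(flags):
    """Map a flag byte to the probe types described in the article, or 'other' for ordinary traffic."""
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == SYN:
        return "syn"   # first step of a real handshake, or a half-open scan probe
    return "other"

def detect_scans(packets, threshold=10):
    """packets: iterable of (src_ip, raw_tcp_header). Returns {(src_ip, probe_type): port_count}
    for every source that sent one probe type to at least `threshold` distinct destination ports."""
    hits = defaultdict(set)
    for src, hdr in packets:
        fields = struct.unpack(TCP_FMT, hdr[:20])
        kind = classify_probe(fields[5])
        if kind != "other":
            hits[(src, kind)].add(fields[1])       # distinct destination ports per probe type
    return {key: len(ports) for key, ports in hits.items() if len(ports) >= threshold}

# Constructed sample: a normal HTTPS client, an Xmas scan of 20 ports and a Null scan of 12 ports
SAMPLE = [("10.0.0.5", segment(50000, 443, SYN)),
          ("10.0.0.5", segment(50000, 443, ACK)),
          ("10.0.0.5", segment(50000, 443, PSH | ACK))]
SAMPLE += [("198.51.100.7", segment(40000 + p, p, FIN | PSH | URG)) for p in range(1, 21)]
SAMPLE += [("203.0.113.9", segment(41000 + p, p, 0)) for p in range(20, 32)]

if __name__ == "__main__":
    print(detect_scans(SAMPLE))   # {('198.51.100.7', 'xmas'): 20, ('203.0.113.9', 'null'): 12}
```

A real sensor would add a time window and RST-tracking to the per-source count; the threshold alone is enough to show why these scans are only quiet at the application layer.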
UDP scan
With UDP scans, empty UDP headers without payload data are sent to the ports being checked. If a service answers with a UDP packet, the corresponding port is open. If the port scanner receives the ICMP error message ‘Port unreachable’ (type 3, code 3), it recognises the port as closed. Other ICMP error messages indicate that packet filters are blocking the port. The problem with UDP port testing is the immense amount of time it requires: for security reasons, many systems delay their error messages, and many reply only sporadically. The Linux kernel limits the number of such error messages sent per second, meaning that a full scan of all 65,535 ports can take around 18 hours.
What port scanners are there?
There are many different scanners, which differ in the range of functions they offer. Most are available as freeware or open source. Many are classic command-line programs that can also be used via separate graphical interfaces. In addition, there are many online services that let users scan ports directly from a browser. Services like the port scanner by DNS tools are limited in their features and only check individual ports, which makes them well suited to quick checks on personal computers.
Netcat
Netcat (short: nc) was published by an anonymous developer known as ‘Hobbit’ in 1996. Originally written for Unix platforms, it has since been ported to systems like Windows, and variants such as GNU Netcat, OpenBSD Netcat, Cryptcat and Netcat6 (which also supports IPv6) are included in many Linux distributions by default. The basic version of the command-line tool is primarily designed to send or read data over TCP and UDP network connections, but it can also be used for simple port scanning tasks. For example, the following command checks the status of ports 20 to 30 on a specified system:
```bash
nc -zv localhost 20-30
```
Checking UDP ports requires the additional parameter -u. You can also use the host name or the IP address of an external system (if you know it) in place of localhost.
Nmap
A substantially more powerful tool, which is particularly useful for port scanning, is Network Mapper, usually called Nmap. Designed for Unix-like systems, Nmap is GPL licensed and has also been available for Windows since 2000, albeit with limitations: TCP connect scans take a disproportionate amount of time, and scanning your own system’s ports is only possible by indirect means. Nmap is generally operated from the command line; Zenmap, on the other hand, provides a powerful graphical interface that makes the tool easy to use.
The Nmap creator, Gordon Lyon, and the Nmap developer team are responsible for furthering the development of the program and its port scanning features. In particular, technologies like OS fingerprinting (i.e. recognising a target host’s operating system) and reading out services that hide behind ports make Nmap one of the most popular port scanner solutions. The following table displays the variety of methods this program has to offer:
Port scanning method | Nmap command | Description
---|---|---
TCP connect scan | nmap -sT host | Classic check for non-administrators
TCP SYN scan | nmap -sS host | Quick, unobtrusive inspection method for administrators
TCP FIN/Xmas/Null scan | nmap -sF host, nmap -sX host, nmap -sN host | Methods that can get past some firewalls
TCP ping scan | nmap -sP host | Not a port scan in the strict sense; checks whether a host is available
TCP ACK scan | nmap -sA host | Determines whether ports are filtered but doesn’t distinguish between open and closed ports
TCP Window scan | nmap -sW host | Comparable with the ACK scan; can additionally identify some open and closed ports
TCP Maimon scan | nmap -sM host | Combination of FIN and ACK scan
TCP idle scan | nmap -sI zombiehost host | Least noticeable, most complex and hence slowest scanning method; runs via a third computer that Nmap labels a ‘zombie’
UDP scan | nmap -sU host | Scan method for connectionless UDP ports
SCTP INIT scan | nmap -sY host | Port scan with SCTP, an alternative to TCP and UDP
IP protocol scan | nmap -sO host | No port scan; checks which IP-based protocols are supported on the target system
You can download both Nmap and the interface Zenmap for your operating system on Nmap’s official website. Both the current (stable) version and a beta version (development) are available.
Why port scanning isn’t always legal
Checking ports isn’t always legal. As soon as an attempt at an exploit (the term cybersecurity professionals use for taking advantage of a security flaw or gap) is made, the person or group responsible could face legal consequences.
The legal situation is less clear when a computer system is brought to a halt by intensive port scanning. Due to the high frequency of connection requests, such probing can put a strain on the target system and in some cases cause it to crash. What’s more, administrators of the targeted system could notice the attacker’s activities before the crash and interpret them as the first steps of an attack.
In such cases, legal consequences cannot be ruled out. If the targeted system is overloaded intentionally, this could be considered a DDoS attack, and the victim may take legal action.
You should always ensure that you are authorised to perform a port scan on a system, and use the technique only for security purposes, not simply to satisfy your curiosity. The port scanning methods discussed here highlight how important it is to keep an eye on the ports of your own systems and network computers, as well as the services that use them.