Port scanning involves attempting to connect to ports on a target system to discover which ports are open and what services they correspond to. It is done by software that scans a range of ports, usually 0 to 65,536, and analyzes responses to determine whether ports are open, closed, or filtered. Common port scanning tools include Nmap and Netcat. While port scanning can be used maliciously for hacking, it is also used by system administrators to diagnose network issues.
1. Port Scanning an Overview
Rav Gagan S.- Director IT Security EBSL Technologies Int’l
Before going into what port scanning is and entails, I will share a bit about what a port is and port
categorization.
A port can be defined as an application or process-specific software piece serving as a
communications endpoint. This endpoint is used by Transport Layer protocols of the Internet
protocol suite namely, TCP & UDP is used universally to communicate on the Internet. Each port
is also identified by a 16-bit unsigned integer called the port number.
“In TCP/IP terminology, a Port is a software identifier that corresponds to a specific application or
protocol running on a host.”- eg Http uses port 80- Network Security: A Practical Approach by Jan
Harrington
Port numbers are separated into three ranges
1) Well Known Ports
2) Registered Ports and
3) Dynamic and/or Private Ports.
In the world of IT Intrusion, Port Scanning is one of the most popular reconnaissance techniques
used to discover quot;hackablequot; services. In everyday terminology, it is analogous to a joyrider
walking by a group of cars and trying car doors to see which car doors are open, or flipping the
sun-visor to get keys. An important fact to keep in mind though, is that port scanning is used by
system administrators to diagnose problems on their networks.
In a nutshell all port scanning is, is a series of attempts by an intruder or administrator to see which
ports on a network is open by attempting to connect to a range of ports on a range of hosts and then
gathering information from responding open ports to see what applications or services are
associated or running on those ports.
Port Scanning is accomplished by implementing software to scan any one of the 0 to 65536
potentially available ports on a computer.
Types of port scans:
Vanilla Scan- This is an attempt to connect to all ports
Strobe Scan – Here only a selected number of port connection are attempted (usually under
20)
Stealth Scan – Integrating techniques when scanning which aims to prevent the “request for
connection” being logged.
FTP Bounce Scan – Attempting to disguise the origin of the scan by redirecting through an
FTP server
Fragmented Packets Scans in an attempt to bypass rules in some routers
UDP Scan
Sweep Scan here the attacker will scan the same port on several computers.
1
2. The simplest port scan may be the quot;TCP connect()quot; scan. This scan uses a normal TCP connection
to determine port availability and utilizes a TCP handshake connection that typically every other
TCP application will use on a network.
The more expert and malicious intruder will implement what is call a strobe which is a method of
scanning fewer ports, usually no more than 20.Of note is the fact that port scanning is easily
logged by the services listening at the ports, so, any incoming connection with no data is logged as
an error. There is however a number of stealth scan techniques geared toward avoiding detection
and an intruder can implement an FTP bounce scan to hide a point of origin.
Other methods of stealth port scanning are
1) Splitting the TCP header into several IP fragments- Fragmented packets
2) Half-open scanning or SYN scanning
3) FIN scanning
4) NULL scans
The result of a port scan is usually generalized as follows:
1) Open or Accepted
2) Closed or Denied or Not Listening
3) Filtered, Dropped or Blocked
Port scanning is typically accomplished with specific software. Basically a port scan occurs when
the system sends out a request to connect to the target computer on each port sequentially and
registering which if any ports responded. If there was response/s then these responding ports will
be open to more in-depth probing.
Two common tools to implement port scanning are NMap and Netcat. Netcat can read and write
data across TCP and UDP network connections, in addition the Netcat utility can also do a host of
other “tricks” such as being utilized as a backdoor, a port redirector and a port listener to name a
few.
E.g.: Netcat port scanner running the command quot;nc -v -w 2 -z target 20-30quot; will result in a
connection to targeted ports between 20 and 30, and possibly indicate the presence of an FTP
server or telnet server. Including the “-z” switch should prevent data transmission to a TCP
connection as well as a limited one to a UDP connection. To instigate a delay between probes
simply add a –i switch.
E.g. NMap which is probably the most popular scanner in the world, a basic TCP scan using nmap
can be run with the command nmap – sT
References:
http://www.insecure.org/nmap/n map-fingerprinting-article.htm l
http://en.wikipedia.org/wiki/P ort_scanning
http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1178844,00.html