Cybercrime is at an all-time high. One of the easiest ways for cybercriminals to gain access to an organization’s devices is through open ports. System administrators and security professionals run port scans as part of vulnerability scans to identify such open ports and avoid any kind of intrusion. In this blog, we’ll take a deep dive into the various aspects of port scanning and the role it plays in vulnerability scanning.
What Is Port Scanning?
The process of scanning a computer’s port is called port scanning. It provides information on whether a device’s ports are open, closed or filtered. It is mainly performed to identify if a port is sending or receiving any information.
Port scanning also involves the sending of data to specific ports and analyzing the responses to identify vulnerabilities.
It is also one of the techniques used by attackers to discover devices/services they can break into.
How Does Port Scanning Work?
A port scanner inspects your IP address block for hosts and open ports using Transmission Control Protocol/Internet Protocol (TCP/IP) network protocols.
To learn how it exactly works, we need to deep dive into the basic components of port scanning – ports, port numbers and the techniques used to accomplish it.
Ports and Port Numbers
Ports are communication endpoints that connect network devices. Each port is identified with a 16-bit unsigned port number. The various types of port numbers are as follows:
- Well-Known TCP/IP Port Numbers
Port numbers from 0 to 1024 are reserved for privileged services and designated as well-known ports. Here’s the list of well-known port numbers as provided by Webopedia.
|1||TCP Port Service Multiplexer (TCPMUX)|
|5||Remote Job Entry (RJE)|
|18||Message Send Protocol (MSP)|
|20||FTP — Data|
|21||FTP — Control|
|22||SSH Remote Login Protocol|
|25||Simple Mail Transfer Protocol (SMTP)|
|42||Host Name Server (Nameserv)|
|49||Login Host Protocol (Login)|
|53||Domain Name System (DNS)|
|69||Trivial File Transfer Protocol (TFTP)|
|108||SNA Gateway Access Server|
|115||Simple File Transfer Protocol (SFTP)|
|137||NetBIOS Name Service|
|139||NetBIOS Datagram Service|
|143||Interim Mail Access Protocol (IMAP)|
|150||NetBIOS Session Service|
|179||Border Gateway Protocol (BGP)|
|190||Gateway Access Control Protocol (GACP)|
|194||Internet Relay Chat (IRC)|
|197||Directory Location Service (DLS)|
|389||Lightweight Directory Access Protocol (LDAP)|
|396||Novell Netware over IP|
|444||Simple Network Paging Protocol (SNPP)|
These port numbers are registered with Internet Assigned Numbers Authority (IANA) and can be used by anyone for their servers or as ephemeral (temporary and valid only till the connection lasts) numbers for their clients. The registered port numbers range from 1024 to 49151. For the complete list of registered port numbers, visit the IANA website.
Dynamic or Private Ports
These port numbers range from 49152 to 65535. Dynamic ports are client ports and are used for private or customized services. These cannot be registered with IANA.
Port Scanning Protocols
Generally, TCP and User Datagram Protocol (UDP) are the most used protocols for port scanning.
The most commonly used method of TCP scanning is synchronized acknowledged (SYN) scans. SYN scanning involves creating a partial connection to the host on the target port by sending a SYN packet and then evaluating the response from the host. It is also known as a stealth scan since it is used by hackers to make changes to a network while remaining undetected.
Another method of TCP scanning is the TCP connect scan. It is slow and methodical, involves establishing a full connection, and then subsequently tearing it down.
UDP is a connectionless protocol that facilitates the exchange of messages between computing devices in a network. Often used for videoconferencing applications or computer games, UDP protocol enables real-time performance. It is the preferred protocol for applications that do not need guaranteed delivery of every data packet, unlike TCP.
Port Scanning Techniques and Methods
There are various port scanning techniques available. The most significant ones are:
- TCP SYN Scan – As mentioned above, SYN scan is the most popular scanning method. It is also known as Half Open Scan since it is a two-way communication channel and the scanner doesn’t close the open connections.
- TCP FIN Scan – This scan, mostly used by attackers, has the ability to pass through firewalls and other scan detection programs. When the attacking system sends FIN packets to the targeted system, the closed ports will respond with a reset response while the open ports will ignore the packets.
- TCP XMAS Scan – This scan is used to identify the listening ports on the targeted system.
- TCP Null Scan – An extremely stealthy scam, TCP Null Scam sets all the header fields to null, which means when an attacker sends a packet, instead of turning on the flags in the header that would cause the packet to be received as invalid by the host, the NULL scan turns off the header flags.
- Vanilla TCP Connect Scan – An easily detectable scan, the Vanilla scan uses the connect system call of an operating system on a target system to open a connection to every open port.
- Ping Scan – The Ping scan utilizes the “ping” command to scan the computers that are active.
As mentioned earlier, the status of a port is either open, closed or filtered. Let’s take a look at what each of these statuses mean.
- Open – An open port implies that when someone tries to connect to that port on the server, the server might respond in some way.
- Closed – As the name suggests, a closed port indicates that the server isn’t responding to any connections.
- Filtered – A filtered port indicates that a firewall or some antivirus/anti-malware program is blocking the port to avoid certain connections.
What Is The Purpose of Port Scanning
The purpose of port scanning is to acquire information from the servers to which the ports are attached. Port scanning is carried out by system administrators to monitor endpoints as well as by attackers for malicious purposes.
Is Port Scanning Active or Passive?
As mentioned above, when port scanning is carried out by system administrators or other IT technicians as a part of the device monitoring process, it is mostly passive. However, when carried out by hackers looking to find a gateway to the company servers, it is mostly an active process.
What Is the Most Widely Used Port Scanning Tool?
“Nmap,” which stands for Network Mapper, is the most widely used port scanning tool. A favorite of system administrators, it can be installed on Windows, Linux, MacOS or built from source code. Released 16 years ago as a Linux-only port scanner, Nmap detection has evolved over the years and has some very valuable features like OS detection, version detection, the Nmap Scripting Engine, a Windows port, a graphical user interface and more.
The Nmap scanner is now undergoing rapid development and is also being used to scan online web services, which means users can scan their own machines from the cloud to identify any open vulnerabilities.
Why Is Port Scanning Important?
Since port scanning identifies open ports and services available on a network, it is used by security professionals to identify any security vulnerabilities on that particular network. While it is highly essential for network management, it is unfortunately being used extensively by cybercriminals as well.
Are Open Ports a Security Risk?
Ports are doors to devices. That’s why open ones pose a security risk since they provide easy access to cybercriminals unless protected by firewalls. A firewall monitors incoming and outgoing connections on a device and filters unwanted access. With the use of a firewall software, devices can be made less vulnerable to attacks.
Port Scanning as Part of Vulnerability Scanning
Security professionals in organizations run vulnerability scans that scan a specified set of ports on a remote host and test the service offered at each port for known vulnerabilities.
RapidFire Tools’ Network Detective, the industry-leading tool for vulnerability scanning and management, performs routine scans to identify threats on all systems associated with your network. Designed specifically for MSPs, the application checks all the ports on any device connected to a network including servers, desktops, laptops, virtual machines, mobile devices, firewalls, switches and printers. For ports that are open, the system attempts to identify what device or software has opened it and runs tests for all known associated vulnerabilities.
Network Detective is highly scalable and designed to work across multiple disjointed networks and multiple subnets. With built-in automation, MSPs do not have to worry about forgotten scans and can expect an increase in their operational efficiency.