What is a Port Scan?
A port scan is a common technique hackers use to discover open doors or weak points in a network. A port scan attack helps cyber criminals find open ports and figure out whether they are receiving or sending data. It can also reveal whether active security devices like firewalls are being used by an organization.
When hackers send a message to a port, the response they receive determines whether the port is being used and if there are any potential weaknesses that could be exploited.
Businesses can also use port scanning themselves, sending packets to specific ports and analyzing the responses for potential vulnerabilities. They can then use tools such as IP scanners, Network Mapper (Nmap), and Netcat to confirm that their network and systems are secure.
Port scanning can provide information such as:
- Services that are running
- Users who own services
- Whether anonymous logins are allowed
- Which network services require authentication
What is a Port?
A port is a numbered endpoint on a computer through which programs exchange information over the internet with devices or other computers. To ensure consistency and simplify programming, ports are assigned port numbers. A port number, in conjunction with an IP address, forms the vital information that each internet service provider (ISP) uses to fulfill requests.
Port numbers range from 0 through to 65,536 and are ranked in terms of popularity. Ports numbered 0 to 1,023 are called “well-known” ports, which are typically reserved for internet usage but can also have specialized purposes. These ports, which are assigned by the Internet Assigned Numbers Authority (IANA), are held by leading businesses and Structured Query Language (SQL) services.
Ports are generally managed by the Transmission Control Protocol (TCP), which defines how to establish and maintain a network conversation between applications, and User Datagram Protocol (UDP), which is primarily used for establishing low-latency and loss-tolerating connections between applications. Some of the most popular and most frequently used ports include:
- Port 20 (UDP): File Transfer Protocol (FTP) used for transferring data
- Port 22 (TCP): Secure Shell (SSH) protocol used for FTP, port forwarding, and secure logins
- Port 23 (TCP): The Telnet protocol used for unencrypted communication
- Port 53 (UDP): The Domain Name System (DNS), which translates internet domain names into machine-readable IP addresses
- Port 80 (TCP): The World Wide Web Hypertext Transfer Protocol (HTTP)
Ports numbered from 1,024 to 49,151 are considered “registered ports,” and they are registered by software companies. The ports numbered from 49,152 to 65,536 are considered dynamic and private ports, which can be used by almost everyone on the internet.
What are the Port Scanning Techniques?
A port scan sees packets sent to destination port numbers using various techniques. Several of these include:
- Ping scans: A ping scan is considered the simplest port scanning technique. They are also known as internet control message protocol (ICMP) requests. Ping scans send a group of several ICMP requests to various servers in an attempt to get a response. A ping scan can be used by administrators to troubleshoot issues, and pings can be blocked and disabled by a firewall.
- Vanilla scan: Another basic port scanning technique, a vanilla scan attempts to connect to all of the 65,536 ports at the same time. It sends a synchronize (SYN) flag, or a connect request. When it receives a SYN-ACK response, or an acknowledgment of connection, it responds with an ACK flag. This scan is accurate but easily detectable because a full connection is always logged by firewalls.
- SYN scan: Also called a half-open scan, this sends a SYN flag to the target and waits for a SYN-ACK response. In the event of a response, the scanner does not respond back, which means the TCP connection was not completed. Therefore, the interaction is not logged, but the sender learns if the port is open. This is a quick technique that hackers use to find weaknesses.
- XMAS and FIN scans: Christmas tree scans (XMAS scans) and FIN scans are more discreet attack methods. XMAS scans take their name from the set of flags that are turned on within a packet, which, when viewed in a protocol analyzer like Wireshark, appear to be lit up like a Christmas tree. This type of scan sends a set of flags which, when responded to, can disclose insights about the firewall and the state of the ports. A FIN scan sees an attacker send a FIN flag, normally used to end an established session, to a specific port. The system’s response to it can help the attacker understand the level of activity and provide insight into the organization's firewall usage.
- FTP bounce scan: This technique enables the sender to disguise their location by using an FTP server to bounce a packet.
- Sweep scan: This preliminary port scanning technique sends traffic to a port across several computers on a network to identify those that are active. It does not share any information about port activity but informs the sender whether any systems are in use.
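As an added example (not part of the original article), here is a small detector in Python that reads a constructed firewall log and flags the probe patterns listed above: FIN and XMAS packets by their flag combination, one source touching many ports on a single host (the vanilla/SYN-scan pattern), and one source touching the same port on many hosts (the sweep scan). The log format, field names, and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the page): unsolicited inbound TCP packets and their flags.
SAMPLE_LOG = """\
src=203.0.113.5 dst=192.0.2.10 dport=22 flags=S
src=203.0.113.5 dst=192.0.2.10 dport=23 flags=S
src=203.0.113.5 dst=192.0.2.10 dport=53 flags=S
src=203.0.113.5 dst=192.0.2.10 dport=80 flags=S
src=203.0.113.5 dst=192.0.2.10 dport=443 flags=S
src=203.0.113.5 dst=192.0.2.10 dport=8080 flags=S
src=198.51.100.7 dst=192.0.2.10 dport=80 flags=FPU
src=198.51.100.7 dst=192.0.2.10 dport=22 flags=F
src=203.0.113.77 dst=192.0.2.11 dport=445 flags=S
src=203.0.113.77 dst=192.0.2.12 dport=445 flags=S
src=203.0.113.77 dst=192.0.2.13 dport=445 flags=S
src=203.0.113.77 dst=192.0.2.14 dport=445 flags=S
src=198.51.100.9 dst=192.0.2.10 dport=443 flags=S
src=198.51.100.9 dst=192.0.2.10 dport=443 flags=A
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) flags=(\S+)")

# TCP flag sets that mark the scan types described above (S=SYN, F=FIN, P=PSH, U=URG).
PROBE_KINDS = {frozenset("S"): "syn", frozenset("F"): "fin", frozenset("FPU"): "xmas"}

def classify_probe(flags):
    """Name a probe by its flags; note 'syn' is also how every ordinary connection begins."""
    return PROBE_KINDS.get(frozenset(flags), "other")

def detect_scans(log, min_ports=5, min_hosts=4):
    """Return (src, reason, detail) alerts. Signals: flag combinations no real handshake
    produces (FIN/XMAS), one source probing many ports on a host, and one source probing
    the same port on many hosts (the sweep scan described above)."""
    ports_per_host = defaultdict(set)   # (src, dst) -> {dport}
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst}
    alerts = []
    for src, dst, dport, flags in LINE_RE.findall(log):
        kind = classify_probe(flags)
        if kind in ("fin", "xmas"):
            alerts.append((src, kind + "-probe", int(dport)))
        ports_per_host[(src, dst)].add(int(dport))
        hosts_per_port[(src, int(dport))].add(dst)
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= min_ports:
            alerts.append((src, "many-ports", len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= min_hosts:
            alerts.append((src, "sweep", dport))
    return alerts
```

A half-open scan leaves no completed connection in application logs, but the SYN packets themselves are still visible to a firewall or packet capture, which is why the detector keys on distinct-port and distinct-host counts rather than on the SYN flag alone.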