What is a Port Scan?
A port scan is a common technique hackers use to discover open doors or weak points in a network. A port scan attack helps cyber criminals find open ports and figure out whether they are receiving or sending data. It can also reveal whether active security devices like firewalls are being used by an organization.
When hackers send a message to a port, the response they receive determines whether the port is being used and if there are any potential weaknesses that could be exploited.
Businesses can also use the port scanning technique to send packets to specific ports and analyze responses for potential vulnerabilities. They can then use tools like IP scanning, network mapper (Nmap), and Netcat to ensure their network and systems are secure.
Port scanning can provide information such as:
- Services that are running
- Users who own services
- Whether anonymous logins are allowed
- Which network services require authentication
What is a Port?
A port is a point on a computer where information exchange between programs and the internet to devices or other computers takes place. To ensure consistency and simplify programming processes, ports are assigned port numbers. This, in conjunction with an IP address, forms vital information that each internet service provider (ISP) uses to fulfill requests.
Port numbers range from 0 through to 65,536 and are ranked in terms of popularity. Ports numbered 0 to 1,023 are called “well-known" ports, which are typically reserved for internet usage but can also have specialized purposes. These ports, which are assigned by the Internet Assigned Numbers Authority (IANA), are held by leading businesses and Structured Query Language (SQL) services.
Ports are generally managed by the Transmission Control Protocol (TCP), which defines how to establish and maintain a network conversation between applications, and User Datagram Protocol (UDP), which is primarily used for establishing low-latency and loss-tolerating connections between applications. Some of the most popular and most frequently used ports include:
- Port 20 (UDP): File Transfer Protocol (FTP) used for transferring data
- Port 22 (TCP): Secure Shell (SSH) protocol used for FTP, port forwarding, and secure logins
- Port 23 (TCP): The Telnet protocol used for unencrypted communication
- Port 53 (UDP): The Domain Name System (DNS), which translates internet domain names into machine-readable IP addresses
- Port 80 (TCP): The World Wide Web Hypertext Transfer Protocol (HTTP)
Ports numbered from 1,024 to 49,151 are considered “registered ports,” and they are registered by software companies. The ports numbered from 49,152 to 65,536 are considered dynamic and private ports, which can be used by almost everyone on the internet.
What are the Port Scanning Techniques?
A port scan sees packets sent to destination port numbers using various techniques. Several of these include:
- Ping scans: A ping scan is considered the simplest port scanning technique. They are also known as internet control message protocol (ICMP) requests. Ping scans send a group of several ICMP requests to various servers in an attempt to get a response. A ping scan can be used by administrators to troubleshoot issues, and pings can be blocked and disabled by a firewall.
- Vanilla scan: Another basic port scanning technique, a vanilla scan attempts to connect to all of the 65,536 ports at the same time. It sends a synchronize (SYN) flag, or a connect request. When it receives a SYN-ACK response, or an acknowledgment of connection, it responds with an ACK flag. This scan is accurate but easily detectable because a full connection is always logged by firewalls.
- SYN scan: Also called a half-open scan, this sends a SYN flag to the target and waits for a SYN-ACK response. In the event of a response, the scanner does not respond back, which means the TCP connection was not completed. Therefore, the interaction is not logged, but the sender learns if the port is open. This is a quick technique that hackers use to find weaknesses.
- XMAS and FIN scans: Christmas tree scans (XMAS scans) and FIN scans are more discrete attack methods. XMAS scans take their name from the set of flags that are turned on within a packet which, when viewed in a protocol analyzer like Wireshark, appear to be blinking like a Christmas tree. This type of scan sends a set of flags, which, when responded to, can disclose insights about the firewall and the state of the ports. A FIN scan sees an attacker send a FIN flag, often used to end an established session, to a specific port. The system’s response to it can help the attacker understand the level of activity and provide insight into the organization's firewall usage.
- FTP bounce scan: This technique enables the sender to disguise their location by using an FTP server to bounce a packet.
- Sweep scan: This preliminary port scanning technique sends traffic to a port across several computers on a network to identify those that are active. It does not share any information about port activity but informs the sender whether any systems are in use.
Port Scanning vs. Network Scanning
Network scanning is a process that identifies a list of active hosts on a network and maps them to their IP addresses, which need to be compiled before running a port scan.
The network scanning process is also known as host discovery, which is often the first step hackers take in staging an attack. They use two primary protocols: Address Resolution Protocol (ARP) scans and various ICMP scans. An ARP scan maps IP addresses to media access control (MAC) addresses and can be used to determine hosts that are active. It only works within a local-area network (LAN), so the attacker must be connected to the internal network.
Various ICMP packets can be used to conduct a network scan outside the LAN, such as address mark, echo, and timestamp requests. Discovering hosts depends on receiving a reply from targeted hosts. Not receiving a response means there is no host at the target address or the request was blocked by a firewall or packet filter.
Once the network scan has been completed and a list of available hosts compiled, a port scan attack can identify the usage of specific ports. It will typically classify ports as open, closed, or filtered.
Port Scanning and Cyber Threat
Port scanning is a popular method cyber criminals use to search for vulnerable servers. They often use it to discover organizations’ security levels, determine whether businesses have effective firewalls, and detect vulnerable networks or servers. Some TCP methods also enable attackers to hide their location.
Cyber criminals search through networks to assess how ports react, which enables them to understand the business's security levels and the systems they deploy.
Preventing a port scan attack is reliant on having effective, updated threat intelligence that is in line with the evolving threat landscape. Businesses also require strong security software, port scanning tools, and security alerts that monitor ports and prevent malicious actors from reaching their network. Useful tools include IP scanning, Nmap, and Netcat.
Other defense mechanisms include:
- A strong firewall: A firewall can prevent unauthorized access to a business’s private network. It controls ports and their visibility, as well as detects when a port scan is in progress before shutting it down.
- TCP wrappers: These enable administrators to have the flexibility to permit or deny access to servers based on IP addresses and domain names.
- Uncover network holes: Businesses can conduct their own internal port scans to determine whether more ports are open than required. They need to regularly check their systems to identify potential weak points or vulnerabilities that could be exploited by an attacker.
Port Scanning Tool
The Fortinet intrusion prevention system (IPS) is critical to securing business networks from known threats and protecting traffic, while the Fortinet next-generation firewall (NGFW) filters network traffic to protect the organization from external threats. Tools include network monitoring, packet filtering, and IP mapping, which improve businesses’ ability to identify attacks and offer advanced visibility across their networks.
Port scanning is a highly common technique that cyber criminals use to identify potential attack targets. The high frequency of port scans means businesses need to have the security defenses in place to keep their networks secure at all times.
What is a port scan attack?
Hackers use a port scan attack to discover weak points or vulnerabilities in a business’s network. When hackers send a message to a port, the response they receive tells them whether it is open and helps them discover potential weaknesses.
Are port scans dangerous?
Port scans can be dangerous because they can tell hackers whether a business is vulnerable to an attack. The scan can inform an attacker of existing weak points within a company’s network or system, which they can then exploit to gain unauthorized access.
What ports do hackers use?
Commonly used ports are typically highly secure, while other ports may be overlooked and vulnerable to hackers. Commonly hacked TCP ports include port 21 (FTP), port 22 (SSH), port 23 (Telnet), port 25 (Simple Mail Transfer Protocol or SMTP), port 110 (POP3), and port 443 (HTTP and Hypertext Transfer Protocol Secure or HTTPS). Commonly targeted TCP and UDP ports include port 53 (DNS), ports 137 to 139 (Windows NetBIOS over TCP/IP), and 1433 and 1434 (Microsoft SQL Server).
What are some common open ports?
Common open ports include port 20, which holds FTP; port 22, which is used for secure logins; port 53, which is the DNS; and port 80, which is the World Wide Web HTTP.