Port Scan Basics

A port scan is a method for determining which ports on a network are open. As ports on a computer are the place where information is sent and received, port scanning is analogous to knocking on doors to see if someone is home. Running a port scan on a network or server reveals which ports are open and listening (receiving information), as well as revealing the presence of security devices such as firewalls that are present between the sender and the target. This technique is known as fingerprinting. It is also valuable for testing network security and the strength of the system’s firewall. Due to this functionality, it is also a popular reconnaissance tool for attackers seeking a weak point of access to break into a computer.

Ports vary in their services offered. They are numbered from 0 to 65535, but certain ranges are more frequently used. Ports 0 to 1023 are identified as the “well-known ports” or standard ports and have been assigned services by the Internet Assigned Numbers Authority (IANA). Some of the most prominent ports and their assigned services include:

  • Port 20 (udp) – File Transfer Protocol (FTP) for data transfer
  • Port 22 (tcp) – Secure Shell (SSH) protocol for secure logins, ftp, and port forwarding
  • Port 23 (tcp) – Telnet protocol for unencrypted text commutations
  • Port 53 (udp) – Domain Name System (DNS) translates names of all computers on internet to IP addresses
  • Port 80 (tcp) – World Wide Web HTTP

There are standard services offered on ports after 1023 as well, and ports that, if open, indicate an infected system due to its popularity with some far-reaching Trojans and viruses.

A port scan sends a carefully prepared packet to each destination port number. The basic techniques that port scanning software is capable of include:

  • Vanilla– the most basic scan; an attempt to connect to all 65,536 ports one at a time. A vanilla scan is a full connect scan, meaning it sends a SYN flag (request to connect) and upon receiving a SYN-ACK (acknowledgement of connection) response, sends back an ACK flag. This SYN, SYN-ACK, ACK exchange comprises a TCP handshake. Full connect scans are accurate, but very easily detected because full connections are always logged by firewalls.
  • SYN Scan– Also referred to as a half-open scan, it only sends a SYN, and waits for a SYN-ACK response from the target. If a response is received, the scanner never responds. Since the TCP connection was not completed, the system doesn’t log the interaction, but the sender has learned if the port is open or not.
  • XMAS and FIN Scans– an example of a suite of scans used to gather information without being logged by the target system. In a FIN scan, an unsolicited FIN flag (used normally to end an established session) will be sent to a port. The system’s response to this random flag can reveal the state of the port or insight about the firewall. For example, a closed port that receives an unsolicited FIN packet, will respond with a RST (an instantaneous abort) packet, but an open port will ignore it. An XMAS scan simply sends a set of all the flags, creating a nonsensical interaction. The system’s response by can be interpreted to better understand the system’s ports and firewall.
  • FTP Bounce Scan– allows for the sender’s location to be disguised by bouncing the packet through an FTP server. This is also designed for the sender to go undetected.
  • Sweep scan– pings the same port across a number of computers to identify which computers on the network are active. This does not reveal information about the port’s state, instead it tells the sender which systems on a network are active. Thus, it can be used as a preliminary scan.

Scans that are developed for the sender to go undetected by a receiving system’s log are known as stealth scans and are of particular interest to attackers. Despite its popularity in this area, port scanning is a valuable tool for fingerprinting a network and for a penetration tester to assess the strength of network security.

Ignite 2017 Vancouver