Ports are one of the main reasons data packets find their way to the right destination. They serve as interfaces between a computer and the system services or programs running on it, and they are used by the TCP and UDP transport protocols. Together with the IP address, the port number tells the operating system which computer and which application a packet is meant for.

What is port scanning? A brief explanation

Port scanning is the systematic checking of a computer system for open ports with the help of dedicated tools. Before going into detail, it helps to recall what a port is: a port is the interface between a running program and the network. Ports are managed by the operating system and are used to route inbound and outbound packets to the correct application.

Note

For an application to communicate via a port, that port needs to be open, meaning a process is listening on it. Every open port is a potential entry point: if the application listening on it has a security vulnerability, an attacker can reach that vulnerability over the network. To minimise the risk, you should always know which ports are open on your system and which applications are associated with them, and close the ones you don't need.

You don't need an account on the target system in order to port scan it; you only need to be able to reach it over a local network or the internet. A port scanner sends crafted probe packets to a set of ports and analyses the replies and error messages that come back. Depending on the scanner's range of functions, you learn which ports are open, closed or filtered, and often which service or application is listening on each open port.

Port scanning gives system administrators an efficient way to inventory the services exposed in a network. With it, potential weaknesses can be identified and the system's attack surface reduced, and in some cases it helps to track down concrete network problems. A routine scan at default settings has no noticeable effect on the performance of the systems being scanned, so it can be run as a regular security measure without worrying about side effects; only very aggressive scan rates can put a strain on the target.

Port scanners are useful for home PCs too. Many applications that use the network (file sharing, remote desktop, some games and messengers) open listening ports, unless your firewall blocks them. A port scan of your own machine shows which ports are open and which are no longer needed, so you can close them and reduce your exposure.

How does port scanning work?

Port scanners offer many different scan methods. Most of them, however, target the connection-oriented protocol TCP. To understand what happens during a scan, it helps to look at how a TCP connection is set up:

  • Also known as the three-way handshake, the process begins with the client sending a SYN packet (synchronise) to the destination port.

  • If an application is listening on that port, the server answers with a combined SYN/ACK packet (synchronise/acknowledge), accepting the connection request.

  • In the third and final step, the client sends an ACK packet (acknowledge). The connection is now established and the data exchange can begin.

If the SYN is sent to a closed port, the server answers with an RST packet (reset) instead of the SYN/ACK, and the handshake ends there.

Since exchanging actual data with every kind of application would be difficult and time-consuming, port scanning limits itself to connection attempts, or even to fragments of them, as the following scan methods show.

TCP-SYN scan

The goal of a TCP-SYN scan is not to establish a complete TCP connection, which is why it is commonly referred to as a half-open scan. The port scanner crafts and sends an ordinary SYN packet to each port and waits for the target host's answer. A SYN/ACK back means the port is open and a connection could be set up; the scanner then replies with an RST so that the half-open connection is torn down rather than completed. An RST back means the port is closed. If nothing comes back (or an ICMP unreachable error arrives instead), a packet filter such as a firewall in the path is most likely dropping the probe, and the port is reported as filtered.

Because the handshake is never completed, the application on the target never sees a connection and writes nothing to its own log. This is why TCP-SYN scans are also referred to as stealth scans. The term is relative: the packets still pass through the target's network stack, so a host firewall, an intrusion detection system or connection-tracking logs can record them. Crafting raw SYN packets also requires raw-socket privileges (root or an equivalent capability) on the scanning machine.

TCP connect scan

With a connect scan, the port scanner doesn't craft the packets itself. Instead, it calls the operating system's connect() system call, which is available on practically every operating system, and lets the kernel run the handshake. If the connection attempt succeeds, the port is open; if it is refused (the target answers with RST), the port is closed; if it times out, a packet filter is most likely in the way. Because the handshake is completed, the connection is visible to the application on the target and typically shows up in its log files, so this method is easier to notice than a SYN scan. If you don't have the privileges to send raw packets, the TCP connect scan is the standard alternative.
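As an added example (not code from the original page or from any of the tools it mentions), the following Python script performs a TCP connect scan exactly as described: it asks the operating system to run the handshake via connect() for each port and maps the result to open, closed or filtered. So that it runs offline, it starts a throw-away listener on 127.0.0.1 as the "open" port; the host and the port list in the demo are constructed for the example, not real targets.

```python
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_tcp_connect(host, port, timeout=1.0):
    """Classify one port by asking the OS to complete a full three-way handshake.

    connect_ex() returns 0 on success or the errno the handshake failed with,
    which is exactly the information a connect scan has to work with.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            rc = sock.connect_ex((host, port))
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"
    if rc == 0:
        return "open"                      # SYN -> SYN/ACK -> ACK completed
    if rc == errno.ECONNREFUSED:
        return "closed"                    # the target answered the SYN with RST
    if rc in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK, errno.EINPROGRESS):
        return "filtered"                  # no answer at all: a filter dropped the SYN
    if rc in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"                  # ICMP unreachable came back instead of a TCP reply
    return "error"


def scan_tcp_connect(host, ports, timeout=1.0, workers=64):
    """Scan many ports concurrently; each probe is an independent connect()."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_tcp_connect(host, p, timeout), ports)
        return dict(zip(ports, states))


def start_tcp_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port so the scan has an 'open' port
    to find. The kernel completes handshakes into the backlog even if nobody ever
    calls accept(), which is why a connect scan lights up idle listeners too."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host="127.0.0.1"):
    """Pick a port the OS just handed out and released, so nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # Demo against constructed local targets; replace with a host you are authorised to scan.
    listener, open_port = start_tcp_listener()
    closed_port = reserve_closed_port()
    for port, state in sorted(scan_tcp_connect("127.0.0.1", [open_port, closed_port]).items()):
        print(f"127.0.0.1:{port} {state}")
    listener.close()
```

Note that the "open" port is reported as open even though the demo never calls accept(): the kernel finishes the handshake on its own, and on the target every one of those completed connections is what ends up in the application's logs.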

TCP-FIN, Xmas, and Null scans

These three scan methods can also tell open ports from closed ones. They rely on two rules documented in RFC 793, the original TCP specification:

  1. A closed port must answer any incoming packet that doesn't carry the RST flag with an RST packet of its own.
  2. An open (listening) port must silently drop any packet that has none of the SYN, RST or ACK flags set.

When scanning RFC-compliant systems, these scan methods exploit those two rules with their own specially flagged packets:

  • The Null scan sets no flags at all.
  • The FIN scan sends packets with only the FIN flag (finish) set.
  • The Xmas scan sets FIN, PSH (push) and URG (urgent) together, which makes the packets light up like a Christmas tree.

All three methods behave in the same way: by the RFC rules, closed ports answer the probe with RST and open ports stay silent. Silence is ambiguous, however, because a packet filter that drops the probe without returning an ICMP error produces exactly the same result; Nmap therefore reports such ports as open|filtered. And while these scans are more discreet than SYN scans (no connection attempt ever takes place), they don't work against systems that don't follow RFC 793 to the letter. Windows is the prominent example: it answers these probes with RST whether the port is open or not, so every port appears closed.
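The rules behind the SYN, FIN, Xmas and Null scans can be turned into code. The following Python example is added here and is not code from the original page or from Nmap: it builds the 20-byte TCP header each probe type sends, with the correct flags byte and a valid checksum over the IPv4 pseudo-header, and classifies a reply the way a scanner does, including the open|filtered ambiguity and the all-RST behaviour of non-compliant stacks such as Windows. Putting the header on the wire needs a raw socket (root or CAP_NET_RAW) and is deliberately left out so the block runs offline; the addresses and ports are made-up example values from the documentation range.

```python
import socket
import struct

# TCP flag bits (byte 13 of the header), as defined in RFC 793
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# What each scan type puts in the flags byte of its probe
PROBE_FLAGS = {
    "syn": SYN,
    "fin": FIN,
    "xmas": FIN | PSH | URG,   # "lit up like a Christmas tree"
    "null": 0,                 # no flags at all
}


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (used by TCP, UDP, IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip, dst_ip, tcp_length):
    """IPv4 pseudo-header that the TCP checksum also covers (RFC 793 section 3.1)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_length)


def build_tcp_probe(src_ip, dst_ip, src_port, dst_port, scan, seq=0):
    """Build the 20-byte, option-less TCP header that a given scan type sends."""
    flags = PROBE_FLAGS[scan]
    data_offset = 5 << 4                      # 5 x 32-bit words, upper nibble of byte 12
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                         data_offset, flags, 65535, 0, 0)
    csum = inet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_checksum_ok(src_ip, dst_ip, segment):
    """Receiver-side check: summing pseudo-header plus segment must give zero."""
    return inet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment):
    """The flags byte of a raw TCP header."""
    return segment[13]


def classify(scan, reply):
    """Turn a reply into a port state.

    reply is None (nothing came back), ("tcp", flags_byte) or ("icmp", type, code).
    """
    if reply is None:
        # SYN: a dropped probe means a filter. FIN/Xmas/Null: an open port is
        # supposed to stay silent, so silence is ambiguous.
        return "filtered" if scan == "syn" else "open|filtered"
    if reply[0] == "icmp":
        _, icmp_type, code = reply
        # Destination unreachable with these codes is what packet filters send back
        return "filtered" if icmp_type == 3 and code in (1, 2, 3, 9, 10, 13) else "unknown"
    flags = reply[1]
    if flags & RST:
        return "closed"
    if scan == "syn" and flags & SYN and flags & ACK:
        return "open"
    return "unknown"


def looks_non_rfc_compliant(scan, states):
    """FIN/Xmas/Null results are worthless against a stack that answers every
    probe with RST (Windows does this): every port then shows up as closed."""
    return scan in ("fin", "xmas", "null") and bool(states) and all(s == "closed" for s in states.values())


if __name__ == "__main__":
    # Constructed example: addresses from the documentation range, not a real target.
    probe = build_tcp_probe("192.0.2.10", "192.0.2.20", 40123, 80, "xmas")
    print("xmas probe:", probe.hex(), "flags=0x%02x" % tcp_flags(probe))
    print(classify("syn", ("tcp", SYN | ACK)), classify("fin", None), classify("null", ("tcp", RST | ACK)))
```

The checksum matters in practice: a probe with a bad checksum is discarded by the target before any of the RFC 793 rules apply, so "no reply" would then say nothing about the port. The last function is the sanity check to run over a whole FIN/Xmas/Null result set before trusting it.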

UDP scan

With UDP scans, empty UDP datagrams (a UDP header without payload) are sent to the target ports. If a service answers with a UDP packet, the port is open. If the scanner receives an ICMP 'port unreachable' message (type 3, code 3) from the target host, the port is closed. Other ICMP unreachable messages (type 3, codes 1, 2, 9, 10 or 13) indicate that a packet filter is blocking the port. If nothing comes back at all, the port is either open (many services simply ignore an empty datagram) or filtered. The problem with UDP scanning is the amount of time it takes: many systems rate-limit ICMP error messages for security reasons and therefore only answer a fraction of the probes. The Linux kernel, for example, limits destination unreachable messages to about one per second by default, so a full scan of all 65,535 ports against such a host takes around 18 hours.
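To show the UDP behaviour described above in working code, here is an added Python example (not from the original page or from any tool it names). It sends an empty datagram from a connected UDP socket, so that the kernel hands the ICMP 'port unreachable' (type 3, code 3) for that destination back to the program as ECONNREFUSED, retries silent ports a few times, and reports the open|filtered ambiguity rather than guessing. The mapping of the other ICMP unreachable codes to errno values is Linux behaviour; the local responder, the port list and the timing values are constructed for the demo.

```python
import errno
import socket
import threading
import time


def probe_udp(host, port, timeout=2.0, retries=2):
    """Classify one UDP port.

    A connected UDP socket is essential: only then does the kernel report an ICMP
    error for this destination on the socket (as ECONNREFUSED for port unreachable).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))
        for _ in range(retries + 1):
            try:
                sock.send(b"")                 # empty datagram: just a UDP header
                sock.recv(512)                 # any UDP payload back means a service is there
                return "open"
            except ConnectionRefusedError:
                return "closed"                # ICMP type 3 code 3 from the target host
            except socket.timeout:
                continue                       # silence: the host may be rationing ICMP, try again
            except OSError as exc:
                # On Linux, other ICMP unreachable codes (net/host unreachable,
                # administratively prohibited, protocol unreachable) arrive as these errnos.
                if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ENOPROTOOPT):
                    return "filtered"
                raise
    return "open|filtered"                     # never answered: a silent service, or a filter


def scan_udp(host, ports, timeout=2.0, retries=2):
    """Scan ports one at a time and report how long it took. Sequential on purpose:
    closed ports are only detected through ICMP replies the target may rate-limit."""
    started = time.monotonic()
    states = {port: probe_udp(host, port, timeout, retries) for port in ports}
    return states, time.monotonic() - started


def start_udp_responder(host="127.0.0.1"):
    """A constructed 'service' on an ephemeral port that answers every datagram."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))

    def serve():
        while True:
            try:
                _, peer = srv.recvfrom(512)
                srv.sendto(b"ok", peer)
            except OSError:
                return                          # socket closed, stop serving

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_udp_port(host="127.0.0.1"):
    """Ask the OS for a free UDP port and release it, so nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    responder, open_port = start_udp_responder()
    closed_port = reserve_closed_udp_port()
    states, seconds = scan_udp("127.0.0.1", [open_port, closed_port], timeout=1.0, retries=1)
    for port, state in sorted(states.items()):
        print(f"udp/{port} {state}")
    print(f"{len(states)} ports in {seconds:.2f}s")
    responder.close()
```

On the loopback interface Linux does not rate-limit ICMP errors, so the closed port is recognised immediately; against a remote host the same code spends the full timeout on every port that stays silent, which is exactly where the hours of a full UDP scan go.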

What port scanners are there?

There are many scanners, differing in the range of functions they offer. Most are available as freeware or open source. Many are classic command-line programs, some of which can also be driven through a separate graphical interface. In addition, there are online services that let you scan ports directly from a browser. Services like the port scanner by DNS tools are limited in features and typically only check individual ports, which makes them well suited to quick checks of a personal computer.

Netcat

Netcat (short: nc) was published in 1996 by an anonymous developer known as 'Hobbit'. Originally written for Unix, it has since been ported to Windows and reimplemented or extended several times, for example as GNU Netcat, OpenBSD Netcat, Cryptcat and Netcat6 (with IPv6 support); one of these variants is included in many Linux distributions by default. The command-line tool is primarily designed to send and read data over TCP and UDP connections, but it can also be used for simple port scanning. A command like the following checks the status of ports 20 to 30 on the specified system:

    nc -zv localhost 20-30

The -z option tells Netcat to scan without sending any data and -v reports the result for each port; checking UDP ports requires the additional -u option. In place of localhost you can give the host name or IP address of any other system (provided you are authorised to scan it).

Nmap

A substantially more powerful tool, and the one most closely associated with port scanning, is Network Mapper, usually called Nmap. Designed for Unix-like systems and licensed under the GPL, Nmap has also been available for Windows since 2000, albeit with limitations: on Windows, TCP connect scans are disproportionately slow, and scanning your own machine's ports (via localhost) only works by indirect means. Nmap itself is a command-line tool; Zenmap is its official graphical front end, which makes the tool easier to use.

The Nmap creator, Gordon Lyon, and the Nmap developer team continue to develop the program and its port scanning features. In particular, OS fingerprinting (recognising a target host's operating system) and version detection (identifying the service, and often the version, behind an open port) make Nmap one of the most popular port scanners. The following table shows the range of scan methods the program offers:

Port scanning method      Nmap command             Description
TCP connect scan          nmap -sT host            Classic full-handshake check; works without raw-socket privileges.
TCP SYN scan              nmap -sS host            Fast half-open scan; needs raw-socket privileges (root), so typically used by administrators.
TCP FIN/Xmas/Null scan    nmap -sF host            Can slip past some stateless packet filters; unreliable against stacks that
                          nmap -sX host            don't follow RFC 793 (e.g. Windows).
                          nmap -sN host
Ping scan (host discovery) nmap -sn host           No port scan; only checks whether the host is up (-sP in older Nmap versions).
TCP ACK scan              nmap -sA host            Tells filtered from unfiltered ports, but cannot distinguish open from closed.
TCP Window scan           nmap -sW host            Like the ACK scan, but inspects the TCP window field of the RST reply, which on some systems also reveals open versus closed.
TCP Maimon scan           nmap -sM host            FIN/ACK probe; useful against some BSD-derived stacks, which drop it for open ports instead of answering with RST.
TCP idle scan             nmap -sI zombie host     Stealthiest and slowest method; probes are bounced off a third host (the 'zombie'), so the target never sees the scanner's address.
UDP scan                  nmap -sU host            Scan method for connectionless UDP ports.
SCTP INIT scan            nmap -sY host            Port scan for SCTP, an alternative transport protocol to TCP and UDP.
IP protocol scan          nmap -sO host            Not a port scan; determines which IP protocols the target supports.

You can download both Nmap and the Zenmap interface for your operating system from Nmap's official website. Both the current stable version and a development (beta) version are available.

Checking ports isn't always legal. As soon as an exploit is attempted (the term security professionals use for taking advantage of a security flaw), the person or group responsible can face legal consequences.

It is less clear what the legal situation is when a computer system is brought to a halt by intensive port scanning. The high rate of connection requests that aggressive scans generate can put a strain on the target system and in some cases crash it. What's more, the administrators of the targeted system may notice the scanner's activity before any crash and interpret it as the first step of an attack.

Legal consequences can't be ruled out in such cases either. If the targeted system is intentionally overloaded, the scan can be treated as a denial-of-service (DoS) attack, and the victim may take legal action.

Always make sure you are authorised to port scan a system, and use the technique for security purposes rather than out of curiosity. The scan methods discussed here also show why it is important to keep an eye on the ports of your own systems and network devices, and on the services that are listening on them.
