Port scanning is used to find open TCP/IP ports in a computer system.
Security professionals and cyber criminals both use network scanning and port scanning to check for vulnerabilities in a network system. Once cyber criminals find vulnerabilities in a network system, they can attack those vulnerabilities, while when security professionals find vulnerabilities, they can fix those issues and make the system more secure.
In this tutorial, we’ll learn about port scanning and its types and methods.
2. What Is a Port?
A port is a numbered virtual address for network traffic on an operating system. Moreover, different services run on different ports, and each service receives its own network traffic. In addition, ports range from 0 to 65536.
Firewalls control the network traffic over computer ports. A firewall can allow or restrict traffic over a particular port.
Some port numbers and the services that use them by default are:
- Ports 20 and 21: File Transfer Protocol (FTP). users use FTP for the transfer of computer files from a server to a client on a network
- Port 22: Secure Shell (SSH). Users use SSH for remote login and command-line execution
- Port 25: Simple Mail Transfer Protocol (SMTP). Users use SMTP for electronic mail transmission
- Port 53: Domain Name System (DNS). DNS maps domain names to their corresponding IP addresses
- Port 80: Hypertext Transfer Protocol (HTTP). HTTP is an application layer protocol in the TCP/IP model for transmitting hypermedia information
To do port scanning, we can use Nmap (Network Mapper), which is one of the best and most popular port scanners around. It’s also free and open source.
3. Port Scanning Types and Results
There are two types of port scanning:
- Horizontal port scanning is scanning a set of IP addresses for a specific port address
- Vertical port scanning is scanning a specific IP address for multiple port addresses
For example, a horizontal port scanning will look something like this:
Port scanning reveals the status of each port and the service that is running on it. The port status can be open, closed, or filtered.
- If a port is open, it means there is a service listening on that port and is accepting connections
- If a port is closed, it means there is no service listening on that port
- If a port is filtered, it means a network obstacle, like a firewall, is blocking the port, and the scanning tool can’t tell if the port is open or closed
- If a port is open|filtered, it means the scanner can’t tell if the port is open or filtered
4. Port Scanning Methods
There are several port scanning methods. Each of them uses either transmission control protocol (TCP) or user datagram protocol (UDP) as transport layer protocol:
4.1. TCP SYN Scan
It’s the most popular port scanning method. It’s quick and relatively stealthy since it doesn’t complete a full TCP connection. It’s also referred to as half-open scanning.
After sending a SYN packet to the system, if the response is a SYN/ACK, it means that the port is open and listening. An RST packet means the port is closed. In addition, if there weren’t any responses after multiple requests, the port is considered filtered.
4.2. TCP Connect Scan
In this method, the tool asks the operating system to open a full TCP connection with the target system via a system call. Users can use this method as an alternative when they don’t have raw packet privileges required by SYN scan.
This method takes longer and requires more packets than a SYN scan to obtain the same amount of information. In addition, since it opens a full TCP connection with the target systems, they are more likely to log the connection.
4.3. TCP ACK Scan
We can use this method to outline firewall rulesets, find out whether the firewall is stateful or stateless, and determine which ports are filtered.
In this method, the TCP ACK probe packet has only the ACK flag set. When the scanner sends the ACK packet to the target system, if the response is an RST packet, it means that the port is unfiltered. However, whether the port is open or closed is unknown.
4.4. TCP NULL, FIN, and XMAS Scans
These three methods exploit a loophole in TCP RFC 793 to find open and closed ports. If the server receives any packet that doesn’t contain SYN, RST, or ACK bits, it’ll send out an RST packet if the port is closed and no response if the port is open|filtered. If an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received, the port is considered filtered:
- TCP NULL scan does not set any bits
- FIN scan sets the TCP FIN bit
- XMAS scan sets the FIN, PSH, and URG bits
For example, this is the result of an XMAS scan:
4.5. UDP Scan
In this method, the scanner sends a UDP packet to the target system. If the machine responds with an ICMP port unreachable error (type 3, code 3), the port is considered closed. Further, if the machine responds with other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13), it means the port is filtered. Furthermore, if the machine responds with a UDP packet, it means the port is open. Finally, if the machine didn’t respond even after retransmissions, the port is considered open|filtered.
In this article, we learned about ports and port scanning types and methods. Cybercriminals use port scanning results to prepare for an attack, while security professionals use them to better protect organizations.