Ports are one of the main reasons that data packets are able to find their way to their desired destination. They serve as interfaces between computers and system services or programs and are used by the network protocols TCP and UDP. Together with the IP address, they tell the operating system which computer and which application the data is meant to be delivered to.
What to know about ports:
Each port is assigned a number from 0 to 65535. These numbers fall into three ranges that need to be distinguished:
- Ports 0 to 1023 are the standardized ports, which are assigned largely by the Internet Assigned Numbers Authority (IANA). Port 80, for example, is reserved for HTTP connections and is therefore the most important port for web server requests.
- Port numbers 1024 to 49151 are reserved for registered services by default. They are, however, also assigned to client programs, especially on Linux systems.
- Ports 49152 to 65535 are assigned dynamically by the operating system to client programs.
In order to establish a connection via a certain port, that port has to be opened, i.e. activated. For online data transfer this means having a large number of open ports, which carries a certain amount of risk: if the application behind it contains security gaps, every open port is a potential entry point for attackers. For this reason, it's important to always keep an eye on which ports are open on your system and which applications are handling the data flowing through them. The tried-and-true tools for tracking open ports are so-called port scanners.
What is port scanning?
Port scanning refers to the targeted process of checking the open ports of a computer system with the help of special tools. Users don't have to be logged in to the target in order to carry out such scans; they only need to be connected to it via a local network or the internet. Port scanners send specially crafted data packets to the individual ports as test probes and receive corresponding responses or error messages, which the tool then analyzes. Depending on the range of functions of the scanning program, users can find out which ports are open and which are closed; they can also obtain data on which operating system the targeted computer is running, how long it has been switched on, and which services or applications are listening behind the respective ports.
Port scanning offers system administrators a very efficient means of monitoring data traffic in a network and identifying potential weak points. In some cases it can also help solve concrete network problems. Since the tools have no noticeable influence on the performance of the systems they investigate, they can be used as a security measure without worrying about unintended side effects. Port scanners also make sense on home PCs: as soon as you install and use applications that require an internet connection, ports are opened automatically, provided your firewall doesn't prevent this. A port scan helps you keep an overview and shows you ports that are no longer needed, which you can then close to reduce security risks.
How does port scanning work?
Port scanners offer many different methods; most of them, however, involve the connection-oriented protocol TCP. To understand the basic processes that occur during port scanning, it helps to look at how a TCP connection is generally set up:
- Also known as the three-way handshake, the process begins with the client sending a SYN packet to the corresponding target port.
- If the packet reaches an application listening on that port, the client receives a combined SYN/ACK packet in reply, which confirms that a connection can be established.
- In the third and final step, the client sends an ACK packet, which completes the connection set-up and allows the data exchange to begin.
If a closed port is contacted, the client instead receives an RST packet in the second step, which ends the handshake.
Since exchanging data with all the different kinds of applications would be both difficult and time-consuming, port scanning is limited to simple connection attempts, as the following scan methods show.
TCP SYN scan
TCP SYN scans are often referred to as half-open scans, because the goal here isn't to create a complete TCP connection. With this method the port scanner sends ordinary SYN packets to individual ports and waits for an answer from the target host. If the host sends a SYN/ACK packet back, the respective port is open and a connection set-up would be possible. If the reply is an RST packet, the port is closed. If no reply arrives at all, this can usually be attributed to a packet filter (e.g. a firewall) located upstream of the host. Because the handshake is never completed, TCP SYN scans are not visible to the inspected applications and therefore generate no log data there, which is why they are also called stealth scans.
TCP connect scan
If you execute a connect scan with your port scanner, you don't generate and send the data packets yourself; instead, you use the connect system call. This call is available on almost every operating system and is also used by web browsers to establish a connection to the respective servers. The scanning tool has nothing to do with the actual connection set-up; it merely instructs the operating system to perform it. There are two possible outcomes: either the connection is established successfully, which confirms that the port is open, or the attempt fails, in which case the port is reported as closed. Because the connection set-up is carried out completely, this scan method shows up in the log files of the application behind an open port. It also doesn't reveal any information about the packet filters in use. If you don't have the rights to send raw data packets, however, the TCP connect scan is a useful alternative to the SYN scan.
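As an added illustration of the connect scan described above (not code from the original article), the following Python script lets the operating system attempt the three-way handshake via connect() and classifies each port from the outcome. The target 127.0.0.1, the port range and the timeout are assumed values for the demo.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_tcp_port(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan does.

    The scanner builds no packets itself: connect() asks the operating
    system to run the full three-way handshake, and we only look at the
    result. Because the handshake is completed, the service behind an
    open port sees (and may log) the connection.
      open     - SYN/ACK came back and the handshake completed
      closed   - the target answered the SYN with RST (ConnectionRefusedError)
      filtered - no answer before the timeout, typical of a packet filter
                 silently dropping the SYN
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            # e.g. no route to host: the probe never reached the target
            return "unreachable"


def scan_tcp_ports(host, ports, timeout=1.0, workers=32):
    """Probe several ports in parallel and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_tcp_port(host, p, timeout), ports)
        return dict(zip(ports, states))


if __name__ == "__main__":
    # Constructed demo: the same range as the netcat example in the text,
    # run against the local machine.
    for port, state in sorted(scan_tcp_ports("127.0.0.1", range(20, 31)).items()):
        print(f"{port}/tcp {state}")
```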
TCP-FIN, Xmas, and Null scans
These three port scanning methods also allow you to differentiate between open and closed ports. To this end, they rely on two basic rules laid down in the TCP RFC (Request for Comments): on the one hand, a closed port should always answer an incoming packet (unless it is an RST packet) with an RST packet of its own. On the other hand, an open port should ignore all packets that don't carry the SYN, RST, or ACK flag. The three scan types exploit this behaviour when scanning RFC-compliant systems with their own crafted packets:
- The Null scan sets no flags at all.
- For FIN scans, the port scanner sends FIN packets (finish).
- Xmas scans use a combination of the FIN, PSH (push) and URG (urgent) flags, which makes the packet light up like a Christmas tree.
All three scanning methods behave in the same way: thanks to the RFC rules, the test packets cause closed ports to answer with RST packets, while open ports give no response. However, not all routers send error messages if a port is filtered. For this reason, a missing response may also indicate a filtered port rather than an open one. And while these methods are far more discreet than SYN scans, they have the disadvantage of not working properly on systems that don't strictly adhere to RFC 793. A prominent example of this is Windows.
UDP scan
With UDP scans, empty UDP headers without any data are sent to the ports being tested. If a service answers with a UDP packet of its own, the corresponding port is confirmed as open. If the port scanner instead receives the ICMP error message 'Port unreachable' (type 3, code 3), it recognizes that the port is closed. Other ICMP error messages indicate that packet filters are blocking the port. The problem with UDP port testing is the immense amount of time it requires: for security reasons many systems delay or throttle these error messages, and many of them reply only sporadically. The Linux kernel, for example, limits the number of such messages per second, meaning that a full scan of 65,535 ports would take around 18 hours.
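As an added illustration of the UDP scan logic above (not code from the original article), this Python script sends one empty datagram per port and maps the three possible outcomes, including the ambiguous case in which nothing comes back. The echo responder is a constructed stand-in for a real UDP service, and 127.0.0.1 and the timeouts are assumed values.

```python
import socket
import threading

def probe_udp_port(host, port, timeout=1.0):
    """Classify one UDP port from a single empty datagram, as a UDP scan does.
    open          - the service answered with a UDP datagram
    closed        - the host returned ICMP 'port unreachable' (type 3, code 3);
                    on a connected UDP socket Linux surfaces it as
                    ConnectionRefusedError on the next recv()
    open|filtered - no answer before the timeout: either the service ignores
                    empty probes or a packet filter dropped the probe/reply
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connect() so ICMP errors are delivered to us
        s.send(b"")              # empty UDP header, no payload
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"

def scan_udp_ports(host, ports, timeout=1.0):
    """Probe ports one after another. UDP scans are slow by nature: every port
    that never answers costs a full timeout, and hosts rate-limit ICMP errors."""
    return {p: probe_udp_port(host, p, timeout) for p in ports}

def start_echo_responder(host="127.0.0.1"):
    """Constructed stand-in for a UDP service that answers every datagram,
    used only to demonstrate the 'open' case. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    def serve():
        while True:
            try:
                _, peer = srv.recvfrom(1024)
            except OSError:  # socket closed: stop serving
                return
            srv.sendto(b"pong", peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = start_echo_responder()       # constructed demo against localhost
    print(scan_udp_ports("127.0.0.1", [port, port + 1], timeout=0.5))
    srv.close()
```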
Which port scanners are there?
There are many different scanners with different ranges of functions, and most of these tools are available as freeware or open source. Many of them are classic command-line programs that can also be used via separate graphical interfaces. In addition, there are many online services that let users scan ports directly in the browser. Services like the port scanner by DNStools are limited in their functions and only offer the ability to check individual ports, which makes them well suited for quick checks on your home computer.
Netcat (short: nc) was published in 1996 by an anonymous developer known only by the pseudonym 'Hobbit'. Originally written for Unix platforms, it has since been ported to systems like Windows, and variants such as GNU Netcat, OpenBSD Netcat, Cryptcat, or Netcat6 (which also supports IPv6) are included in many Linux distributions by default. The basic version of the command-line tool is designed first and foremost to send or read data via TCP and UDP network connections; it can also be used, however, for simple port scanning tasks. For example, you can check the status of ports 20 to 30 on the local system with a simple command like:
nc -zv localhost 20-30
Checking UDP ports requires the additional parameter -u. You can also scan external systems instead of localhost, provided that you know the host name or the IP address.
Comprehensive network analysis with Nmap
A substantially more powerful tool that is particularly useful for port scanning is Network Mapper, usually called Nmap. Designed for Unix-like systems, Nmap is GPL licensed and has been available for Windows since 2000, albeit with limitations: TCP connect scans take a disproportionate amount of time there, and scanning your own system's ports is only possible by indirect means. Nmap is generally operated from the command line; Zenmap, on the other hand, provides a powerful graphical interface that makes the network tool easy to use.
The Nmap creator, Gordon Lyon, and the Nmap developer team continue to develop the program and its port scanning functions. In particular, technologies like OS fingerprinting (i.e. recognizing a target host's operating system) and reading out the services hiding behind ports make Nmap one of the most popular port scanning solutions. The following table shows the variety of scan methods the program offers:
| Port scanning method | Command | Description |
|---|---|---|
| TCP connect scan | nmap -sT Host | Classic check for non-administrators |
| TCP SYN scan | nmap -sS Host | Quick, unobtrusive inspection method for administrators |
| TCP FIN, Xmas and Null scans | nmap -sF Host, nmap -sX Host, nmap -sN Host | Methods that can get past some firewalls |
| Ping scan | nmap -sP Host | No traditional port scan; checks the availability of a host |
| TCP ACK scan | nmap -sA Host | Determines filtered ports but doesn't distinguish between open and closed ports |
| TCP window scan | nmap -sW Host | Comparable with the ACK scan; can identify some open and closed ports |
| TCP Maimon scan | nmap -sM Host | Combination of FIN and ACK scans |
| TCP idle scan | nmap -sI Host | Least noticeable, most complex and hence slowest scanning method; runs via a third computer |
| UDP scan | nmap -sU Host | Scan method for connectionless UDP ports |
| SCTP INIT scan | nmap -sY Host | Port scan with SCTP, an alternative to TCP and UDP |
| IP protocol scan | nmap -sO Host | No port scan; checks which IP-based protocols the target system supports |
You can download both Nmap and the Zenmap interface for your operating system from the official homepage. Both the current stable version and a beta (development) version are available there.
Why port scanning isn’t always legal
Nmap is popular with computer users as well as film directors. Trinity, the leading female character in the 'Matrix' trilogy, used the network tool in the second part of the science fiction saga to scan the ports of a power plant's computer system. However, she wasn't interested in optimizing the system's security; instead, she used the result of the scan to gain access to the system. To achieve this, Trinity used malicious code that exploited security gaps in the SSH protocol running on port 22. While the scene shows a very simplified attack, it is meant to illustrate the potential dangers that port scanning can unleash.
Checking ports isn't always legal. As soon as an exploit attempt is made, which is how experts refer to the abuse of security gaps, the person or group responsible could face legal consequences. It's less clear, however, what the legal situation is when a computer system is paralyzed by intensive port scans. Since these methods put a strain on the target system through a high frequency of connection requests, it can sometimes happen that the system crashes. What's more, those responsible for the target system may become aware of the scanner's activity before the crash and interpret it as the first step of an attack. Legal consequences shouldn't be ruled out in such cases. If a third-party system is intentionally brought to collapse, this is known as a DDoS attack, which in all likelihood will result in the victim seeking legal action.
You can always be sure that you're allowed to run a port scan on the respective system and use this technology, provided that it's for security purposes and not simply to satisfy your curiosity. The ways of implementing port scans presented here highlight how important it is to keep an eye on your own system's ports, the computers in your network, and the services that are accessing them.