What is port scanning?

IONOS editorial team05/07/2024

Ports are one of the main reasons that data packets are able to find their way to their desired destination. They serve as interfaces between computers and system services or programs and are used by the TCP and UDP network protocols. Together with the IP address, operating systems are able to find out which computer and application they are supposed to send data to.

What is port scanning? A brief explanation

Port scanning refers to the targeted process of checking open ports in a computer system with the help of special tools. Before we delve into what port scanning is, it might help to first take a look at what ports are. Ports serve as an interface between active programs and the internet. They are used to route inbound and outbound data packets to the correct applications and are managed by operating systems.

Note

For an application to communicate via a port, it needs to be opened. Opening ports, however, presents a risk. If one of the applications that is using the port has security vulnerabilities, the port can serve as a potential entry point for attackers. To minimize the risk of an attack, you should always be aware of which ports are open on your system and which applications are associated with them.

You don’t need to be logged into the target system in order to perform a port scan on it. You just have to be connected to it via a local network or the internet. With the help of port scanners, you can send special data packets as tests to different ports. You’ll then receive answers or error messages, which the tool you are using will analyze. Depending on the scanning program’s range of function, you can obtain information on which ports are open and which are closed. You can also receive data on which services and/or applications the respective ports use.

Port scanning offers system administrators a very efficient means for monitoring data traffic in a network. With port scanning, potential weaknesses can be filtered out, and the system’s attack surface can be reduced. In some cases, it can help administrators to solve concrete network problems . Additionally, the tools don’t have any noticeable influence on the performance of the systems they’re scanning. As a result, they can be used for security measures without needing to worry about unintended effects on the system’s performance.

Port scanners are also useful for home PCs. As soon as you start using applications that require an internet connection, ports are automatically opened, unless your firewall prevents them from being opened. A port scan can help you keep an overview of things, showing you ports that are no longer needed. You can then close them in order to reduce security risks.

MyDefender

Easy cyber security

Regular virus and malware scans
Automatic backups and simple file recovery

How does port scanning work?

Port scanners offer many different methods. Most of these, however, involve the connection-oriented protocol TCP. In order to understand the basic processes that occur during port scanning, it’s helpful to take a look at the general structure of TCP connections:

Also known as a three-way handshake, this process begins with the client sending a SYN packet (synchronize) to the destination port.
Once the packet reaches an application, the client receives a combined SYN/ACK packet (synchronize/acknowledge), which confirms that the connection has been established.
For the third and final step, the client sends an ACK packet (acknowledge), which establishes the connection, allowing the data exchange to begin.

If a closed port is contacted, the client will receive an RST packet (reset) during the second step, ending the handshake.

Since it would be difficult and time consuming to exchange data with different types of applications, port scanning is limited to simple attempts at establishing connections as the following scan methods show.

TCP-SYN scan

The goal of a TCP-SYN scan is not to establish a complete TCP connection. This is why this type of scan is commonly referred to as a half-open port scan. Using the port scanner, this method sends typical SYN packets to individual ports and waits for an answer from the target host. If the host sends a SYN/ACK packet back, it signals that the respective port is open, and it is possible to set up a connection. If the reply is an RST packet, it means the port is closed. If there isn’t a reply, this can probably be traced back to a packet filter (e.g., a firewall) that’s located upstream.

TCP-SYN scans are not visible to the applications that are being assessed and for this reason, do not generate any log data. This is why they are also referred to as stealth scans.

TCP connect scan

If you execute a connect scan with your port scanner, you’re not actually generating and sending the data packet yourself. Instead, you are using the system call connect. This is available on almost every single operating system. If a connection attempt is successful, it means the port is open. If the connection attempt fails, it means the port is closed. If a connection was successfully established (i.e., a port was open), you’ll be able to see that this scanning technique was used in the log files of the application. However, information about filtering programs that were used won’t be provided. If you don’t have the rights to send raw data packets, the TCP connect scan can be a useful alternative to SYN scans.

TCP-FIN, Xmas, and Null scans

These three port scanning methods also allow you to differentiate between open and closed ports. Here, two basic concepts are employed, which are documented in the RFC 793“):

Closed ports should always answer packets (as long as they are not RST packets) with their own RST packet.
Open ports should ignore all packets not marked as SYN, RST or ACK.

When scanning RCF-compliant systems, these scanning methods exploit these principles using their own packets:

The Null scan doesn’t use any special markings.
With FIN scans, the port scanner sends FIN packets (finish)
Xmas scans use a combination of FIN, PSH (push) and URG markings (urgent), which makes the packets light up like a Christmas tree.

All three scanning methods behave in the same way. Due to the RCF rules, the test packets ensure that closed ports answer with RST packets and that open ports don’t provide a response. Not all routers send error messages if a port is filtered, which could mean that a filtered port is involved if no message appears (in addition to the possibility that it may be an open port). And while this method is much more discrete than SYN scans, it may not work properly if systems don’t perfectly adhere to RFC 793. A prominent example of this is Windows.

UDP scan

With UPD scans, empty UDP headers without data are sent to all empty ports. If a service answers with a UDP packet, the corresponding port is open. If the port scanner receives the error message “Port unreachable” from the router (type 3, code 3), it recognizes the port as closed. Other error messages serve to inform users that packet filters are responsible for blocking ports. The problem with UDP port testing is the immense amount of time it requires. This is because, for many systems, it can take a long time to put out error messages due to security reasons. What’s more, many of these systems only reply to ports sporadically. The Linux kernel limits the number of reports on a per-second basis, meaning that it would take around 18 hours to fully scan 65,535 ports.

What port scanners are there?

There are many different scanners that differ in the range of functions that they offer. Most of these tools are available as freeware or open-source options. Many of these feature classic command-line programs that can be used via separate graphical interfaces. What’s more, there are many online solutions that let users scan ports directly in a browser. Services like the port scanner by DNS tools are limited in terms of their features and only offer the ability to check individual ports. For this reason, they’re well suited options for conducting quick checks on personal computers.

Netcat

Netcat (short: nc) was published by an anonymous developer known as “Hobbit” in 1996. Originally written for Unix platforms, there are now many porting options for systems like Windows as well as other extensions like GNU Netcat, OpenBSD Netcat, Cryptcat and Netcat6 (also supports the IPv6), which are included in many Linux distributions by default. The basic version of the command-line tool is primarily designed to send or read data via TCP and UDP network connections. It can also be used, however, for simple port scanning tasks. This allows users to check the status of ports 20 to 30 on a specified system with simple commands like:

nc -zv localhost 20-30

bash

Checking UDP ports requires the additional parameter, -u. You can also use the host name or the IP address of an external system (if you know it) in place of localhost.

Nmap

A substantially more powerful tool, which is particularly useful for port scanning, is Network Mapper, which is often called Nmap. Designed for unixoid systems, Nmap is GPL licensed and has been available for Windows systems since 2000 (albeit with limitations). This means that TCP Connect scans take up a disproportionate amount of time and that scanning your own system ports is only possible using indirect paths. Generally, Nmap can be operated via a command line. Zenmap, on the other hand, features a high-performance graphical interface that allows users to easily use the network tool.

The Nmap creator, Gordon Lyon, and the Nmap developer team are responsible for furthering the development of the program and its port scanning features. In particular, technologies like OS fingerprinting (i.e., recognizing a target host’s operating system) and reading out services that hide behind ports make Nmap one of the most popular port scanner solutions. The following table displays the variety of methods this program has to offer:

Port scanning methods	Nmap command	Description
TCP connect-scan	nmap -sT host	Classic check for non-administrators
TCP Syn scan	nmap -sS host	Quick, unnoticed inspection methods for administrators.
TCP FIN-/XMAS-/Null scan	nmap -sF host nmap -sX host nmap -sN host	Methods that can avoid firewalls
TCP ping scan	nmap -sP host	For traditional port scans; helps check the availability of a host.
TCP ACK scan	nmap -sA host	Determines delivered ports but doesn’t offer any distinction between open and closed ports
TCP Window scan	nmap -sW host	Comparable with the ACK scan; can verify some open and closed ports.
TCP Maimon scan	nmap -sM host	Combination of FIN and ACK scans.
TCP idle scan	nmap -sI zombie host host	Least noticeable, most complex and hence slowest scanning method; runs via a third computer that is labelled as a “zombie” by Nmap.
UDP scan	nmap -sU host	Scan methods for connectionless UDP ports
SCTP init scan	nmap -sY host	Port scan with SCTP, an alternative to TCP and UDP
IP protocol scan	nmap -sO host	No port scan; checks which IP-based protocol is supported on the target system

You can download both Nmap and the interface Zenmap for your operating system on Nmap’s official website. Both the current (stable) version and a beta version (development) are available.

Why port scanning isn’t always legal

Checking ports isn’t always legal. As soon as an attempt at anexploit (the term used by cybersecurity professionals to refer to the act of taking advantage of a security flaw or gap) is made, the person or group responsible for this could face potential legal consequences.

It’s less clear, however, what the legal situation is when a computer system is brought to a halt due to intensive port scanning. Due to the high frequency of connection requests, such monitoring methods can present challenges to the target system, sometimes resulting in the system crashing. What’s more, administrators of the system that is being targeted could become aware of the attackers activities prior to the crash and interpret the actions as being the first steps of an attack.

In such cases, it’s important not to rule out legal consequences. If the targeted system is intentionally overloaded, it could be considered a DDoS attack, which can result in the victim of the attack seeking legal action.

You should always ensure that you are authorized to perform a port scan on a system and only use the technique for security purposes and not simply to satisfy your curiosity. The port scanning methods discussed here highlight how important it is to keep an eye on your own system’s ports and network computers as well as the services that are accessing them.

Was this article helpful?

agsandrewshutterstock

What is a penetration test (pen test)?

The more complex a network is, the more vulnerable it is to attacks. In times when customers and partners have access to internal network structures via the internet, and can control various applications via web interfaces, IT employees are encountering more and more problems.…

Security
Encryption

What is IP Spoofing?

Sending data over networks is one of the most important and highest utilized functions of the modern computer era. But the structure of the necessary TCP/IP connections makes it all too easy for criminals to intercept data packets along their way and either view or alter their…

Security
Encryption

Gustavo FrazaoShutterstock

How Scamming works and how to protect against it

The internet is not new territory for scammers: Scamming encompasses all tricks that criminals use online in chats, via mail, or over social networks, to get unsuspecting people to give them their money. The criminals play their victims through deceitful methods on almost every…

Data Protection
Security

How to detect and remove Trojans

In an ideal world, Trojans are removed before the malware can cause major damage. But detecting a well-disguised Trojan isn’t easy. Apart from the usual signs of a Trojan infection, antivirus programs and malware tools are the best way to reliably detect and remove Trojans. But…

Security

How to recognize and remove malware

Practically every PC user fears Trojan horses and computer viruses. Security is paramount if you are managing sensitive data or setting up a server. You need a comprehensive security concept to protect yourself against insidious malware. It’s helpful to know the different types…

Data Protection
Encryption