Port Scanning
A computer hardware port is a connection point or interface between a computer and an external or internal physical device. Internal ports may connect such devices as hard drives and CD ROM or DVD drives; external ports may connect modems, printers, mice and other devices. These are physical in nature. E.g Serial Port, Parallel Port, SCSI Port, USB Port etc.
In computer networking, a port is a communication endpoint. At the software level, within an operating system, a port is a logical construct that identifies a specific process or a type of network service. A port is a virtual point where network connections start and end. Ports are software-based and managed by a computer’s operating system. A port number is always associated with an IP address of a host and the type of transport protocol used for communication. Each port is associated with a specific process or service. Ports allow computers to easily differentiate between different kinds of traffic. E.g. emails go to a SMTP port 25, Webpages go t a HTTP Port 80 and HTTPS uses port 443. Etc
A port scanner is a software program that is designed to examine the hosts which reside at an IP addresses and record which ports are open on each host along with which known vulnerabilities are present. For network architecture or a Cyber security analyst port scanners can be extremely valuable. These port scanners can provide a useful way of identifying and evaluating the strengths and weaknesses of a network. As the same port scanner information that can be used by a network administrator or Cyber security analyst to evaluate the security of a network. It can also be used by Cyber criminals in order to identify network weaknesses or to assess how or at which point to attack a network. Now a day’s high quality port scanner software are freely available online for Cyber Security engineers and to Cyber criminals. As with so many other tools that exists online; port scanners can be used with good intention or can be used to cause harm depending upon the goal of the user who is possess the tool.
A port scanner is a simple computer program that checks all of those ports – and responds with one of three possible responses: Open, Closed, or Filtered. There are two kinds of ports on each computer – TCP, and UDP – and 65,536 of each. The first 1024 TCP ports are the well-known ports like FTP(21), HTTP(80), or SSH(22). Anything above 1024 is available for use by services or applications.
Port scanning is quite simple: a port scanner sends a request to connect to a port on a computer and records the response. There are three possible responses:
- Open / Accepted: The computer responds and asks if there is anything it can do in response.
- Closed / Not Listening: The computer responds that “This port is currently in use and unavailable at this time.”
- Filtered / Dropped / Blocked: The computer doesn’t even to respond to this requests.
Cybercriminals are looking for open ports that they can use as communication relays or penetration vectors into a network. Any open port they can find is a possible access point for further infiltration into the network.
Ping Scan: The simplest port scans are ping scans. A ping is an Internet Control Message Protocol (ICMP) echo request – attackers are looking for any ICMP reply, which indicates that the target is alive. A ping scan is an automated blast of many ICMP echo requests to different targets to see who responds. Administrators usually disable ping either on the firewall or on the router. It’s quick and easy to turn off this functionality and make it impossible to scout the network this way. However, ping is a good troubleshooting tool, and turning it off makes tracking down network problems a little more difficult.
TCP Half-Open: One of the more common and popular port scanning techniques is the TCP Half-Open port scan, sometimes referred to as SYN scan. It’s a fast and sneaky scan that tries to find potential open ports on the target computer. This scan is fast because it never completes the full TCP 3 way-handshake. The scanner sends a SYN message and just notes the SYN-ACK responses. The scanner doesn’t complete the connection by sending the final ACK: it leaves the target hanging. Any SYN-ACK responses are possible connections: an RST(reset) response means the port is closed, but there is a live computer here. No responses indicate SYN is filtered on the network. Any SYN-ACK replies are a quick way cybercriminals can find the next potential target.
TCP Connect: This port scanning technique is basically the same as the TCP Half-Open scan, but instead of leaving the target hanging, the port scanner completes the TCP connection. It’s not as popular a technique as the TCP Half-Open. First, attacker has to send one more packet per scan, which increases the amount of traffic attacker are causing on the network. Second, since the attacker completes the connection with the target, it might trip an alarm that the Half-Open scan wouldn’t.
UDP Connect: When attacker runs a UDP port scan, he sends either an empty packet or a packet that has a different payload per port, depending on attacker purpose. The trick with a UDP scan is that the attacker will only get a response if the port is closed, which means the attacker might know that there is a computer there. Depending on which port responded attacker might know that it has DNS or SNMP running, but that’s pretty much it. No response means that either the port is open or it’s filtered, and attacker might have to run the scan more than once before he figures anything out about the target. Attacker could be waiting a while to get a response that might never come. One more logical use of a UDP scan is to send a DNS request to UDP port 53 and see if he get a DNS reply. If attacker does get a reply, then he knows that there is a DNS server on that computer. A UDP scan can be useful to scout for active services that way, and the nmap port scanner is preconfigured to send requests for many standard services.
Difference between TCP and UDP
TCP and UDP are the two most common protocols in use for Internet Protocol (IP) networks. Transmission Control Protocol (TCP) is a nice orderly transaction protocol: TCP sends each packet in order, complete with error checking, verification, and a 3-way handshake to confirm each packet delivery is successful. UDP doesn’t have any of the error checking, but gains on speed: live streaming and online video games often use UDP for this reason. Programs that use UDP just send the data – and it misses a packet, receiver will never get it again.
Stealth Scanning: Sometimes an attacker wants to run a port scan that is even quieter and less obvious than the other kinds of scans. Thankfully, TCP includes some flags that allow attackers to do just that. When attacker sends a port scan with a packet and the FIN flag, attacker are sending the packet and not expecting a response. If he does get an RST he can assume that the port is closed. If he get nothing back that indicates the port is open. Firewalls are looking for SYN packets, so FIN packets slip through undetected. The X-MAS scan sends a packet with the FIN, URG, and PUSH flags, and expects an RST or no response, just like the FIN scan. There isn’t much practical use for this scan, but it does make the packet resemble a Christmas tree. Attacker can also send packets with no flags, called a NULL packet, and the response is either an RST or nothing. The good thing – for the hacker – about these scans is that they don’t usually show up in logs. More recent Intrusion Detection Software (IDS) and WireShark tool will catch these scans. If the target is a Microsoft OS, attacker will only see closed ports – but if attacker does find an open port he can assume that it’s not a Windows machine. The biggest advantage of using these flags is that they can slip past the firewall, which makes the results more reliable. Port scanning and penetration testing are important parts of the cyber kill-chain that can lead to intrusion, exploitation, privilege escalation, and more. Port scanning is often just one part of the bigger picture in a cyber-attack.