A port scanner is an application which is made to probe a host or server to identify open ports. Bad actors can use port scanners to exploit vulnerabilities by finding network services running on a host. They can also be used by security analysts to confirm network security policies.
Running a port scan on a network or server reveals which ports are open and listening (receiving information) as well as revealing the presence of security devices, such as firewalls, that are present between the sender and the target. This technique is known as fingerprinting.
It is also valuable for testing network security and the strength of the system’s firewall. Due to this functionality, it is also a popular reconnaissance tool for attackers seeking a weak point of access to break into a computer.
Ports vary in their services offered. They are numbered from 0 to 65535, but certain ranges are more frequently used. Ports 0 to 1023 are identified as the “well-known ports” or standard ports and have been assigned services by the Internet Assigned Numbers Authority (IANA). Some of the most prominent ports and their assigned services include:
There are standard services offered on ports after 1023 as well and ports that, if open, indicate an infected system due to its popularity with some far-reaching Trojans and viruses.
A port scan sends a carefully prepared packet to each destination port number. The basic techniques that port scanning software is capable of include:
A port scanner sends a UDP or TCP network packet that asks the port about its status. The results will uncover network or server status, which can be one of the following: open, closed and filtered.
1. Open — Accepted
An open port indicates the following:
For bad actors, locating open ports is the mission. This creates a challenge for security personnel faced with the task of blocking open ports with firewalls (while avoiding cutting off access for authorized users).
2. Closed — Not Listening
A closed port indicates the following:
Although the port is closed, it can still be accessed, and therefore useful in confirming that a host is present on an IP address. Security personnel should continuously monitor closed ports and consider barricading them with firewalls (making them filtered ports).
3. Filtered — Dropped/Blocked
A filtered port indicates the following:
As long as packets do not reach the target, bad actors will have no way to uncover further insights. Typically, packets sent to filtered ports will not receive a response, but when they do, the error message is usually “communication prohibited” or “destination unreachable.”
Port scanning is one of the most popular tactics bad actors use when in search of a vulnerable server, according to the SANS Institute. When targeting networks, port scanning is typically the first step. The port scan delivers useful information about the network environment, such as:
This type of information is highly valuable to malicious actors who are looking for vulnerabilities in software. Being able to identify that an organization is running a specific DNS or web server makes finding those vulnerabilities much easier. There are several TCP protocol techniques that allow bad actors to use decoy traffic for port scans, hiding their network address and location entirely.
Scans that are developed for the sender to go undetected by a receiving system’s log are known as stealth scans and are of particular interest to attackers. Despite its popularity in this area, port scanning is a valuable tool for fingerprinting a network and for a penetration tester to assess the strength of network security.