Port scanning is the act of probing a computer's or server's ports, the numbered endpoints where network data is sent and received, to learn which services are reachable and whether any of them look vulnerable. It helps to think of port scanning as knocking on doors to see if anyone is inside. Running a port scan against a network or server shows which ports are open and listening (accepting external connections), which are closed, and which are being silently blocked, and in doing so reveals the presence of firewalls or other filtering devices sitting between the scanner and the target.
Port scanning software sends a connection request to each targeted port, sequentially or in randomized order, and records which ports responded and how, so that the interesting ones can be investigated in more depth. While a port scan is not harmful by itself, it is commonly a prelude to a targeted attack; it is equally a routine step in auditing your own systems.
Port Scanning Techniques
A port scan sends a carefully prepared packet to each destination port number and interprets the reply, or the absence of one. The basic techniques that port scanning software supports include:
- Vanilla: The most basic scan; an attempt to connect to each of the 65,536 TCP ports one at a time. A vanilla scan is a full connect scan: the scanner sends a packet with the SYN flag set (request to connect), and on receiving a SYN-ACK (acknowledgement) replies with an ACK, completing the three-way "TCP handshake". Because it uses the operating system's ordinary connect() call it needs no special privileges and its results are reliable, but it is also the easiest to detect: the listening service sees a real connection and will typically log it, as will any firewall that records completed connections.
- SYN Scan: Sometimes called a half-open scan, it sends a synchronize (SYN) packet and waits for the target to respond. A SYN-ACK means the port is open, and the scanner immediately sends a RST to abort the handshake instead of completing it; a RST in reply means the port is closed; no reply means a filter dropped the probe. Because the connection is never completed, the listening application never sees it and does not log it, although a firewall or intrusion detection system that inspects individual packets can still record the SYN. Crafting these packets requires raw-socket (administrator) privileges.
- XMAS and FIN Scans: A family of scan types that probe a port without starting a handshake at all, relying on how TCP stacks react to unexpected flag combinations. A FIN scan sends an unsolicited FIN packet (a flag normally used to close an already established session) to the port. According to the TCP specification a closed port answers with a RST while an open port silently ignores the packet, so the response, or lack of one, reveals the port's state and can also betray a firewall that answers in the target's place. An XMAS scan sends a single packet with an unusual set of flags lit at once (FIN, PSH and URG in the common implementation, hence the Christmas-tree name) and interprets the reply the same way. These scans are unreliable against stacks that do not follow the specification, notably Windows, which returns a RST regardless of whether the port is open.
- FTP Bounce Scan: Abuses the FTP PORT command, which lets a client ask an FTP server to open a data connection to an arbitrary address and port. The scanner asks a third-party FTP server to connect to each port on the real target and infers the result from the server's reply, so the target sees the FTP server's address rather than the scanner's. This conceals the sender and can reach hosts the scanner cannot connect to directly; most modern FTP servers disable the feature.
- Sweep scan: The same port is probed on a large number of separate hosts in order to identify which machines on the network are actually up. This does not reveal which ports are open on any one host; its goal is to map which systems are live. It is generally an initial reconnaissance step by someone hoping to learn as much as possible about a network before scanning individual hosts in depth.
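The SYN, FIN and XMAS scans above work at the packet level, so the scanner has to build the TCP header itself and decide what each reply means. The following is an added example, not code from the original article: it constructs the 20-byte TCP header a half-open or stealth scanner hands to a raw socket, verifies the checksum the way a receiving stack would, and maps the reply flags to a port state per scan type. Nothing is transmitted (sending raw TCP needs root or administrator privileges), the addresses and ports are constructed sample values, and the FIN/XMAS rules assume an RFC 793 conformant target, which Windows is not.

```python
"""Craft the TCP probe a SYN, FIN or XMAS scanner sends and interpret the reply.

Added example, not from the original article. Builds the raw TCP header a
half-open or stealth scanner sends (a connect scan lets the kernel do this)
and maps the observed reply to a port state. Nothing is put on the wire.
Addresses and ports used below are constructed sample values.
"""
import socket
import struct

# TCP control bits (low bits of the 16-bit data-offset/flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each probe type sets. "xmas" is the FIN|PSH|URG combination nmap -sX
# sends; "every flag lit" is the informal description of the same idea.
PROBES = {"syn": SYN, "fin": FIN, "xmas": FIN | PSH | URG}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that TCP includes in its checksum."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_header(src_ip, dst_ip, src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Return a 20-byte TCP header (no options) with a valid checksum."""
    offset_flags = (5 << 12) | flags        # data offset = 5 words (20 bytes)
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                      offset_flags, window, 0, 0)   # checksum 0 while computing
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp_header(hdr: bytes) -> dict:
    """Unpack the fixed part of a TCP header, e.g. a reply read from a raw socket."""
    src, dst, seq, ack, off_flags, window, csum, _urg = struct.unpack("!HHIIHHHH", hdr[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "window": window, "checksum": csum}


def verify_checksum(src_ip: str, dst_ip: str, hdr: bytes) -> bool:
    """A correct header sums to zero once its own checksum field is included."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr) == 0


def classify_reply(scan: str, reply_flags, icmp_unreachable: bool = False) -> str:
    """Map a probe's outcome to a port state. reply_flags is None on timeout."""
    if icmp_unreachable:                    # ICMP type 3 from a filter or router
        return "filtered"
    if scan == "syn":
        if reply_flags is None:
            return "filtered"               # SYN silently dropped
        if reply_flags & SYN and reply_flags & ACK:
            return "open"                   # half-open: scanner now sends RST
        if reply_flags & RST:
            return "closed"
        return "unknown"
    if scan in ("fin", "xmas"):
        if reply_flags is None:
            return "open|filtered"          # RFC 793: open ports ignore the probe
        if reply_flags & RST:
            return "closed"
        return "unknown"
    raise ValueError(f"unknown scan type {scan!r}")


def half_open_exchange(src_ip, dst_ip, src_port, dst_port, reply_flags):
    """Packets a SYN scanner sends for one port given the reply it observed:
    the SYN probe, then a RST to abort if the port answered SYN-ACK.
    Sequence numbers are simplified (1, then 2 after the SYN is counted)."""
    sent = [build_tcp_header(src_ip, dst_ip, src_port, dst_port, SYN, seq=1)]
    if classify_reply("syn", reply_flags) == "open":
        sent.append(build_tcp_header(src_ip, dst_ip, src_port, dst_port, RST, seq=2))
    return sent
```

Note that the FIN and XMAS branches can only ever return "closed" or "open|filtered": a silent port and a firewall that drops the probe look identical, which is why scanners report that ambiguous state rather than claiming the port is open.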
Whatever technique is used, the information a probe sends back is usually generalized into one of three categories:
- Open or Accepted: The host sent a reply indicating that a service is listening on the port (for a TCP SYN probe, a SYN-ACK).
- Closed, Denied or Not Listening: The host sent a reply indicating that nothing is listening and connections to the port are refused (for TCP, a RST).
- Filtered, Dropped or Blocked: There was no reply from the host, typically because a firewall silently dropped the probe; an ICMP "destination unreachable" message from an intermediate device is usually reported the same way.
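A vanilla connect scan is the one technique that needs no raw sockets, so it can be shown end to end. The block below is an added example, not code from the original article: probe_port() uses the operating system's connect() call, so every probe is the full three-way handshake and the listening service sees a real connection, and it sorts each port into the three categories above. demo() runs the scanner offline against 127.0.0.1, using a throwaway listening socket as the open port and a freshly released ephemeral port as the closed one; the "filtered" branch needs a host or firewall that drops the SYN, so it is handled in code but not exercised by demo().

```python
"""TCP connect ("vanilla") scan that sorts ports into open / closed / filtered.

Added example, not from the original article. Each probe is a complete
three-way handshake via connect(), which is exactly why this scan is noisy:
the service on an open port sees and can log the connection.
"""
import errno
import socket


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port by attempting a full connection."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))           # SYN -> SYN-ACK -> ACK completes
        return "open"
    except ConnectionRefusedError:           # target answered with RST
        return "closed"
    except (socket.timeout, TimeoutError):   # neither SYN-ACK nor RST: dropped
        return "filtered"
    except OSError as exc:                   # ICMP unreachable from a filter/router
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()                         # FIN teardown if the connect succeeded


def scan_ports(host: str, ports, timeout: float = 1.0) -> dict:
    """Sequential connect scan; returns {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def demo():
    """Scan one open and one closed loopback port.
    Returns (results, open_port, closed_port); the ports are whatever the
    kernel hands out, so nothing here depends on a fixed port number."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: kernel picks a free port
    listener.listen(1)                       # kernel completes handshakes for us
    open_port = listener.getsockname()[1]
    # Bind and release a second ephemeral port so nothing is listening on it.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port], timeout=2.0)
        return results, open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    results, o, c = demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} {state}")
```

Against a real target, run scan_ports() from a machine on the same network segment the attackers would come from; a scan from the host itself includes loopback-only services that no remote scanner can see.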
Ports are numbered from 0 to 65535, with certain ranges carrying the majority of traffic. Ports 0 to 1023 are the "well-known" ports and have default service assignments registered with the Internet Assigned Numbers Authority (IANA). A few of the more prominent ports and their assigned services include:
- Ports 20 and 21 (TCP): File Transfer Protocol (FTP); 21 carries commands and 20 the data channel in active mode
- Port 22 (TCP): Secure Shell (SSH) protocol for encrypted logins, file transfer (SFTP, SCP) and port forwarding
- Port 23 (TCP): Telnet protocol for unencrypted text communications
- Port 53 (UDP and TCP): Domain Name System (DNS), which translates host names to IP addresses
- Ports 80 and 443 (TCP): World Wide Web HTTP and HTTPS
Many important services run on ports well above 1023, and malware frequently listens or communicates on such ports in the hope of avoiding the closer attention paid to the well-known range.
Every networked system can be port scanned. Many default operating system installations leave numerous ports open for flexibility. Before a system is placed online, run a port scan against it from the network side and compare the result with the services it is actually meant to provide; if more ports are open than required, stop or firewall those services. The more services a system exposes, the larger its attack surface.
If a system has been compromised, attackers may open additional listening ports (backdoors) so they can return to the host more easily. The more vigilant the system administrator is in checking for unexpected listeners, the more resistant the system will be to penetration and the less likely it is to be exploited.
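The check the two paragraphs above call for is the host-side counterpart of a port scan: list what is actually listening and compare it with what should be. The following is an added example, not code from the original article. It parses the output of `ss -tulnp` (Linux, iproute2), which lists every TCP listener and bound UDP socket with its owning process, and reports anything outside an allowlist, distinguishing sockets a remote scan would find from loopback-only ones. SAMPLE_SS is a constructed sample of that output, not captured from a real host, and ALLOWED is a made-up policy for a web server that also runs a resolver; on a real host, feed the live `ss -tulnp` output to parse_ss() instead.

```python
"""Compare a host's listening sockets with the services it is meant to offer.

Added example, not from the original article. SAMPLE_SS is constructed `ss
-tulnp` output and ALLOWED a hypothetical policy; both exist only so the
example runs offline. parse_ss() accepts the real command's output unchanged.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port process")

# Constructed sample, formatted like `ss -tulnp` on a Linux host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511                *:443              *:*    users:(("nginx",pid=1044,fd=6))
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*    users:(("mariadbd",pid=990,fd=21))
tcp   LISTEN 0      128          0.0.0.0:23         0.0.0.0:*    users:(("in.telnetd",pid=1301,fd=4))
tcp   LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*    users:(("named",pid=877,fd=512))
"""

# Hypothetical policy: (protocol, port) pairs this host is supposed to expose.
ALLOWED = {("tcp", 22), ("tcp", 443), ("udp", 53)}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_ss(output: str) -> list:
    """Turn `ss -tulnp` output into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, _state, _recvq, _sendq, local, _peer = fields[:6]
        addr, port = local.rsplit(":", 1)          # handles "[::]:22" and "*:443"
        match = re.search(r'"([^"]+)"', line)      # process name inside users:(...)
        listeners.append(Listener(proto, addr, int(port), match.group(1) if match else None))
    return listeners


def is_remote_reachable(listener: Listener) -> bool:
    """Sockets bound to loopback are invisible to a scan from another host."""
    return listener.addr not in LOOPBACK


def audit(listeners, allowed) -> list:
    """Return (listener, verdict) for every socket not in the allowlist."""
    findings = []
    for lst in listeners:
        if (lst.proto, lst.port) in allowed:
            continue
        if is_remote_reachable(lst):
            verdict = "exposed: stop the service or firewall the port"
        else:
            verdict = "loopback only: not remotely scannable, still review"
        findings.append((lst, verdict))
    return findings


def exposed_ports(findings) -> list:
    """Sorted ports a network scan would reveal that the allowlist does not cover."""
    return sorted(lst.port for lst, verdict in findings if verdict.startswith("exposed"))


if __name__ == "__main__":
    for lst, verdict in audit(parse_ss(SAMPLE_SS), ALLOWED):
        print(f"{lst.proto}/{lst.port} on {lst.addr} ({lst.process}): {verdict}")
```

In the sample, the telnet daemon on 23/tcp is the finding a remote scan would also turn up, while the database bound to 127.0.0.1:3306 is reported separately because no external scanner can reach it; after a suspected compromise, diff the live output against a baseline taken when the host was built to spot newly added listeners.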
How Barracuda Can Help:
Port scanning is also used defensively: firewalls scan the networks they protect to find exposed services before threats can reach them. Barracuda CloudGen Firewalls allow a high level of granularity in how often port scans are initiated. In addition, Barracuda firewalls offer a threat scan page that lists all threats detected by the Intrusion Prevention System (IPS), the Virus Scanner service, and Advanced Threat Protection (ATP).
Do you have more questions about Port Scanning? Contact us today!