Port scanning can uncover a number of holes that a hacker could use against you, we cover how to scan ports and more below.
TIP: To Scan your ports online (fast and free), take our free Firewall Test
Port Scanning is one of the most popular reconnaissance techniques attackers use to discover services they can break into. All machines connected to a Local Area Network (LAN) or Internet run many services that listen at well-known and not so well known ports. A port scan helps the attacker find which ports are available (i.e., what service might be listing to a port). Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed further for weakness.
Can I take legal action against port scanning?
A Port scan is like ringing the doorbell to see whether someone’s at home. The police usually can’t do anything about it. They have to wait until a crime is committed. The police might give it more consideration if the doorbell is repeatedly rung causing the homeowner to complain of harassment. Sometimes, if a computer system is affected too much by a port scan, one can argue that the port scan was, in fact, a denial-of-service (DoS) attack, which is usually an offense.
The various techniques used in a port scan are summarized below.
Port Scan – Port Numbers
As you know, public IP addresses are controlled by worldwide registrars, and are unique globally. Port numbers are not so controlled, but over the decades certain ports have become standard for certain services. The port numbers are unique only within a computer system. Port numbers are 16-bit unsigned numbers.The port numbers are divided into three ranges:
- Well Known Ports (0 – 1023)
- Registered Ports (1024 – 49151)
- Dynamic and/or Private Ports (49152 – 65535)
Ports numbered 0 to 1023 are considered well known (also called standard ports) and are assigned to services by the IANA (Internet Assigned Numbers Authority). Here are a few samples:
- echo – 7/tcp – Echo
- ftp-data – 20/udp – File Transfer [Default Data]
- ftp – 21/tcp – File Transfer [Control]
- ssh – 22/tcp – SSH Remote Login Protocol
- telnet – 23/tcp – Telnet
- domain – 53/udp – Domain Name Server
- www-http – 80/tcp – World Wide Web HTTP
By a non-standard port, we simply mean a port whose number is higher than 1023. In this range also, several services are “standard.” For example:
- wins – 1512/tcp # Microsoft Windows Internet Name Service
- radius 1812/udp # RADIUS authentication protocol
Some malicious programs such as Trojans and Viruses have spread so wide that there are a number of ports that if found open, usually indicate that a system may have a virus.
Port Scanning Basic Techniques
The simplest port scan tries (i.e., sends a carefully constructed packet with a chosen destination port number) each of the ports from 0 to 65535 on the victim to see which ones are open.
TCP connect():- The connect() system call provided by an OS is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn’t reachable.
Strobe -A strobe does a narrower scan, only looking for those services the attacker knows how to exploit. The name comes from one of the original TCP scanning programs, though now virtually all scanning tools include this feature.
The ident protocol allows for the disclosure of the username of the owner of any process connected via TCP, even if that process didn’t initiate the connection. So, e.g., one can connect to port 80 and then use identd to find out whether the HTTP server is running as root.
Port Scanning Advanced Techniques
One problem, from the perspective of the attacker attempting to scan a port, is that services listening on these ports log scans. They see an incoming connection, but no data, so an error is logged. There exist a number of stealth scan techniques to avoid this. A stealth scan is a kind of scan that is designed to go undetected by auditing tools. Obviously, this is a race between the hacker and firewall vendors – what are considered stealth scans now may not be so in a few months once the firewall vendor becomes aware of such techniques.
Port scanners scan a host rapidly by firing off packets at different ports. So, scanning very slowly (taking a day or more) becomes a stealth technique. Another stealth scanning technique is “inverse mapping”, where you try to find out all hosts on a network by generating “host unreachable” ICMP-messages for those IPs that do not exist. Since these messages may be generated by any TCP/IP packet one may send meaningless packets (e.g. RST packets sent without any previous packet).
Fragmented packet Port Scan
The scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules. Some packet filters and firewalls do queue all IP fragments, but many networks cannot afford the performance loss caused by the queuing.
This technique is also called half-open scanning, because a TCP connection is not completed. A SYN packet is sent (as if we are going to open a connection), and the target host responds with a SYN+ACK, this indicates the port is listening, and an RST indicates a non- listener. The server process is never informed by the TCP layer because the connection did not complete.
The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports. The scanner sends a FIN packet, which should close a connection that is open. Closed ports reply to a FIN packet with a RST. Open ports, on the other hand, ignore the packet in question. This is required TCP behavior.
If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, silence indicates the presence of a service at the port. However, since packets can be dropped accidentally on the wire or blocked by firewalls, this isn’t a very effective scan.
Other techniques that have been used consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans, and it becomes important to identify the OS and even its version and patch level.
The ability to hide their tracks is important to attackers. Therefore, attackers scour the Internet looking for systems they can bounce their attacks through.
FTP bounce scanning takes advantage of a vulnerability of the FTP protocol itself. It requires support for proxy ftp connections. This bouncing through an FTP server hides where the attacker comes from. This technique is similar to IP spoofing in that it hides where the attacker comes from. For example, badwebsitexyz.com establishes a control connection to the FTP server-PI (protocol interpreter) of say, badspiderbites.com, then requests that the server-PI initiate an active server-DTP (data transfer process) to send a file anywhere on the Internet.
A port scanner can exploit this to scan TCP ports from a proxy ftp server. Thus you could connect to an FTP server behind a firewall, and then scan ports that are more likely to be blocked (e.g., port 139). If the ftp server allows reading from and writing to a directory (such as /incoming), you can send arbitrary data to ports that you do find open.
The advantages to this approach are obvious (harder to trace, potential to bypass firewalls). The main disadvantages are that it is slow, and that many FTP server implementations have finally disabled the proxy “feature”.
Most finger servers allow commands to be forwarded through them. Finger supports recursive queries. A query such as “rob@foo@bar” will ask “bar” to resolve “rob@foo”, causing “bar” to query “foo”. This technique can be used to hide the original source of the request.
E-mail: Spammers try to relay their spam through SMTP servers. As a result, probes for SMTP are commonly seen by machines on the Internet.
SOCKS Allows almost any protocol to be tunneled through the intermediate machine. As a result, attackers probing for SOCKS is common scan seen on the Internet.
HTTP proxy: Most web servers support proxying so that all web traffic can be directed to a single server for filtering as well as caching to improve performance. A lot of these servers are misconfigured to allow proxying of any request from the Internet, allowing attackers to relay attacks against web sites through a third party. Probes for HTTP proxies are one of the more common scans seen today.
IRC BNC: Attackers love to hide their IRC identities by bouncing their connections through other machines. A particular program called “BNC” is used for this purpose on compromised machines.
Port scanning usually means scanning for TCP ports, which are connection-oriented and therefore give good feedback to the attacker. UDP responds in a different manner. In order to find UDP ports, the attacker generally sends empty UDP datagrams. If the port is listening, the service should send back an error message or ignore the incoming datagram. If the port is closed, then most operating systems send back an “ICMP Port Unreachable” message. Thus, you can find out if a port is NOT open, and by exclusion determine which ports are open. Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).
Also, this scanning technique is slow because of compensation for machines that implement the suggestions of RFC 1812 and limit ICMP error message rate. For example, a kernal may limit destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded.
Some people think UDP scanning is pointless – not so. Sometimes for example, Rpcbind can be found hiding on an undocumented UDP port somewhere above 32770. So it doesn’t matter that port 111 is blocked by the firewall. But can you find which of the more than 30,000 high ports it is listening on? With a UDP scanner you can.
This isn’t really port scanning, since ICMP does not have a port abstraction. But it is sometimes useful to determine what hosts in a network are up by pinging them all. ICMP scanning can be done in parallel, so it can be quite fast.
Fingerprinting an OS:
The last scanning method is called Fingerprinting. Fingerprinting is the technique of interpreting the responses of a system in order to figure out what it is. Unusual combination’s of data are sent to the system in order to trigger these responses. Systems respond the same with correct data, but they rarely respond the same way for wrong data.
This document is available from Prabhaker Mateti, Associate Professor at Wright State University.
@CGP: Port scanning’s not illegal. It’s illegal if you take advantage of the open ports to penetrate someone’s system or intercept their traffic. Port scanning is simply against many ISPs’ policies for litigation liability.
Let’s be clear though: there is never ever a law that lets you do something illegal just because someone else did it to you first.
What university and what are the project details? Please be specific and I can help you more with the scanner.
am planning do a port scanner as my mini project to submit in my university……,
can advice me with details of requirements and difficulties
Ah, yes, I do happen to have a question regarding what to do to counter portscans effectively.
Besides just getting a kick-ass form of web security software program, what else can I do when I see a report come up for a Medium strength portscan? And how can I get more information on what KIND of portscan it is besides what my security software antivirus program already tells me (which it just says Portscan: Strength : Medium). ?
And also, if some of these portscans bypass firewalls, how do I prevent people from seeing any of my info if their portscan is successful? And also, IS it legal to send a portscan BACK AT the person if they have done it to you like 5 times already in a month? (Posh! Only problem for me is first Where I would go to send a portscan to someone, and also how to send it).
And also, I’d like to know: even if my antivirus program says that it blocked the portscans, why does my computer still slow waaay down and my internet run into connection issues when I am being attacked? Is it just like my computer taking processing power away to go answer the portscan’s queries or what? :/
Does it mean that the hacker actually got something through? :/
my Esset Internet security firewall log say:
15.01.2011 15:45:28 Detected Port Scanning attack source-22.214.171.124:12200 target- 126.96.36.199:8118 TCP
is that meaning the attack was blocked? am i safe?
the information above is awsome can you please tell me if hacker found open port on victim’s computer then what next hacker done…..can you explain practically…if you explain practically it is good to learn by people like me…thanx a lot buddy
Thanks for the suggestion Elvis, I’ll write something up as I have time, but for those of you looking to conduct your own scans, nmap is an excellent way to do this without paying for it.
This thread was very informative, however, it lack the ability on how to conduct such scans. This post could have been more effect if a real life test would have been done. scanners such as nmap are very effective to use, perhaps worth mentioning on this thread. Overall very informative, but lacks syntax of conductive and carrying out the scans.
from where should i start?
hi.. i need to build a dynamic port scanner in C# with oracle 9i as backend , please tell me the other requirements for this.
i got portscan on my mac today but it block it so i stop the connection come in.
hi, Once if found some ports are open, if i want to start some ftp connection.what are the basic information i should have.
Perhaps he had turned off your firewall while setting up and testing the FTP service and used port scanning to make sure everything was locked down when it was completed. If it happens more than once on different days, then something is up. Try asking him why he scanned your ports – I’d be interested in the answer.
is there any “good” reason why someone would run a a port scan? I paid someone to set up an FTP site for me, then my new Virusbarrier X6 program picked up his port scan (I couldn’t log onto my own website he’d set up once it was on the blocked list)??
ty. great explaining test running well.
i get scanned for days now. if i look in my fwlogs, i see the one who is cracking me use every method which is listed cO
Its not really anything to worry too much about sharpe, even if it was’nt blocked it would do little harm. My bitdefender blocks about 1 or 2 port attacks a day..
As the article says, its more of a test. A test to see how secure you are.
Your explanations on port scans were helpful to my project. thanks!
Hi now and then i keep get scanned with there ip address will come up, my antivirus picks it up is it anything to worry about? my antivirus says portscan blocked? if anyone got any information that could help me? thanks