A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services -- each associated with a "well-known" port number -- the computer provides. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed for weakness.
Attackers use port scans to break into vulnerable networks to gain unauthorized access to sensitive information. Port scans are also a useful tool for penetration testers (pen testers), enabling them to identify vulnerabilities in their own network with the goal of strengthening its defenses.
Why run a port scan?
A port scan's main function is to map the ports on a given network. However, a port scanner can have a variety of reasons to run one. For malicious users, a port scan is usually the prelude to an attack, a type of network reconnaissance used to identify the systems, ports and software in use that are vulnerable to attack.
However, port scans also have legitimate uses by pen testers and white hat hackers. These are people looking to identify potentially exploitable systems so that they can strengthen them against attackers. They can use port scan data in conjunction with vulnerability management tools to identify new devices or systems on a network that they need to protect or identify misconfigurations in system defenses.
How port scans work
Ports are logical connection endpoints in a network. Each port is assigned a number that a client uses to identify a server and the service it offers. The number is included in the header of data packets that travel between client and server using transport layer protocols, such as the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). A port scan uses this number to identify potentially vulnerable services on a given host.
It does this by sending a series of client requests to server port addresses -- denoted by their port number -- in order to find an active or open port. Once the host receives a message on a port, it returns one of three general responses: open, closed or blocked -- meaning no reply. Open ports represent vulnerable points in a network.
A variety of tools can be used to perform a port scan. The most commonly used tool is Nmap, which stands for Network Mapper. Nmap is a free, open source tool that offers several network mapping features, including port scanning. Users can enter the command nmap-p into a terminal window or command line to utilize its port scanning feature. Nmap-p followed by a single number will return the status of a single port on a given host. The nmap-p command followed by a range of numbers -- e.g., 80-200 -- will return the status of every port in that range. Many other commands are available to specify scans using Nmap, but nmap-p is the most basic. Other Nmap commands include the following:
- nmap-sT, which scans TCP ports;
- nmap-sU, which scans UDP ports;
- nmap-sV, which probes for the services being used on certain ports;
- nmap followed by an Internet Protocol address scans ports on that IP address; and
- nmap followed by an IP address with a slash after the last digit (e.g., 192.168.1.0/23) scans a subnet.
Beyond Nmap, there are other tools to perform port scans -- such as Metasploit and NetScanTools Pro -- as well as other types of port scans that retrieve different information.
Types of port scans
Types of port scans include the following:
- Vanilla. An attempt to connect to all ports -- there are 65,536.
- Strobe. An attempt to connect to only selected ports -- typically, under 20.
- Stealth scan. Several techniques for scanning that attempt to prevent the request for connection being logged.
- File Transfer Protocol (FTP) bounce scan. An attempt that is directed through an FTP server to disguise the cracker's location.
- Fragmented packets. A scan performed by sending packet fragments that can get through simple packet filters in a firewall.
- UDP. A scan for open UDP ports.
- Sweep. A scan of the same port on various computers.
The simplest way an organization can protect itself against malicious port scan attacks is to deploy a firewall in conjunction with either an intrusion detection system (IDS) or intrusion prevention system (IPS). The firewall manages the visibility of and state of ports -- open, closed or filtered -- on the network. The IDS looks for suspicious activity and alerts the user to port scans in progress. The IPS does the same thing but also takes measures to stop the attack as it is happening.
There are certain ports that are more vulnerable to attacks involving port scans due to the nature of the service they have been assigned to provide. For example, port 445 is a traditional Microsoft networking port that is a core means of communication for Windows hosts on a network. This means that, on most Windows-based networks, port 445 is open on a firewall and, therefore, is a good starting point for TCP port scanning attacks.
TCP vs. UDP
TCP and UDP are two of the most common protocols used to communicate between client and server. They exist at the transport layer of the IP stack and generate the responses that certain port scans use to determine the status of the ports they are scanning. An effective port scan relies on the fact that a target host is Request for Comments (RFC)-compliant, meaning that it uses the TCP/IP stack in a standardized way, generating standardized results for the scanner.
The difference between TCP and UDP is in the type of communication they enable. TCP is a connection-oriented protocol -- meaning an end-to-end connection is established before any data is sent. This means that it sends acknowledgements of received information, known as an acknowledgement (ACK) packet. The ACK packet lets the sender know that the packet has been properly received. When information is not received, is rejected or is received in error, a negative acknowledgement (NACK) packet is sent.
UDP, however, is a connectionless protocol -- meaning a two-way connection does not need to be established for communication to ensue. Instead of sending ACK packets, a UDP connection simply receives the data being sent to it without an acknowledgement, only responding with a port unreachable message when the information was not received.
When performing a UDP scan, port scanners use the lack of response to infer that a port is open. In a TCP scan, a port scanner uses ACK packets or NACK packets to determine the state of a port. A TCP scan is an easily detectable scan but yields more reliable information than a UDP scan because of the existence of ACK and NACK packets. Scanners can use this information to determine the existence of a firewall and its rule sets. A UDP scan rarely elicits a response and can elicit false positives but is generally stealthier than TCP because of the lack of the back-and-forth communication between a client and a web server.