Information Gathering: Port Scanning

This excerpt from Chapter 4 of "Network Security: A Practical Approach," by Jan Harrington examines how port scanning, while useful for troubleshooting network vulnerabilities, can arm crackers with a wealth of information.

In TCP/IP terminology, a port is a software identifier that corresponds to a specific application or protocol running on a host. For example, by default HTTP uses port 80. An edge router typically provides the only IP address for an internal network. All packets for hosts on the internal network are addressed to the router's WAN IP address. Therefore, the router determines where to deliver a packet on its local network in part by looking at the port requested by the packet and then sending the packet to the host running the corresponding application. (It's actually a little more complicated than this because more than one computer may be using the same protocol or application, in which case the router needs to examine the destination host name as well.)

An open port is any port for which packets will be accepted. Packets for closed ports are dropped. Because packets for open ports are passed through the edge router onto the internal network, they provide an access tunnel through any defenses the router might have. If a cracker can determine which ports are open through an edge router, he or she has identified potential avenues for system attacks.

The port numbers used by protocols and applications are generally not kept secret. In fact, those ports that are used by TCP/IP are called well-known ports. You can find a listing of common well-known ports in Appendix C.


An Aside: It is possible, and sometimes desirable, to use a port other than the well-known port for a protocol. For example, if you have multiple Web servers on a network (and they are not clones of one another), then you want only one of those servers to use port 80. The others need to use a different port -- which you can append to the server's IP address -- so that each Web server can receive the correct packets. If you see an IP address in the form X.X.X.X:9999, where the 9s are replaced with a number, then you know you're seeing a redirection from a standard port. For example, indicates that HTTP traffic is intended for port 8080 on the host with IP address (Don't try this address; as you probably recognize, it's an internal, nonroutable address used just for this example.)

As a first example of a port scan, take a look at Figure 4.9, which contains the result of a port scan on a host that has open ports for the most common TCP/IP protocols. The scan result shows the port numbers along with the protocols or applications that are listening for traffic on each port.

Today, network administrators know better than to leave unused ports open. A port scan on an edge router, such as that in Figure 4.10, is likely to show very few open ports. This particular router allows Web traffic through, but little else.

One of the ironies of computer security work is that the tools that crackers use to perform port scans and other information gathering activities are also useful for troubleshooting networks and performing penetration testing. Therefore, the tools are widely and legally available, and, in some cases, are actually supplied with an operating system.

This means that to defend against a port scan, you need to be very proactive. First, on all hosts, close all ports that will not be used. To do so, you shut down the services (the applications or operating system daemons) that run on those ports. Also, block traffic for all unnecessary ports using a firewall on your edge router.
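As an added example that is not from the book, the following Python script applies that first step on a Linux host: it parses the listening sockets reported by `ss -tlnp` (the sample output below is constructed), skips loopback-only services, and reports every network-reachable listener whose port is not on an allowlist, so those services can be shut down or blocked at the edge firewall. The allowlist, the partial well-known-port table and the `ss` column layout are assumptions of the example.

```python
import re

# Constructed sample of `ss -tlnp` output from an imaginary Linux host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1040,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1040,fd=7))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1233,fd=21))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1301,fd=4))
LISTEN  0       128     [::]:8080            [::]:*             users:(("java",pid=1410,fd=12))
"""

# Partial table of well-known TCP port assignments, used only for readable reports.
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https", 3306: "mysql"}

# One LISTEN row: state, queue counters, local addr:port, peer, then the owning process name.
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_output: str) -> list[dict]:
    """Return one dict per LISTEN row with its port, bound address and process."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
            listeners.append({"port": port, "addr": addr, "process": proc})
    return listeners

def audit(ss_output: str, allowed: set[int]) -> list[str]:
    """Describe every network-reachable listener whose port is not on the allowlist.

    Loopback-only listeners are skipped: they cannot be reached through the edge
    router, so they are not what a remote port scan would find.
    """
    findings = []
    for l in parse_listeners(ss_output):
        if l["addr"] in ("127.0.0.1", "[::1]") or l["port"] in allowed:
            continue
        name = WELL_KNOWN.get(l["port"], "unregistered")
        findings.append(f"port {l['port']}/tcp ({name}) open by {l['process']} on {l['addr']}")
    return findings

if __name__ == "__main__":
    # Allowlist for a web server that is also administered over SSH.
    for finding in audit(SAMPLE_SS_OUTPUT, {22, 80, 443}):
        print("unexpected listener:", finding)
```

On a real host, feed the script the live output of `ss -tlnp` instead of the constructed sample; each finding names the process to stop and the port to block at the router.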


Reality Check: If you have a good, well-configured firewall on your edge router or as a stand-alone firewall appliance, do you need firewalls on the hosts on your internal network? Probably not. However, home users who are connected directly to the Internet without going through a firewall-equipped router do need their own firewalls. Even a dial-up connection isn't safe from port scans. The ranges of IP addresses used by major ISPs are well known at this point, and script kiddies run software that attempts port scans through the entire range of addresses automatically.

Printed with permission from Morgan Kaufmann, a division of Elsevier. "Network Security: A Practical Approach" by Jan Harrington. Copyright 2005. For more information about this title and other similar books, please visit

This was last published in April 2006