Port scanning

From Citizendium, the Citizens' Compendium
Jump to: navigation, search
This article is developing and not approved.
Main Article
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
This editable Main Article is under development and not meant to be cited; by editing it you can help to improve it towards a future approved, citable version. These unapproved articles are subject to a disclaimer.

Port scanning involves multiple computer network activities involving sending a stimulus to the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) identifiers of specific services on specific computers. It may be a perfectly legitimate operational function, or it may be part of preparation for attacks on the network or its hosts. Because most common internet services utilize well known ports, port scanning is often used as a technique to identify the services available on the target.

If an address sweep is analogous to checking if a building exists at a given street address, a port scan is closer to testing the doors to see if they are locked, or at least to see if specific apartments or rooms exist. It is good when a security guard verifies that doors are properly locked, but when attackers check these features it can be a preliminary indication of an impending attack. Many worms will probe ports using a port scan to determine if targets are vulnerable to exploitation prior to a propagation attempt.

There is no single mechanism for port scanning, as different TCP and UDP services respond to different kinds of protocol messages. In the case of TCP-based services, telnet is one way to script scans, but it is more common to see specific scan methods for specific application services that run over TCP. Different types of scans can reveal different levels of detail. In the most simple scans a single packet is directed to a target port and then the scanner listens for a response. This type of scan will indicate whether the port is open and listening or closed, or perhaps being filtered by some sort of a firewall. More complex scans will actually negotiate up a full protocol session in order to determine the type of service running on the target port. This later approach is more time consuming, and easier to detect, so many attackers will opt for the former approach (especially if they are attempting to scan large blocks of hosts).

Port scanning can utilize various techniques to increase the 'stealth' of the scan, or evade detection. The most straightforward port scan includes sending a single packet to the target and port and listening for a response. By manipulating the packet headers a scan can be modified so as to avoid detection by various intrusion detection systems. NMAP is a common port scanning tool that offers several configurations for evading scan detection, such as SYN/Stealth scans, Christmas Tree scans, and more.Unicorn Scan is another network scanner in common use.

The Shodan project has completed a full scan of the Internet and archived the results. This service can allow interested parties to perform "stealthy" scans by reviewing archived data and thereby avoiding any possibility of detection by scan targets.

Several passive scanning techniques exist as well. One strategy is to spoof packets from an idle third party target and watch packet sequence increments to identify available ports on a primary target. Printers are commonly used for this purpose due to their low average use and simple networking stack.

Port scanning, in and of itself, is rarely considered a network attack, as it generates little traffic. It can find services that might present vulnerabilities against which specific attacks can be launched. Port scanning can also be used to identify the purpose of various targets (i.e. this machine is probably a web server, this one is a DNS server, etc.). Port scan responses can also be used to identify operating systems.

Simple Mail Transfer Protocol

One scan, which can be done for reasons good or ill, is trying to access the Simple Mail Transfer Protocol (SMTP) on TCP port 25. A very large amount of spam comes from broadband-connected personal computers attacked by botnets that insert SMTP servers on the machines, and use the differently-addressed to send a few spam emails each.

Internet-wide spam defense considers it inappropriate for end user computers to contain SMTP servers. This does not mean that such computers cannot have, and usually should have, SMTP clients that send to an authorized SMTP server inside their network. Network operators, and anti-spam groups, often scan end user address space looking for SMTP servers. Finding such servers strongly suggests that the machine has been compromised; SMTP traffic coming from end user address space can get an ISP blacklisted as a potential spam source.

Hypertext Transfer Protocol

It is quite common to have scans for the Hypertext Transfer Protocol (HTTP), the basic World Wide Web server protocol on TCP port 80. Web indexing services need to find servers, although promiscuous searching for port 80 is not the best way of doing so.

Internet Service Providers with a small and home office market often have an acceptable use policy that forbids HTTP servers on end user machines. They may well offer individual web server hosting, but on computers they operate and onto which their users can install websites. There are a variety of reasons they do this, the most basic being that putting any Internet server on a dynamically assigned address, common in the small and home office (SOHO) market, is essentially futile; the outside world cannot find that address and even customers of the same ISP cannot assume the address will remain constant.

From an operational and commercial standpoint, ISPs may engineer their end user access networks on the assumption that the computers on them will generate amounts of traffic characteristic of clients. A Web server, which becomes popular, can cause the end user network to become overwhelmed with traffic to it, denying service to other users of the same access network.

Searching for HTTP clients, on random high-numbered ports, is likely to be the act of an attacker trying to hijack or disrupt HTTP sessions.


There is a scanner specifically to locate and probe IPsec security gateways, called IKE-scan.