Port scanner

From Wikipedia, the free encyclopedia

Jump to: navigation, search

A port scanner is a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by hackers to compromise it. To portscan a host is to scan for listening ports on a single target host. To portsweep is to scan multiple hosts for a specific listening port. The latter is typically used in searching for a specific service, for example, an SQL based computer worm may port sweep looking for hosts listening on TCP/UDP port 1433.

Contents

[edit] TCP/IP basic knowledge

The protocol stack that is most common on the Internet today is TCP/IP. In this system, hosts and host services are referenced using two components: an address and a port number. There are 65536 distinct and usable port numbers. Most services use a limited range of numbers; these numbers will eventually become assigned by the IANA when the service becomes important enough.

Some port scanners only scan the most common, or most commonly vulnerable, port numbers on a given host. See: List of TCP and UDP port numbers.

The result of a scan on a port is usually generalized into one of three categories:

  • Open or Accepted: The host sent a reply indicating that a service is listening on the port.
  • Closed or Denied or Not Listening: The host sent a reply indicating that connections will be denied to the port.
  • Filtered, Dropped or Blocked: There was no reply from the host.

Open ports present two vulnerabilities of which administrators must be wary:

  1. Security and stability concerns associated with the program responsible for delivering the service.
  2. Security and stability concerns associated with the operating system that is running on the host.

Closed ports only present the latter of the two vulnerabilities that open ports do. Blocked ports do not present any reasonable vulnerabilities. Of course, there is the possibility that there aren't any known vulnerabilities in either the software or operating system at this given time.

The information gathered by a port scan has many legitimate uses, including the ability to verify the security of a network. Port scanning can however also be used by those who intend to compromise security. Many exploits rely upon port scans to find open ports and send large quantities of data in an attempt to trigger a condition known as a buffer overflow. Such behavior can compromise the security of a network and the computers therein, resulting in the loss or exposure of sensitive information and the ability to do work.

[edit] SYN scanning

SYN scan is the most popular form of TCP scanning. Rather than use the operating system's network functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan type is also known as "half-open scanning", because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the connection before the handshake is completed.

The use of raw networking has several advantages, giving the scanner full control of the packets sent and the timeout for responses, and allowing detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection while some services can be crashed with a connect scan. However, the RST during the handshake can cause problems for some network stacks, particularly simple devices like printers. There are no conclusive arguments either way.

[edit] TCP scanning

The simplest port scanners use the operating system's network functions and is generally the next option to go to when SYN is not a feasible option. Nmap calls this mode connect scan, named after the Unix connect() system call. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection. Otherwise an error code is returned. This scan mode has the advantage that the user doesn't require special privileges. However, using the OS network functions prevents low-level control, so this scan type is less commonly used.

[edit] UDP scanning

UDP scanning is also possible, although there are technical challenges. UDP is a connectionless protocol so there is no equivalent to a TCP SYN packet. However, if a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open. However, if a port is blocked by a firewall, this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This method is also affected by ICMP rate limiting.

An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response, if a DNS server is present. This method is much more reliable at identifying open ports. However, it is limited to scanning ports for which an application specific probe packet is available. Some tools (e.g. nmap) generally have probes for less than 20 UDP services, while some commercial tools (e.g. nessus) have as many as 70. In some cases, a service may be listening on the port, but configured not to respond to the particular probe packet.

To cope with the different limitations of each approach, some scanners offer a hybrid method. For example, using nmap with the -sUV option will start by using the ICMP port unreachable method, marking all ports as either "closed" or "open|filtered". The open|filtered ports are then probed for application responses and marked as "open" if one is received.

[edit] ACK scanning

ACK scanning is one of the more unique scan types, as it does not exactly determine whether the port is open or closed, but whether the port is filtered or unfiltered. This is especially good when attempting to probe for the existence of a firewall and its rulesets. Simple packet filtering will allow established connections (packets with the ACK bit set) whereas a more sophisticated stateful firewall might not.

[edit] Window scanning

Rarely used because of its outdated nature, window scanning is fairly untrustworthy in determining whether a port is opened or closed. It generates the same packet as an ACK scan, but checks whether the window field of the packet has been modified. When the packet reaches its destination, a design flaw attempts to create a window size for the packet if the port is open, flagging the window field of the packet with 1's before it returns to the sender.

While this method has been phased out almost completely, using this scanning technique with systems that no longer support this implementation returns 0's for the window field, labeling open ports as closed.

[edit] FIN scanning

Since SYN scans aren’t surreptitious enough, firewalls are generally scanning for and blocking packets in the form of SYN packets. Presented in 1996 issue of Phrack 49, article 15, by Uriel Maimon. It is documented that FIN packets are able to pass by firewalls with no modification to its purpose. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP, and is in some ways an inescapable downfall. Systems vulnerable to this type of scan are most Unix and NT systems. Microsoft is immune in that it is not bias in the port state and will send a RST packet regardless of the port being open or closed.

[edit] Custom TCP scanning

Allowing the entire scan to be completely set up by the user, this scan technique is more for advanced purposes when standard scanning techniques lack in certain areas.

[edit] Other scan types

Some more unusual scan types exist. These have various limitations and are not widely used. Nmap supports most of these.[1]

  • Protocol scan - determines what IP level protocols (TCP, UDP, GRE, etc.) are enabled.
  • Proxy scan - a proxy (SOCKS or HTTP) is used to perform the scan. The target will see the proxy's IP address as the source. This can also be done using some FTP servers.
  • Idle scan - Another method of scanning without revealing your IP address, taking advantage of the predictable ip id flaw.
  • CatScan - Checks ports for erroneous packets.
  • ICMP scan - determines if a host responds to ICMP requests, such as echo (ping), netmask, etc.

[edit] Problems with ISPs and port scanning

Many Internet service providers deny their customers the ability to perform port scans outside of their home networks. This is usually covered in the Terms of Service or Acceptable Use Policy to which the customer must have already agreed. Other public and private networks may also place such limitations upon their users.

Some ISPs implement Packet filters or Transparent proxies that prevent outgoing port scans being able to access certain ports. For example, if an ISP provides a transparent HTTP proxy on port 80, port scans of any address will appear to have port 80 open, regardless of target host's actual state.

[edit] Common port scanning software

[edit] See also

[edit] References

  1. ^ Port Scanning Techniques

[edit] External links

External links to port scanners
Port list
Papers
Legal implications
Personal tools