Port scanner



A port scanner is a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by crackers to compromise it. To portscan a host is to scan for listening ports on a single target host. To portsweep is to scan multiple hosts for a specific listening port. The latter is typically used in searching for a specific service; for example, an SQL-based computer worm may port sweep looking for hosts listening on TCP/UDP port 1433.
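The portscan/portsweep distinction above is exactly what a defender looks for in firewall logs. The following is an added example, not part of the article: it parses constructed log lines in a hypothetical "time action proto src:sport -> dst:dport" format and flags a source that touches many ports on one host (portscan) or the same port on many hosts (portsweep). Thresholds and addresses are illustrative.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not real traffic): 198.51.100.7 probes
# five ports on one host (portscan); 203.0.113.9 hits TCP/1433 on four
# hosts (portsweep); the last line is ordinary traffic.
SAMPLE_LOG = """\
2010-05-01T10:00:01 DROP TCP 198.51.100.7:40001 -> 192.0.2.10:21
2010-05-01T10:00:01 DROP TCP 198.51.100.7:40002 -> 192.0.2.10:22
2010-05-01T10:00:01 DROP TCP 198.51.100.7:40003 -> 192.0.2.10:23
2010-05-01T10:00:02 DROP TCP 198.51.100.7:40004 -> 192.0.2.10:25
2010-05-01T10:00:02 DROP TCP 198.51.100.7:40005 -> 192.0.2.10:80
2010-05-01T10:00:05 DROP TCP 203.0.113.9:5555 -> 192.0.2.11:1433
2010-05-01T10:00:05 DROP TCP 203.0.113.9:5555 -> 192.0.2.12:1433
2010-05-01T10:00:05 DROP TCP 203.0.113.9:5555 -> 192.0.2.13:1433
2010-05-01T10:00:05 DROP TCP 203.0.113.9:5555 -> 192.0.2.14:1433
2010-05-01T10:00:09 ACCEPT TCP 192.0.2.50:51000 -> 192.0.2.10:443
"""

# Hypothetical log format: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^\S+ (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def detect(log: str, scan_threshold: int = 5, sweep_threshold: int = 4) -> dict:
    """Map each suspicious source address to ("portscan"|"portsweep", detail).

    portscan:  one source touches >= scan_threshold distinct ports on one host.
    portsweep: one source touches the same port on >= sweep_threshold hosts.
    """
    ports_per_host = defaultdict(set)   # (src, dst)   -> {dport, ...}
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst, ...}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # ignore lines in another format
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        ports_per_host[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    findings = {}
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= scan_threshold:
            findings[src] = ("portscan", f"{len(ports)} ports on {dst}")
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= sweep_threshold:
            findings[src] = ("portsweep", f"port {dport} on {len(hosts)} hosts")
    return findings
```

Real deployments add a time window, since a slow scan spread over hours falls under any per-minute threshold.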

TCP/IP basic knowledge

The protocol stack that is most common on the Internet today is TCP/IP. In this system, hosts and host services are referenced using two components: an address and a port number. There are 65535 distinct and usable port numbers. Most services use a limited range of numbers; these numbers will eventually become [http://www.iana.org/assignments/port-numbers assigned by the IANA] when the service becomes important enough.

Some port scanners only scan the most common, or most commonly vulnerable, port numbers on a given host. See: List of TCP and UDP port numbers.

The result of a scan on a port is usually generalized into one of three categories:
*Open or Accepted: The host sent a reply indicating that a service is listening on the port.
*Closed or Denied or Not Listening: The host sent a reply indicating that connections will be denied to the port.
*Filtered, Dropped or Blocked: There was no reply from the host.

Open ports present two vulnerabilities of which administrators must be wary:
#Security and stability concerns associated with the program responsible for delivering the service.
#Security and stability concerns associated with the operating system that is running on the host.

Closed ports only present the latter of the two vulnerabilities that open ports do. Blocked ports do not present any reasonable vulnerabilities. Of course, there is the possibility that there aren't any known vulnerabilities in either the software or operating system at this given time.

The information gathered by a port scan has many legitimate uses, including the ability to verify the security of a network. Port scanning can however also be used by those who intend to compromise security. Many exploits rely upon port scans to find open ports and send large quantities of data in an attempt to trigger a condition known as a buffer overflow. Such behavior can compromise the security of a network and the computers therein, resulting in the loss or exposure of sensitive information and the ability to do work.

SYN scanning

SYN scan is the most popular form of TCP scanning. Rather than use the operating system's network functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan type is also known as "half-open scanning", because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the connection before the handshake is completed.

The use of raw networking has several advantages, giving the scanner full control of the packets sent and the timeout for responses, and allowing detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection while some services can be crashed with a connect scan. However, the RST during the handshake can cause problems for some network stacks, particularly simple devices like printers. There are no conclusive arguments either way.

TCP scanning

The simplest port scanners use the operating system's network functions; this is generally the next option when a SYN scan is not feasible. Nmap calls this mode connect scan, named after the Unix connect() system call. If a port is open, the operating system completes the TCP three-way handshake and the port scanner immediately closes the connection. Otherwise an error code is returned. This scan mode has the advantage that the user does not require special privileges. However, using the OS network functions prevents low-level control, so this scan type is less commonly used.

UDP scanning

UDP scanning is also possible, although there are technical challenges. UDP is a connectionless protocol so there is no equivalent to a TCP SYN packet. However, if a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open. However, if a port is blocked by a firewall, this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This method is also affected by ICMP rate limiting.

An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response, if a DNS server is present. This method is much more reliable at identifying open ports. However, it is limited to scanning ports for which an application specific probe packet is available. Some tools (e.g. nmap) generally have probes for less than 20 UDP services, while some commercial tools (e.g. nessus) have as many as 70. In some cases, a service may be listening on the port, but configured not to respond to the particular probe packet.

To cope with the different limitations of each approach, some scanners offer a hybrid method. For example, using nmap with the -sUV option will start by using the ICMP port unreachable method, marking all ports as either "closed" or "open|filtered". The open|filtered ports are then probed for application responses and marked as "open" if one is received.

ACK scanning

ACK scanning is one of the more unusual scan types, as it does not determine whether a port is open or closed, but whether the port is filtered or unfiltered. This is especially useful when probing for the existence of a firewall and its ruleset. It does this by only setting the RST flag in the packet to determine whether or not the packet will come back, regardless of the port being open or closed.

Window scanning

Rarely used because of its outdated nature, window scanning is fairly untrustworthy in determining whether a port is opened or closed. It generates the same packet as an ACK scan, but checks whether the window field of the packet has been modified. When the packet reaches its destination, a design flaw attempts to create a window size for the packet if the port is open, flagging the window field of the packet with 1's before it returns to the sender.

While this method has been phased out almost completely, using this scanning technique with systems that no longer support this implementation returns 0's for the window field, labeling open ports as closed.

FIN scanning

Since SYN scans are not surreptitious enough, firewalls generally scan for and block packets in the form of SYN packets. As presented in the 1996 issue of Phrack 49, article 15, by Uriel Maimon, it is documented that FIN packets are able to pass by firewalls with no modification to their purpose. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet. This is typical behavior due to the nature of TCP, and is in some ways an inescapable downfall. Systems vulnerable to this type of scan are most Unix and NT systems. Microsoft is immune in that it is not biased in the port state and will send a RST packet regardless of the port being open or closed.
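The SYN, connect, UDP, ACK, window and FIN sections above each describe how one probe's reply maps to a reported port state. The following is an added example, not the article's or Nmap's code: it encodes those rules in one classifier over constructed reply values, so the edge cases the article mentions (a blocked UDP port looking open, a zero window on old stacks, a stack that always sends RST to a FIN) can be worked through without sending a packet.

```python
from enum import Enum

class Reply(Enum):
    """What came back (or did not) for one probe; values are constructed."""
    NONE = "no reply"                      # timed out: nothing came back
    SYN_ACK = "SYN-ACK"                    # second step of the TCP handshake
    RST = "RST"                            # TCP reset
    ICMP_UNREACH = "ICMP port unreachable"
    APP_DATA = "application response"      # e.g. a DNS answer to a port-53 probe

def classify(scan: str, reply: Reply, window: int = 0) -> str:
    """Return the port state a scanner reports for one probe.

    scan: "syn", "connect", "ack", "window", "fin", "udp" or "udp-hybrid".
    window: the TCP window field of an RST reply (used by the window scan only).
    """
    if scan in ("syn", "connect"):
        # Half-open or full handshake: SYN-ACK means a listener, RST means
        # the host denied the connection, silence means something dropped it.
        return {Reply.SYN_ACK: "open", Reply.RST: "closed"}.get(reply, "filtered")
    if scan == "ack":
        # Tells filtered from unfiltered only; open and closed both answer RST.
        return "unfiltered" if reply is Reply.RST else "filtered"
    if scan == "window":
        # Same probe as the ACK scan, but a non-zero window on the RST marks
        # the port open; stacks without the quirk return 0, so open ports are
        # mislabelled closed (the weakness the article describes).
        if reply is not Reply.RST:
            return "filtered"
        return "open" if window > 0 else "closed"
    if scan == "fin":
        # Closed ports answer RST; open ports stay silent, and so do firewalls,
        # which is why silence can only be reported as open|filtered. A stack
        # that always sends RST (the article's Microsoft case) shows all closed.
        return "closed" if reply is Reply.RST else "open|filtered"
    if scan == "udp":
        # Only the ICMP unreachable is conclusive; a blocked port looks the same
        # as an open one, the false positive the article warns about.
        return "closed" if reply is Reply.ICMP_UNREACH else "open|filtered"
    if scan == "udp-hybrid":
        # nmap -sUV style: ICMP method first, then application probes resolve
        # the open|filtered ports that answer.
        if reply is Reply.ICMP_UNREACH:
            return "closed"
        return "open" if reply is Reply.APP_DATA else "open|filtered"
    raise ValueError(f"unknown scan type: {scan}")
```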

Custom TCP scanning

Allowing the entire scan to be completely set up by the user, this scan technique is more for advanced purposes when standard scanning techniques lack in certain areas.

Other scan types

Some more unusual scan types exist. These have various limitations and are not widely used. Nmap supports most of these. [http://nmap.org/man/man-port-scanning-techniques.html Port Scanning Techniques]

*Protocol scan - determines what IP-level protocols (TCP, UDP, GRE, etc.) are enabled.
*Proxy scan - a proxy (SOCKS or HTTP) is used to perform the scan. The target will see the proxy's IP address as the source. This can also be done using some FTP servers.
*Idle scan - another method of scanning without revealing your IP address, taking advantage of the predictable IP ID flaw.
*CatScan - checks ports for erroneous packets.
*ICMP scan - determines if a host responds to ICMP requests, such as echo (ping), netmask, etc.

Problems with ISPs and port scanning

Many Internet service providers deny their customers the ability to perform port scans outside of their home networks. This is usually covered in the Terms of Service or Acceptable Use Policy to which the customer must have already agreed. Other public and private networks may also place such limitations upon their users.

Some ISPs implement packet filters or transparent proxies that prevent outgoing port scans from reaching certain ports. For example, if an ISP provides a transparent HTTP proxy on port 80, port scans of any address will appear to have port 80 open, regardless of the target host's actual state.

Famous Port scanners

* Nmap (Unix/Windows)
* PacketTrap Port Scan (as part of pt360 Tool Suite)
* Advanced Port Scanner (Windows, Freeware)
* Superscan (Windows)
* Scanmetender Standard (Windows and GNU/Linux)
* Unicornscan (Unix)
* nhs nohack scanner (Windows)

See also

*List of TCP and UDP port numbers
*Computer system
*Computer security
*Cracking
*TCP/IP
*Internet
*Service scan
*Vulnerability scanner

External links

;External links to port scanners
* [http://insecure.org Nmap]
* [http://sectools.org/port-scanners.html Top port scanner in Fyodor's 2006 security tools survey]
* [http://www.scanmetender.com Scanmetender Standard]
* [http://www.radmin.com/products/utilities/portscanner.php Advanced Port Scanner]
* [http://www.foundstone.com/us/resources-free-tools.asp Superscan]
* [http://www.unicornscan.org/ Unicornscan]
* [http://nohack.de/freietools.html nhs nohack scanner]
* [http://www.recurity-labs.com/portbunny/ PortBunny]
* [http://atlas.arbor.net/summary/scans ATLAS Host/Port Scanning Real-Time Summary Report]
* [http://www.dnsminer.com/ DNS MINER - A simple web based port scanner]
* [http://autoscan-network.com/ AutoScan Network - Network Monitoring and Management Tool]

; Port list
* [http://www.iana.org/assignments/port-numbers IANA assigned ports list]

;Papers
* [http://www.milw0rm.com/papers/141 Port Scanning Techniques] by Kris Katterjohn. Includes examples using Nmap and Hping.
* [http://doc.bughunter.net/network-security/portscan.html Port Scanning Unscanned] by Ankit Fadia

;Legal implications
* [http://www.asianlaws.org/library/cyber-laws/cc/ptscanning.htm Port Scanning and its Legal Implications] from the Asian School of Cyber Laws
* [http://www.sans.org/rr/whitepapers/legal/71.php The Ethics and Legality of Port Scanning] is a PDF of a paper by Shaun Jamieson, published October 8, 2001 as part of the SANS Reading Room


Wikimedia Foundation. 2010.
