
Ops 301 Class 14

Bill Kachersky edited this page Oct 4, 2021 · 1 revision

What is a port scanner and how does it work?

A port scanner is a program that checks network ports to find out which state each one is in. There are three possible states: open, closed, and filtered.

Port scanners can be used to diagnose network and connectivity issues. However, attackers use port scanners to detect possible access points for infiltration and to identify what kinds of devices you are running on the network, like firewalls, proxy servers or VPN servers.

How does a port scanner operate?

A port scanner sends a network request to connect to a specific TCP or UDP port on a computer and records the response.

So what a port scanner does is send a packet of network data to a port to check the current status. If you wanted to check to see if your web server was operating correctly, you would check the status of port 80 on that server to make sure it was open and listening.

The status helps network engineers diagnose network issues or application connectivity issues, or helps attackers find possible ports to use for infiltration into your network.

What is a port?

A port is a virtual location where network communication starts and ends. There are two kinds of network ports on each computer, TCP and UDP, with 65,536 of each.

Each computer has an Internet Protocol (IP) address, which is how the network knows which computer to send packets to. If you send a packet to the IP address, the computer knows what port to route the packet to based on the application or packet contents. Each service running on the computer needs to “listen” on a designated port.

The first 1023 TCP ports are the well-known ports reserved for applications like FTP (21), HTTP (80), or SSH (22); the Internet Assigned Numbers Authority (IANA) reserves these ports to keep them standardized.

TCP ports 1024 – 49151 are available for use by services or applications, and you can register them with IANA, so they are considered semi-reserved. Ports 49152 and higher are free to use.

Port scanning basics

A port scanner sends a TCP or UDP network packet to a port and asks about its current status. The three types of responses are below:

  • Open, Accepted: The computer responds and asks if there is anything it can do for you.

  • Closed, Not Listening: The computer responds that “This port is currently in use and unavailable at this time.”

  • Filtered, Dropped, Blocked: The computer doesn’t even bother to respond.
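The three states above map directly onto what a TCP connect scan sees from the operating system: a completed handshake means open, an immediate refusal (RST) means closed, and no answer at all means filtered. The following is an added example, not part of the original notes, that performs a minimal TCP connect scan against the local machine and classifies each port that way; it starts its own throwaway listener on 127.0.0.1 so it runs offline and you can see an "open" result change to "closed" once the listener goes away (the listener and the host/port values are constructed for the demo).

```python
import socket

# The three states the notes describe, as returned by the scan functions.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def scan_port(host, port, timeout=1.0):
    """TCP connect scan of one port: attempt the full handshake and classify the result.

    open     -> connect() succeeded, so something is listening
    closed   -> the host answered with RST (ECONNREFUSED): nothing is listening
    filtered -> no answer before the timeout, or an ICMP unreachable error;
                a firewall or filter is dropping the probe
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except ConnectionRefusedError:
            return CLOSED
        except (socket.timeout, OSError):
            return FILTERED


def scan_ports(host, ports, timeout=1.0):
    """Scan several ports and return a {port: state} mapping."""
    return {p: scan_port(host, p, timeout) for p in ports}


def start_listener(host="127.0.0.1"):
    """Bind a throwaway listener on an OS-chosen port so the scan has a known-open target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo():
    """Scan a port while a listener is up, then the same port after it is closed."""
    srv, port = start_listener()
    try:
        while_listening = scan_port("127.0.0.1", port)
    finally:
        srv.close()
    after_close = scan_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())  # expected: ('open', 'closed')
```

This is the same check described earlier for port 80: run `scan_ports("127.0.0.1", [80])` on a web server to confirm it is listening, and watch for unexpected "open" results on ports you do not use.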

Port scans generally occur early in the cyber kill chain, during reconnaissance and intrusion. Attackers use port scans to detect targets with open and unused ports that they can repurpose for infiltration, command and control, and data exfiltration, or to discover what applications run on that computer so they can exploit a vulnerability in that application.

Port scanning techniques

  • Ping scan: The simplest type of scan, it checks to see if your target is alive by sending ICMP requests and looking for replies.

  • TCP half open: Also known as a SYN scan, this is a fast and common scan that sends a SYN and looks for the target's SYN/ACK reply without completing the handshake.

  • TCP connect: Similar to the half open technique, but in this scenario, the host machine completes the TCP handshake.

  • UDP: Slower than a TCP scan, UDP scans work best when you send a specific payload to a target, like a DNS request.

  • Stealth scanning: Quiet and unobtrusive, this is the preferred scanning method by hackers.

Nmap is a popular scanning tool. It’s open source and provides a good variety of scanning techniques for different scenarios.


This reading material is relevant to our course content because it outlines how ports and port scanning work, which is a technique every cybersecurity professional should be well acquainted with.
