Port scanner

From Wikipedia, the free encyclopedia

A port scanner is a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by crackers to compromise it.

To portscan a host is to scan for multiple listening ports on a single target host. To portsweep is to scan multiple hosts for a specific listening port. The latter is typically used in searching for a specific service. For example, a SQL based computer worm may port sweep looking for hosts listening on TCP/UDP port 1433.

Contents

[edit] TCP/IP basic knowledge

The protocol stack that is most common on the Internet today is TCP/IP. In this system, hosts and host services are referenced using two components: an address and a port number. There are 65535 distinct and usable port numbers. Most services use a limited range of numbers; these numbers will eventually become assigned by the IANA when the service becomes important enough.

Some port scanners only scan the most common, or most commonly vulnerable, port numbers on a given host. See: List of TCP and UDP port numbers.

The result of a scan on a port is usually generalized into one of three categories:

  • Open or Accepted: The host sent a reply indicating that a service is listening on the port.
  • Closed or Denied or Not Listening: The host sent a reply indicating that connections will be denied to the port.
  • Filtered, Dropped or Blocked: There was no reply from the host.

Open ports present two vulnerabilities of which administrators must be wary:

  1. Security and stability concerns associated with the program responsible for delivering the service.
  2. Security and stability concerns associated with the operating system that is running on the host.

Closed ports only present the latter of the two vulnerabilities that open ports do. Blocked ports do not present any reasonable vulnerabilities. Of course, there is the possibility that there are no (yet) known vulnerabilities in either the software or operating system.

The information gathered by a port scan has many legitimate uses, including the ability to verify the security of a network. Port scanning can however also be used by those who intend to compromise security. Many exploits rely upon port scans to find open ports and send large quantities of data in an attempt to trigger a condition known as a buffer overflow. Such behavior can compromise the security of a network and the computers therein, resulting in the loss or exposure of sensitive information and the ability to do work.

[edit] TCP Scanning

The simplest port scanners use the operating system's network functions. Nmap calls this mode connect scan, named after the Unix connect() system call. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection. Otherwise an error code is returned. This scan mode has the advantage that the user doesn't require special privileges. However, using the OS network functions prevents low-level control, so this scan type is less commonly used.

SYN scan is the most popular form of TCP scanning. Rather than use the operating system's network functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan type is also known as "half-open scanning," because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the connection before the handshake is completed.

The use of raw networking has several advantages, giving the scanner full control of the packets sent and the timeout for responses, and allowing detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection; some services can be crashed with a connect scan. However, the RST during the handshake can cause problems for some network stacks, particularly simple devices like printers. There are no conclusive arguments either way.

[edit] UDP Scanning

UDP scanning is also possible, although there are technical challenges. UDP is a connectionless protocol so there is no equivalent to a TCP SYN packet. However, if a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open. However, if a port is blocked by a firewall, this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This method is also affected by ICMP rate limiting.

An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response, if a DNS server is present. This method is much more reliable at identifying open ports. However, it is limited to scanning ports for which an application specific probe packet is available. Common tools (e.g. nmap, nessus) generally have probes for less than 20 UDP services. In some cases, a service may be listening on the port, but configured not to respond to the particular probe packet.

To cope with the different limitations of each approach, some scanners offer a hybrid method. For example, using nmap with the -sUV option will start by using the ICMP port unreachable method, marking all ports as either "closed" or "open|filtered". The open|filtered ports are then probed for application responses and marked as "open" if one is received.

[edit] Other Scan Types

Some more unusual scan types exist. These have various limitations and are not widely used. Nmap supports most of these.

  • ACK scan - can find packets allowed through a stateless packet filter.
  • FIN scan - can determine if ports are open/closed, even if SYN packets are filtered.
  • Protocol scan - determines what IP level protocols (TCP, UDP, GRE, etc.) are enabled.
  • Proxy scan - a proxy (SOCKS or HTTP) is used to perform the scan. The target will see the proxy's IP address as the source. This can also be done using some FTP servers.
  • Idle Scan - Another method of scanning without revealing your IP address, taking advantage of the predictable ipid flaw.
  • CatScan - Checks ports for erroneous packets.
  • ICMP scan - determines if a host responds to ICMP requests, such as echo (ping), netmask, etc.

[edit] Problems with ISPs and Port Scanning

Many Internet service providers deny their customers the ability to perform port scans outside of their home networks. This is usually covered in the Terms of Service or Acceptable Use Policy to which the customer must have already agreed. Other public and private networks may also place such limitations upon their users.

Some ISPs implement Packet filters or Transparent proxys that prevent outgoing port scans being able to access certain ports. For example, if an ISP provides a transparent HTTP proxy on port 80, port scans of any address will appear to have port 80 open, regardless of target host's actual state.


[edit] Online Portscanner

[edit] See also

[edit] External links

Legal implications